Friday, January 31, 2014

SCADA Security Reality

For an interesting debate between a "SCADA Realist" and a "SCADA Apologist", check out this video submitted by Dale Peterson.

SCADA security is a critical problem. Consider how many of these legacy systems, operating on insecure protocols and firmware, on hardware that hasn't been available for purchase for decades, and running software for which security patches no longer exist, are running the critical infrastructure of our country:
  • transmission of oil and gas through pipelines
  • water and sewage systems of major cities
  • security and safety systems installed within sporting facilities
  • our electricity grids
  • more and more...
This list is long.

Sure, it's going to cost billions of dollars to upgrade and replace all of this legacy equipment and re-engineer the design of critical control systems. But consider the cost to the country's major social and political systems should we lose control of one of these critical pieces of our existence. I look at what a simple, yet massive, flood did to the city of Calgary in 2013 - people panicked for 4 hours on the second morning and the city ran out of bottled water and bags of ice. This is a minor inconvenience compared to the loss of the utilities that keep us safe, warm, and fed. A destructive, targeted piece of malware is capable of taking out our electrical grid for days, and don't be naive enough to think that attackers are not building these viruses now, because they know how vulnerable our critical infrastructure is at the moment.

I am a SCADA realist - I know how important it is to upgrade and replace as many systems as possible over the next few years. However, the apologists will continue to tell us how costly and difficult it will be to do all this work. They will continue to push for compensating controls - physical security, segregated networks behind a firewall, anti-virus. What's stopping a vendor - those most at fault for keeping these horribly insecure systems running today - from unknowingly introducing malware via USB or FTP during routine maintenance?
It's time to face reality - our SCADA infrastructure needs to be upgraded now. We need to re-prioritize our budgets and start focusing on planning out the major projects required to ensure we keep our Canadian control systems and our population safe from an unnecessary outage of some of our most vitally relied-upon systems.

Thursday, January 23, 2014

Are Mobile Banking Apps Secure?

We have apps on our smartphones to chat with friends, maintain our schedules, and purchase our morning coffee. Both Apple and Android catalogue millions of apps, targeting users from all age groups and demographics, across the globe. The convenience of having your world right at your fingertips has spawned a revolution. People are now so in tune with their mobile lives that they simply forget that accessing some information across public Wi-Fi connections or through untrusted apps can lead to major headaches.

Like identity theft.

Jumping on the bandwagon to attract more customers, banks recently launched mobile apps for both smartphone platforms so that people can transfer money, check balances and pay bills on the go. But, considering the vital information that is stored on a banking website, are these apps secure?

One researcher at IOActive conducted his own tests against 40 different iOS mobile banking apps and found that 70% do not support two-factor authentication and only 40% operate over SSL. What does this mean? Two-factor authentication consists of two of three authentication mechanisms - what you know, what you have, and who you are. Typically, for most organizations, this includes a password (what you know), a fob with a rotating PIN (what you have), and, in highly secure areas, a fingerprint scanner (who you are). Most banks offer two-factor authentication into their sites by a bank card number/password combination (what you have), and a secondary secret question to verify you are who you say you are (what you know). What's surprising about bank mobile apps is that it is hard to find a reputable bank that hasn't implemented two-factor authentication for its website, yet most haven't bothered to include this vital need in their apps.

SSL certificates act as a second factor in authentication as well, because your correct password tells the banking servers that you are now a legitimate user, and a public certificate is used to set up the session. Traffic from your computer, logged into their website, is encrypted right up until their internal server. This means that only well-intentioned hackers should be able to intercept the data in transit and obtain important bank card, password and balance information. The lack of secure connectivity between mobile apps and the bank is shocking - this information is sent in clear text across the public Internet where anyone can see it!
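To make the two preceding points concrete (a password as "what you know" plus a rotating PIN as "what you have", and credentials that are never sent over a plaintext channel), here is an added example of a server-side two-factor login check. It is not code from the original post, from IOActive, or from any bank; the account store, the salt, the user "alice" and the endpoint URL `bank.example` are constructed for illustration, and the rotating PIN is computed with the standard TOTP algorithm (RFC 6238, built on HOTP from RFC 4226), which is what most hardware fobs and authenticator apps implement.

```python
"""Two-factor login check: a PBKDF2-hashed password (what you know) plus a
six-digit rotating code from a TOTP token (what you have), refused unless the
endpoint is TLS. Added illustration; not the post's or any bank's own code."""
import hashlib
import hmac
import struct
from urllib.parse import urlparse

TIME_STEP = 30   # seconds each TOTP code stays valid (RFC 6238 default)
DIGITS = 6       # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): dynamically truncated HMAC-SHA1 of a big-endian counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238): HOTP over the number of whole time steps since the epoch."""
    return hotp(secret, int(now // step))


def verify_totp(secret: bytes, candidate: str, now: float, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to tolerate clock
    drift; compare_digest keeps the comparison time independent of the digits."""
    counter = int(now // TIME_STEP)
    return any(
        hmac.compare_digest(hotp(secret, counter + d), candidate)
        for d in range(-window, window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen account table does not yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed (hypothetical) account record. The TOTP seed is the RFC 6238 test key.
SALT = b"constructed-salt-not-for-real-use"
ACCOUNTS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "totp_seed": b"12345678901234567890",
    }
}


def endpoint_is_tls(url: str) -> bool:
    """The clear-text problem from the post: never send credentials to a non-https URL."""
    return urlparse(url).scheme == "https"


def login(username: str, password: str, code: str, now: float,
          url: str = "https://bank.example/api/login"):
    """Return (ok, reason). Both factors must pass and the endpoint must be TLS."""
    if not endpoint_is_tls(url):
        return False, "refusing to send credentials over plaintext"
    acct = ACCOUNTS.get(username)
    # Hash even for unknown users so response time does not reveal which names exist.
    expected = acct["pw_hash"] if acct else hash_password("", SALT)
    if acct is None or not hmac.compare_digest(hash_password(password, SALT), expected):
        return False, "bad username or password"
    if not verify_totp(acct["totp_seed"], code, now):
        return False, "bad or expired code"
    return True, "ok"


if __name__ == "__main__":
    seed = ACCOUNTS["alice"]["totp_seed"]
    print(login("alice", "correct horse battery staple", totp(seed, 59), 59))
```

The constructed seed reproduces the RFC test vectors (`hotp(seed, 0)` is `755224`, `totp(seed, 59)` is `287082`), which is a useful sanity check when wiring a real token library: if those values do not match, the implementation is wrong regardless of how the rest of the login flow looks.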

Recently, it was reported that 8 out of 10 banking apps for mobile devices, both Android and Apple, contain major security flaws. Credit unions were at the top of the list, with JavaScript errors one of the most predominant problems.

Protect yourself. The most secure thing you can do is NOT use mobile banking apps until the implementers have figured out that there is a critical need to encrypt this data and force two- or three-factor authentication for all users. Mobile devices are inherently at higher risk of theft, loss and data capture, so running insecure apps is the worst thing you could do.

The Royal Bank makes a statement that all transactions are guaranteed to be secure when using its mobile app. However, this same app also allows the user to save his or her card number or username. Even this information presents an opportunity for data theft. Read the fine print or call your bank first before using any mobile banking app to find out about its security controls.