Risk assessment of a power plant: evaluating the security of a supervisory control and data acquisition system.

ABSTRACT
With the increased potential of a bona fide cyber terrorist attack and the possibility of a future "war in the wires," we must continue to sterilize the networks connected to critical infrastructures. This paper provides a risk assessment of an existing operational computer network used to control a boiler system generating power and heat for an installation. The methodology used in evaluating the security of the system is described along with specific recommendations for minimizing the risk associated with connecting the network to the Internet for the purposes of remote data collection and administration. Our assessment and proposed recommendations may be applied to any critical infrastructure with a requirement for remote administration and/or data collection.
As an aftermath of the terrorist events that occurred on September 11, 2001, the President of the United States created the Office of Homeland Security to analyze, plan, and coordinate the interior defense of the country. One of the critical components of this new organization was the creation of the President's Critical Infrastructure Protection Board (CIPB), tasked "to ensure protection of information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems" (US 2003a). Within a year, the organization, in conjunction with computer security experts from academia, industry, and government, produced a draft of a national strategy to secure cyberspace that outlines some of the critical steps required for the United States to secure its information systems from deliberate cyber attacks. The key sectors addressed in this document were critical infrastructures such as banking and finance, transportation, and electrical power. This document was recently finalized and endorsed by the President of the United States (US 2003b).
The forensic analysis of al Qaeda computers seized from the caves of Afghanistan in the spring of 2002 suggests an extremely high level of interest from this terrorist group in how to remotely control, through the Internet, electrical substations, pipelines, dams, and communication grids (Gellman 2002). The devices used to control such systems remotely are called supervisory control and data acquisition (SCADA) systems. They use their own application protocol but employ the standard transmission control protocol/Internet protocol (TCP/IP) used by computers to communicate across the Internet and local intranets. The computer devices used to control critical systems and the protocols they use to communicate are often not well understood except by the vendors who develop them. Because they are not as common as the familiar Internet application protocols, they are not subject to the constant scrutiny of the Information Assurance (IA) community. However, the threat against such systems is real. One utility reported 100,000 scans a month in 2001 (Dagle et al. 2002).
The problem with such a situation is that assuming information systems are secure because the nodes on the network and the protocols used to communicate are obscure is a fatal mistake. Obscurity only slows the development of attacks on the system. Given enough time and money to replicate the devices used in the system, a motivated cyber agent or cyber warrior will develop tools to attack the system. The proliferation of such tools to the computer underground is then trivial (Welch 2002).
In this paper we describe a risk assessment of a power plant's information system. The power plant is real and operational with a network of control devices and computers controlling the plant's central boilers. The plant is capable of producing over 5 MW of electricity as well as central heating. Ultimately, the goal of the project is to reduce the cost of operating the plant by remotely administering the system and enabling a software application to dynamically control the mechanical equipment. The software makes decisions based on several attributes, such as electrical and fuel tariffs, ambient air temperature, and the number of personnel on site. The purpose of the assessment is to identify specific threats and vulnerabilities of the system and then take the necessary steps to minimize the risk associated with connecting the network to the Internet. In order to fully evaluate the network, we conducted a penetration test using open-source software tools that both cyber attackers (i.e., computer hackers) and computer security professionals use to evaluate network security. We emphasize open-source tools because these tools are freely available for download on the World Wide Web and, thus, could be obtained by anyone. An organization with more resources could purchase more advanced tools or modify the open-source software tools to fit their needs.
Facilities and Motivation
The central plant was originally built in 1903 as a heating facility. However, upgrades over time have changed it into a cogeneration facility that is capable of providing up to 5.2 MW of emergency power. The plant consists of two 1.25 MW steam turbines and one 1.65 MW steam turbine. High pressure (1.2 MPa) and low pressure (184 kPa) steam lines, acting as the condenser for the plant, provide heat to buildings. Due to steam pipe losses and process loads, only 40% of the steam condensate returns to the central plant. Makeup feed water, from a local reservoir, is mixed with the condensate that returns from the heating load. Once mixed, the water is pumped to any combination of the three boilers in the system. In 1993, a 1.2 MW diesel generator intended for peak shaving (demand reduction) was added to the plant.
The organization purchases grid electrical power under a fixed price of demand (kW) plus energy charges (kWh), which vary by time of year. Since electricity can usually be purchased for less than it costs to produce it on site, local power generation is only economical for peak shaving or when cogeneration is possible. Since the only condensing capability is from the heating and processing loads, the steam turbines can only be economically run during winter months. The diesel generator may be operated at any time of year; however, waste heat recovery is not possible with the current configuration.
The plant had traditionally been controlled by operators who set its operation based upon their experience. Unfortunately, they often did not operate the plant optimally because they lacked access to certain information. Such information included site population, hourly weather predictions, and electrical price signals. In some cases, the plant operators were not trained in all the subtleties of plant operation. This sub-optimal performance can be improved with a clear methodology of how plant equipment operates and interacts.
An artificial intelligence agent-based software application is being developed that takes input from equipment sensors, building thermal loads, and an electrical profile coupled with rates from a remote location and determines the combination of equipment that would offer the least-cost option for providing power and heat. This information is used to produce accurate models, which increase the ability to operate the plant efficiently. While this information could be collected manually, operator error would be minimized if the program were fully automated.
The SCADA system uses commercial off-the-shelf (COTS) technology. The operating systems and the applications they run, along with the communication protocols used to exchange information between devices, are subject to the same sort of attacks that are used every day on the Internet. The weakest link, the human element, is subject to attack through social engineering, weak or absent passwords, poor policy, and improper configurations.
The security of the system and assurance of its information are paramount. In order to provide the functionality desired, the system must be connected to the Internet. Preventing cyber attacks against the plant requires a risk assessment of the current infrastructure and hardening of the final implementation.
Published work in this area is very sparse. This may be because results of such assessments are not releasable to the public or, worse, tests such as the one described in this paper are not being conducted. Government and private agencies are continuing to investigate protection and security of critical infrastructure. Their recommendations consist of making industry aware of the threat and potential vulnerabilities associated with their SCADA systems, providing assistance in the form of training and penetration tests similar to the one described in this paper, and establishing partnerships between the national laboratories and industry in order to leverage each organization's expertise. As in this paper, their presentation describes the typical vulnerabilities observed in SCADA systems (Dagle et al. 2002). The difference between this paper and their presentation is that we present a more thorough risk assessment, including results from a vulnerability assessment.
We use the Information Assurance (IA) model (Figure 1) presented by Maconachy et al. (2001) as a framework for assessing an information system. The model describes four dimensions: (1) information states, (2) security services, (3) security countermeasures, and (4) time.
The power plant uses information that can be in any one of three states at any given point in time: (1) processing, (2) transmission, or (3) storage. When assessing the security of that information, one must consider all three states. The types of security services a system can provide include confidentiality, integrity, availability, authentication, and nonrepudiation. We focused our evaluation on the first three services. When considering where one may accept risk, confidentiality may be the least important attribute, as the power plant still operates even if an outsider is able to view the information. On the contrary, the integrity of the data is very significant. Any modification of the data may cause damage or loss. For example, a data packet with incorrect values may be sent to a boiler computer that in turn directs the combustion subsystem to overcompensate the air-to-fuel ratio. Or, incorrect information could be fed to the software application, leading to incorrect predictions. In every case, availability is important, as loss of data to the system degrades or possibly disables power and heat generation. Availability and integrity over time are particularly important factors for control systems, as updates to the controllers happen in real time. Any disruption to the flow of information can result in the system becoming desynchronized.
[FIGURE 1 OMITTED]
As with any risk assessment process, the ultimate goal is to reduce risk to an acceptable level without giving up the functionality and performance required by the organization. In the context of the IA model, risk is the probability that a particular threat is manifested against a specific vulnerability in the system that undermines availability, integrity, or confidentiality. One cannot eliminate risk in the information system without physically disconnecting the computers from the network and burying them in a hole. Obviously such a solution defeats the purpose of deploying and using the technology in the first place.
The model's security countermeasures enable one to reduce risk. These countermeasures include technology; policy, procedures, and practices; and the people within the organization administering and using the system. Most people will immediately associate security countermeasures with computer security applications such as firewalls, anti-virus software, and patches. In most cases, however, the people, policy, and procedures play the most important role in determining the overall security of an information system. Throughout the remainder of the paper we will use the IA model as a roadmap for our discussion. First we will look at the threat and potential attacks against the three security services we studied (confidentiality, integrity, and availability), then we will look at the vulnerabilities we found as they relate to each of the information states and provide recommendations in terms of the security countermeasures.
Based on our penetration test and an analysis of the protocols and platforms used in the power plant, we conclude that there are three major forms of attack against the power plant's infrastructure, each with an increasing degree of severity.
Integrity Attack on the Information. This type of attack involves modifying the information stored in databases and transmitted across the communication networks. Such an attack's visible end state is an unknown amount of decrease in the efficiency of the power plant's generation of power or heat, resulting in a higher cost of operating the plant. Such a scenario involves an attacker modifying the current cost of electrical power, number of personnel, ambient air temperature, or data returned from the boiler's sensors that is either stored in the databases or in transit. Modification to the data causes the software relying on the information to incorrectly adjust boilers and either over- or underproduce steam, resulting in an inefficient process, lack of confidence in the design capacity during critical loads, and loss of any competitive edge that the control software was supposed to provide. This is exactly the opposite of the result desired by the designers of the agent-based control software.
Availability Attack on Power Generation. The second attack is an availability attack (also known as a denial of service attack). The attack causes degradation in the facility's ability to generate power. There are two possible ways an attacker could perform a denial of service attack against the power plant and effectively prevent it from producing power or heat. The first is a very overt, noisy attack in which the attacker sends several thousand packets (a ping flood; the "ping of death" of hacker terminology is a related but distinct attack in which a single malformed, oversized packet crashes a vulnerable host) to control computers running on the power plant's internal network. The victimized computers become overwhelmed with packets and are unable to perform their primary function as they are busy attending to the large number of incoming packets. Another possibility for such an overt attack is for the attacker to execute an exploit that effectively shuts down a device on the network responsible for maintaining network connectivity. A network router is an example of such a device, and an exploit in this context is a computer program that takes advantage of a particular vulnerability in software. Once the router can no longer perform its connectivity function, communication ceases between computer nodes on the network, and information cannot be transferred to the boilers' controllers. This action results in degradation to default operations.
The second and more dangerous method an attacker could use to temporarily disable the power plant is much more covert and relies on the attacker initially gaining access to computer systems within the plant's internal network. Based on our analysis, an attacker could gain access to one or more computers on the network using operating-system-based attacks, application-based attacks, or social engineering. If access is gained using a normal user account, escalation of privileges may be obtained by attempting "user to administrator" exploits (Skoudis 2002). One would believe that such vulnerable applications and operating systems are not running on SCADA systems used to control boilers, but our assessment shows the contrary.
Once access on a computer within the central plant is gained, the intruder can then launch network-based attacks. Again, the attacker could launch a noisy denial of service attack from within the internal LAN, as they are now within the confines of the local network and outside the reach of external security. However, if they wish to remain covert, a serious cyber warrior could take advantage of the weak, unencrypted protocols used in control systems and either create their own packets to communicate with the boiler controllers or modify the packets already in transit. By simply zeroing out the data in a controller's registers, the attacker could effectively shut down the power generation capability of the plant.
Confidentiality and Integrity Attack Against the Boiler Controllers. The final and most devastating attack that a cyber-terrorist may attempt would result in physical damage to the plant and potentially loss of human life. It is a combined exploit on the confidentiality and integrity of the information that controls the boilers, resulting in an explosion and possible physical damage. More research into this final attack is required, but theoretically it is very possible. We describe it in order to be complete in our analysis, to highlight our concerns with the unencrypted network protocols used in SCADA systems, and to show the relative ease of such an attack.
Before describing the attack, it is important to understand the primary purpose of a boiler control system. A boiler's controller maintains steam availability and improves efficiency in an effort to reduce cost and emissions. One of the key subsystems of a boiler control system is the combustion subsystem. Its function is to deliver the right mix of air and fuel to the burner at a rate that satisfies the firing rate demand and at a mixture (air to fuel ratio) that provides safe and efficient combustion.
An explosion might occur if one could cause the controller to overcompensate the air-to-fuel mixture. Forcing the controller to overcompensate is a matter of writing certain data to the appropriate memory locations that trigger such an event. In our analysis, from a cursory inspection of the controller's documentation it is not obvious which memory location controls the combustion subsystem, but a diligent cyber warrior backed with state-sponsored or terrorist-organizational resources could purchase the equipment and evaluate its operational functionality. It is then trivial to inject a packet or modify a packet in transit to enable such a memory write.
Vulnerabilities and Recommendations
In order to evaluate the vulnerability of the power plant's current information technology infrastructure and provide sound recommendations, we took the approach from an attacker's vantage point and used several active reconnaissance-based port scanning tools that an attacker might use to determine the network topology, operating systems, and open TCP ports running on each machine. We also employed several vulnerability scanners that attempt to determine the specific vulnerabilities associated with the computers and their software. Passive reconnaissance measures were also employed, such as searching for publicly available information on the Web that may be of interest to an attacker.
We also used specific exploitation tools that an attacker could use to further penetrate the network once access is gained through a vulnerability. These exploitation tools included network monitoring tools used to capture network traffic, password crackers to determine the strength of passwords on the system, and various other attack tools designed against specific operating systems and applications to identify security weaknesses.
Because not all tools provide the same information, we employed a breadth of tools in conducting our analysis. It is also important to note that despite the fact that we were physically on site for our evaluation, if the current topology were connected directly into a switch or router with access to the Internet we would have been able to collect similar information. Access to the physical wires is not necessary, as the Internet supports protocols that allow transmission between two interconnected devices. We used only open-source tools to evaluate the system. These tools are freely available on the Internet. We hypothesize that a true cyber warrior would develop their own in-house tools and purchase the systems described in the paper in order to increase their capability and specifically target the critical infrastructure to which they were attempting to gain access.
Although we did not attempt any social engineering attacks on the personnel running the plant, it appeared that the plant operators would have been very helpful in providing useful information such as passwords, types of software running on the system, and other information over the phone or even in person if we appeared to be the local "IT guys." During our visit, when we were connecting our computers to the plant's network, we were never questioned or asked what we were doing even though we had no name tags, escorts, etc. There appeared to be only one person in the plant even familiar with the computer systems, and that person did not physically work full time at the plant's location.
We now provide our assessment and specific recommendations for the power plant's information infrastructure by categorizing them using the IA model's security countermeasures (technology, policy, and people) as shown in Figure 1. We focus primarily on technology but also briefly address the issues surrounding policy and people.
[FIGURE 2 OMITTED]
Technology Recommendations. When speaking of technology, we are including the hardware, software (both operating system and application), and communication networks. Each has specific vulnerabilities. The discovered network topology from our reconnaissance is shown in Figure 2. Table 1 depicts the computer name, operating systems guessed by the port scanning tools, open ports discovered, and vulnerabilities found. Note that due to the number of vulnerabilities found, we are highlighting only the critical weaknesses. Table 2 lists the purpose of each open port found. It is important to note that this information was gathered by our tools and is not a result of physically going to each machine or reprinting an operation manual.
There are eight computers connected to the network, each having a static IP address. Four of the computers were running a vendor-specific Unix operating system. The other four computers were running the Windows operating system. Additionally, there are two appliances (a router and a switch) found on the network. The Windows operating systems are familiar to the common hacker, and numerous exploits are known to exist against such systems. The proprietary controllers, on the other hand, are not common on commercial or government networks. The networking protocols identified running on the network included TCP, UDP, IP, HTTP, Modbus, TFTP, and the Windows-specific NETBIOS protocols.
Highlighted vulnerabilities from Table 1 include the router. It is running a Web server that is susceptible to a denial of service attack if the attacker attempts to access a particular script. Such an exploit would enable the attacker to carry out an availability attack on power generation as described previously. The computers running the Windows operating system are extremely vulnerable to numerous attacks. In particular, the use of the Network Basic Input/Output System (NETBIOS) has several vulnerabilities. NETBIOS provides the ability to share files or folders across a network through Windows network shares. Although extremely useful, improper configuration of network shares may expose critical system files or may provide a mechanism for a nefarious user or program to take full control of the computer.
For example, a specific vulnerability associated with NETBIOS is the "null session connection." This is a mechanism that allows an anonymous user to retrieve information (such as user names/passwords and file shares) over the network or to connect without authentication. It is used primarily by Windows to account for various critical system operations. When one computer needs to retrieve system data from another, the account opens a null session to the other computer to perform the desired tasks. Unfortunately, attackers can also log in as the null session. Therefore, if working in a Windows domain environment, you can minimize the information that attackers obtain, but you cannot stop all leakage.
Other significant problems found with the computers running Windows primarily revolved around user accounts. One account had no password, making it a trivial matter for an attacker to gain access to this machine as that user. Once attackers have access as a user, they can masquerade as that user anywhere on the network where that user has permissions. Worse, an attacker can attempt a "user to administrator" exploit on the system in order to gain administrator access. Other accounts had passwords that had never been changed and were breakable. Finally, there were a few unused accounts on the system. These accounts should, at a minimum, be disabled or deleted if possible. Leaving unused accounts on the system leaves another avenue of approach open for the attacker to gain access.
Finally, the computers running Windows stored passwords in both the legacy LAN Manager (LM) format and the newer, more secure NTLM scheme. In order to support backwards compatibility with older Windows systems, the LM format is the default method of storing passwords. However, it has been shown that password-cracking programs can easily break the encryption of passwords stored using the LM format because of the poor implementation of the encryption algorithm.
All of the vulnerabilities found on the computers running the Windows operating system would subject the power plant's information system to the first two attacks described previously. A malicious attacker could either cause plant inefficiencies or temporarily disable power generation by gaining access to either the computer running the database or the computers used for displaying information (i.e., Boiler1-Boiler3) and modify the data so that the operators take imprudent actions or send incorrect data to the controllers.
The proprietary plant control system is a set of control system computers for the plant and combines the functionality of a loop controller, a process logic controller (PLC), and a distributed control system (DCS). The system serves as the storage location for the boilers' sensors and control information. The system has an auto-configured human-machine interface (HMI) and monitoring software located on the Boiler1-Boiler3 computers. The power plant's data acquisition computer uses a software package that contains a database with the current configuration of the boilers. The controllers can be configured remotely from this computer using software. Configurations and control information are transferred over the network from the database to the monitoring software using the Modbus protocol. Finally, the proprietary controllers run a web server to send graphical control measures to Web browsers.
The proprietary controller user's manual describes the methodology for connecting the system to an ethernet network and also states that "security is of paramount importance" but does not give any specifics besides mentioning that a firewall should be employed to protect the internal network from the Internet. It does not contain configuration options or details such as firewall recommendation, configuration considerations, and other security precautions that would minimize risk. We could find no mention of a risk analysis in any of the documentation.
We found serious vulnerabilities associated with the proprietary control system and the Modbus protocol it uses to transfer data across the communication network. Each controller has a Web server running on it that allows the plant operator to log into it and adjust settings via a standard Web browser. These Web servers are susceptible to a specific attack (cross-site scripting). A cross-site scripting attack is possible when a Web server (in this case, one of the proprietary controllers) returns content that includes unsanitized user-provided data (such as username and password). An attacker could create a request to the Web server (in the form of a standard URL) ... and continues business as usual. The attacker meanwhile has the plant operator's credentials and can log in to the boiler controller as if they were the plant operator. This attack may intercept user input, read data from the controller and send it back to the attacker's computer, or allow code to be run on the target system, possibly giving the attacker root or administrator access (Howard and LeBlanc 2002). Once an individual gains this level of access on a platform, he or she can perform any operation that would be possible by an administrator of that machine. Such operations include reading or writing data to the controller's memory. This vulnerability would allow the attacker to execute any of the three attacks previously described.
The proprietary controllers use a messaging protocol called Modbus to exchange information. Modbus is an application protocol that was initially designed as a serial-line master/slave architecture between control devices. It has recently evolved to use a modern ethernet-based network using the TCP/IP protocol as the underlying transport/network protocols (Figure 3). The Modbus application server listens by default on port 502 (Dube and Camerini 2002; Modbus 2003).
The Modbus protocol provides communication between computers using function codes that provide both read and write services. A client device (either a workstation or another device) requests a read or write from/to a specific memory location on a controller, and the service replies with either the specific data requested and/or writes the data to its specified memory location that ultimately controls the air/fuel mixture and boiler sensors. Encryption is not used, so all transactions are transmitted in the clear and can easily be captured and modified with network monitoring tools. An example packet was sent from a controller to the data acquisition computer. All reads and writes to registers on the controller could be observed, and, if we had desired, the data could have been modified. The request for comments (RFC) describing the Modbus protocol specifically states that it "does not discuss security issues and is not believed to raise any security issues not already endemic to Modbus communications. Since Modbus/TCP is based on TCP/IP, it is not inherently secure." The vulnerabilities described that are associated with the proprietary controllers and the Modbus protocol would allow a cyber warrior to execute any of the three attacks described previously.
[FIGURE 3 OMITTED]
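As an added example (not code from the paper or from the controller vendor), the following Python decoder shows how little stands between a Modbus/TCP frame on the wire and the register addresses and values it carries, which is also why a passive monitor on the plant segment can watch for write function codes coming from hosts that have no business writing. The host addresses, unit id, register numbers and frame contents are constructed for illustration.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Function codes that change controller state are the ones a monitor should watch.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int
    is_exception: bool
    start_addr: Optional[int] = None
    quantity: Optional[int] = None
    values: List[int] = field(default_factory=list)

def parse_frame(raw: bytes, is_request: bool) -> ModbusFrame:
    """Decode one Modbus/TCP frame (7-byte MBAP header, then the PDU).
    The frame is neither encrypted nor authenticated, so any host on the
    segment can recover addresses and register values exactly like this."""
    if len(raw) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, uid = struct.unpack(">HHHB", raw[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(raw) - 6:  # length field counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match frame size")
    fc, data = raw[7], raw[8:]
    frame = ModbusFrame(tid, uid, fc & 0x7F, bool(fc & 0x80))
    if frame.is_exception:  # exception responses carry a single code byte
        frame.values = list(data[:1])
    elif frame.function in READ_FUNCTIONS:
        if is_request:
            frame.start_addr, frame.quantity = struct.unpack(">HH", data[:4])
        else:  # response: byte count, then register words or packed bits
            count, body = data[0], data[1:1 + data[0]]
            frame.values = (list(struct.unpack(f">{count // 2}H", body))
                            if frame.function in (3, 4) else list(body))
    elif frame.function in (5, 6):  # single writes: address + value
        frame.start_addr, value = struct.unpack(">HH", data[:4])
        frame.quantity, frame.values = 1, [value]
    elif frame.function in (15, 16):  # multiple writes: address, count, bytes
        frame.start_addr, frame.quantity = struct.unpack(">HH", data[:4])
        if is_request:
            count, body = data[4], data[5:5 + data[4]]
            frame.values = (list(struct.unpack(f">{count // 2}H", body))
                            if frame.function == 16 else list(body))
    return frame

def audit_frames(captures, writers_allowed):
    """Flag malformed frames, exception replies and writes from hosts that are
    not approved to write. captures: (src_ip, dst_ip, raw_frame, is_request)."""
    alerts = []
    for src, dst, raw, is_request in captures:
        try:
            f = parse_frame(raw, is_request)
        except (ValueError, IndexError, struct.error) as err:
            alerts.append(f"{src}->{dst}: malformed Modbus frame ({err})")
            continue
        if f.is_exception:
            alerts.append(f"{src}->{dst}: exception {f.values} for function {f.function}")
        elif is_request and f.function in WRITE_FUNCTIONS and src not in writers_allowed:
            alerts.append(f"{src}->{dst}: {WRITE_FUNCTIONS[f.function]} at address "
                          f"{f.start_addr} from a host not approved to write")
    return alerts

# Constructed sample traffic (not captured at the plant); RFC 5737 example addresses.
ACQ_HOST, CONTROLLER, UNKNOWN_HOST = "192.0.2.10", "192.0.2.20", "192.0.2.99"
READ_REQ = bytes.fromhex("0001 0000 0006 01 03 0000 0002")     # read 2 regs at 0
READ_RESP = bytes.fromhex("0001 0000 0007 01 03 04 0320 0064")  # values 800, 100
WRITE_REQ = bytes.fromhex("0002 0000 0006 01 06 0010 0000")    # write 0 to reg 16
SAMPLE_CAPTURE = [
    (ACQ_HOST, CONTROLLER, READ_REQ, True),
    (CONTROLLER, ACQ_HOST, READ_RESP, False),
    (UNKNOWN_HOST, CONTROLLER, WRITE_REQ, True),
]

def demo():
    """Return the cleartext register values and the alerts the audit raises."""
    values = parse_frame(READ_RESP, False).values
    alerts = audit_frames(SAMPLE_CAPTURE, writers_allowed={ACQ_HOST})
    return values, alerts

if __name__ == "__main__":
    regs, found = demo()
    print("registers readable in the clear:", regs)
    print("\n".join(found))
```

The same decoder applied to a live capture would let the plant's security staff confirm that only the data acquisition computer ever issues write function codes to the controllers, which the protocol itself cannot enforce.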
There are several technological solutions that one could employ to reduce risk in the system and significantly increase the probability of detecting attacks and being able to respond appropriately. This technology includes such tools as intrusion detection systems, firewalls, honeynets, integrity maintenance systems, etc. However, overwhelming the people who maintain these systems with new technology is not always the correct answer, especially when their ultimate responsibility is to operate a plant. Because of this thought process and our assumption that the power plant's network is part of a much larger network that provides a defense in depth and whose security is constantly monitored by computer security specialists, our recommendations merely provide what we believe to be the minimum technical solutions required to reduce the risk of an attack to an acceptable level.
First, a firewall that segments the internal network from the agent-based system and the external network must be installed and configured. It should be configured to block all traffic except for the port required by the agent-based software to perform its analysis. No traffic originating from outside of the network should be allowed into the internal network. This "deny all" policy will prevent remote attacks against the NETBIOS, HTTP and Modbus protocols, assuming that the protocol used by the agent-based software is secure and the firewall is configured correctly.
All services/ports that are not required must be closed. This prevents all exploits against those services. A good example of this is the NETBIOS service. Since there is no requirement to run Windows "domains" or to allow file shares in this architecture, disabling NETBIOS will preclude the exploits against this protocol. The router's port 80 (Web) interface can be disabled and the router configured through a HyperTerminal session instead to preclude the denial of service attack.
There are a few security countermeasures that the designers of the agent-based system will want to include in their final implementation. Integrity maintenance software should be installed on all systems in order to detect any attempts to modify files. In order to secure the transmissions between the agent-based system and the database, a protocol such as Secure Sockets Layer (SSL) or IPSEC should be used, with the data that are stored in the database encrypted using a strong encryption algorithm.
The final two recommendations are strongly tied into the policy and training of the people who use the system. The first recommendation is that software patches to operating systems and applications remain current. Although it is ineffective against unpublished vulnerabilities, software patching will preclude known vulnerabilities. Furthermore, system administrators must properly configure the operating and application systems and ensure that the policies are set for the best security posture. For example, disabling the Windows LAN Manager authentication mechanism will ensure that only the more secure and stronger encryption implementation found in NTLM is used. Several security checklists exist for system administrators to ensure their systems are locked down as much as possible.
Users of the systems must have strong passwords, and these passwords must be checked with password-cracking software. Most forms of authentication, as well as file and data protection, rely on user-supplied passwords. Every account that is required must have strong passwords, and administrator accounts should be especially protected. Any application that is installed for the first time must have the password immediately changed, as the underground hacker has a database of default passwords for a myriad of applications.
Finally, as is often quoted in sports, the best defense is a good offense. Vulnerability assessments from an external source should be performed on a regular basis in order to ensure maintenance of the system is taking place and that patches to thwart new vulnerabilities are current.
Policy Recommendations. Again referring to Figure 1, we see policy and people identified as security countermeasures. In general, policy must be established and enforced in order to minimize the risk of connecting the power plant's internal network to the Internet. Clearly defined roles and responsibilities to defend cyberspace are important for managers, system administrators, and users. The network architecture must be documented, critical systems such as proprietary controllers and databases must be identified, and the additional security measures to protect these systems should be documented. A rigorous, ongoing risk management process must be established and enforced.
Policy should include procedures for both users and administrators. Some examples include how often passwords are changed, where log files are stored (on the host machine or off site), how often logs are reviewed, when systems are backed up, and procedures for recovery. Passwords should be changed periodically (e.g., every three to six months) in order to deny an attacker who has acquired the password data through other attacks the time to crack those passwords. Given enough time, a majority of passwords can be cracked unless they are very strong. Forcing users to change passwords frequently, however, results in bad passwords or re-used passwords. Administrators should have an alternate account for normal logging in to the systems and should use their administrator accounts judiciously. A formal procedure should be in place for conducting a vulnerability assessment similar to the one outlined in this paper. Additionally, the policy should address how often training should occur for both users and administrators.
People Recommendations. Looking closely at security measures and countermeasures, it is apparent that policy, technology, and people together have a synergistic effect on the security of an information system. Of these three elements, people are the most important. We believe that one of the main problems in the security of a SCADA network is that the people running the system, although well versed in the mechanical and electrical components of the system, often have little or no knowledge of how to secure the information technology. Most of the recommendations involve keeping up with the latest software patches. This involves training the system administrators to remain current with the latest vulnerabilities, running vulnerability assessment tools, and applying the latest patches. Note that such a methodology will not stop unknown attacks that a full-fledged cyber warrior may launch, but these measures will preclude easy attacks.
More education and training is required. People must build, install, configure, and maintain the technical aspects of information systems. If technology is implemented improperly or is used without the correct policies and procedures to support it, these technologies can actually reduce the overall security of an information system. Finally, it is people who must hire, retain, and sometimes fire other people who use and maintain these information systems. Without education and training in such matters, information security measures are nearly worthless.
Based on our findings, a more in-depth security analysis of the Modbus protocol and the proprietary system is required. Clearly, the Modbus protocol is vulnerable to attack, and anyone could easily inject or modify data. The application should be encrypted using a strong encryption algorithm, and a mutual authentication scheme should be put in place. In order to clearly identify the capabilities of the proprietary control system and which aspects of the boiler system it can control, more analysis is required. The purpose of each memory location requires investigation in order to determine which physical aspects of the boiler control system can be influenced. It is clear to us that modifying or injecting packets destined for a controller can temporarily disable a system. What is not clear is the physical damage that may be caused by such an attack. From a vendor's standpoint, more work is required to determine what steps an administrator of a proprietary system should take in order to properly secure their system. The manual should include these steps. After the implementation of the agent-based system and our recommendations, a reevaluation of security should take place.
In this study we conducted a risk assessment of a real power plant's supervisory control and data acquisition (SCADA) systems. The methodology described and the recommendations proposed may be applied to any critical infrastructure with a requirement for remote administration and/or data collection. There are several vulnerabilities associated with the current network such that a motivated cyber attacker could cause, at a minimum, inefficiencies in the system or disable it or, in the worst case, cause physical damage. Our recommendations include technical, policy, and training recommendations. Additionally, we conducted a cursory examination of the Modbus protocol and determined that because data transmission is unencrypted, it is vulnerable to passive and active eavesdropping, session hijacking, man in the middle, and replay attacks. Work needs to continue on improving the security of this protocol.
Protecting information is not an all or nothing endeavor. One must balance the desired functionality and performance required in an information system along with security. There is no "secure" or "non-secure" technical solution. Security includes the entire environment to include technology, the policies, and the people--and it is not free. One must determine what level of risk is acceptable and then make every effort to minimize that risk with appropriate security solutions. We would argue that in a critical infrastructure, such as a power plant, where the cost of physical damage is immeasurable monetarily, one must make every effort to secure the information system from a cyber attack.
The primary author would like to acknowledge Colonel (Dr.) Daniel Ragsdale for sparking his interest in information assurance and critical infrastructure protection.
Dagle, J., S. Widergren, and J. Johnson. 2002. Enhancing the security of supervisory control and data acquisition (SCADA) systems: The lifeblood of modern energy infrastructures. IEEE Power Engineering Society Winter Meeting, New York City, NY.
Dube, D., and J. Camerini. 2002. Modbus application protocol: Internet draft. Retrieved February 7, 2003, from http://www.ietf.org/internet-drafts/draft-dube-modbusapplproto-00.txt.
US. 2003a. Executive order on critical infrastructure protection. Retrieved January 29, 2003, from http://www.whitehouse.gov/news/releases/2001/10/2001101612.html.
US. 2003b. The President's Critical Infrastructure Protection Board. The National Strategy to Secure CyberSpace. Retrieved February 7, 2003. http://www.whitehouse.gov/pcipb/. United States White House.
Gellman, B. 2002. Cyber-attacks by al Qaeda feared. Washington Post, June 27, p. 4.
Howard, M., and D. LeBlanc. 2002. Writing Secure Code. Redmond, WA: Microsoft Press.
Maconachy, W.V., C.D. Schou, D. Ragsdale, and D. Welch. 2001. A model for information assurance: An integrated approach. 2001 IEEE Information Assurance Workshop, West Point, NY.
Modbus. 2003. Modbus.org home page. Retrieved February 15, 2003, from http://www.modbus.org/default.htm.
Skoudis, E. 2002. Counter Hack. Upper Saddle River, NJ: Prentice Hall PTR.
Welch, D. 2002. Adversary threat taxonomy. IEEE Information Assurance Workshop, West Point, NY.
Scott D. Lathrop
Christopher L. Gates
Darrell D. Massie, PhD, PE
Member ASHRAE
John M.D. Hill, Ph.D.
Scott D. Lathrop and John M.D. Hill are senior research scientists at, and Christopher L. Gates is with, the Information Technology and Operations Center, United States Military Academy, West Point, NY. Darrell D. Massie is with Intelligent Power & Energy Research Corporation, Fort Montgomery, NY.
Table 1. Discovered Computer Nodes with Vulnerabilities

| Computer Name | OS | Purpose | TCP/UDP Ports | Vulnerabilities Identified |
|---|---|---|---|---|
| Router | Proprietary | Enables routing of network traffic | TCP 80, 520; UDP 53, 67, 69, 520 | Crashes if a remote attacker accesses a script on it |
| Boiler1-Boiler3 | Windows | Displays boiler information and provides an interface for controlling boiler settings | TCP 135, 139; UDP 135, 137, 139 | It was possible to log into the remote host using a NULL session. Several local accounts have never changed their passwords and have passwords that never expire; most accounts are unused. One account had no password. |
| Boiler data acquisition | Windows | Database collecting boiler sensor information | TCP 135, 139; UDP 135, 137, 139 | Same as Boiler1-Boiler3 |
| Proprietary controllers | Unix | Collects and stores boiler sensor information and controls boilers | TCP 80, 502 | Web server is vulnerable to a cross-site scripting attack. Modbus protocol subject to session hijacking, man-in-the-middle attacks, and replay attacks |

Table 2. Discovered Open Ports

| Ports | Transmission Protocol | Purpose |
|---|---|---|
| 80 | TCP | Web traffic |
| 135, 137, 139 | TCP/UDP | NETBIOS (Network Basic Input/Output) protocol |
| 502 | TCP | Modbus |
| 53 | UDP | Domain name server |
| 67 | UDP | Bootstrap protocol |
| 69 | UDP | Trivial file transfer protocol |
| 520 | UDP | Router |