The past week at BlackHat and Defcon released a whirlwind of activity in the media, and a few of the articles involved critical infrastructure and SCADA Security. Nico Sell with BlackHat press arranged for a press meeting, and we were able to participate in a press event specifically dealing with the number of recent security findings related to SCADA systems and PLCs/RTUs. We continued to send out the message that embedded devices such as PLCs and RTUs simply do not have the level of security commensurate with the level of risk represented by the functions that these devices serve in the SCADA system. We have a security briefing coming out soon that will go into more detail on this topic.
Elinor Mills, with CNET News, took some time to sit in our 2-day course and was amazed to see that the embedded devices did not have any authentication or encryption. Basically if you can ping these devices, the game is over. When she saw how easy it was for us to turn the lights ON and OFF by simply sending a few packets to the PLC, the lights went on in her head. She then asked if any of these devices were accessible right now over the Internet. I told her that we often find PLCs and RTUs directly connected to the Internet, and during a break in the class, Tom Parker and I found several Modicon PLCs on the Internet. They have little embedded web servers, so if they were assigned a public routable IP address, you simply type their IP address in your browser, and you immediately have access to the inner workings of the embedded controllers. She wrote an article about this on CNET News, and the link is listed below:
Michael Gross, who recently wrote a detailed article about the background leading up to the Stuxnet virus, also wrote an excellent article entitled "Enter the Cyber Dragon" about the many cyber attacks seemingly originating from China. In this article, we were cited as a resource based on the work that we are doing in the Oil and Gas sector to help our clients secure their critical SCADA systems. Michael's article which is running in the September issue of Vanity Fair, can be found here:
While our policy is to never release the names of our clients to the press, or the specifics relating to our research in the field of SCADA Security, we do like to help get the word out to as many as possible when the topic is broad enough to not compromise the integrity of our work. Even though I have been working in this field since 2001, it often surprises me as to how little most people know about SCADA Security. I'm hoping that with some of the recent press and media focus, that we can elevate the urgency and need for enhanced security, especially for those mission-critical systems that we count on for our nation's economy and well being.