Electricity for Free? The Dirty Underbelly of SCADA and Smart Meters

More documents

Recommendations

Info

SCADA, how can I own thee, let me count the waysThe Operational DMZ network is the last line of defense before any traffic hits the SCADA andIndustrial Process Control systems, and in many cases, the servers, workstations, andapplications in this middle area are all authorized and trusted by the SCADA systems. Bydissecting the vulnerabilities in this level of the network, we can determine how thevulnerabilities at this level in the architecture can be exploited.Our technicians and analysts had to first filter the SCADA vulnerability dataset for only thosefound in the Operational DMZ (Security Level 3), and then assigned a classification to eachvulnerability based on the type of exploit that could be used to take advantage of thevulnerability. The classification dataset naturally fell into 16 different categories, and the resultsare disclosed in the table and chart below:Exploit Type % CountArbitrary Code Execution 3.52% 658Arbitrary File Access 3.03% 567Arbitrary File Overwrite 1.23% 230Authentication 1.08% 201Configuration 16.08% 3004Cross Site Scripting 15.04% 2809Denial Of Service 12.11% 2263Disclosure 8.07% 1508File Inclusion 0.99% 185Injection 0.80% 149Input 1.80% 336Overflow 11.45% 2139Privilege Escalation 3.50% 654Remote Code Execution 0.48% 90Remote File Inclusion 10.19% 1903SQL 10.64% 1987100.00% 18683pg [ 16 ]
The underlining systems that control and monitor the generation, transmission, and distributionof electric power are utilizing similar computer networking components and architectures asEnterprise IT networks, yet they do not receive the same level of security maintenance orlifecycle planning.These systems often are at least a year out of patch cycle, typically do not have any loggingenabled, and rarely utilize any monitoring defense techniques like IDS, network, or host eventmonitoring. This does not even touch the topics relating to the security of the field devices,which are also very fragile and can be made to crash with simple PING commands. SeeAppendix A for detailed results from the testing we did with an Ethernet-connected PLC.Now that we have exposed the dirty underbelly of the SCADA and Control Systems that governthe generation, transmission, and distribution of power, it is often a wonder why we haven’t seenmore incidents and security events with these systems. With that in mind, we next turn to thesystems that are responsible for the tracking and billing for the usage of power to answer thequestion: Electricity for Free?pg [ 17 ]
Page 1 and 2: sorryElectricity for Free?The Dirty
Page 3 and 4: IntroductionSCADA Systems control t
Page 5 and 6: Typical Generation System Diagrampg
Page 7 and 8: Typical Transmission System Diagram
Page 9 and 10: Typical Distribution System Diagram
Page 11 and 12: Our assessment approach was designe
Page 13: SCADA Vulnerability StatisticsHavin
Page 20 and 21: Appendix A - Test Results with Comm
Page 22 and 23: We used the programming software to
Page 24: Appendix C - Some Smart Meter Vendo

Electricity for Free? The Dirty Underbelly of SCADA and Smart Meters

Create successful ePaper yourself

Delete template?

Save as template?