
Protecting Critical Infrastructure: Process Control and SCADA • Chapter 6 231

This is scary; just think about war drivers, people who drive around trying to connect to open or weakly secured wireless networks. One of these environments would be the mother lode for them. They could pull up with a high-gain antenna and see all kinds of radio frequencies floating around the site. Unfortunately, they don't just want to look; they want access.

Serious attention therefore needs to be paid to securing these wireless networks. They need to be encrypted. Ideally they also employ Media Access Control (MAC) address filtering and do not hand out addresses over the Dynamic Host Configuration Protocol (DHCP), although neither measure stops a determined attacker: MAC addresses and the in-use IP range are visible in sniffed frames and can simply be copied. If even these basic controls are absent, accessing the wireless system is trivial. Once an attacker can join the network, it is fairly easy to start sniffing traffic and see the types of commands and data floating around. That knowledge allows the attacker to spoof legitimate sources and send falsified commands and data back to the Master Terminal Unit (MTU), wreaking havoc on the organization. The other consideration with wireless intruders is that they are not always trying to destroy systems: if they get onto a SCADA network without knowing what they are doing and start scanning, they can cause severe damage unwittingly, even with no malicious intent, because many field devices do not tolerate unexpected traffic.

We have looked at some of the challenges and threats out there. In the next section, we will hear from an industry expert who explains, through an interview, his experiences protecting SCADA systems.

Interview: SCADA Penetration Testing

The following interview was conducted in January 2007 with Gabriel Martinez, CISSP. Martinez is a security expert with more than 12 years in the industry providing security consulting services to nearly every vertical, including government, the Department of Defense (DoD), intelligence, healthcare, and financial services. In addition, he has experience with the power and utilities industry. He has also spoken at several conferences on the topic, including the American Gas Association. He brings numerous real-world examples that tie in with what we have been discussing thus far.

Colby: Can you tell me a little about your background as it relates to SCADA?

Gabriel: I have performed many security risk assessments for companies in the power and energy space. We would break up the assessment into several phases. First, we begin the assessment with a penetration test focused on externally exposed systems, simulating an Internet-based attack. The second phase would focus on testing from within the organization. We would test the access gained from two perspectives: someone just plugging in a laptop, and from a legitimate user. This really gave us the insider threat perspective. And finally, we would review any security policies and technical security controls in place.

In general terms, the external systems tended to be relatively secure, but on the inside it was very much a different story. We used to describe it as a hard-shell candy: hard and crunchy on the outside but soft and chewy on the inside.
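Returning to the wireless threat described before the interview (an intruder who sniffs the control network, spoofs a legitimate source to send falsified commands to the MTU, or simply scans and trips field devices), the following is an added example of the detection logic a defender would run over captured traffic. It is not code from the chapter or its interviewee. It assumes the field protocol is Modbus/TCP, which the chapter does not name, a hypothetical capture format of (source MAC, source IP, TCP payload) tuples such as a sniffer could export, and a hypothetical allowlist in which only the MTU at 10.0.0.5 may issue writes. The sample capture is constructed for the example.

```python
"""Flag falsified write commands and scan-like probing in captured Modbus/TCP frames.

Added example, not from the chapter. Assumptions (not stated by the chapter):
the field protocol is Modbus/TCP, frames arrive as (src_mac, src_ip, payload)
tuples, and AUTHORIZED_MASTERS lists the only host allowed to write.
"""
import struct
from collections import defaultdict

# Modbus function codes that change outstation state (the "falsified commands" case).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Hypothetical allowlist: IP of the MTU mapped to the MAC of its NIC.
AUTHORIZED_MASTERS = {"10.0.0.5": "00:11:22:33:44:55"}

# One source touching this many distinct unit IDs looks like device enumeration.
SCAN_UNIT_THRESHOLD = 3


def parse_modbus_tcp(payload):
    """Return (unit_id, function_code) from a Modbus/TCP frame, or None if malformed.

    MBAP header: transaction id (2), protocol id (2, always 0), length (2), unit id (1),
    followed by the PDU whose first byte is the function code.
    """
    if len(payload) < 8:
        return None
    _transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0 or length != len(payload) - 6:
        return None
    return unit_id, payload[7]


def build_frame(unit_id, function_code, data, transaction_id=1):
    """Build a Modbus/TCP frame (MBAP header + PDU); used here to construct sample traffic."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def analyze(frames):
    """Return a list of (src_ip, alert_type, detail) for the suspicious frames."""
    alerts = []
    units_seen = defaultdict(set)
    for src_mac, src_ip, payload in frames:
        parsed = parse_modbus_tcp(payload)
        if parsed is None:
            alerts.append((src_ip, "malformed", None))
            continue
        unit_id, fc = parsed
        units_seen[src_ip].add(unit_id)
        if fc in WRITE_FUNCTIONS:
            expected_mac = AUTHORIZED_MASTERS.get(src_ip)
            if expected_mac is None:
                alerts.append((src_ip, "write_from_unauthorized_host", WRITE_FUNCTIONS[fc]))
            elif expected_mac != src_mac:
                # The MTU's IP arrived from a different NIC: a spoofed source. MACs can be
                # spoofed too, so this is a tripwire for defense in depth, not a guarantee.
                alerts.append((src_ip, "write_with_spoofed_master_ip", WRITE_FUNCTIONS[fc]))
        if len(units_seen[src_ip]) == SCAN_UNIT_THRESHOLD:
            alerts.append((src_ip, "scan_like_probing", f"{SCAN_UNIT_THRESHOLD} unit ids"))
    return alerts


# Constructed capture (hypothetical addresses): the MTU polls and writes to unit 1,
# then a rogue wireless client writes under its own IP, writes while spoofing the
# MTU's IP, enumerates unit IDs, and finally sends a truncated frame.
MTU_MAC = "00:11:22:33:44:55"
ROGUE_MAC = "de:ad:be:ef:00:01"
CAPTURE = [
    (MTU_MAC, "10.0.0.5", build_frame(1, 3, b"\x00\x00\x00\x0a")),
    (MTU_MAC, "10.0.0.5", build_frame(1, 6, b"\x00\x10\x00\x01")),
    (ROGUE_MAC, "10.0.0.77", build_frame(1, 5, b"\x00\x00\xff\x00")),
    (ROGUE_MAC, "10.0.0.5", build_frame(1, 16, b"\x00\x00\x00\x01\x02\x00\x00")),
    (ROGUE_MAC, "10.0.0.77", build_frame(2, 3, b"\x00\x00\x00\x01")),
    (ROGUE_MAC, "10.0.0.77", build_frame(3, 3, b"\x00\x00\x00\x01")),
    (ROGUE_MAC, "10.0.0.77", b"\x00\x01\x00\x00"),
]

if __name__ == "__main__":
    for alert in analyze(CAPTURE):
        print(alert)
```

Run against the constructed capture, the MTU's own read and write produce nothing, while the rogue client's frames yield four alerts: a write from an unauthorized host, a write carrying the MTU's IP from the wrong MAC, a scan-like probe once three unit IDs have been touched, and a malformed frame. The IP-to-MAC check is deliberately presented as a tripwire rather than a control, for the same reason the text gives about MAC filtering: both values are readable off the air and can be copied.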
