#BSidesSF: Why SCADA security is such an uphill struggle

We've covered the troubles with SCADA security at length, but have yet to see a real consensus on how to proceed. Amol Sarwate, security research manager at Qualys, took a crack at making sense of things at BSidesSF Monday morning.

Sarwate noted that a lot of the current threats still require physical access, like tampering with meters. But an attacker who knows nothing about the full complexity of the system has no idea what the results of the vandalism will be. The same complexity also makes it hard for the good guys to see the full scope of the vandalism.

Qualys researchers spent time exploring how to attack different protocols, including Modbus. Modbus.org describes the protocol this way:

Modbus Protocol is a messaging structure developed by Modicon in 1979. It is used to establish master-slave/client-server communication between intelligent devices. It is a de facto standard, truly open and the most widely used network protocol in the industrial manufacturing environment. It has been implemented by hundreds of vendors on thousands of different devices to transfer discrete/analog I/O and register data between control devices. It's a lingua franca or common denominator between different manufacturers. One report called it the "de facto standard in multi-vendor integration". Industry analysts have reported over 7 million Modbus nodes in North America and Europe alone.

While it's a strong protocol, Sarwate said it was never designed with security in mind. 

Qualys has been working on tools that can be used to do more vigorous vulnerability testing of SCADA control systems, including an open source ScadaScan tool. The wiki Qualys set up describes it this way:

ScadaScan finds SCADA slaves in the network. The tool works on the IP range that is provided on the command line and currently supports enumeration of DNP 3 and Modbus slaves. In the Modbus mode the tool bruteforces the first unit ID (or slave ID) by sending a ‘Modbus Read Register’ message. In the DNP mode the tool sends a DNP ‘Request Link Status’ message to DNP slaves. The tool can be used to map Modbus and DNP 3 slaves in a SCADA network. The next release of ScadaScan will support scanning of SCADA Master and will have vulnerability detection capabilities for multiple SCADA Master Systems.
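As an added illustration (not ScadaScan's code and not from the article): a parser for the Modbus/TCP request format the unit-ID brute-force relies on, seen from the defender's side, plus a small detector that flags a source walking many unit IDs within a short window, which is what such an enumeration looks like on the wire. The sample traffic, IP addresses, window and threshold are constructed for the example.

```python
import struct
from collections import defaultdict, deque

# Modbus/TCP MBAP header: transaction id, protocol id (always 0), length, unit id (big-endian).
MBAP = struct.Struct(">HHHB")
FUNCTION_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode one Modbus/TCP request. Note the header carries no credential of any kind."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or MBAP length")
    fc = frame[MBAP.size]
    return {"tid": tid, "unit": unit, "fc": fc,
            "name": FUNCTION_NAMES.get(fc, f"fc 0x{fc:02x}"), "data": frame[MBAP.size + 1:]}

def detect_unit_id_sweep(events, window=10.0, threshold=8):
    """events: iterable of (timestamp, src_ip, frame). Returns the sources that
    addressed at least `threshold` distinct unit ids within `window` seconds."""
    recent = defaultdict(deque)            # src -> deque of (ts, unit)
    alerts = {}
    for ts, src, frame in sorted(events, key=lambda e: e[0]):
        try:
            unit = parse_modbus_tcp(frame)["unit"]
        except ValueError:
            continue                       # malformed frame; out of scope here
        q = recent[src]
        q.append((ts, unit))
        while q and ts - q[0][0] > window:
            q.popleft()
        units = {u for _, u in q}
        if len(units) >= threshold:
            alerts[src] = sorted(units)
    return alerts

def _read_registers(tid, unit, start=0, count=1):
    # Constructed test frame: MBAP length = unit id + function code + 4 data bytes = 6.
    return MBAP.pack(tid, 0, 6, unit) + struct.pack(">BHH", 3, start, count)

# Constructed sample traffic: an HMI polling unit 1 normally, plus one host walking unit ids 1..10.
SAMPLE_EVENTS = [(t * 1.0, "10.0.0.5", _read_registers(t, 1)) for t in range(10)]
SAMPLE_EVENTS += [(0.5 + i * 0.2, "10.0.0.99", _read_registers(100 + i, i)) for i in range(1, 11)]

if __name__ == "__main__":
    for src, units in detect_unit_id_sweep(SAMPLE_EVENTS).items():
        print(f"possible unit id enumeration from {src}: units {units}")
```

The same per-source distinct-unit-ID count can be computed from a Modbus-aware IDS or flow log; the point is that the protocol itself gives no way to tell a legitimate master from a scanner, so the pattern of requests is what has to be watched.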

Outlining other reasons SCADA security is so hard, Sarwate said:

--SCADA master networks are sometimes connected to the corporate network or the Internet.

--User authentication tends to be poor. Lack of authentication was fine in the past, but with more master networks connected to the corporate network, it has become a serious risk, he said.

--Password management leaves much to be desired.

--Patching is nonexistent. Making matters worse, he said, there is little to no guidance from control system vendors regarding the effect patches could have on their technology.

--Another problem lies within something one might consider a strength: SCADA systems are built to last for many years. That long life allows for vulnerabilities to accumulate. 

His observations are consistent with what we've been hearing from other security experts in recent months, including the problem with authentication.

Security software researcher Billy Rios, for example, recently reported an authentication bypass flaw within Siemens software used to manage industrial control and critical infrastructure systems. 

Copyright © 2012 IDG Communications, Inc.