If you have been following SCADA news in the last month, you might have noticed an avalanche of reports and blogs on new security vulnerabilities in power industry equipment. So far, vulnerability disclosures for 9 products using the DNP3 protocol have been released by the ICS-CERT, with another 21 SCADA product disclosures reportedly on their way. Even the New York Times and Wired Magazine have picked up this story.
Now, more vulnerabilities in SCADA products is hardly news, so why all the fuss?
Finding Industrial Security Vulnerabilities in All the Wrong Places
All 25 vulnerabilities have been discovered by just two researchers, Adam Crain and Chris Sistrunk, using an impressive new security test tool that Adam developed under his AEGIS Project. The scary part is that Adam's tool is finding these vulnerabilities in SCADA master stations, rather than just in the RTU and IED slave devices past tools have tested.
This introduces a new world of attack possibilities against the power industry. Successfully attack an RTU in a substation and you might knock that station off line. Successfully attack a SCADA master and you can knock a whole system off line.
To make matters worse, these attacks work great over serial links, not just TCP/IP networks. Since NERC-CIP exempts serial communications from any security controls, the hundreds of millions of dollars the power industry has spent to date to secure the power grid could be for naught. Dale Peterson describes these problems well in his blog "Why the Crain-Sistrunk Vulnerabilities are a Big Deal".
The NERC-CIP Electronic Security Perimeter (ESP) is Full of Holes
Last week Darren Highfill posted a blog explaining that the situation is worse than many thought. The vulnerabilities in DNP3 masters don't even require that the attacker climb a fence:
The first place that most people have started talking about these [DNP3] devices is a substation. Too many engineers are searching for ways to make themselves feel better because there is a fence and/or a locked building keeping the bad guys out. Maybe even a camera, too… no half-way informed attacker is going to mess with a substation when they have much easier access to many more pad-mount and pole-mount devices in more remote and less noticeable locations. With no cameras.
Darren has a valid point – DNP3 communication links run into millions of physically insecure pad and pole devices around the world. Get at just one of these and you can control a much larger power system.
This scenario completely defeats NERC-CIP's vision of an Electronic Security Perimeter (ESP): a pull-up-the-drawbridge model where everything (and everyone) bad is kept out by a perfect electronic fortress. To be effective against these attacks, NERC's ESP now has to include the entire country. Like other bastion models of security that I have discussed in the past, the ESP concept is fatally flawed.
A Serious Technical Error?
Darren has done everyone a great service by drawing our attention to how easy it might be for an attacker to find a way into substation via a remote pole. Unfortunately, I believe he makes a significant technical error in his discussion, which I will discuss in my next blog article.
In the meantime, consider the fact that this is NOT just a DNP3 or a power industry problem. Any ICS protocol that uses a master/slave (aka client/server) polling scheme (i.e. 99% of them) will suffer from similar vulnerabilities in the masters (aka clients). This means that any industry that has remote assets in poorly secured locations could be vulnerable to Darren's proposed "client-side" attacks.
Think about these types of attacks the next time you drive by a sewage lift pump cabinet in a suburban neighborhood. Or when you see an oil well at the side of a prairie road. These are all potential backdoors into much larger critical infrastructures. All it will take is another well designed test tool to find those backdoors in the devices using other ICS protocols like Modbus, EtherNet/IP or PROFINET. That, plus a few people with malicious intent.
Webpage: Project Robus
Digital Bond Blog: Why Crain/Sistrunk Vulns Are A Big Deal
UtilSec Blog: Exactly Where Are All Your Field Assets, Anyway