Cyber watch

So says Ira Winkler, a penetration-testing consultant, who along with his team of experts took a day to set up the tools they needed then launched their attack, which paired social engineering with corrupting browsers on a power company’s desktop computers.

By the end of a full day of the attack, they had taken over several machines, giving the team the ability to hack into the control network that was overseeing power production and distribution.

Winkler says he and his team were hired by the US-based utility, which he would not name, to test the security of its network and the power grid it oversees. The company called off the test after the team took over the machines.

“We had to shut down within hours,” Winkler says, “because it was working too well already. We more than proved that they were royally screwed.”

The problem is pervasive across the power industry, he says, because of how power company networks evolved. Initially their supervisory, control and data acquisition (SCADA) networks were built as closed systems, but over time intranets and internet access have been added to the SCADA networks.

Individual desktops have internet access and access to business servers as well as the SCADA network, making the control systems subject to internet threats. “These networks aren’t enclosed anymore. They’ve been open for more than a decade,” Winkler explains.

Deep penetration

The penetration team started by tapping into distribution lists for SCADA user groups, where they harvested the e-mail addresses of people who worked for the target power company. They sent the workers an e-mail about a plan to cut their benefits and included a link to a web site where they could find out more. When employees clicked on the link, they were directed to a web server set up by Winkler and his team.

The employees’ machines displayed an error message, but the server downloaded malware that enabled the team to take command of the machines. “Then we had full system control,” Winkler says. “It was effective within minutes.”

Winkler says SCADA systems are inherently insecure because they are software running on standard operating systems on standard server hardware, making them subject to all the vulnerabilities of those systems.

Fran Howarth, principle analyst at information technology analysts Quocirca concurs. “It is a no-brainer that terrorist are going to go after utilities. You can knock out an entire economy for a serious amount of time and you can cause enormous economic damage in the process. Our research shows that utilities in the US, the UK and Germany have been waking up to this threat and are active in writing their own specific software, but elsewhere very little appears to be happening,” she says.

In the UK, RWE, Europe’s second-largest power generator, has stepped up security for the systems that control operations at its UK power stations in response to UK government guidelines for members of the critical national infrastructure. RWE bought a new network security system from Industrial Defender sits on top of the SCADA.

Growing threat

Previously, power generators ran stand alone SCADA systems but privatisation meant that, to be competitive, the firm’s energy trading systems had to link into the real-time systems used to control the generating turbines. This opened the SCADA network to threats such as viruses and hackers.

Power companies’ desire to not risk interrupting service with software upgrades that could improve security perpetuates the inherent weaknesses in utility network systems in the Middle East, says Winkler.

“I tend to think that the systems in the Middle East are inherently vulnerable based on what I’ve seen of SCADA systems elsewhere in the world. The problem is that there is no financial incentive to do anything and utilities also don’t want to acknowledge that issues need to be addressed and are hesitant to admit that problems exist.”

“If something does happen then they claim that it’s the work of some evil cyber-genius…you have knights and dragons and when bad things happen people tend to think it’s because the dragon is extremely powerful when in fact the dragon can be clueless,” he adds.

Risk assessment

Winkler believes the threat that hackers pose to utilities in the Middle East is particularly acute. “All military and intelligence agencies in the region are looking at this; I would be very disappointed if they weren’t. Looking at Dubai specifically and the UAE, Iran has a chip on its shoulder and it has a very good cyber capability. I would imagine that Iranian intelligence has a few guys trying to subvert targets of interest and that would include utilities, the power systems of radar sites and so on. Al Qaeda is also very active in using computers, so there is the potential for serious damage,” he says.

Jeff Bardin, director of risk management at security consultants EMC, believes the threat to utilities is more likely to come from a hostile state rather than from a terrorist group. “The utilities in the GCC are unlikely to be threatened by groups such as Al Qaeda as they use the internet as a tool for communication, fund-raising, stealing credit cards and recruiting, the internet is the main avenue for getting its message across. An attack on utilities would have to include quite a botnet, similar to the one Russia used earlier this year to attack the government networks in Estonia and Georgia, I don’t think any terrorist group has that capability at present,” says Bardin.
 

Winkler says power companies need to adopt SCADA software that is better tested for vulnerabilities and engineered for rapid patching when flaws are found. They also need to segment their networks so a breach from the Internet cannot reach the SCADA network.

“IT security guys tend to say that SCADA is infallible but a lot of SCADA systems are embedded with Linux or Windows 95 and this means they can’t be patched if something goes wrong. It’s a serious issue and it’s getting worse,” says Mike Smart, product manager at Secure Computing.

Utilities at risk

Secure Computing recently conducted a survey looking across all sectors in the US and in Europe.Respondents to the study were asked to indicate the state of readiness against IT threats in eight different industries.

Only the financial services sector was considered to be adequately ready to defend against attack and the utilities sector emerged as the most vulnerable target. Utilities in the Middle East are more advanced because they are newer to it. But although newer systems generally speaking have less vulnerability, it might actually increase it in many cases,” adds Smart.

Secure Computing advised critical infrastructure operators to perform ongoing vulnerability assessments, carefully monitor network automation and control systems, and share more information with each other about potential threats and cyber attacks.

Seeking solutions

Industrial Defender Security Consultants provide a range of risk assessment services to utilities, specialising in process control and SCADA system security assessment. The company has a cyber-risk mitigation technology platform designed specifically to monitor and protect both new and legacy process control and SCADA systems.

The systems are designed to passively monitor and protect without impacting the availability and reliability of the control system and network, while the company’s security analysts remotely monitor and manage over 160 process control networks across 21 countries.

Todd Nicholson, chief marketing officer of Industrial Defender, says there is growing demand for system security solutions and training in the Middle East as although the stringent compliance standards in North America are not yet present everywhere, a lot of customers are now following US standards anyway. “They don’t need the standards but they are using them as a benchmark for best practice and for training staff,” he adds.

In the MENA region, Paramount, a provider of products and services for securing the information assets of businesses, recently floated a new business division for SCADA and process control security and has signed a partnership agreement with Industrial Defender.

Paramount CEO Pramchand Kurup says: “The key criteria when protecting data networks is to ensure that it is simple to implement, that it is scaleable, that it is product network agnostic so that it can work with ABB, Siemens or whatever. Once people realise the risk then things will start moving. It’s like the chief security officer at Bank of America said: ‘I think I’m an important person because my CEO worries about nine different things every day and I’m there on at least five of them.”

“We need to evengelise,” says Kurup, “utilities in the Middle East are not in any particular hurry to install these systems and it might take some time before the message reaches them. There is a lack of awareness of the risks even though it is something that we should probably have done two years back when SCADA started to become IP based,” says Kurup.

But Kurup believes that local utilities will eventually start to recognise the need to protect their networks with utilities in Kuwait, Bahrain, Abu Dhabi, Oman and Saudi Arabia the most likely buyers of security systems.

Protecting the GCC

Dr Rocky Termanini is the Dubai-based vice president for technology at MERIT International Security Consulting of the US says: “Most of the sub-stations in the region are vulnerable because they are running older generations systems that have holes in them like Swiss cheese, such as Microsoft NT. If you can knock out a sub-station the impact will cascade and bring a major part of the utility network down for six or seven hours. The aim of a hacker is to bring about a DDOS (distributed denial of service) that could bring a sub-station to its knees. Similarly a cyber attack on water infrastructure would cause widespread panic and chaos in the UAE,” says Termanini.

“This will cause a major problem for hospitals, traffic lights, power, ATM’s, air con and cause widespread panic in the country. The UAE has a lot of jealous enemies and people are certainly going to try that,” he adds.

Termanini says he plans a series of meetings with senior government officials in the UAE to highlight the scale of the danger, “It is necessary to put an early warning predictions system in place, a national grid that is able to track penetration, as the damage from an attack could be minimised if an attack on a sub-station could trigger other satellite systems to shut down or to do something else quickly. As things stand, an attack on one substation could potentially threaten the entire network. The problem is that I don’t think anyone is really imagining what the consequences could be at the moment,” says Termanini.

Termanini says that the cost of putting an early-warning system in place could be high. “It can be done in stages but it would cost around US $3 billion for a complete early warning system to protect the energy infrastructure in the UAE.”

There is a tremendous technological stampede going on at the moment but the security has not yet caught up with it,” he adds.