Once in a while we find the terms SCADA systems and security breach in the same news piece. The mere coupling of these two terms is enough to send a shiver down most people's spines. SCADA (Supervisory Control and Data Acquisition) systems are the driving force behind the most basic services of modern civilization: power plants, dams, water systems and traffic control systems. Thus, in the worst case, an attack aimed at such systems can severely impair a modern nation.
The most recent incident involving security vulnerabilities in SCADA systems surfaced last week, as news broke of a worm attacking WinCC software from Siemens. Putting aside the smoke screens and the FUD spread around this story allows us to understand the true nature of "SCADA attacks" and point out the tools that would help organizations deflect them.
To begin with, the initial infection vector used an unpatched Windows operating system vulnerability. This vulnerability is weaker than most recently announced vulnerabilities, as it only allowed the attack to be launched through media physically connected to a workstation. This vulnerability allowed the attacker to execute arbitrary code on the compromised workstation. This particular attacker chose to "attack" the WinCC software. The vulnerability exploited by the attacker was actually a factory-set password to the system's database. Thus, the attack code did not actually interface with the code of the WinCC software but rather with the database server it uses. An analysis of the code shows that the attack consisted of extracting information from the database and sending it over to an attacker-controlled server. In much the same way, the attacker could have changed the password on the account in the database server, putting the system out of service, or tampered with the contents of the database, yielding unimaginable effects.
So, while "SCADA" security is an enigmatic domain, database activity monitoring and security is actually a pretty established one. It means that if we take the mystery out of SCADA security and apply component-by-component security measures, we could actually make our SCADA systems secure. In fact, by using a database firewall enterprises could have mitigated this recently described attack altogether!
This is not the first time we've discussed this approach to SCADA security and it will probably not be the last. While SCADA systems do pose a different threat profile with respect to the consequences of an attack and some unusual IT components, at the bottom line these are modern IT systems relying for their management on standard operating systems, standard commercial databases and most often a web interface. Let's use the good tools we have to protect those.
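One way to express such a database activity monitoring rule, as an added example that is not from the original post or from any vendor product. The audit record format, the account, program and host names, and the row threshold are all constructed assumptions.

```python
import csv
import io

# Constructed policy: the only client allowed to use the factory-set database account.
# Account, program and host names are placeholders, not real product values.
ALLOWED = {"scada_svc": {("hmi_runtime.exe", "hmi-ws-01")}}
BULK_ROWS = 10_000  # assumed threshold for an unusually large read

# Constructed audit records: time, account, client program, client host, statement, rows
SAMPLE_AUDIT = """\
2000-01-01T08:00:01,scada_svc,hmi_runtime.exe,hmi-ws-01,SELECT,12
2000-01-01T08:00:05,scada_svc,hmi_runtime.exe,hmi-ws-01,UPDATE,1
2000-01-01T09:13:40,scada_svc,unknown.tmp,hmi-ws-01,SELECT,48211
2000-01-01T09:13:44,scada_svc,unknown.tmp,hmi-ws-01,ALTER LOGIN,0
2000-01-01T10:02:10,scada_svc,hmi_runtime.exe,eng-laptop-7,SELECT,3
"""

def review(audit_text, allowed=ALLOWED, bulk_rows=BULK_ROWS):
    """Return (timestamp, reasons) for each record that breaks the policy."""
    alerts = []
    for ts, account, program, host, stmt, rows in csv.reader(io.StringIO(audit_text)):
        reasons = []
        # The vendor account is legitimate only from the visualization software's
        # own process and workstation; code talking to the database directly is not.
        if account in allowed and (program, host) not in allowed[account]:
            reasons.append("vendor account used by unexpected client")
        # A password change on the account would lock the real application out.
        if stmt.upper().startswith(("ALTER LOGIN", "CREATE LOGIN")):
            reasons.append("credential change on database server")
        # Large reads are the extraction step that precedes sending data out.
        if stmt.upper() == "SELECT" and int(rows) >= bulk_rows:
            reasons.append("bulk read")
        if reasons:
            alerts.append((ts, reasons))
    return alerts

if __name__ == "__main__":
    for ts, reasons in review(SAMPLE_AUDIT):
        print(ts, "; ".join(reasons))
```

A database firewall applies the same policy inline and blocks the session; the monitoring form shown here only reports it.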

Amichai
Good analysis. I am not however entirely comfortable with your "when you have a hammer everything looks like a nail" approach to threat analysis.
The Siemens WinCC software is used for visualization and interfaces with SCADA data but the vulnerability in the attack you describe has nothing to do with WinCC or SCADA - it has to do with the user keeping a default database admin password.
This is not a particularly good example of an attack on a SCADA system and certainly not a good example of typical SCADA system vulnerabilities.
To the best of my knowledge and experience with SCADA systems in process manufacturing and two large energy operators in Central Europe - the key SCADA vulnerabilities are related to the fact that the control systems are almost always connected to the company enterprise network.
The key asset is not the database but the nuclear power plant itself. This is a much bigger, much more valuable and much more strategic asset than a database.
Once an attacker gains access to the enterprise network, he will try and gain access to the SCADA control systems in order to take control of the power control systems. In an attack like this - there will be some network surveillance, enumeration and as you mentioned attempts to use default vendor passwords.
Best regards
Danny Lieberman
Danny on data security http://www.software.co.il/wordpress