SCADA: Air Gaps Do Not Exist

Monday, September 26, 2011

Craig S Wright


Since releasing a rebuttal concerning the nature of SCADA systems over the weekend, I have received a good deal of contacts offering me logs and other proof of how the SCADA systems they are running and trying to secure are hopelessly breached.

This is not something I did not already know, but the number of people willing to risk their careers to say this did astound me.

It seems that there are many people who are not happy with the security stance being taken within their organisations around SCADA hosts. I have attached a few quotes from a couple of emails below.

  • “it's more dumb luck that nothing has happened and been publicised as of yet.”
  • “It's not until these companies push back on the vendors and say that we need to patch systems, install AV, and do the very basic of security that it's going to happen. These vendors have everyone by the balls and aren't holding up their end .. It's like living in the 80's with these guys”
  • “Often it's the Sr mgrs that insist on access and create the hole - for the cool factor of monitoring ops from home”
  • “We need the ADSL link as we cannot access the PLC out of hours otherwise. Management thinks it is secure as it is just a home user account and not connected to the organisation officialsly.” [sic] [1]

Right now, my role is to evangelise security and teach, educate and make aware with a little time for some research thrown in. This is the tip of things and we will have a large push in just a few weeks at Charles Sturt University in security research and training where we are expanding an applied research based doctoral program in information security.

I am saying more than I am allowed to here already before the launch on the 7th of October, but we are expanding such that we will have over 100 doctoral students in information security and digital forensics at the school.

So, further in the nature of getting myself into trouble, I have decided to write a little personal anecdote. As anybody who has read my posts and more will quickly determine, I am outspoken and at times far from diplomatic, but these are never the things that had me in trouble the most.

It was usually silly things that I should have shut up about if I really cared for my career more than security that are the bane of my life. I do not usually wear a watch, but in this tale, I had one on. It was an interesting watch: it had a Bluetooth mobile and a 512MB USB hard drive but looked just like a normal everyday watch.

A ways back, I was contracting through a company I owned with CSC and DFAT. Fun stuff such as “Advice on Information Technology Security”. That much is public information and that is about as far as it needs to be said and is as far as I will say, as it is not at all important here.

Well, to the story: I was working in a data centre and comms centre in Forrest. One of the fun places that have the blue cables in gas-filled tubes and have loads of copper throughout so as to create a Faraday cage to DSD Tempest specs.

I did the normal stuff and wasted the normal long amount of time getting in through the man-trap and having the scanner go off many times as they are too sensitive. Side note, I have several chunks of metal in me that are now “me” due to the collection of broken bones I have accrued in the years I have walked this earth.

I did the pat-down and wondered just how friendly the guard was getting. They took my phone, issued me with a laptop to work on (as I could not take my own in) and gave me the general spiel of how and what for the location I was working in that week. Basic things that I knew already like “if the person has more tinsel than a Christmas tree, do not bother him, just agree”.

Well, the watch was left on and I forgot it. Completely by accident, but it was on all day as I was left alone in a data centre hosting A*** data for a number of 4 letter agencies. Here in Oz we have 4 letter agency names to demonstrate that we are good.

I did a full day playing with a number of Unix and VMS systems (real Unix and not Linux) and finished up. I did the pat-down, left and was in a meeting room outside the secure area doing a debrief on what we had configured etc. when I was dumb enough to pipe up and say…

“Oh, I forgot to say my watch has a hard drive in it…”

Shite, fan… I need not say too much.

I was still in my 20’s at this point, young and stupid (stupider than now even). I managed to spend a couple hours with a few people who did not seem really happy. I personally think it was too much starch in their laundry.

If I was smart, I would have shut up at that point and it would have passed. But being a 20-something at the time, after being told that I could not take a drive into this facility and that if I had left with it and not been stopped (so much for saying I had it) it would have been a felony, I was dumb enough to say, “what is the big deal? I can just send and receive data over the Net.”

The response was normal… “Don’t be daft kid, we are air gapped. Nothing goes in or out.” Now, if you ever want to see a Brigadier go funny colours just say what I did…

“How do you think I got the firmware updates? We just made an SSH tunnel over TCP 53 and proxied HTTP to the Sun website.” Then there was a gap as this was explained in detail, all the time the colours on the faces were amazing.

Not naming names here, nor will I even when plied with drink, but basically, some of the CSC guys I worked with also did the Telstra tower and worked in TS and general systems. They needed to manage these and the budget only allowed them to do so much.

So, they had implemented TCP 53 outgoing from anything on the firewall. All the auditors missed this. It was simply DNS and so nothing was ever noted in a single report.
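The reason the auditors missed that rule is that "port 53 outbound" reads as DNS on paper, and nobody looked at what the sessions on it actually looked like. A tunnel on TCP/53 leaves a very different footprint from a DNS lookup: it goes to a host that is not one of the site's resolvers, it stays open for minutes or hours, and it moves far more than a few kilobytes. The script below is an added example (it is not from the original post and not anything the author or CSC ran) that applies those three checks to a constructed, simplified connection log; the log format, the approved-resolver list and the thresholds are all assumptions to be tuned per site. Legitimate DNS over TCP (large responses, zone transfers to a known secondary) will be short or go to an approved address, so it passes, while a long, fat TCP/53 session to an outside host is flagged.

```python
"""Flag outbound TCP/53 sessions that do not look like DNS.

Added example, not code from the original post. The input is a
constructed, simplified connection log (one whitespace-separated record
per session), loosely inspired by a Zeek-style conn log but NOT that
format.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical approved resolvers for this site (assumption). Anything
# else on port 53 should at least be questioned.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Heuristic thresholds (assumptions, tune per site). A DNS query over TCP
# is short and small; a tunnel is neither.
MAX_DURATION_SECONDS = 30.0
MAX_BYTES = 64 * 1024


@dataclass
class Session:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    duration: float
    orig_bytes: int
    resp_bytes: int


def parse_line(line: str) -> Session:
    """Parse one record: ts src dst dport proto duration orig_bytes resp_bytes."""
    ts, src, dst, dport, proto, dur, ob, rb = line.split()
    return Session(ts, src, dst, int(dport), proto, float(dur), int(ob), int(rb))


def suspicious_reasons(s: Session) -> List[str]:
    """Return why a TCP/53 session looks tunnelled (empty list = looks like DNS)."""
    if s.dport != 53 or s.proto != "tcp":
        return []
    reasons = []
    if s.dst not in APPROVED_RESOLVERS:
        reasons.append("destination is not an approved resolver")
    if s.duration > MAX_DURATION_SECONDS:
        reasons.append(f"session lasted {s.duration:.0f}s")
    total = s.orig_bytes + s.resp_bytes
    if total > MAX_BYTES:
        reasons.append(f"moved {total} bytes")
    return reasons


def audit(log_lines) -> List[Tuple[str, str, str, List[str]]]:
    """Return (ts, src, dst, reasons) for every flagged session in the log."""
    findings = []
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and the header comment
        s = parse_line(line)
        reasons = suspicious_reasons(s)
        if reasons:
            findings.append((s.ts, s.src, s.dst, reasons))
    return findings


# Constructed sample log: three ordinary lookups, one long, heavy TCP/53
# session to an outside address (the shape a tunnel on port 53 leaves),
# and one unrelated HTTPS session that the port filter ignores.
SAMPLE_LOG = """\
# ts src dst dport proto duration orig_bytes resp_bytes
2011-09-26T09:00:01 10.0.5.20 10.0.0.53 53 udp 0.02 64 180
2011-09-26T09:00:03 10.0.5.21 10.0.0.53 53 tcp 0.15 120 2900
2011-09-26T09:00:09 10.0.5.22 10.0.0.53 53 udp 0.01 58 142
2011-09-26T09:01:00 10.0.5.30 203.0.113.7 53 tcp 5400.0 184320 3981312
2011-09-26T09:05:00 10.0.5.30 203.0.113.7 443 tcp 12.0 4000 90000
"""

if __name__ == "__main__":
    for ts, src, dst, reasons in audit(SAMPLE_LOG.splitlines()):
        print(f"{ts} {src} -> {dst}:53/tcp: " + "; ".join(reasons))
```

Run as-is it reports the single 203.0.113.7 session with all three reasons. The same three questions (where does it go, how long does it stay up, how much does it carry) are worth asking of any "it's only DNS" or "it's only NTP" rule on a SCADA perimeter, and a tighter firewall policy that only permits port 53 to the approved resolvers removes most of the problem before detection has to catch it.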

So, now that I have said as much as I can to make this clear, and though in some ways I have said too much and can expect to end up berated yet again, I will say there are no air-gapped systems.

  • Air gaps do not work.
  • Data diodes do not work.
  • If you are placing your trust in this, you are already done.

Even in TS cleared Faraday controlled bases with no links, there are links. I have seen so many kludges connecting SIPPER and NIPPER networks in the US it is not funny, and they have links to us here in Oz as well.

So, the things we do to try and ruin our careers.

In this anecdote from my past, I was in a TS datacentre and I still managed to become a potential data leak. In real systems that control critical infrastructure, the computers are run by corporations for the most part and the SCADA and PLC engineers are not trained in security (barring the rare exception).

They care that their systems are available, but are afraid that patching will break them (and at times this does occur as many SCADA systems only support obsolete versions of operating systems).

Unfortunately, many of these engineers also have late night calls concerning the systems that they manage and the VPNs provided do not allow access to the SCADA systems. The answer: create a back-door. We can hide in the notion that people would not do this, but they will and do.

If we want to start securing systems, we need to start with the people. The human factor is not one that we can simply engineer into how we believe people should be. To make a system secure, we need to work with people, to understand their needs and provide them a safe way to do their jobs. If we do not do this and see security as a function of stopping access, people will simply continue to bypass our controls and we all lose.

In my days, I have managed to break many systems. No matter how good a pen-tester you think you are or how good a security person you are, your testing will end up breaking something one day. I have managed to take core banking applications offline for a day using just an nmap scan. The issue here is not that the system is frail and should not be scanned. It is not that it should not be tested. The issue is that a system that cannot even be scanned is critically vulnerable to attack.

If we stop security professionals from testing systems correctly, all we do is to have insecure systems. We need to ask, “what happens when a hostile threat breaches the network perimeter?” SCADA systems are connected now. Soon, with IPv6, everything will be connected. Air-gaps are not a solution.

Then, at least unlike Stephen Northcutt, I never managed to take down a battle ship. Maybe he can write about how he “broke” a naval battleship-control system. But that is a story he would have to tell…

Now, back to the point.

Mr. Terban has again missed the point and is running about stating that if it has not occurred, it will not occur. He has said, “in order to have the “mass casualties” scenario he is crying about, the Stuxnet variants would have to be as varied as the number of makers of PLC systems out there. Just as the actual payload file to make a fire sale scenario happen would geometrically increase to have to become its own form of bloatware.”

Well, a number of years ago a rail organisation I was working for was infected by a worm. Luckily, the propagation rate was too high and it broke a few connections, or it would not have been detected. The worm also added a RAT (remote access Trojan) to the systems it infected.

Nothing special such as Stuxnet was required and if the worm’s developers had been a little less aggressive in the scanning side of the worm, they could have remained undetected.

“Rail Vehicle Detection” is a rather critical part of a transport system. In fact, to take a quote from the engineering safety documents for this organisation “trains proceed solely on the authority of signal indications.”

Personally, I believe that a passenger train IS of concern. I see the possibility of derailing or colliding a train running at peak hour as a mass casualty scenario. In order to have mass casualties, the worm simply needs to target a single system. More importantly, it does not NEED to be completely automated as Stuxnet was. Stuxnet was a special example as this needed to have extremely fine control of systems.

There are a multitude of systems that simply need to be crashed, not controlled using an automated tool without human interaction. A human with control of a RAT does not need to write a variant for each system. They simply need to take control of the underlying operating system.

Lucky for the rail organisation, the RAT was simply designed to steal information and they made an error in how quickly it would propagate. It does not take too much thought to imagine what it would have been capable of. Right now, what we are saying is that people would not create such a tool.

That people would not think of dropping a signal and derailing a train. Really! We have already seen what people are capable of in the last decades. Why should we think that crashing a signalling device is unlikely? Does this even require a terrorist in the traditional sense?

The specifications for the signalling inputs to the Telemetry field stations are all available online. These are all public. Scenario: some young clueless idiot with computer skills and far too many Marvel comics thinks the idea of being a super villain is cool. Why is the idea of a cracker with no life and a grudge against society even a difficult concept to understand?

So, I guess it comes down to what we are classifying as mass effects? Mr. Terban has one idea that seems to mean meltdown and Chernobyl and not much less. For me, derailing a morning rush hour commuter train is mass effect. Add to that the chaos when passengers lose trust in the system and there are mass effects.

Has this occurred yet? Thank God, no. Why? Not because the systems are secure, but as a matter of pure luck. Yes, society will survive and recover from any incident. In NZ, they lost power for a week a few years back, city wide. That did not collapse the country, but it did cost lives.

About the Author:

Craig Wright is the VP of GICSR in Australia. He holds both the GSE, GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous post graduate degrees including an LLM specialising in international commercial law and ecommerce law, a Master's degree in mathematical statistics from Newcastle, as well as working on his 4th IT focused Master's degree (Masters in System Development) from Charles Sturt University where he lectures subjects in a Master's degree in digital forensics. He is writing his second doctorate, a PhD on the quantification of information system risk at CSU.

[1] spelling as in the email received.

Krypt3ia:

Three points:

1) So much for "responsible disclosure"
2) DSS should be knocking at your door soon
3) You are only creating yourself and these topics target vectors (nice job)

You seem to be enjoying the attention, but at what cost? Are you the new Wikileaks? Any kind of access you may have now, you are likely about to lose.