Thursday, November 19, 2009

Smarter Grid. Struggling SCADA?

In June of this year, the FBI arrested a hacker named Jesse McGraw (aka "GhostExodus") for installing malicious software on a couple of systems at a hospital in Texas. He didn't crack some protocol or breach a server, he allegedly walked around in his security guard uniform and a "hoodie" with a USB drive carrying malware. An ultimate insider.

The entire episode can be found in a very readable account at the website of the somewhat eponymously named Wesley McGrew, who actually located and identified McGraw after a relatively short period of social network mashing, Googling, and just good, old-fashioned rational thinking. ( For those of you with eye-strain from concentrating on the Smart Grid Security Blog, there is also a very good podcast interview with McGrew by Michael Farnum at An Information Security Place.)

The story has been told in multiple places, and was widely covered in local media at the time, but in doing some research today on SCADA vulnerability and exploitability, there were items in the complaint, in the write-up, and in the comments (some of them quite scathing) from the hacker's cohorts to McGrew's account of the events, that made me think of the SCADA security challenges associated with the new Smart Grid environment in some different and more urgent ways.

What Once was Old is Old Again
It is not news that components of SCADA systems can be older and have been designed for reliability and stability on mainly protected networks populated with trusted people. In discussing his motivations for researching the attacker, and for calling the authorities, McGrew cites his current doctoral research in information security, particularly in SCADA security. When he discovered that the attacker had installed botnet software on a hospital HVAC system, his level of urgency shot up. He feared that even modest corruption of that system could cause real danger to patients, at one point referring to SCADA systems of the type as a sort of "rickety ensemble" of old and new pieces, which could not be expected to withstand much tinkering.

He is not alone in this expectation. In a presentation back in 2007, delivered at HITBSecConf2007 Malaysia, called "Hacking Scada", other statements supported this fear, including the fact that ordinary anti-virus software could be expected to crash many SCADA systems due to the increased load, and that simple utlities like "ping" had been shown to bring those assets down.

As an IT person coming to utilities, I had expected vulnerability, but did not expect the real fragility in these important systems.

I was also surprised to learn that many of the front-ends ( HMI or Human-Machine Interface systems) of these newer SCADA implementations are actually created on-site. Think of it as a Do-It-Yourself graphical user interface. This is necessary, in as much as most of them are actually doing extremely custom things. The presence of different sensors, different arrangements, different control structures, demand that the interface itself be created in a way that is very much tailored to the environment that is actually going to be managed.

I learned this while researching the new importance of the internet protocol and even web-oriented interfaces, as components in the HMI interfaces of these systems. Packages actually ship with IDEs (Integrated Development Environments) containing libraries and widgets necessary to create useful, functional, and hopefully intuitive representations of the complex system of sensors, RTU's, PLC's, and more. It is not clear how seriously security is regarded in the creation of these custom interfaces, or how simple it can be to enable security controls available through the IDE's. It appears that there exist few standards and fewer tools relating to their certification.

Getting Warm in Here?
As it was with attacks and breaches in the early days of the Internet, the facts surrounding the means of identifying the actual attack and attacker are discouraging.

Based on the reporting from the hospital...which existed in's hot there...the air conditioning system had failed multiple times, and they didn't check for, or find, the remote control software on the HVAC system. Instead, a researcher hundreds of miles away had gotten an unrelated message from a hacker, did some research, and discovered from pictures of the HMI screens that the system had been corrupted.

Admittedly, information security may be relatively new to the traditional SCADA user, but there needs to be better tooling, or better integrity assurance, or just better education and awareness to make some information security analysis more standard.

IT Hacking Ignorance
It could be that the most dangerous reality of this article could be summed up in the uninformed actions of the attacker, and the reactions of others to his arrest. The malicious software that was delivered through a USB drive into an exposed USB port, was a botnet, remote control software, and the attacker was planning a "massive" denial of service attack from all of his controlled machines.

I think it is pretty clear that this guy did not know how unstable this system would become, or how important HVAC is in a hospital in Texas. Operating room environmentals, pharmaceutical storage temperatures, patient recuperation, are all intimately connected to those systems. It is literally life and death. It is hard to imagine from the descriptions of the attacker and his attack that he construed his incursion as being as dangerous as it was. Similarly, the ignorance of many of the comments on his arrest miss this entirely, presenting their view of the attack as being that he "hacked an air conditioner or something".

Whether it be in the minds of the internal resources who do not think about information security and an HVAC system, or external attackers who do not understand the complexity, seriousness, and importance of these newly interconnected SCADA systems, the fundamental disconnect on action and effect need to be made much more visible.

The reliance of SCADA-enabled systems like HVAC on their actual software, and the reliance of the utilities and customers on these SCADA systems is a connection that is becoming obvious as the Smart Grid expands the number and the exposure of these systems to all.

Images Courtesy:


No comments: