Wurldtech
The changing threat

Interestingly, the IT world appeared to experience the same shift. For example, Deloitte & Touche's 2003 Global Security Survey, examining 80 Fortune 500 financial companies, found that 90% of security breaches originate from outside the company, rather than from rogue employees [5].

Although there is no definite answer as to why this dramatic change took place in late 2001, there are a few possible explanations. First, as noted earlier, control systems have historically operated in an isolated environment where control devices typically did not communicate with outside systems. The move to integrated business communications systems and the widespread use of commercial off-the-shelf (COTS) technologies like Ethernet and TCP/IP have meant this isolation has broken down, especially since 2000, when the Y2K crisis drove a massive upgrading of many systems.

The emergence of automated non-email worm attacks, starting with Code Red on July 19, 2001, has meant that many of the intrusions have become non-directed and automated, and the control system may have become just a target of opportunity. Since control systems rarely use or allow SMTP traffic, earlier malware that used email as a vector was unlikely to penetrate the plant floor. On the other hand, protocols such as RPC and SQL are ubiquitous in control environments, giving the worms that use these vectors easy access.

This second interpretation seems to be supported by a closer look at the external incidents between 2002 and 2006, of which 78% (Fig. 4) were the result of common viruses, Trojan horses, or worms. Particularly interesting is the fact that of these 36 malware attacks, only one (a Sobig-driven incident) used SMTP as its sole propagation technique. Three worms (Slammer, Blaster, and Sasser) accounted for over 50% of the incidents and these use the SQL Server Resolution Service (UDP Port 1443), the RPC Service (TCP Port 135) and the Microsoft-DS service (TCP port 445) respectively, to propagate to new victims.
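The propagation vectors listed above are what a defender would watch for at the boundary of a control network. The following is an added example, not code from the Wurldtech article: it triages constructed flow records, counts hits per vector, separates business-to-control crossings from control-internal traffic, and flags a source that reaches several hosts on one vector port, which is the scanning pattern these worms rely on. The control-network range, the log format, the scan threshold and the port table are this example's assumptions; the SQL Server Resolution Service is listed at its standard port, UDP 1434.

```python
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed zoning for this example: the control network is 10.20.0.0/16.
CONTROL_NET = ipaddress.ip_network("10.20.0.0/16")

# Propagation vectors named in the text. The port numbers are this example's
# assumption; the SQL Server Resolution Service listens on UDP 1434 in a
# standard SQL Server 2000 install.
VECTORS = {
    ("udp", 1434): "sql-resolution",  # Slammer-style
    ("tcp", 135): "rpc",              # Blaster-style
    ("tcp", 445): "microsoft-ds",     # Sasser-style
    ("tcp", 25): "smtp",              # Sobig-style (email-borne)
}

# Two or more distinct destinations from one source on one vector port is
# treated here as propagation-like scanning; tune this for a real network.
SCAN_THRESHOLD = 2


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<iso-ts> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))


def vector_of(flow: Flow):
    """Name of the worm vector this flow matches, or None if it matches none."""
    return VECTORS.get((flow.proto, flow.dport))


def triage(lines):
    """Summarise vector hits, zone crossings and scan-like sources."""
    by_vector = Counter()
    inbound = []                # outside -> control on a vector port
    lateral = []                # control -> control on a vector port
    targets = defaultdict(set)  # (src, proto, dport) -> distinct destinations

    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        vec = vector_of(flow)
        if vec is None:
            continue                      # not a vector we track (e.g. Modbus)
        by_vector[vec] += 1
        targets[(str(flow.src), flow.proto, flow.dport)].add(flow.dst)
        src_in = flow.src in CONTROL_NET
        dst_in = flow.dst in CONTROL_NET
        if dst_in and not src_in:
            inbound.append(flow)
        elif dst_in and src_in:
            lateral.append(flow)

    spreaders = sorted(k for k, d in targets.items() if len(d) >= SCAN_THRESHOLD)
    return {"by_vector": dict(by_vector), "inbound": inbound,
            "lateral": lateral, "spreaders": spreaders}


# Constructed flow records (documentation-range addresses), not real data.
SAMPLE_LOG = """\
# ts src dst proto dport
2003-01-25T05:31:00Z 198.51.100.9 10.20.7.2 udp 1434
2003-08-12T11:02:44Z 198.51.100.44 10.20.7.3 tcp 135
2003-08-19T09:00:00Z 203.0.113.5 10.20.7.3 tcp 25
2004-05-03T02:14:07Z 192.0.2.17 10.20.4.12 tcp 445
2004-05-03T02:14:09Z 192.0.2.17 10.20.4.13 tcp 445
2004-05-03T02:15:01Z 10.20.4.12 10.20.4.30 tcp 445
2004-05-03T02:16:00Z 10.20.4.12 10.20.4.31 tcp 502
""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("hits per vector:", result["by_vector"])
    print("inbound crossings:", len(result["inbound"]),
          "lateral:", len(result["lateral"]))
    for src, proto, dport in result["spreaders"]:
        print(f"scan-like source {src} on {proto}/{dport}")
```

The "inbound" list is the policy check the text implies: any vector-port flow from outside the control zone should have been blocked at the boundary, regardless of whether a patch was deployed. The "lateral" list and the spreader heuristic cover the case where a worm is already inside and is hunting for further hosts, which is what a single unpatched machine behind a permissive firewall turns into.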

One last item worth noting is that the majority of these worm events occurred months or years after the worm was widely known in the IT world and patches were available and proven for control systems. This indicates to us a lapse in security policy rather than technology, a point we will revisit later.


Fig. 4. The percentage total of each external incident type category, 2002 to 2006
