In light of President Obama's recent Executive Order on cybersecurity for critical infrastructure, security has become even more critical and most utility folks realize that utiltiies need to get very serious about it. The Cooperative Reserach Network has developed a guide on cybersecurity for utilities. And a new security standard for MultiSpeak was released in January 2013 that goes beyond secure sockets (SSL) and transport layer security (TLS) and implements message-level security.
If you haven't paid much attention to cybersecurity for utilities, a recent article about a gaping hole that would allow intruders to crash substations provides serious motivation to take cybersecurity more seriously.
A few months ago, two engineers, Adam Crain of Automatak and independent researcher Chris Sistrunk, discovered a potentially catastrophic vulnerability in the electric grid. They found that a flaw in multiple vendors' software that is used to monitor substations makes it easy for an internet intruder to disable substation monitoring and potentially cause a widespread power outage.
The engineers developed a program specifically to check for vulnerabilities in implementations of a widely-used communications protocol DNP3 that plays a crucial role in SCADA systems, where it is primarily used for communications between SCADA control centers, Remote Terminal Units (RTUs), and Intelligent Electronic Devices (IEDs). DNP3 allows remote substations to be monitored from a control center.
The first DNP3 program they targeted belonged to Triangle MicroWorks, which provides a DNP3-based data gateway for SCADA sytems. They found that Triangle was vulnerable to break in. They checked other vendors and found that they could successfully break into16 different SCADA vendors. They sent a detailed report to the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The research showed that some implementations were third-party components in other software packages. This vulnerability can be exploited remotely (over an IP-based implementation) as well as from the local system (through a serial-based implementation).
The engineers then checked other vendors and discovered that they could break into nine other vendors' systems. The vendors impacted are by what ICS-CERT calls the "DNP3 IMPROPER INPUT VALIDATION VULNERABILITY" are Alstom, IOServer, Kepware Technologies, MatrikonOPC, Schweitzer Engineering Laboratories, Software Toolbox, SUBNET Solutions Inc., and Triangle MicroWorks.
Inruders can
put either the master station or an outstation/slave into an infinite loop or Denial of Service condition by sending a specially crafted TCP packet from the master station or from an outstation on an IP-based network. If the device is connected via a serial connection, the same attack can be accomplished with physical access to the master station or outstation. The device must be shut down and restarted manually to reset the loop state. The IP-based vulnerability could be exploited remotely, but the serial-based vulnerability is not exploitable remotely. Local access to the serial-based outstation is required.
The result is that this type of attack prevents operators from seeing what is going on in substations.
It seems that this type of attack is difficult to prevent. Traditional firewalls are not designed to stop this type of intrusion because they have to let DNP3 traffic through. ICS-CERT recommends a virtual private network (VPN). Also apparenlty current cybersecurity regulations don't cover serial communications, even though serial communications are commonly used in substations especially with older equipment.
Comments