Oct 01, 2015 By Andrey Zhuk In Blog

Insights from Black Hat and DEFCON 2015: Where are SCADA Systems in Federal Government? (Hint: Just about everywhere)

In my previous blog entry, I described the different types of attacks that can be launched against Supervisory Control and Data Acquisition (SCADA) systems, including the ways attackers can monetize a SCADA system breach. Today’s blog provides examples of SCADA systems in the U.S. federal government.

When we think of SCADA, images of smoking chemical plants and roaring power plants usually come to mind. We think “commercial sector.” In reality, however, SCADA systems are widespread throughout the federal space.

Let’s start with the physical buildings that provide office space for an illustrative federal agency. Each location will typically have building management systems, which may also include security cameras and physical security systems, fire and gas detection and suppression systems, and so on. These are now typically network-connected at some level, often all the way down to the individual sensor. This is a SCADA network. And because SCADA security was not a concern for the longest time, there are likely no robust countermeasures in place to protect the system or the network from malicious access. What’s more, many of the government’s building management systems are controlled by a third-party vendor and communicate directly over the Internet!

Another security challenge results from government mandates to reduce power consumption. One way to conserve power is to implement a smart grid, which provides a variety of operational and energy measures to condition electric power and control the production and distribution of electricity. Currently, many civilian and military installations are pushing to install and manage these mini smart grids. Additionally, some larger facilities have full-scale power generating plants (including some that are nuclear powered) that are owned and operated by the government. All of these SCADA systems provide an attack surface for a rogue hacker or nation state to exploit.

Numerous SCADA or industrial control systems also exist in places that may not be obvious at first. For example, ships have complex control systems, and often several generations of the same system coexist on one ship, because one part of the ship has been upgraded while another has not. Aircraft also carry complex control systems, although upgrades there are usually managed better. Still, this raises concern, because different generations of a system often have different security controls applied to them, which may make them a target, though probably more for an insider than for a remote attacker. However, remote communications are becoming more prevalent, which opens the door to outside attackers.

Drones are another example of a SCADA system. Drones carry control systems on board and also send SCADA communications back to ground control. With drones, we worry about malicious firmware getting into the drone as well as someone hijacking the communications link itself. Either could lead to the drone being taken over.

So what can agencies do about this? A good first step would be to implement a product like NexDefense Sophia. Sophia safely and proactively detects deviations from normal automation or systems control operations that may signify an attempt to intrude or discover systems. It then alerts defenders before an adversary can breach or harm the system. By maintaining real-time insight and control over internal and external threats, Sophia better equips security professionals to increase compliance without sacrificing productivity, optimization or performance.
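To make concrete what “detecting deviations from normal automation or systems control operations” looks like in practice, here is an added example. It is not Sophia’s code and makes no claim about how Sophia works internally; it shows the general technique of learning a baseline of which conversations (source, destination, protocol, function) occur on a control network and then alerting on anything outside that baseline, escalating when one source opens unknown conversations with several devices, which is the pattern a discovery scan produces. The host addresses, protocol function names and the flow-record format are constructed for the example.

```python
"""Learned-baseline anomaly detector for control-network traffic.

Illustrative example only (not NexDefense Sophia's code). Conversations seen
during a quiet training window become the baseline; later conversations that
fall outside it are flagged, and a source that opens unknown conversations with
several devices is escalated as a possible discovery scan.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed request on the control network."""
    src: str
    dst: str
    proto: str  # e.g. "modbus", "bacnet"
    func: str   # protocol function, e.g. "read_holding_registers"


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src,dst,proto,func' record (not a real tool's format)."""
    src, dst, proto, func = (field.strip() for field in line.split(","))
    return Flow(src, dst, proto, func)


class BaselineDetector:
    def __init__(self, scan_threshold: int = 3):
        self.allowed = set()
        self.scan_threshold = scan_threshold

    def learn(self, flows) -> None:
        """Training phase: every conversation seen becomes part of the baseline."""
        self.allowed.update(flows)

    def detect(self, flows):
        """Detection phase: return alerts for conversations outside the baseline."""
        alerts = []
        new_targets = defaultdict(set)  # source -> set of unknown destinations
        for flow in flows:
            if flow in self.allowed:
                continue
            alerts.append(("unknown_conversation", flow))
            new_targets[flow.src].add(flow.dst)
        # One source talking to many devices it never talked to before
        # is what discovery (scanning) looks like on a control network.
        for src, dsts in new_targets.items():
            if len(dsts) >= self.scan_threshold:
                alerts.append(("possible_scan", src, len(dsts)))
        return alerts


# Constructed training window: an HMI polls two PLCs over Modbus, a BMS server
# polls three controllers over BACnet, and a vendor gateway reaches the BMS
# server from the Internet (the third-party remote access described above).
TRAINING = [
    "10.0.0.10,10.0.0.21,modbus,read_holding_registers",
    "10.0.0.10,10.0.0.22,modbus,read_holding_registers",
    "10.0.0.5,10.0.0.31,bacnet,readProperty",
    "10.0.0.5,10.0.0.32,bacnet,readProperty",
    "10.0.0.5,10.0.0.33,bacnet,readProperty",
    "203.0.113.7,10.0.0.5,bacnet,readProperty",
]

# Constructed production window: normal polling, plus an unknown host probing
# device identification on several endpoints, and the HMI issuing a write it
# never issued during training.
PRODUCTION = [
    "10.0.0.10,10.0.0.21,modbus,read_holding_registers",
    "10.0.0.5,10.0.0.31,bacnet,readProperty",
    "10.0.0.99,10.0.0.21,modbus,read_device_identification",
    "10.0.0.99,10.0.0.22,modbus,read_device_identification",
    "10.0.0.99,10.0.0.31,bacnet,whoIs",
    "10.0.0.10,10.0.0.21,modbus,write_single_register",
]


def run_example():
    """Learn from TRAINING, then report what in PRODUCTION deviates from it."""
    detector = BaselineDetector(scan_threshold=3)
    detector.learn(parse_flow(line) for line in TRAINING)
    return detector.detect(parse_flow(line) for line in PRODUCTION)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Run against the constructed records, this produces four unknown-conversation alerts (three from the probing host 10.0.0.99 and one for the HMI’s never-before-seen write) and one possible-scan alert for 10.0.0.99. The point of the design is that control networks are far more regular than office networks: the same hosts exchange the same function codes on a fixed schedule, so an allowlist learned from a clean window is a workable baseline, and the training window must itself be trusted, since anything present during training is silently accepted afterwards.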

We will provide a technical deep dive into NexDefense Sophia in subsequent blogs. However, if you cannot wait, you can get more information here.