Scared of SCADA

I was asked this week about the CIA’s announcement to a SANS Institute conference that, outside the US, “cyberattacks” have been used to extort money by threatening to (or even demonstrating an ability to) disrupt the supply of power to “multiple cities”.

Potential attacks on SCADA (Supervisory Control And Data Acquisition) systems have been a major concern in national security circles for many years, and it’s not the first time that SANS have commented on the topic. Rob Rosenberger, on the other hand, was scathing (he usually is).

Rosenberger can sometimes be accused of not letting accuracy get in the way of satire, but on this occasion he has a point. Effectively, all that’s been disclosed here is that the CIA believe that at least one unnamed country has been subjected to attacks on power facilities which they believe to have been delivered over the internet (and that could mean almost anything: we don’t have enough even to determine whether “the internet” in this case means the public internet or some other form of external connection). We don’t know where or when. We don’t know what sort of attacks. We don’t know whether they were aimed directly at SCADA systems, or at other supplementary or support systems within facilities (which are, perhaps, likelier to be directly connected to the wild and woolly internet).

Clearly, enquiring minds would like to know which countries are having these problems, and round here one or two people have wondered aloud about the UK, perhaps influenced by the UK’s highly publicized problems at present with lost sensitive data, unencrypted laptops and so on. Political alliance factors apart, SCADA security has been a preoccupation of both countries for quite a few years. There have been reports from time to time of UK law enforcement and security services being involved in developing defences against DDoS attacks and extortion demands, but those tend to be in more lucrative sectors like online gaming. In fact, even Bruce Schneier, who has a pretty good nose for “security theatre”, has made much the same point, though not in a UK context.

The trouble here is that Those In The Know are passing on a warning so generic that it reminds me of the way a virus hoax was described some years ago by (I think) Iolo Davidson on alt.comp.virus. Something like “Fire! Fire! Don’t know when, don’t know where! Fire!” This warning may be based on real events, but functionally, it doesn’t amount to any more than “Be careful out there!”

It’s not as though there isn’t some good proactive work out there. In the US, the FERC (Federal Energy Regulatory Commission) has, after some years of assessment, approved relevant security standards (the NERC CIP reliability standards), which certainly should be useful. Meanwhile, the UK security services, in the shape of the CPNI (Centre for the Protection of National Infrastructure), have for a good while been publishing good practice guides on process control security, firewall deployment and so on for SCADA environments. A large part of their job is to help protect the Critical National Infrastructure by providing information and other services to the agencies and companies who own and maintain it. We could, of course, debate how _successfully_ they do that job, but that’s as much about politics as it is about technology.

A tip of the hat here to Davey Winder, who indirectly started me thinking about this topic. He has a piece on related topics coming out in his ‘Real World Computing – Security’ column in PC Pro issue 163, which is due out at the end of February or beginning of March. I don’t know what he’s going to say, but I expect it to be worth reading. 🙂