Hello Everybody on the list,
Today's article on C-NET which I found interesting is
Wireless networks wide open to hackers
By Robert Lemos
Special to CNET News.com
July 12, 2001, 10:35 a.m. PT
If time permits, please visit the C-NET site and look at the article.
I have put down some points regarding problems in I&C with newer technologies.
-------------------------------------------------------------------------
MAYHEM WITH NEWER TECHNOLOGIES
MAYHEM:
This article deals with the negative aspects of some of the latest
technologies that are now available.
Why Mayhem? Why believe that things will go wrong?
Simply because we are the I&C lot. We design systems to take care of the
worst possible scenarios. We are the people who deal with alarms, trips
and other such issues in the plant that ensure that, in case something goes
wrong, the plant is put into a safe state. We ask for redundancy and TMR so
that a calamity is avoided on failure of a device. We put intrinsic
safety barriers between our inputs/outputs and the hazardous area. We lay
down procedures so that the I/P converter cannot be opened in the field
unless it is totally isolated from within the control room and MCC areas.
And because of so many other "becauses", we talk of Mayhem first before we
accept a system.
Today, in this cyber age and the eras to come, we will, in addition
to the present-day issues, have to deal with safety issues originating
outside the plant. These safety issues will also relate to cyber crimes like:
1.. Snooping to obtain our technical expertise and process
improvements.
2.. Economic attacks from competitors. Shutting down your plant at
unexpected times can make you miss "on-time deliveries" and give undue
advantage to your competition. Shutdowns can also increase your cost of
production, thereby giving the competition an edge.
3.. Economic attacks from enemies of your country.
4.. Attacks by enemies during a war, or from terrorist organizations.
Such attacks will be financed beyond your imagination. Someone can be paid
more than a million dollars for a password that works for a few hours! The
damage caused can be unimaginable: ecological damage, crippling of the whole
complex, and death and damage across the entire locality are some of the
consequences that are possible.
Wireless LAN and Mayhem.
The latest gizmo that opens your control room to attack is the
wireless LAN. Your old ISA and PCI LAN cards, which use cables, are going
to be replaced by newer cards using wireless radio technology. With these
LAN cards line of sight is not a problem. "No more cable clutter", the
advertisement reads, and shows a PC with cables hanging and another one
with no cables.
Well, you are happy that you no longer need to have cables to maintain and
that your computers talk without wires. But the same technology can be
used by well-financed crackers to connect to your system. And to top it
all, you have made their job even easier, provided they have the right
kind of radio equipment.
They do not have to spend hours decrypting your data. You are going
to be sending all the data, including passwords, challenges and other
things, from one computer to another over wireless, and all that needs to be
done is to tap this radio frequency.
Once this data is tapped, your entire system is laid bare to
the perpetrator of the crime. Once this data is analyzed, your
system can receive wireless signals from the cyber-criminal, which can be
used to do anything that the perpetrator pleases.
I doubt if you could prohibit the use of radio transmitters in your city,
and even if such a radio signal is emitted from a device, whether proof will
exist to catch the culprit.
Even if you analyzed your trip commands, you may find that it was the
operator in the system (because the culprit may use the same TCP/IP
address) who gave the command. You can trace the command, the operator
and the time with your logs and nail him, without getting a whiff of the
actual perpetrator!
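The attribution problem just described, worked through in Python as an added example (this is not part of the original post). It correlates a SCADA command log, which records only the source IP and the login, with the wireless access point's own record of which radio client held that IP at each moment. Both log formats, the tag names, the IP and the MAC addresses are constructed for illustration and belong to no real product.

```python
"""Correlating a command log with the wireless link's own records.

Added example, not from the original post: it shows why "the command came
from the operator's IP address" is weak attribution once control traffic
rides on a radio link. The two log formats, the tag names and the MAC
addresses are constructed for illustration and belong to no real product.
"""


def to_seconds(hhmmss):
    """'09:32:10' -> seconds since midnight."""
    h, m, s = (int(part) for part in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


# Constructed: operator stations as commissioned (IP -> NIC MAC address).
KNOWN_STATIONS = {"10.1.1.20": "00:a0:c9:11:22:33"}

# Constructed SCADA command log: time, source IP, login, tag, value written.
COMMAND_LOG = """\
09:14:02 10.1.1.20 oper1 P101.RUN 1
09:31:45 10.1.1.20 oper1 FV202.SP 55.0
09:32:10 10.1.1.20 oper1 P101.RUN 0
"""

# Constructed access-point association log: time, IP claimed, client MAC.
# The entry at 09:31:50 is a second radio taking over the operator's IP.
AP_LOG = """\
09:10:00 10.1.1.20 00:a0:c9:11:22:33
09:31:50 10.1.1.20 00:02:2d:aa:bb:cc
09:33:00 10.1.1.20 00:a0:c9:11:22:33
"""


def parse_commands(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            t, ip, user, tag, value = line.split()
            rows.append((to_seconds(t), ip, user, tag, value))
    return rows


def parse_associations(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            t, ip, mac = line.split()
            rows.append((to_seconds(t), ip, mac.lower()))
    return sorted(rows)


def mac_holding(assocs, ip, when):
    """Most recent client MAC seen using `ip` at or before `when`, or None."""
    current = None
    for t, assoc_ip, mac in assocs:
        if t > when:
            break
        if assoc_ip == ip:
            current = mac
    return current


def attribute(commands, assocs, known=KNOWN_STATIONS):
    """Tag every command with the radio client behind its IP at that moment
    and flag it when that client is not the commissioned station."""
    findings = []
    for t, ip, user, tag, value in commands:
        mac = mac_holding(assocs, ip, t)
        findings.append({
            "time": t, "ip": ip, "user": user, "tag": tag, "value": value,
            "mac": mac, "spoofed": mac != known.get(ip),
        })
    return findings


def suspicious_commands(command_text=COMMAND_LOG, ap_text=AP_LOG):
    """Commands that the IP-based log would pin on the operator but the
    radio link attributes to a different client."""
    findings = attribute(parse_commands(command_text), parse_associations(ap_text))
    return [f for f in findings if f["spoofed"]]


if __name__ == "__main__":
    for f in suspicious_commands():
        print(f"{f['tag']}={f['value']} at {f['time']}s: logged as {f['user']} "
              f"from {f['ip']} but sent by {f['mac']}")
```

On the constructed data the pump stop at 09:32:10 is the one command the application log would blame on oper1 but the access point attributes to a second radio. A client MAC can be forged just as an IP can, so this correlation is evidence, not proof; the point is that the control application's own log cannot answer the question the post raises, and the real defence is to keep control traffic off an unauthenticated radio link rather than to trust IP-based attribution after the fact.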
WAP and Mayhem:
Another new addition to the list of new devices is WAP-enabled devices,
which allow data to be shared by users carrying PDAs and mobile phones.
Mobile phones have been successfully tapped previously. In fact, I
believe that that was the way a famous betting scam was exposed in
India. I suppose that there is no reason why a good scanner cannot tap
the frequency within a few moments. Once the data has been tapped, then
Mayhem can be effected.
WAP Procedures?
Another thing is that PDAs, mobile phones and other WAP devices are
personal items that are generally used by multiple persons.
a.. What kind of procedures are you going to lay down to ensure that your
"WAPped" employee's child does not play with your plant while your
employee is having his morning shave in his underwear, or having a bath
without it?
b.. What procedures will protect against his wife searching for some of her
messages in his WAP device and pressing the wrong keys?
c.. If my credit card is lost and I file a complaint etc., then the
password and other things are changed and I get insurance cover
against misuse. In case your employee loses his WAP device, what are the
procedures laid down to ensure that plant access from his WAP device is
immediately disabled?
d.. What are the means to track the simple-minded person who finds it,
sees some good pictures, plays with these pictures and hands it over
to the competent authority, all with good intentions?
e.. What integrity checks are you going to put in place so that someone
does not sell his WAP device for $250,000 on a Friday night, when your
I&C engineer is out of town, and report it as lost?
f.. What tactics will ensure that it is not actually stolen from him at
a Friday evening bash?
g.. And many other such procedures that you can or cannot
think of.
Web Enabled SCADA? Anyone?
I suppose that everyone is aware of how bad security on the Internet is.
You can load the best operating system and tons of security tools, and encrypt
your data, only to find that some thirteen-year-old kid, who stumbled
into a security hole in your operating system that you are
not intelligent enough to understand even when it is explained to you, has
filled your computer with junk data!!!
You load the next patch, or let your computer guys handle this stuff. But
nevertheless, your system was open for some precious moments. That is
all that is required to cause mayhem.
Other Mayhem Scenes.
You can construct mayhem scenarios for your valves, motors and other
devices that are web-enabled or based on wireless technology.
Methods of attacks:
I&C always had its skeptics: people who wanted (and some still do want)
a PLC with a key-switch for putting it in Run mode or Program mode. To
them this is the ultimate safety feature, and once the PLC is in Run mode
it is "trusted" to do its work and no one can tamper with the user
program. Though theoretically it is possible that the logic behind the
key-switch is just checking for a binary "1" in some reserved area of
memory, which can be successfully hacked and changed, the possibility is
quite remote. Also, good designs will ensure that the main program cannot
be changed. Again, there are elaborate procedures for securing this
"key" to the PLC, so that only authorized personnel have it and it never
leaves the site.
Of late, it seems that the I&C field has been taken over by IT personnel.
Though this IT "savvyness" has helped a lot in lowering overall costs
and also made good use of popular software and utilities possible,
on the other hand reliability has often been left in the background.
I&C and IT scenarios on failure are different. Mission critical for IT
means that the web server does not fail, else several thousand people
may not be able to chat, receive mail and so on. And with the best
technologies available, recently even MSN could not provide all its
services for almost a week. For I&C, the scenario is entirely different:
economic loss, though a worry, is the least of the concerns on the list.
Now, you may wonder how that mayhem creator halfway across the world
knows your process, or what the chances are that he even knows the logic
and fail-safe procedures used in your system. The thing is that he does
not need to know all your plant specifics.
In case your PLC system can be programmed from your PC and anyone gains
access to your PC, then all he needs to do is read your configuration
files and turn on all your outputs, or a part of them, in any sequence, and
all your interlocks get bypassed. In most cases, even the "emergency
stop" would also get bypassed. Thus, in a calamity you will not even be
able to stop the system.
Most of your SCADA and DCS systems work on a database. Now, the database
for a particular system is a standard one, generally ODBC compliant or
similar. Copy the data files onto another computer, run another
copy of the application and open them. The database shows
the details of your plant: the alarm limits, the alarm messages, the
comments, the item names, the access names and so on. The very tools that
help you run the process make the system easily understandable to the
cracker. Most SCADA systems, and systems running on Windows in general,
offer DDE compatibility. The cracker can send a command consisting of item
name, access name and value from Excel directly to your device driver or
to your SCADA application. A similar procedure may be possible with OPC.
You may not even get the trip data in your logs, and may assume it to be a
system failure.
There are innumerable ways that your system can be compromised to cause
economic loss to you once access is gained to your system. The cracker
can also write a command so that he blocks several commands from your
system while allowing other ones. In other words, he can block your
"stop" command!
I&C systems, like many DCS, have FTP and telnet enabled, which makes
even glaring misuse a simple possibility.
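The two attack paths described above, reading the tag database to learn which items are physical outputs and then writing those outputs directly so that the program's interlocks never get a say, modelled in Python. This is an added example and not the post's own material: the tag export format, the tag names and the scan-cycle controller are constructed, and the controller's "force table" stands in for what a direct DDE or driver write to the output image achieves on a real system whose outputs can be forced from the engineering PC.

```python
"""Why a readable tag database plus a direct output write defeats interlocks.

Added example, not from the original post. The tag export, the tag names
and the scan-cycle controller below are constructed for illustration; the
'force table' stands in for a direct DDE/driver write to the output image.
"""
import csv
import io

# Constructed tag export of the kind a SCADA project database would yield.
TAG_EXPORT = """\
ItemName,AccessName,Type,LoAlarm,HiAlarm,Comment
T101.LEVEL,PLC1,Analog,10,90,Feed tank level (%)
P101.START,PLC1,Discrete,,,Operator start request
P101.RUN,PLC1,Output,,,Pump contactor (physical output)
ESD.ESTOP,PLC1,Discrete,,,Emergency stop pushbutton (software input)
"""


def load_tags(text):
    """ItemName -> row; this is all an attacker needs to pick targets."""
    return {row["ItemName"]: row for row in csv.DictReader(io.StringIO(text))}


def output_tags(tags):
    """Physical outputs: writing these directly bypasses the program logic."""
    return sorted(name for name, row in tags.items() if row["Type"] == "Output")


class Controller:
    """Minimal scan-cycle model. Program logic computes P101.RUN each scan
    from operator requests and interlocks; anything in the force table
    overrides the computed output, as a direct write to the output image
    does on a controller whose outputs can be forced from the PC."""

    def __init__(self):
        self.inputs = {"T101.LEVEL": 50.0, "P101.START": 0, "ESD.ESTOP": 0}
        self.outputs = {"P101.RUN": 0}
        self.forces = {}

    def scan(self):
        i = self.inputs
        level_ok = 10.0 <= i["T101.LEVEL"] <= 90.0           # interlock
        run = 1 if (i["P101.START"] and level_ok and not i["ESD.ESTOP"]) else 0
        self.outputs["P101.RUN"] = run
        self.outputs.update(self.forces)                   # forces win
        return dict(self.outputs)

    def operator_write(self, tag, value):
        """The sanctioned path: the HMI writes a request, logic decides."""
        if tag not in self.inputs:
            raise KeyError(f"{tag} is not an operator-writable tag")
        self.inputs[tag] = value

    def direct_write(self, tag, value):
        """The attacker's path: write the output image itself."""
        self.forces[tag] = value


def interlock_bypass_demo():
    """Returns the pump state at each step so the bypass is visible."""
    plc = Controller()
    plc.operator_write("P101.START", 1)
    normal = plc.scan()["P101.RUN"]                 # 1: started legitimately
    plc.operator_write("ESD.ESTOP", 1)
    after_estop = plc.scan()["P101.RUN"]            # 0: interlock trips it
    target = output_tags(load_tags(TAG_EXPORT))[0]  # 'P101.RUN' from the export
    plc.direct_write(target, 1)
    forced = plc.scan()["P101.RUN"]                 # 1: runs despite E-stop
    plc.operator_write("ESD.ESTOP", 0)
    plc.operator_write("P101.START", 0)
    stop_blocked = plc.scan()["P101.RUN"]           # 1: operator stop ignored
    return {"normal": normal, "after_estop": after_estop, "forced": forced,
            "stop_blocked": stop_blocked, "target": target}


if __name__ == "__main__":
    print(interlock_bypass_demo())
```

Note what the model does and does not cover: the E-stop it bypasses is one the controller reads as an ordinary software input. A hardwired E-stop wired into the contactor's coil circuit is untouched by anything written to the output image, which is exactly the argument for keeping safety functions in hardware or in a separate safety system rather than in the same controller that a remote PC can program.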
Your entire I&C performance is based on the way safety has been
implemented in your system. In some configurations care may have been
taken for the remotest of failures, and some may have compromised on some
features due to cost or technology constraints.
A standard is required to give you a safe means of connecting to the big
bad e-World.
Safe Connectivity for I&C systems.
All this does not mean that you cannot share data with your higher-level
systems. You can make limited use of WAP systems. The scheme below
allows you to have a safe connection to the e-World.
Divide your I&C into three Areas.
1.. The Inner Ring Devices. The devices in the inner ring do not have
WAP capability, are not web-enabled and are not wireless in nature.
2.. The Outer Ring Devices. The devices in the outer ring can have as
many features as required.
3.. The Interface Devices. The connection between the inner ring and the
outer ring is through I/O devices which are discrete and analog in
nature. Note that there is no intelligent path between the interface
device and the inner ring, though an intelligent digital path may exist
between the interface device and the outer ring devices.
INNER RING:
All the field devices that control the process should be included in the
inner ring. It is possible that, due to non-criticality, some devices could
be connected to the outer ring, but in order to have a uniform system,
avoid putting any I/O device on the outer ring. The PLCs, DCS, SCADA,
TMR and other systems used to control and ensure the safety of the plant
fall in the inner ring. In case there is an APC or database server that
is used for control, then the same can be in the inner ring.
Outer Ring Devices:
Outer ring devices can be MIS devices, or systems that interface to I&C
systems for passing data to and from ERP systems or other higher-end
systems.
You could put a couple of scanners or data loggers etc. on the outer ring
due to their non-criticality, but this could one day lead to other devices
coming into the outer ring.
Interface Devices:
Interface devices connect the inner and outer rings. One of the chief
properties of the interface devices is that they do not connect
intelligently (RS-232, RS-485, Ethernet or such communications) to
the inner ring. The connection to the inner ring is by means of analog
signals (4 to 20 mA, 1 to 5 V etc.) and discrete I/O like contacts etc.
This data is connected on the inner ring to ordinary I/O cards and processed
as per regular I/O processing. There are limits on values so that rogue
values do not enter the system.
The interface devices can connect via Ethernet or other communication to outer
ring devices; they can also be a part of the outer ring devices and do
the processing of received data.
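A software model of the interface device and the inner-ring I/O card described above, as an added example that is not part of the original post. It shows why a 4 to 20 mA loop and a relay contact make such a good boundary: however hostile the outer-ring data, the interface device can only drive a current within its hardware range, and the inner-ring card only accepts a bounded, rate-limited engineering value from it. The engineering range, the step limit and the exact fault thresholds are assumptions chosen for illustration; the thresholds follow the common NAMUR NE43 convention of treating below 3.6 mA or above 21 mA on a 4 to 20 mA loop as a fault.

```python
"""Model of the analog interface between the outer and inner rings.

Added example, not from the original post. Whatever the outer ring sends,
the interface device can only drive a current in its hardware range, and
the inner-ring I/O card only accepts a bounded, rate-limited engineering
value from it. Engineering range, step limit and fault thresholds are
assumptions chosen for illustration.
"""
import math

MA_RAIL_LO, MA_RAIL_HI = 0.0, 22.0     # what the D/A stage can physically drive
FAULT_LO, FAULT_HI = 3.6, 21.0         # NAMUR NE43 style fault bands on 4-20 mA


def outer_to_milliamps(request, eng_lo, eng_hi):
    """Interface device output stage. `request` is untrusted outer-ring data:
    a string, a dict, an absurd number. Only a current in the rail range
    leaves this function; anything unparseable drives the loop to 0 mA."""
    try:
        x = float(request)
    except (TypeError, ValueError):
        return MA_RAIL_LO
    if not math.isfinite(x):
        return MA_RAIL_LO
    ma = 4.0 + 16.0 * (x - eng_lo) / (eng_hi - eng_lo)
    return min(max(ma, MA_RAIL_LO), MA_RAIL_HI)


def inner_read(ma, eng_lo, eng_hi, last_good, max_step):
    """Inner-ring I/O card processing. Returns (value, status).
    Out-of-band currents are treated as a fault and the last good value is
    held; a value inside the band is clamped to the engineering range and
    its change per scan is limited to `max_step`."""
    if ma < FAULT_LO or ma > FAULT_HI:
        return last_good, "FAULT_HOLD"
    value = eng_lo + (eng_hi - eng_lo) * (ma - 4.0) / 16.0
    value = min(max(value, eng_lo), eng_hi)
    delta = value - last_good
    if abs(delta) > max_step:
        return last_good + math.copysign(max_step, delta), "RATE_LIMITED"
    return value, "OK"


def accept_remote_setpoint(request, last_good, eng_lo=0.0, eng_hi=100.0, max_step=5.0):
    """The whole path: outer-ring request -> 4-20 mA loop -> inner-ring value."""
    ma = outer_to_milliamps(request, eng_lo, eng_hi)
    return inner_read(ma, eng_lo, eng_hi, last_good, max_step)


def contact_from_outer(request):
    """Discrete interface: a relay contact carries one bit and nothing else.
    Only the literal boolean True closes it; strings, numbers, payloads don't."""
    return request is True


if __name__ == "__main__":
    last = 50.0
    for req in (52.0, 1e9, "DROP TABLE tags", -40, 100, float("nan")):
        value, status = accept_remote_setpoint(req, last)
        print(f"{req!r:>22} -> {value:6.2f} {status}")
```

Run as a script, a sane request of 52.0 passes through unchanged, while an absurd number, a string, a negative value and NaN all collapse to a loop fault that holds the last good setpoint, and a legitimate but sudden jump to 100 is walked in at 5 units per scan. The contact version is even simpler: there is no payload for an attacker to smuggle across one bit of dry contact, which is the property the scheme relies on.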
With such a scheme, you can connect your plant to the outside world, and
the worst-case scenario is limited to a plant trip or theft of data.
Even Internet access limits your liability to loss of data and, in some
cases, to safer trips. Again, things depend on implementation.
Anand krishnan Iyer
[email protected]
*****************************************************************
YES! You can get digests, or limit messages by topic. See
http://www.control.com/control_com/alist/ for details.
Before posting, please read http://www.control.com/control_com/alist/faq_html.
The Automation List is managed by Control.com Inc.