This type of testing is not a comfortable subject to broach with our transportation clients. There are still many top operations officers in this industry who balk at the notion of forming a close partnership with IT to protect critical infrastructure. The simple truth, however, is that with the advances in networking and especially wireless technology over the last few years, combined with the faster pace of communications and increasing sophistication of terrorist attacks, the transportation industry has more to lose than other industries in case of an attack or failure in their systems. This is because we are very dependent on transportation to move people, food, supplies, and other important things which keep businesses and individuals up and running in the day to day world.
The elements of this test are very straightforward, and all steps must be included in every test to provide the best read-out on how prepared the client organization is for each kind of emergency.
External Testing. This testing is done in two ways: without information provided by the client and with it. The goal is to determine what information an attacker can find out about the client systems using only publicly available information over the Internet. This part of the assessment also looks for any references to the client SCADA network or infrastructure on the Internet.
Testing via War Dialing of Dial-Up Access Provided by the Client. The objective here is to determine what an attacker could discover and connect to among client systems reachable through dial-up modem banks or individual modems that have been in use in the recent past.
Accessibility of the SCADA System from the Corporate IT Department. Here the attempt is made to gain access to the SCADA environment from the Corporate IT environment.
Internal SCADA Testing. During this stage SCADA traffic is captured, and the firewall, router, and switch configurations are analyzed. Workstation and server hardening is then assessed by manually logging into VMS workstations. Finally, interviews are conducted with key SCADA system administrators and security policies are analyzed. The interviews determine how SCADA data is linked back to the enterprise systems, how SCADA information is shared with enterprise IT and other third-party networks, and what remote access to the SCADA system exists; from there the testers dig deeper into any VPN concentrators, RAS, or modem banks that may be in use for remote access to the SCADA system from the enterprise IT environment or from home.
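The traffic-capture step above is where a tester (or the operator's own monitoring team) first sees which hosts are actually issuing commands to field devices. The following is an added example, not code from the article or from The Saturn Partners: it parses a few constructed Modbus/TCP frames of the kind one would pull from such a capture, validates the MBAP header, and flags write requests that originate from outside an assumed control-room subnet (the address plan, the frames, and the choice of "write" function codes are all assumptions made for the example).

```python
"""Review captured Modbus/TCP frames and flag state-changing requests that
did not come from the control-room network.  Added example; frames and
address ranges are constructed for illustration."""
import ipaddress
import struct
from typing import List, NamedTuple, Tuple

# Modbus function codes that change device state.  Assumption: during the
# assessment only control-room hosts are expected to issue these.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

# Constructed address plan: control room vs. everything else (e.g. corporate IT).
CONTROL_ROOM = ipaddress.ip_network("10.50.1.0/24")


class Frame(NamedTuple):
    src: str
    dst: str
    payload: bytes  # MBAP header (7 bytes) followed by the Modbus PDU


def parse_mbap(payload: bytes) -> Tuple[int, int, int, bytes]:
    """Validate the MBAP header and return (transaction_id, unit_id, function_code, data)."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not 0 (Modbus)")
    # The length field counts unit id + function code + data.
    if length != len(payload) - 6:
        raise ValueError("length field does not match frame size")
    return tid, unit, payload[7], payload[8:]


def audit(frames: List[Frame]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, description) for every frame a reviewer should look at."""
    findings = []
    for f in frames:
        try:
            _tid, unit, func, _data = parse_mbap(f.payload)
        except ValueError as err:
            findings.append((f.src, f.dst, f"malformed frame: {err}"))
            continue
        if func in WRITE_FUNCTIONS and ipaddress.ip_address(f.src) not in CONTROL_ROOM:
            findings.append((f.src, f.dst,
                             f"{WRITE_FUNCTIONS[func]} (fc {func}) to unit {unit} "
                             f"from outside the control room"))
    return findings


def build_frame(tid: int, unit: int, func: int, data: bytes) -> bytes:
    """Construct a well-formed Modbus/TCP request (used only to build sample input)."""
    return struct.pack(">HHHB", tid, 0, len(data) + 2, unit) + bytes([func]) + data


# Constructed sample capture: two control-room requests, one write from a
# corporate-IT address, and one frame with a bad length field.
SAMPLE_FRAMES = [
    Frame("10.50.1.10", "10.50.2.20", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),
    Frame("10.50.1.10", "10.50.2.20", build_frame(2, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x01")),
    Frame("10.20.5.7", "10.50.2.20", build_frame(3, 1, 6, struct.pack(">HH", 100, 1))),
    Frame("10.50.1.11", "10.50.2.21", b"\x00\x04\x00\x00\x00\x09\x01\x03\x00\x00\x00\x0a"),
]

if __name__ == "__main__":
    for src, dst, why in audit(SAMPLE_FRAMES):
        print(f"{src} -> {dst}: {why}")
```

In a real engagement the frames would come from the capture file rather than being built inline; the point of the check is that a write command from a corporate-IT address is exactly the kind of finding the corporate-to-SCADA accessibility step is meant to surface.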
Host Operating System Security. This is examined, and configuration information is collected from each type of operating system in use within the SCADA environment in order to get a sample set that indicates how the rest of the workstations and servers are likely configured. Once the testers are offsite, this configuration information is compared against a baseline to determine missing patches, insecure default operating system settings, and any other potential weaknesses, in order to further harden the workstations and servers.
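The offsite comparison described above is essentially a diff of collected host settings against a hardening baseline. The following is an added example, not code from the article or from The Saturn Partners: it takes a constructed JSON sample of the kind of data collected per host, checks it against an assumed baseline of required patches and setting values, and reports missing patches, insecure settings, and settings that were never collected (all patch identifiers, hostnames, and baseline values are constructed placeholders).

```python
"""Compare collected host configuration samples against a hardening baseline.
Added example; the baseline and the host data are constructed placeholders."""
import json
from collections import defaultdict
from typing import Dict, List

# Assumed baseline: patch identifiers are placeholders, not real vendor ids.
REQUIRED_PATCHES = {
    "windows": {"PATCH-W-001", "PATCH-W-002"},
    "vms": {"PATCH-V-001"},
}

# Each check is (predicate on the collected value, finding text if it fails).
HARDENING_CHECKS = {
    "telnet_service": (lambda v: v == "disabled", "Telnet service enabled"),
    "guest_account": (lambda v: v == "disabled", "guest account enabled"),
    "snmp_community": (lambda v: v not in {"public", "private"},
                       "default SNMP community string in use"),
    "min_password_length": (lambda v: isinstance(v, int) and v >= 8,
                            "password minimum length below 8"),
}

# Constructed sample of what the onsite collection might produce.
COLLECTED_HOSTS = json.dumps([
    {"host": "hmi-01", "os": "windows",
     "patches": ["PATCH-W-001"],
     "settings": {"telnet_service": "enabled", "guest_account": "disabled",
                  "snmp_community": "tx-ops-ro", "min_password_length": 12}},
    {"host": "hist-02", "os": "windows",
     "patches": ["PATCH-W-001", "PATCH-W-002"],
     "settings": {"telnet_service": "disabled", "guest_account": "disabled",
                  "snmp_community": "tx-ops-ro", "min_password_length": 10}},
    {"host": "plc-gw", "os": "vms",
     "patches": [],
     "settings": {"telnet_service": "disabled", "guest_account": "disabled",
                  "snmp_community": "public"}},
])


def assess(hosts_json: str) -> Dict[str, List[str]]:
    """Return {hostname: [finding, ...]} for every collected host."""
    report: Dict[str, List[str]] = {}
    for host in json.loads(hosts_json):
        findings = []
        missing = REQUIRED_PATCHES.get(host["os"], set()) - set(host.get("patches", []))
        for patch in sorted(missing):
            findings.append(f"missing patch {patch}")
        settings = host.get("settings", {})
        for key, (ok, text) in HARDENING_CHECKS.items():
            if key not in settings:
                findings.append(f"setting {key} not collected")
            elif not ok(settings[key]):
                findings.append(text)
        report[host["host"]] = findings
    return report


def summarize_by_os(hosts_json: str) -> Dict[str, int]:
    """Count findings per operating system type, since the sample set stands in for the fleet."""
    counts: Dict[str, int] = defaultdict(int)
    hosts = {h["host"]: h["os"] for h in json.loads(hosts_json)}
    for name, findings in assess(hosts_json).items():
        counts[hosts[name]] += len(findings)
    return dict(counts)


if __name__ == "__main__":
    for name, findings in assess(COLLECTED_HOSTS).items():
        print(name, "->", findings or ["no findings"])
    print(summarize_by_os(COLLECTED_HOSTS))
```

Reporting a setting as "not collected" rather than silently passing it matters here: a host that was sampled incompletely would otherwise look cleaner than the rest of the fleet it is supposed to represent.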
Tools are used to discover potential vulnerabilities by scanning at the network, host, or application layer. Once these are identified, the testers attempt exploits on comparable test or development systems in an effort to gain full control of the system. Screen shots of each part of this process are provided to show staff that these exploits have been performed. If successful, the tester will attempt to gain administrator or root privileges and thus full control of the system.
Physical locations are also assessed for this test, in addition to the assessment of the entire perimeter of the client network.
Running Multiple Tests. Tests will be done on any other end devices available in the development environment to determine the failure points at which each device ceases to function. Multiple Denial of Service attacks and session hijacking attempts will be made to discover whether the communications protocol between the control room and these end devices is vulnerable to DoS, session injection, or hijacking.
Once the final report stage is reached, we summarize the intent of the assessment in accordance with industry best-practice definitions and guidelines. The objective of the assessment process is to assess all systems in accordance with the developed methodology and current standards and to discover and document all security-related vulnerabilities in the SCADA system in place for the client. Finally, the overall intent is to document security-related mitigation strategies that are feasible and sound.
In summary, we have seen an increase in concern in the transportation industry about attacks on these systems and a lack of information on how to prepare. Speaking with our federal government clients, we find a great deal of interest in cybersecurity to prevent terrorism, but an unwillingness to commit to these tests, even though attention is being paid to overall protection of the network environment. But whether you are a transportation or utilities organization, you cannot afford to gloss over the importance of running regular SCADA testing to see how sound your infrastructure is at all levels and in all departments. There is nothing like being on the front lines to see the real risks and dangerous vulnerabilities that these tests find. Getting top officers on board to back this initiative is crucial, as they have a great deal to lose if infrastructure fails.
About the Author
Carole Crawford is CEO/President of The Saturn Partners, Inc., a company specializing in all forms of network and environmental security testing, policy development, and compliance assistance for clients in the public and private arenas. The company site can be found at www.saturnpartners.com; Carole's email is cacrawf@saturnpartners.com.