RCMP 2010

Insight into the SCADASEC Community: Tales from the Trenches


DESCRIPTION

A presentation on current information-sharing and collaboration issues within the SCADA/control systems community, and on some of the challenges (and advantages) encountered since the SCADASEC list's inception in 2008.

TRANSCRIPT

Page 1: RCMP 2010

Insight into the SCADASEC Community: Tales from the Trenches

Royal Canadian Mounted Police / Public Safety / Emergency Management
Protecting Canada's Critical Infrastructure
2010 Control Systems Security Workshop
Thursday, April 15, 2010

Bob Radvanovsky, CIFI, CISM, CIPS
[email protected]

Creative Commons License v3.0.

Page 2: RCMP 2010

What is Infracritical?

• Started as a ‘grassroots’ / basement company (quite literally)
  – Data center is located within the basement of its principal founder.
  – Consists of a strategic thinker, an OPSEC professional, and an engineer.

• Focus is on strategic ‘future-thought’, including research on CIP and homeland security
  – Includes SCADA security, user awareness, and education.

• Clearinghouse for individuals to research ideas regarding CIP and homeland security issues / topics
  – Outcomes are whitepapers, journals, books, etc.

• Purpose is to create a stable / open environment for information sharing and research, as well as to provide resources for independent researchers

Page 3: RCMP 2010

What is the SCADASEC mailing list?

• Incepted Wednesday, February 6, 2008

• Started based on the need to share information about ‘industrial control systems’ security
  – At the time the list was created, nothing publicly existed.

• Started as a ‘grassroots’ group consisting of several individuals from the IT and control systems communities

• Not formally created (not incorporated – not yet)
  – Currently working on formally creating SCADASEC.

Page 4: RCMP 2010

What is the Mission of the SCADASEC mailing list?

• To discuss and formulate ideas, concepts and theories regarding the security of critical infrastructures and industrial control systems, and what impact(s) may result from their disruption

• Discussions are strategic in nature (non-specific)

• Discussions are non-commercial – no advertising

• Some discussions are considered “Minus-1 Day” (1)

1. Discussions on SCADASEC have led to “Zero Day” vulnerabilities being found in several ICS architectures.

Page 5: RCMP 2010

SCADASEC as an Intelligence Resource

• Provides email distribution in non-digested and digested modes (digested mode once per day)

• RSS feeds available for the top 30 daily discussions from the digested distribution

• RSS feeds taken from other sources are incorporated into daily (once per day) RSS “feed blasts” (similar discussions elsewhere about SCADA)

• Email discussions are archived locally and available for further research

• Search engine available to the general public (Google engine)

Page 6: RCMP 2010

Search Engine Capabilities of the SCADASEC list

• Search engine is built on the same server as the mailing list

• URL: http://mlsearch.infracritical.com

Page 7: RCMP 2010

The example here is a search on the keyword “brazil”; there were heated debates about the recent Brazilian power outage in late 2009.

Page 8: RCMP 2010

Challenges Encountered on the SCADASEC List

• Cultural, social and philosophical diversities pose a challenge between those from the Information Technology and the SCADA / Industrial Control Systems security communities

• Informal “cease fire” reached between factions; both sides still passionate about their positions (“we’re right; the other side is wrong”)

• Constantly play “referee” between factions (and certain members)

• SCADASEC is considered a “No Man’s Land” – a safe haven / sanctuary to openly discuss and debate various topics

Page 9: RCMP 2010

Policies of the SCADASEC list

• SCADASEC is non-commercial – no advertising

• SCADASEC is non-classified – no classified and/or CUI/FOUO information

• SCADASEC is neutral and unbiased

• SCADASEC is international – critical infrastructures/control systems are used throughout the World, not just the U.S. or Canada

• Everyone has a fair chance at discussing/debating their concepts or theories (some more than others), as long as they “play nice”

Page 10: RCMP 2010

SCADASEC is Non-Commercial

• Most of the participants are representing themselves as individuals (partially for legal reasons); keep it fair, keep it real…

• Discussions can carry company signatures (some are more verbose than others), but try to keep signatures as short as possible

• The ONLY advertisements allowed are for conferences and/or educational workshops (includes book announcements, too)

• Notifiers are allowed to post ONE posting for their conference

• Notifiers are allowed to post ONE UPDATE – that’s it!

Page 11: RCMP 2010

SCADASEC is Non-Classified

• Everything discussed on SCADASEC is “open source”; meaning, all information is “OSINT” and is publicly obtainable (via Google)

• NO sensitive information (U.S. “Controlled Unclassified Information”) allowed whatsoever; any such information found is censured

• NO intelligence information (U.S. “For Official Use Only”) allowed whatsoever; one incident involved a posting discussing documents obtained through a security flaw on the U.S. WaterISAC web site; the incident was contained and censured, and authorities were notified

• NO corporate intellectual property and/or confidential information allowed whatsoever; any such information found is censured

Page 12: RCMP 2010

SCADASEC is Neutral and Unbiased

• Certain individuals feel that SCADASEC is their personal mailing list for their specific agendas; unless they are paying Infracritical, it is for everyone, not just one individual

• Everyone is entitled to their opinion

• No one person is right – or wrong; in most circumstances or scenarios presented, there is no one right answer or solution

• Neither the owner, nor the moderators, have any strongly biased opinions on any of the topics presented or discussed

• No slander, no name-calling – play nice – or find another “sandbox”

Page 13: RCMP 2010

SCADASEC is International

• SCADASEC has representation from most major countries:
  – U.S., Canada, U.K., Australia, New Zealand, Japan, Brazil, Germany, Italy, France, Argentina, Singapore, Hong Kong, Malaysia

• SCADASEC has representation from the following sectors:
  – Energy, Transportation, Water/Wastewater, Food/Agriculture, Emergency Management, Government, Critical Manufacturing

• SCADASEC has representation from many military, intelligence and federal/national law enforcement groups (not named - *shhhh*)

• SCADA security, like Critical Infrastructure Protection, has farther-reaching impacts across borders than traditional Public Safety / Homeland Security

Page 14: RCMP 2010

Accurate statistics available to the general public; information is shown in graphical format only – no specific datapoints

http://news.infracritical.com/xmlstats.php?s=scadasec (2)

2. http://news.infracritical.com/xmlstats.php?s=scadasec&m=12&y=09 returns info for December 2009.

Page 15: RCMP 2010

Some Interesting Statistics about SCADASEC

• Approx. 1023 users [as of 14-Mar-2010], growing by 1-4 pp/D
  – SCADASEC “hit” 1000 members just 3 days prior to our Two Year Anniversary

• Approx. 50 users active (roughly 5% ± 1.5% of total membership)
  – SCADASEC has a record number of 53 participants in one month [Jun 2008]

• Average number of monthly postings is between 150 and 450 per month
  – SCADASEC had a record number of 452 postings in one month [Jun 2008]

• Average number of daily postings is between 5 and 15 per day
  – SCADASEC has a record number of 102 postings in one day [12-Mar-2010]

Page 16: RCMP 2010

Some Interesting Statistics About SCADASEC

• Some recent statistics:
  – Dec 2009 – 165 postings, average 5.32 p/D
  – Jan 2010 – 224 postings, average 7.23 p/D
  – Feb 2010 – 169 postings, average 5.45 p/D
  – Mar 2010 – 282 postings, average 9.09 p/D

• Recent topics included:
  – Recent Brazilian power outage in 2009
  – Los Angeles (U.S.) signaling computer breach
  – Smart Grid Initiative (SGI)
  – SCADA certifications
  – Cloud computing
  – Virtualized environments
  – RSA conference (2010)

Page 17: RCMP 2010

How does SCADASEC relate to/with CIP (3)?

• SCADASEC provides a public venue that most organizations have either tried to provide or cannot provide (policy/legal restrictions, laws, et al.)
  – Private, third-party entity that is outside the realms of industry and govt.

• SCADA/control systems provide the backbone to infrastructures
  – Output from infrastructures is strongly dependent upon how secure our SCADA / control systems are operationally.

• “Domino Effect” – if one area is impacted, others may be, too…
  – If Energy is disrupted, this will impact Transportation, etc., etc.

• Like CIP, SCADASEC is far-reaching, knowing no borders…

3. http://books.google.com/books?id=oPi2SNHhowcC&printsec=frontcover&dq=radvanovsky&ie=ISO-8859-1&cd=4#v=onepage&q=&f=false.

Page 18: RCMP 2010

Are there any Issues with SCADASEC and CIP?

• “CIP” does NOT mean “cybersecurity” (CIP ≠ cybersecurity)
  – Although “cybersecurity” is a subset of “CIP”, it isn’t the only factor that makes CIP “critical infrastructure”; CIP combines all aspects of security.

• The term “cybersecurity” is nebulous and confusing; are they talking about IT security or are they talking about SCADA security?
  – Both industry and government need to differentiate between IT and SCADA security; SCADA security is its own class, despite integration issues between IT and non-IT environments.

• CIP is about protecting an organization’s overall operations, not necessarily its assets (physical or logical) (4) – meaning ‘holistic’.

4. http://books.google.com/books?id=oPi2SNHhowcC&printsec=frontcover&dq=radvanovsky&ie=ISO-8859-1&cd=4#v=onepage&q=&f=false.

Page 19: RCMP 2010

Are there other Challenges with SCADASEC?

• Changes implemented in “SCADA Land” cannot be easily undone, as they can in “IT Land”
  – In an IT environment, patches or firmware fixes are simply backed out; in SCADA environments, this might mean a production shutdown for several hours – to several days – depending on the complexity of the issue(s).
  – Vulnerabilities found on or announced on the SCADASEC list pose a challenge for containment and proper handling of such information.

• The SCADASEC mailing list hopes to address some of the socio-economic / geo-political issues surrounding these differences
  – Until more formalized educational capabilities exist – for now – SCADASEC fills a niche market.

Page 20: RCMP 2010

Photos of Infracritical’s Data Center


Second server from bottom houses SCADASEC, along with 12 other mailing lists, both publicly and privately operated.

Infracritical’s data center consists of legacy equipment that was donated; approx. 30 servers active at any time.

Page 21: RCMP 2010

Questions?

Bob Radvanovsky, (630) 673-7740
[email protected]

A copy of this presentation may be found at our web site:

http://www.infracritical.com/papers/scadasec-2010.zip

Creative Commons License v3.0.