TMCnet News

Scada's fatal flaw [ArabianOilandGas.com]
[April 16, 2014]



(ArabianOilandGas.com Via Acquire Media NewsEdge) Vulnerability in Scada systems makes them an ideal cyber-attack target, and those attacks could trigger catastrophic environmental disasters

Supervisory control and data acquisition systems (Scada) that are used in the oil & gas industry to run automated rigs and pipelines have an inherent and easily exploitable vulnerability left over from when the systems were running on analogue, according to industry experts.



The vulnerability is in the underlying Scada protocol being utilised in Scada systems.

"When we went from the old analogue systems, to digital communication between terminals, the manufacturers didn't reinvent how those programmable logic controller messages [digital computers used for automation of electromechanical processes], were being communicated, they just took the messaging protocols that they had in the past and put them into digital," said Nicolai Solling, director of Technology Services at security advisory firm HelpAG Middle East.


"That means that one of the basic issues with Scada communication is that there is no way of authenticating messages inside Scada systems, so if malware enters the Scada infrastructure, which has the ability to manipulate those messages, there is no way that the systems will know that this is happening. That means that the actual start up protocols and the way that things talk to each other are very vulnerable to attack."

Attackers target the energy sector to steal intellectual property on gas field exploration charts, for example, but the sector is also a major target for sabotage attacks, which will not generate direct profit for the attacker.

Such disruptive attacks do already happen and may lead to large financial losses. State sponsored agents, competitors, internal attackers or hacktivists are the most likely authors of such sabotage.

The effect of such a cyber-attack is really unlimited, according to Mike Ahmadi, CISSP, global director of business development at security and robustness testing solutions company Codenomicon. An attack could shut down safety systems, for example, and cause ruptures, fires, and massive oil spills.

A cyber-attack on a Scada system running an intelligent, or IP-enabled oil rig could, for example, manipulate how the drill operates, change the speed and drilling pressure and make it operate outside of safe parameters, causing massive drill bit failure and potentially an environmentally catastrophic oil spill.

"We have already seen the impact of when drilling goes wrong with the Deepwater Horizon leak in 2010, when the drill broke and leaked oil for months, it had a big effect on the environment," said Solling.


While Deepwater Horizon was not the result of a cyber-attack, the scale of the disaster serves well to illustrate just how disastrous a carefully crafted cyber-attack could be on oil & gas infrastructure.

Potentially, a cyber-attack on an automated oil rig, for example, utilising this vulnerability, can also have a huge bottom line effect on an oil company because drilling is the most expensive part of operating an oil company, so if something happens it is going to be costly.

"It is difficult to envisage to what extent a well-targeted cyber-attack can impact real time operations," said Feroz Qureshi, business development manager, Middle East, at process automation experts Honeywell Process Solutions.

"Thanks to the publicity that attacks like Stuxnet have gained, hackers and criminals have started discovering that Scada/ICS products could be attractive targets. Ability to modify control parameters could, in a cyber-attack, create havoc with implications seen anywhere between loss of data to compromising operations of a refinery as an example.

"The positive news is that this would be possible only if malware gets in. Developing malware for such highly targeted attacks and planning them requires in-depth knowledge about the Scada/ICSS systems and very specific skill sets."

According to Ahmadi, both older and newer Scada systems have no authentication, which means that malware and man-in-the-middle attacks can easily intercept and modify PLC messages.
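The gap described above, shown from the receiving side, as an added example that is not from the article or any vendor: a receiver that checks only an unkeyed checksum accepts a message altered in transit, while one that checks a keyed tag and a message counter rejects it. The frame layout, key and function names are constructed for illustration and do not represent any real Scada protocol.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed frame layout (an assumption, not a real protocol):
# unit id (1 byte) | register (2 bytes) | value (2 bytes) | trailer
KEY = b"constructed-demo-key"  # illustrative shared secret


def build_checksum_frame(unit, register, value):
    """Legacy-style frame: payload followed by an unkeyed CRC32."""
    body = struct.pack(">BHH", unit, register, value)
    return body + struct.pack(">I", zlib.crc32(body))


def accept_checksum_frame(frame):
    """Checks only the CRC: catches line noise, not deliberate changes."""
    body, (crc,) = frame[:-4], struct.unpack(">I", frame[-4:])
    return zlib.crc32(body) == crc


def build_authenticated_frame(unit, register, value, counter, key=KEY):
    """Payload plus message counter, followed by an HMAC-SHA256 tag."""
    body = struct.pack(">BHHI", unit, register, value, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def accept_authenticated_frame(frame, last_counter, key=KEY):
    """Accept only a valid tag and a counter newer than the last one seen."""
    if len(frame) != 9 + 32:
        return False
    body, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    return struct.unpack(">BHHI", body)[3] > last_counter


def modified_in_transit(frame, new_value, trailer_len):
    """Models an on-path change to the value field (bytes 3..4)."""
    body = bytearray(frame[:-trailer_len])
    body[3:5] = struct.pack(">H", new_value)
    if trailer_len == 4:  # anyone can recompute an unkeyed CRC
        return bytes(body) + struct.pack(">I", zlib.crc32(bytes(body)))
    return bytes(body) + frame[-trailer_len:]  # tag cannot be redone without the key
```
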

Two Russian researchers who piloted a project that researched Scada vulnerabilities, called the Scada Strangelove project, identified more than 150 zero-day vulnerabilities in Scada, industrial control systems and programmable logic controllers, basically the programmes that run the oil rig and pipeline systems.

Scada in general is assumed to be more vulnerable by virtue of the openness and flexibility required by the solution. This is changing now, to some extent, with more measures taken both by end users and vendors, according to Honeywell.

"Scada systems have come a long way today. With the growing awareness about cyber security within the end user community after recent incidents the process automation industry has taken this up and improved the overall network security for Scada systems," said Qureshi.

But these measures may just not be enough to protect against the inherent system vulnerabilities, which can cost millions to fix.

"If you can first identify Scada vulnerabilities, you can protect the system somewhat at the perimeter. These are bandaids at best, however," said Ahmadi.

Experts have said there is still a long way to go before these systems become fully secured, and at the moment, there is no patch or quick fix to mitigate these vulnerabilities.

For an oil & gas company facing a vulnerable legacy Scada infrastructure that will be very expensive to replace or update, the question is whether it is worth it. Many oil & gas companies seem to have an 'it won't happen to me' attitude

(c) 2014 ITP Business Publishing Ltd. All Rights Reserved. Provided by Syndigate.info, an Albawaba.com company
