27 July 2010

Why SCADA Networks Are Vulnerable To Attack - Part 1: Unintended Consequences

This multi-part series discusses the security vulnerabilities of the sensor/actuator controls at the heart of SCADA, smart grid and energy management systems, and proposes a means of containing, if not fully addressing, the limitations of these systems.

* * * * * * *

In the 1980s the proximity access card was introduced to the building security market. Until that time, gaining access to high security facilities – including many government agencies – required one to physically insert a magnetic stripe or Wiegand card into a reader.

Proximity card readers from Schlage, Sielox, Indala, and others overcame the inconvenience of swiping a card by using radio energy to sweep the area in front of the reader.
Users needed only to place their wallet, purse, valise, or ID badge near a reader and the radio energy would be picked up by their proximity card.

A tuned circuit internal to the card would resonate when within range of the reader, generating a unique radio signature that would be captured and analyzed by the access control system. If the signature matched that of a valid card already programmed into the system, access would be granted. Simple, elegant, and convenient, proximity card systems quickly grew in popularity.

Problem was, this innovative technology had profound, unintended consequences. It allowed the surreptitious identification of people with access privileges to high security facilities. One could use radio energy to sweep a crowd of people and pick out persons of interest based on the signatures generated by their proximity cards. At a time when the Cold War was steamy hot and espionage was rampant, the proximity card was a new-found tool for adversaries.

The unintended consequences of a new technology are not usually discovered until after it's in use, sometimes widespread use, by which time available remediation options might be limited or very expensive. Such is the case with SCADA, smart grid, and energy management systems, which are now front and center in the effort to better manage energy consumption and lower greenhouse gases. Unintentionally vulnerable to manipulation and unauthorized access, these systems can literally turn out the lights, stopping a utility or enterprise cold in its tracks.

(Photo: www.brightsecuritygroup.com)