It is not a comfortable subject to broach, this type of testing, with our transportation clients. There are still may top operations officers in this industry balking at the notion of forming a close partnership with IT to protect critical infrastructure.
The simple truth, however, is that because of the advances in networking-and especially wireless technology-over the last few years, combined with the faster pace of communications and increasing sophistication of terrorist attacks, the transportation industry has more to lose than other industries in the case of an attack or system failure. This is because we are very dependent on transportation to move people, food, supplies, and other important things that keep businesses and individuals up and running in the day-to-day world.
The elements of this test are very straightforward, and all steps must be included for every test to provide the best read-out on how prepared the client organization is for specific emergencies.
External Testing
This testing is done in two ways: without the information provided by the client and with the information provided. The goal is to determine what an attacker can find out about the client's systems using only information that is publicly available over the Internet. This part of the assessment also looks for any references to the client SCADA network or infrastructure on the Internet.
Testing Using Dial-Up Access Provided by the Client
The objective here is to determine what an attacker can discover and connect to involving client systems in the recent past using dial-up-access modem banks or modems. The use of Citrix, with its huge presence in this area, makes this a high-risk area to look at.
Accessibility of the SCADA System from the Corporate IT Department
Here, the attempt is made to gain access to the SCADA environment from the corporate IT environment.
Internal SCADA Testing
During this stage, SCADA traffic is captured. Also at this stage, the firewall, router, and switch configuration are analyzed. Then, workstation and server hardening takes place by manually logging into VMS workstations. Finally, interviews are conducted with SCADA administrators, and security policies are also analyzed. These interviews are with key SCADA system administrators to determine how data information is linked back to the enterprise systems.
Key personnel will also be asked how SCADA information is shared with the enterprise IT network and other third-party networks, and personnel will be asked about remote access to the SCADA system. The testers then dig deeper into VPN concentrators, RAS, or modem banks that may be in use for remote access to the SCADA system from the enterprise IT environment or from home.
Host Operating Security
This is examined, and information is collected from each type of operating system in use within the SCADA environment in order to get a sample set that can indicate how the rest of the workstations and servers might be configured. Once the testers are offsite, this configuration information is compared to determine missing patches, default insecure operating system settings, and any potential opportunities to further harden the workstations and servers. Tools are used to discover potential vulnerabilities via scanning at the network, host, or application layer.
Once these are identified, the testers will perform exploits on like test or development systems in attempts to gain full control of the system. Screen shots of each part of this process will be provided to show the staff how these exploits were performed. If successful, the testers will attempt to gain administrator or root to gain full control of the system. Physical locations are also assessed for this test, in addition to the assessment of the entire perimeter of the client network.
Running Multiple Tests
Tests will be done on any other end devices available in the development environment to determine failure points at which they cease to function. Multiple denial-of-service attacks and session hijacking attempts will be made to discover if the communications protocol between the control room and these end devices is vulnerable to DoS or session injection or hijacking.
Once the final report stage is reached, we summarize the intent of the assessment in accordance with industry best-practices definitions and guidelines. The objectives of the assessment process are to assess all systems in accordance with the developed methodology and current standards and to discover and document all security-related vulnerabilities to the SCADA system in place for the client. Finally, the overall intent is to document security-related mitigation strategies that are feasible and sound.
In summary, we have seen an increase in concern in the transportation industry about attacks on these systems and lack of information on how to prepare. Speaking with our federal government clients, we find a great deal of interest in cybersecurity to prevent terrorism, but there is an unwillingness to commit to these tests, though attention is being paid to overall protection of the network environment.
Whether you are a transportation or utilities organization, you cannot afford to gloss over the importance of running regular SCADA testing to see how sound your infrastructure is at all levels and departments. Getting top officers on board to back this initiative is crucial, as they have a great deal to lose if the infrastructure fails, and there is nothing like being on the front lines to look at the real risks if these tests find dangerous vulnerabilities.
About the Author
Carole Crawford is CEO and president of The Saturn Partners, Inc., a company specializing in all forms of network and environmental security testing, policy development, and compliance assistance for clients in the public and private arenas. The company site can be found at www.saturnpartners.com; Carole's email address is cacrawf@saturnpartners.com.
