THIS WEEK AT BLACK HAT, and starting today at Defcon, the buzz around process control and power grid hacking has been quite noticeable. Mike Davis and Tony Flick each presented talks on power grid security issues, whilst Travis Goodspeed discussed the latest vulnerabilities in wireless radio networking hardware. Informal hardware hacking tutorials have abounded, so I decided to take a closer look.
One thing is clear: process control network administrators can no longer rely on “security by obscurity” to protect their infrastructure.
Process control systems (SCADA, DCS and the like) are ubiquitous these days. Electrical power grids and generation plants, HVAC and “smart home” systems, traffic signals and transportation safety systems, water management systems, and electronics and pharmaceutical manufacturing lines are all common applications of process control systems.
Process control systems can be quite basic, such as a simple on-off relay and timer. Sensors may just measure and report, or they may feed into a controller, commonly a PID (proportional-integral-derivative) controller. A PID controller evaluates the measured deviation from the desired value and adjusts its corrective action to reach the target temperature, speed, pressure, position, power level, etc. efficiently. In addition to one or more sensors, each node in a sensor or control network is typically equipped with a wireless communications device, a microcontroller, and some source of power.
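To make the PID loop described above concrete, here is an added example (not code from the original post or from any vendor's controller) of a discrete PID controller driving a simulated first-order process. The plant model, the gains, the actuator limits and the `measurement_offset` parameter are all constructed for illustration; the offset stands in for a faulty or tampered sensor and shows why the integrity of the measurement the controller sees matters as much as the controller logic itself.

```python
"""Discrete PID controller closed around a simulated first-order process.

Hypothetical teaching example: the plant, gains, sample time and actuator
limits below are constructed for illustration and model no real loop.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PID:
    kp: float
    ki: float
    kd: float
    out_min: float = 0.0      # actuator limits: the command is clamped to this range
    out_max: float = 100.0
    integral: float = field(default=0.0, init=False)
    prev_error: Optional[float] = field(default=None, init=False)

    def update(self, setpoint: float, measurement: float, dt: float) -> float:
        """Return the actuator command for one control interval of length dt."""
        error = setpoint - measurement
        # Derivative of the error; zero on the first sample because there is no history.
        d_error = 0.0 if self.prev_error is None else (error - self.prev_error) / dt
        self.prev_error = error
        candidate_integral = self.integral + error * dt
        output = (self.kp * error
                  + self.ki * candidate_integral
                  + self.kd * d_error)
        # Anti-windup: only accumulate the integral while the actuator is not saturated,
        # otherwise the integral keeps growing while the output cannot follow it.
        if self.out_min < output < self.out_max:
            self.integral = candidate_integral
        return min(self.out_max, max(self.out_min, output))


def first_order_plant(y: float, u: float, dt: float,
                      gain: float = 1.0, tau: float = 5.0) -> float:
    """One Euler step of a first-order lag: tau * dy/dt = gain * u - y (constructed model)."""
    return y + dt / tau * (gain * u - y)


def run_loop(setpoint: float, seconds: float, dt: float = 0.1,
             measurement_offset: float = 0.0) -> float:
    """Simulate the closed loop and return the TRUE process value at the end.

    measurement_offset is added to what the controller sees; a non-zero value
    models a miscalibrated or tampered sensor feeding the controller.
    """
    pid = PID(kp=2.0, ki=0.5, kd=0.1)   # constructed gains, stable for this plant
    y = 0.0                              # true process value
    for _ in range(int(seconds / dt)):
        measured = y + measurement_offset  # the only view the controller has
        u = pid.update(setpoint, measured, dt)
        y = first_order_plant(y, u, dt)
    return y


if __name__ == "__main__":
    print("healthy sensor, true value:", round(run_loop(50.0, 100.0), 2))
    # With the sensor reading 10 units low, the controller still drives what it
    # SEES to the setpoint, so the true process settles 10 units above it.
    print("sensor reads 10 low, true value:",
          round(run_loop(50.0, 100.0, measurement_offset=-10.0), 2))
```

Run it as-is to see the two cases side by side. The controller does exactly what it is designed to do in both runs; the second run is the point for a defender: the loop converges on the measured value, not the physical one, so a sensor that is reachable by the wrong people undermines the whole control chain regardless of how well the controller itself is protected. Output clamping and anti-windup are included because an unclamped loop with a saturated actuator is a common source of real-world misbehaviour.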
Unfortunately, process control systems have a HUGE attack surface. To effectively manage risk, you must consider physical security, networking, hardware devices and software.
Because sensor networks and process control devices are physically distributed, some devices may be accessible to the public or to third-party business partners. If a sensor device comes under the scrutiny of an experienced control software hacker or hardware reverse engineer, then you have issues.
Hardware isn’t the only issue, though. New networking protocols such as EtherCAT have dramatically changed the communications capabilities of these devices, and that may expose new vulnerabilities.
Software engineers also need to better understand the special needs of these devices. They know how to write software for stand-alone computers, but they are less skilled at targeting low-level embedded devices. Good embedded systems engineers are apparently in short supply.
I’ll be discussing some of these issues over the next few posts, along with news from the hardware reversing and hacking demos this weekend at Defcon. See you there! S|A