
Simple CC Example

We are working on an architecture and policy project with a client that is deploying new PLCs in a SCADA network. Communication will be all IP. So the very natural questions for the PLC vendor (who is a leading vendor) are: what are the security functions, what are the configurable security parameters, and what is the recommended secure configuration for your product?

The vendor is highly interested in making the sale, but is unable or unwilling to provide the information. My guess is the information does not exist in any formal format; it is probably spread across a variety of documents, or sits in the developers' minds or in notes from years ago.

Well, the Common Criteria has assurance requirements related to documentation. For example, there is an Administrator Guidance Document required in the Protection Profile that includes:

  • A list of all security parameters and recommended secure settings of these parameters.
  • All security events the field device generates and the related administrative action that should be taken. For example, an event indicating the audit log is almost full and how to save and clear the log.
  • A list of assumptions about user behavior that are necessary for secure operation.
  • A list of requirements for the IT environment the field device will reside in.

How great would it be to get this info from a SCADA vendor!
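To show what an asset owner can do once a vendor actually supplies the first two items of that guidance (the security-parameter list with recommended settings, and the event-to-action list), here is an added example that is not part of the original post and not any vendor's tool: it encodes a guidance document as data and audits a device configuration against it. Every parameter name, recommended value, event name and the sample device configuration are constructed placeholders, not settings from a real PLC.

```python
"""Audit a field-device configuration against an administrator-guidance baseline.

All parameter names, recommended values, event names and the sample device
configuration below are constructed placeholders for illustration; they are
not taken from any vendor's actual guidance document.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class SecurityParameter:
    name: str
    recommended: Any
    check: Callable[[Any, Any], bool]  # (actual, recommended) -> compliant?
    rationale: str


def equals(actual: Any, recommended: Any) -> bool:
    return actual == recommended


def at_most(actual: Any, recommended: Any) -> bool:
    return actual <= recommended


# Constructed baseline: the "security parameters and recommended secure
# settings" list a CC-style Administrator Guidance Document would carry.
BASELINE: List[SecurityParameter] = [
    SecurityParameter("program_upload_requires_auth", True, equals,
                      "unauthenticated program upload allows logic replacement"),
    SecurityParameter("default_password_changed", True, equals,
                      "factory credentials are publicly documented"),
    SecurityParameter("session_timeout_seconds", 600, at_most,
                      "idle engineering sessions should not stay open for hours"),
    SecurityParameter("audit_log_enabled", True, equals,
                      "security events cannot be reviewed without a log"),
    SecurityParameter("audit_log_full_threshold_percent", 80, at_most,
                      "operators need warning before events are lost"),
    SecurityParameter("telnet_enabled", False, equals,
                      "cleartext management protocol"),
]

# Constructed mapping of generated security events to the administrative
# action the guidance says to take (the second guidance item in the post).
EVENT_ACTIONS: Dict[str, str] = {
    "AUDIT_LOG_NEAR_FULL": "Export the audit log to the historian, verify the "
                           "export, then clear the device log.",
    "AUTH_FAILURE_THRESHOLD": "Identify the source host, confirm with the "
                              "engineering team, and review the audit log.",
    "CONFIG_CHANGED": "Compare the running configuration against the approved "
                      "baseline and record the change.",
}


@dataclass(frozen=True)
class Finding:
    parameter: str
    actual: Any
    recommended: Any
    rationale: str


def audit(config: Dict[str, Any],
          baseline: List[SecurityParameter] = BASELINE) -> List[Finding]:
    """Return one Finding per baseline parameter that is missing or non-compliant."""
    findings: List[Finding] = []
    for p in baseline:
        if p.name not in config:
            findings.append(Finding(p.name, None, p.recommended,
                                    "parameter not set; " + p.rationale))
        elif not p.check(config[p.name], p.recommended):
            findings.append(Finding(p.name, config[p.name], p.recommended,
                                    p.rationale))
    return findings


def action_for(event: str) -> str:
    """Look up the documented administrative action for a security event."""
    return EVENT_ACTIONS.get(
        event, "Event not covered by guidance: escalate to the vendor and record it.")


# Constructed device configuration, as it might be exported from a PLC's
# management interface; one parameter is deliberately absent.
SAMPLE_DEVICE_CONFIG: Dict[str, Any] = {
    "program_upload_requires_auth": False,
    "default_password_changed": True,
    "session_timeout_seconds": 3600,
    "audit_log_enabled": True,
    "telnet_enabled": True,
}

if __name__ == "__main__":
    for f in audit(SAMPLE_DEVICE_CONFIG):
        print(f"{f.parameter}: actual={f.actual!r} recommended={f.recommended!r} "
              f"({f.rationale})")
    print("AUDIT_LOG_NEAR_FULL ->", action_for("AUDIT_LOG_NEAR_FULL"))
```

The point of separating the baseline data from the audit logic is that the data is exactly what the post asks the vendor to provide; a missing parameter is reported as a finding rather than silently passing, because an exported configuration that omits a security setting usually means the device is running a default the guidance never approved.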

Comments

Comment from Ray Potter
Time: May 24, 2006, 8:22 am

This would be a fantastic start, and I think you’re correct regarding the vendor’s inability to provide information on the configurable security parameters and the recommended configuration. It’s doubtful they have this in a clean, concise format because they haven’t had to provide it in the past and, well, it’s more back-end work to produce such design docs that traditionally may not be of relevance or significance to the end user. Or they may just not know!

[# A list of assumptions about user behavior that are necessary for secure operation.
# A list of requirements for the IT environment the field device will reside in.]

I think what you’ll find is that there will be inconsistent perceptions/requirements from different sites/end users. Most may accept such lists as due diligence on the part of the vendor, but there will be folks who have their own interpretations about what the assumptions/threats/objectives should be. Opening up that line of analysis will draw both support and (hopefully constructive) criticism from the end users, and that’s when the SCADA vendors will start to feel more pressure.

Comment from Anonymous
Time: May 25, 2006, 2:47 pm

How about a statement that said PLC is not secure enough to unleash in a typical IT environment?

The problem here is that most SCADA system managers do not know enough about security to manage such a device, even if it did exist. Remember what things were like when DOS first introduced the tree-oriented directories? We still had far too many users who would put everything in the root because they simply didn’t appreciate the power of a directory structure.

And so it is with security models and SCADA systems. A good security model implies that the user understands the system well enough to know when they’re bumping into a security problem. Well, gosh, as Matt Franz just showed you on May 21, even experts get tripped up by this stuff.

So if experts get tripped up, then why suggest that we apply this to the end users? No, what we need before this goes big time are a few well understood security models and practices for SCADA systems. Gin those up, and then we’ll talk about security in PLC software…

Comment from Anonymous
Time: May 30, 2006, 6:46 am

“How great would it be to get this info from a SCADA vendor!”

Probably. OR it would simply exhibit that the device / the vendor is naked under his pants.

Take one example. A big European PLC manufacturer equips his PLCs with the option to “secure” the PLC program with a password. No information is given on how the password is encrypted for upload on the PLC. We fiddled around for three hours and had the algorithm cracked.

rl@langner.com
