
A Click through the CSSP “Secure Architecture Design” Page

While I think the Overview of Vulnerabilities is definitely good stuff (and in my wildest dreams I could never hope to draw diagrams that cool, Mac or no Mac), from a purist's perspective the clickable “Secure Architecture Design” image sometimes left me scratching my head.

Let’s click on control systems firewall.

So we get links to a definition, issues, associated attack methodologies, and recommendations. Good! (in my best Ricky Gervais accent)

Now click on Recommendations.

“No Recommended Practices Identified”

Surprising, perhaps even shocking. It seems like this would be the first item to be completed. If nothing else, why not a link to the NISCC Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks?

Now click on Associated Attack Methodologies.

We get:
- SQL Injection Attack
- OPC/DCOM
- Back Door Attack Through Internet
- Man in the Middle Attack

So now I’m confused. Are these attack methodologies what the “control system firewall” is supposed to mitigate? Or are they ways of penetrating or bypassing the node we clicked on? I assume the latter.

I’m not sure what “man in the middle attack” is doing here, or why. But IMHO, MITM (or “monkey in the middle,” as I’ve heard some folks call it) is one of the most often cited but least important attacks to be concerned about, based on my experience analyzing and conducting them against protocols.

In many SCADA protocols you don’t have to get “in the middle”; you just send the command to the endpoint!

But I’ll agree they “sound” scary. And I’m torn about the value of adding “SCADA Plugins” to Ettercap.

Now, on each of the attacks: there is an image file and a PDF. The image file is a lot more interesting and shows how the attacks happen (with lots of red arrows). I would link to them, but they are using frames and JavaScript to pull up the docs, so it isn’t worth the time.

Some other observations about the “Secure Architecture Design” page:

- The links to the “control system,” “corporate firewall” and “firewall” are exactly the same.
- There are blue dots for IDS everywhere, but I didn’t ever find any content for them. Given that is one area where commercial security products have actually made some progress, I thought that might be mentioned.
- Many of the control system components have no “attack methodologies.” For example, the PLC/IED/RTU.

Despite all these nits, I think this site has been sorely needed and there is good content here, even if the presentation is sometimes “eye candy.” This also took a lot of work to pull off; I don’t want to think about how many hours of web development alone went into it. I hope it continues to be developed and fleshed out.

I also really like the idea of a clickable architecture document with threats and countermeasures. Rumor is my friends back at Cisco are working on some cool threat modeling tool written in Ruby on Rails, but I haven’t seen it yet.

Comments

Comment from Dale Peterson
Time: June 15, 2006, 10:37 am

Valid comments, criticisms and suggestions.

The site is expected to grow in content over time and this is the first incarnation. My estimate is this is less than 10% of what you will see on this site two years from now, but it is a good start.

I know the plan was to place the NISCC document and other high quality documents on the site. It may just be an author approval cycle issue. Of course you can always link, but since this is an official site they err on the side of caution.

Planned documents are available at the up and coming link on the site, and they are looking for reviewers.

Comment from Anonymous
Time: June 15, 2006, 1:28 pm

One of my pet peeves is security consultants who make mountains out of molehills, while ignoring the simple stuff.

Matt, you’re dead on with your criticisms. I suspect most SCADA system attackers wouldn’t need to use MitM attacks for exactly the reasons you cited.

With consultants spouting nonsense like this, we engineers tend to get very grouchy and skeptical. Focus on the real threats. Don’t waste our time spouting esoteric attack methodologies.

When being pursued, there is no need to run faster than the bear. You only have to run faster than your fellow camper…
