
New Solutions to Secure Field Communications

One of the real challenges in securing SCADA networks, especially over a shared or exposed WAN, is that the SCADA protocols authenticate neither the source of the communications nor the integrity of the data. If an attacker can access the WAN, she can send commands to a field device or responses to a control server. This vulnerability may not be among the highest risks in many SCADA networks today, but as the community gets the basics in place hopefully we can address it.

Over the last couple of weeks I’ve heard updates on three projects to address this vulnerability:

PNL

The most interesting project is out at PNL, where they have developed a protocol that does just what I described above: it authenticates the source of all requests and responses and verifies that the data has not been modified in transit. Originally it was called Secure DNP3, but the security protocol is now generalized.

There are some cool features such as setting authentication to occur periodically or by function code. You may not care if polls are authentic, but writes and reboots affect integrity and availability and warrant security. Mark Hadley gave me a briefing at PCSF, and PNL will be giving a presentation and demo of the solution at the KEMA event in August.

It is a bump-in-the-line solution with visions of being integrated into PLCs and other field devices. In this game, the first solution to get widely integrated into PLCs probably wins. PNL and the other national labs may have an advantage over small security vendors in getting the ears of large PLC manufacturers.
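To make the per-function-code idea concrete, here is an added example of my own (not PNL's protocol, and not the Secure DNP3 design) of the kind of check a bump-in-the-line box would do: a keyed hash is attached only to messages whose function code is in a "must be authenticated" set, the receiver verifies the tag and rejects replays with a sequence counter, and polls pass through untouched. The DNP3 function code values are the real ones; the frame layout, the policy, the key and the sample payloads are all constructed for the illustration.

```python
import hashlib
import hmac
import struct

# DNP3 application-layer function codes (real values); which of them
# require authentication is an illustrative policy, not PNL's.
FC_READ = 0x01
FC_WRITE = 0x02
FC_DIRECT_OPERATE = 0x05
FC_COLD_RESTART = 0x0D

# Polls stay unauthenticated; anything that changes state is protected.
AUTH_REQUIRED = {FC_WRITE, FC_DIRECT_OPERATE, FC_COLD_RESTART}

# Constructed pre-shared link key; a real deployment provisions one per device.
LINK_KEY = b"example-link-key-0123456789abcdef"
TAG_LEN = 16  # truncated HMAC-SHA256 tag appended to protected frames


def build_frame(seq, fc, payload, key=LINK_KEY):
    """Sender side: seq(4 bytes) | fc(1 byte) | payload | [tag]."""
    body = struct.pack(">IB", seq, fc) + payload
    if fc in AUTH_REQUIRED:
        tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag
    return body


class Verifier:
    """Receiver side: checks the tag and a strictly increasing sequence."""

    def __init__(self, key=LINK_KEY):
        self.key = key
        self.last_seq = -1

    def verify(self, frame):
        """Return (accepted, reason, fc, payload)."""
        if len(frame) < 5:
            return False, "short frame", None, None
        seq, fc = struct.unpack(">IB", frame[:5])
        if fc not in AUTH_REQUIRED:
            # Policy says polls may pass without a tag.
            return True, "unauthenticated (policy)", fc, frame[5:]
        if len(frame) < 5 + TAG_LEN:
            return False, "missing tag", fc, None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag", fc, None
        # Only trust the counter of a frame whose tag already checked out.
        if seq <= self.last_seq:
            return False, "replayed sequence", fc, None
        self.last_seq = seq
        return True, "authenticated", fc, body[5:]


def demo():
    """Run constructed traffic through one verifier; returns the verdicts."""
    v = Verifier()
    write_payload = b"\x50\x01\x00\x07\x07\x00"  # constructed, not a real object header
    verdicts = []
    verdicts.append(v.verify(build_frame(1, FC_READ, b"\x3c\x02\x06"))[1])
    verdicts.append(v.verify(build_frame(2, FC_WRITE, write_payload))[1])
    tampered = bytearray(build_frame(3, FC_WRITE, write_payload))
    tampered[6] ^= 0xFF  # modify one payload byte in transit
    verdicts.append(v.verify(bytes(tampered))[1])
    verdicts.append(v.verify(build_frame(2, FC_WRITE, write_payload))[1])  # replay
    verdicts.append(v.verify(build_frame(4, FC_COLD_RESTART, b"", key=b"wrong"))[1])
    return verdicts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the example is the split the post describes: a read goes through with no overhead, while a modified write, a replayed write and a restart built without the link key are all refused. A sequence counter is the minimum replay defence; a real design also needs to handle counter resynchronisation after a device restart.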

Digital Authentication Technologies (DAT)

DAT has received multiple SBIR contracts from government agencies for a “physics based authentication” technology. DAT has explained the physics to me a couple of times, and I still can’t get it. The idea is that the DAT receiver can tell where it is based on its surroundings, such as the shape and contents of the room, and this is not GPS, which they say can be fooled.

DAT is looking to apply this technology to secure field communications, perhaps so that a field device could not be moved. They use other factors besides location. I don’t have much else to say on this, but based on the limited information it is certainly very different from any other approach. It will be interesting to see if they can interest a field device vendor in this bleeding edge technology.

Langner Communications

I’ve been e-mailing and chatting with Ralph Langner of Langner Communications in Hamburg, Germany for years now. Maybe someday we will meet. I put him on a short list of people in the SCADA security community who have a lot of ideas, and since he can code, those ideas quickly come to market as free tools or products.

Ralph’s latest is the i-Plant Total Control. This solution consists of an industrial computer, a Siemens Microbox 420 running hardened XP, sitting in front of your PLCs, and a web-based management interface. The devices in front of the PLC are passive and understand the Modbus and Siemens field protocols. These devices report information back to the management system based on how they are configured.

What could they report? Changes by unauthorized users or systems. Configuration changes (for you Cisco folks, think of this as CiscoWorks RME). Reboots. Logs being full. All the information is brought back to the manager and displayed in a GUI that has more of a control system look and feel than an IT look and feel. We may eventually see this type of technology built into SCADA systems, but in the interim this is a possible solution for monitoring the security of field devices.

Comments

Comment from Anonymous
Time: June 18, 2006, 9:11 am

Oh gosh, let’s all be the first kids on our block to have something labeled “security” on it. Not one of these solutions is open or based on a well known standard.

The standard-based protocols are coming soon. They’ll get much more of the attention of the pen-testing community and the many engineers who install them. Meanwhile, these closed standards will lurk in obscurity. For all we know, the attackers may come from the very companies who made these security products. This is the hazard to using closed proprietary security systems.

At least the open standards can be evaluated by everyone. A flaw, if one exists, can be noted and fixes can be made available. Do we know that this same due diligence will be done by these proprietary solutions?

Comment from Dale Peterson
Time: June 18, 2006, 9:38 pm

I think anonymous is absolutely correct that open, vetted standards-based protocols are better.

But what if they don’t exist or are weak? A lot of the efforts that are coming soon are simply encapsulating protocols in SSL which really isn’t what is needed.

RSA, Diffie Hellman and the elliptic curve protocols all started as proprietary and moved to be included in standards.

I do think any of these new solutions need to be shared and vetted before they can be taken seriously, but they may have something worth looking at. I’m especially intrigued by the PNL approach.
