S4 Preview - Control System Attack Vectors and Examples: Field Site and Corporate Network
Over the next few weeks I’ll highlight some of the papers that will be presented at the SCADA Security Scientific Symposium (S4), January 23 - 24 in Miami Beach (registration link). Let’s start with a paper that has so much of what we try to accomplish at S4.
Here is a paper with some great theoretical work and dramatic demonstrations from a researcher the community has never seen or heard from before: Eyal Udassin from C4 in Israel.
This paper is a good counterpoint to the Aurora demo, Congressional hearings, and the NERC CIP kerfuffle. Imagine a control system that has followed every recommended security practice and guideline document available in the industry. Does this mean the risk of a successful cyber attack on the control system is zero? Of course not, because we are dealing with software, and software has bugs that often lead to vulnerabilities.
Eyal’s paper looks at two possible attack vectors that are available even in a well secured system: field sites and the corporate network. The field site scenario imagines that an attacker has gained access to an Ethernet port at a remote, possibly unmanned field site and launches attacks using only the ports/services required by the field site equipment.
The corporate scenario describes the almost ubiquitous situation of a historian or other information sharing system on a DMZ between the corporate network and control center network. This scenario also assumes a perfectly configured firewall.
To bring these scenarios home, and to quiet the FUD sayers, Eyal has documented and demonstrated a successful attack on a popular system for each of these scenarios. The systems are compromised using only access that would be allowed through firewalls deployed according to the vendor’s best practice. The write-up in the S4 program is deliberately a bit vague until the disclosure issues have been addressed, but I have seen the impressive details.
This paper highlights the importance of security in the software development lifecycle and fits in well with our S4 keynote speakers who will be announced in November. The whole idea that NERC CIP, NIST SP800-53 or Congressional efforts will prevent something like Aurora from happening is absurd. These efforts will reduce the risk and are important, but thinking we will ever get a bulletproof system where this just can’t happen is delusional.
Look at the effort Microsoft puts into developing secure code; while it has made substantial progress, it has not achieved, and does not even anticipate achieving, fully secure code. Our concern is that security is almost non-existent in a large portion of control system vendor software development lifecycles, and the community needs to raise the bar on vendors like it is doing for asset owners. This paper and others at S4 unfortunately lead us to believe even more strongly in our prediction that control system applications contain a larger than normal number of latent vulnerabilities.
Author: Dale Peterson
Posted: October 22nd, 2007 under S4.