
S4 Preview: Leveraging Ethernet Card Vulnerabilities in Field Devices

I will be previewing one S4 2009 paper each week. Digital Bond’s SCADA Security Scientific Symposium is Jan 21-22 in Miami Beach with an advanced control system security course on Jan 20th. For more information on the event and registration check out these links:

Leveraging Ethernet Card Vulnerabilities in Field Devices

This is a Digital Bond paper at S4 and represents our most bleeding edge work this year. We are not releasing specifics prior to the event, but let me give you an idea of the impetus for the research.

In most cases the first and easiest point of access to a field device for a cyber attacker is the Ethernet card on that PLC, RTU, PAC, etc. [Note: this paper only applies to Ethernet-enabled field devices. Of course there is still a huge percentage of serial-only field devices deployed.] Most research to date has focused on two areas. One, the fact that most control system protocols do not authenticate the source or integrity of a request: if you can logically reach the field device, you can monitor and control the sensors and instruments connected to it. And two, fuzz testing of the protocol stack can cause a denial of service or worse in many field devices. Research has basically stopped at this point because it seemed to be enough to convince the community that field devices are insecure. But could an attacker do more damage than control or crash a field device at the time of attack?
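The first point above, that a field device cannot tell who sent a request, is what makes network-level monitoring the practical control. The following is an added example, not code from the Digital Bond paper or from any vendor: a minimal Modbus/TCP parser (Modbus/TCP is assumed here as a representative unauthenticated control protocol; the post does not name a protocol) with a detection rule that flags state-changing writes from hosts not on an allow-list. The frames, IP addresses and allow-list are constructed sample data, not captured traffic.

```python
"""
Added example (not from the original post): parse Modbus/TCP requests and
alert on write function codes from hosts outside an allow-list. Because the
protocol carries no source authentication, the source IP and the function
code are the only signals a monitor has; this is detection, not prevention.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Modbus function codes that change process state (standard codes).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int
    payload: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus the PDU; raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # MBAP length counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function = frame[7]
    pdu = frame[8:]
    address = struct.unpack(">H", pdu[:2])[0] if len(pdu) >= 2 else 0
    return ModbusRequest(tid, unit, function, address, pdu[2:])


def check_request(src_ip: str, frame: bytes, allowed_writers: Set[str]) -> Optional[str]:
    """Return an alert string for a write from an unlisted host, else None."""
    req = parse_modbus_tcp(frame)
    if req.function in WRITE_FUNCTIONS and src_ip not in allowed_writers:
        return (f"ALERT: {WRITE_FUNCTIONS[req.function]} (fc {req.function}) "
                f"to unit {req.unit_id} address {req.address} "
                f"from unlisted host {src_ip}")
    return None


def scan_traffic(traffic: List[Tuple[str, bytes]], allowed_writers: Set[str]) -> List[str]:
    """Run check_request over (source_ip, frame) pairs and collect alerts."""
    alerts = []
    for src_ip, frame in traffic:
        try:
            alert = check_request(src_ip, frame, allowed_writers)
        except ValueError as exc:
            alert = f"ALERT: malformed frame from {src_ip}: {exc}"
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample frames (hex): tid, proto=0, length, unit, fc, data.
# Write Single Register, unit 1, register 0x0010 := 0x00FF.
WRITE_FRAME = bytes.fromhex("0001 0000 0006 01 06 0010 00FF".replace(" ", ""))
# Read Holding Registers, unit 1, start 0x0000, count 10.
READ_FRAME = bytes.fromhex("0002 0000 0006 01 03 0000 000A".replace(" ", ""))
# Truncated frame to exercise the malformed-input path.
BAD_FRAME = bytes.fromhex("0003 0000 0006 01".replace(" ", ""))

# Constructed traffic: the HMI at 10.0.0.5 is allowed to write; 10.0.0.99 is not.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", WRITE_FRAME),
    ("10.0.0.99", READ_FRAME),
    ("10.0.0.99", WRITE_FRAME),
    ("10.0.0.99", BAD_FRAME),
]
ALLOWED_WRITERS = {"10.0.0.5"}

if __name__ == "__main__":
    for line in scan_traffic(SAMPLE_TRAFFIC, ALLOWED_WRITERS):
        print(line)
```

Reads from the unlisted host pass silently; only the write and the malformed frame are reported. In practice the allow-list would come from an asset inventory, and the same parser can feed a rule that raises on any function code the device is not expected to receive at all.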

In this paper we investigate successful exploits of controllers via a number of means, and scenarios for how these could be leveraged in an attack. We spent a lot of time identifying a variety of methods to compromise/own the exposed Ethernet cards, imagining what an attacker would want to do, and then verifying it on multiple field devices from a variety of vendors in our lab. What could and would an attacker do if they owned one, ten or a hundred field device Ethernet cards in a control system? And finally, what should a vendor do to secure their field device?
