FEATURE

qualifications that apply to providers customer assets, or a distinct datacentre References

joining regulated public cloud services. zone. And there must be full account-
This will help engender confidence that ing and audit of their actions – eg, every 1. Jericho Forum: ‘Position Paper –
there is adequate oversight within such a administrative action should be recorded Collaboration Oriented Architectures’,
cloud. Independent Security as a Service and traceable to the administrator respon- Version 2.0, November 2008, 10 July
offerings may also come with an audit sible. Again, with Security as a Service, a 2009 http://www.opengroup.org/
service as a subscription option. separate security operations centre could jericho/COA_v2.0.pdf
Service management: An inevitable independently oversee and audit service 2. http://www.cloudsecurityalliance.org
issue with any outsourcing or public sub- management operations. 3. Cloud Security Alliance: ‘Security
scription arrangement is how in control Guidance – Critical Areas of Focus
of the administration of the service are the Summary in Cloud Computing’, April 2009,
providers? There are several aspects to this: 10 July 2009 http://www.cloudsecu-
a) From where are the services being The age of cloud and virtual comput- rityalliance.org/guidance/csaguide.
administered (eg, via a global ‘follow ing is presenting new challenges and pdf
the sun’ arrangement)? the re-emergence of old challenges in
About the Author
b) How much can you trust the service new guises. The message is twofold:
administrators, and how competent potential customers need to do their Kevin Sloan MEng M.Inst.ISP MIET is
are they? homework and select the right solution a principal consultant at Amethyst Risk
c) What controls are in place to manage for their requirements; and many of the Management, which delivers a range of
privileges and enable accounting of technology issues posed by cloud com- business and technical risk management
administrator actions? puting and virtualisation can be solved services that help organisations identify,
These are key points to research during by adapting traditional approaches so understand, reduce and manage risk. He
the procurement phase. Regardless of the that they work with the diffused nature has a background in electronics, micro-
business requirements, there should be of cloud architectures. processor applications, firmware, software,
some form of technical trust and privi- Assuming that industry delivers on the and data communications, and specialises
lege management in place. This issue is promise of cloud computing, there is no in Information Assurance (IA). Kevin has
accentuated in virtualised environments: reason to think that it is something that more than 28 years’ experience in the ICT
administrators will have the ability to should be avoided on security grounds. It industry with information and communica-
allocate storage and processing resources, is instead a significant opportunity for the tions security experience spanning the last 20
including the ability to remove barriers safe and secure computing of tomorrow. years. He is qualified by CESG to undertake
and cause data leakage between compart- An essential enabler will be the develop- IA activities for many UK government cus-
ments. It’s essential to provide a set of ment of a future standard against which tomers and has been a key player on several
rules for the segregation of duties among this model can be secured – an equivalent significant UK transformational government
administration domains: administrators to PCI DSS, and something that will and information-sharing projects. He also
should be limited in what they can do doubtless emerge out of the emerging has broad experience with commercial cli-
– eg, they may be limited to a group of work of the Cloud Security Alliance.2 ents in the UK and overseas.

The SCADA challenge: securing

critical infrastructure
Steve Gold
With Microsoft about to unleash Windows 7, the tiny number of companies still together, including the business
using legacy Windows 98 systems and software is almost certainly going to dwindle world, starts to falter.
still further. It may come as a surprise that there are organisations still using Windows This is why many utility companies
98 at all. In fact, this is generally limited to one sector – utilities. And paradoxically, the world over continue to use Windows
this obsolete operating system supports some highly critical operations. 98-driven IT systems that were devel-
oped for an embedded firmware envi-
It’s a seemingly incongruous fact that while Put simply, if their IT networks go ronment in the 1990s.
the OS, and the applications that run on it, down, we, as a country, are poten- Most of these systems were devel-
are now seriously outmoded, the gas, elec- tially in big trouble. Without power, oped for the Supervisory Control And
trical and water organisations using it are heating and water, the national Data Acquisition (SCADA) platform, a
regarded as a critical national infrastructure. infrastructure that holds all our lives computer control system at the heart of

18
Network Security August 2009
 FEATURE

many industrial automation and tech- In addition, the ISA Security Compliance meaning the OS cannot be patched or
nology systems. Institute (ISCI) has been working to for- updated as with a conventional compu-
First emerging in the 1960s and devel- malise SCADA security testing, which ter system. “This makes them vulnerable
oping fully when PCs arrived in earnest should bear fruit later this year. This means to a number of well-known hacker and
in the late 1980s, SCADA systems are that the utility industry will soon have a set malware toolkits, so the IT security sys-
normally found in industrial uses such of common benchmarks against which it tem protecting a SCADA-driven system
as energy power plants, electricity supply can measure its protection systems. has to be 100% proof against both mod-
grids, chemical plants and other industrial In parallel with these moves, the ern and old security threats.”
systems that require a high degree of com- SCADA industry has evolved a number Secure Computing has developed three
puterised control – but which also require of private testing companies such as sets of signatures (flavours) for its fire-
total and absolute systems availability. the Achilles certification program from wall technology:
Wurldtech Security Technologies and the 1. SCADA:ICCP: The Inter-Control
Hacker attack ‘Music’ certification from Mu Dynamics. Centre Communications Protocol
Plans call for a set of standards – defined (ICCP or IEC 60870-6/TASE.2) is
But defending SCADA systems – which by the ISCI’s ISA SP99 Working Group now being specified by utility firms
typically tend to be embedded operating 4 – to supersede these initial industry to support WAN-based exchanges of
system-driven environments – is a tricky consortia efforts, but this will probably not data between utility control centres,
task in these hacker and malware-infested happen much before the end of 2010. utilities, power pools, regional control
times. This is because many SCADA centres, and non-utility generators.
systems were developed in the early days Easy customisation 2. SCADA:MODBUS: Modbus is a
of computing, before viruses had hit the serial communications protocol for
headlines and long before the electronic According to Mike Smart, senior prod- use with SCADA-based programma-
threats we now face. uct marketing manager with Secure ble logic controllers, which Secure
In the US, most SCADA-driven sys- Computing, despite SCADA being a Computing says have become the
tems have had dial-up remote access/ highly specialised area of IT security, it is most common method of connecting
supervisory modem connections added a relatively easy task to customise exist- industrial electronic devices.
to them, meaning that – with authen- ing high-availability firewall technology 3. SCADA:DNP3.0: The DNP3.0
tication and encryption (eg, RADIUS) to protect the IT resource. (Distributed Network Protocol) is a
added to the usual ID/password mix – Smart’s company – now part of set of communications protocols used
they are well secured against any form the McAfee IT security group – has between components in process auto-
of hacker attack. In the UK and Europe, developed three signature file types for mation systems. Mainly used in electric-
however, remote access was added to SCADA-specific protocols into its Secure ity and water supply grids, the technol-
many SCADA systems – many of which Firewall offering, which was formerly ogy was developed to allow communi-
are coded for the Windows 98 platform known as Sidewinder. As a result, says cations between various types of data
– much later in the day, meaning that an Smart, Secure Computing is now able to acquisition and control equipment.
IP connection to a SCADA-based sys- offer its firewall technology to the utility
tem is much more commonplace. industries, as well as to chemical compa- An alternative approach
Because IP connections are so inte- nies that transport dangerous products,
gral to the internet, defending an allowing them to control their critical Check Point Software Technologies,
IP-connected SCADA environment, network components. meanwhile, has followed Secure
often connected to a Windows 98 plat- However, while Secure Computing’s Computing down the road of customis-
form, has become something of a black SCADA offerings are based on the firm’s ing existing commercial applications,
art. A number of IT vendors – including firewall technology, Smart admits it’s a although Dorit Dor, the company’s presi-
Byres Security, Check Point, Industrial long way from an off-the-shelf product. dent of products, says that it is important
Defender, Innominate, N-Dimension “It’s a highly customised technology,” to understand that SCADA is mainly
Solutions and Secure Computing – have he says, adding that the problem fac- used for automated environments where
developed a tightly focused range of ing IT managers tasked with protecting there are not many people involved.
specialised industrial firewall and VPN SCADA systems, is that they tend to be “The problem then becomes one of
solutions for IP-based SCADA networks. based on an embedded operating system, securing the occasional times when you

19
August 2009 Network Security
 FEATURE / EVENTS

want to access that system remotely. The “Many of the SCADA

question is, how do you open the system systems installed in industrial EVENTS
up to remote access without compromis-
ing the security?” says Dor.
applications, including the
critical energy distribution CALENDAR
According to Dor, while every com-
systems, were constructed
pany claims that its email and internet 17 - 21 August
between 15 and 20 years ago,
access is essential, maintaining uptime on SANS What Works in
most SCADA-based systems is genuinely
when the threat was more
physical than electronic” Virtualisation and Cloud
essential. Check Point’s approach with Security Summit
SCADA, she explains, has been to look at As well as the usual array of hacker Location: Washington DC, USA
the issue from two very specific angles. and malware-driven attacks, Nicholson
Website: http://tinyurl.com/lgakvb
“The first is, what commands are says there is also the problem of insider
going to traverse the gateway? Once threats, including the potential for
23 - 28 August
you know this, you can begin to pro- employees to make mistakes. “We’ve
GFIRST National Conference
tect those command streams,” she says, come across situations where an intern
Location: Atlanta, GA, USA
adding that the second approach is to is updating the anti-virus signatures on a
Website: http://www.us-cert.gov/GFIRST/
protect a single device that is remotely main IT system and somehow manages
accessible across the internet. “Here to get into the SCADA security side of
you’re talking about using VPNs, things. That can really mess things up 28 August - 4 September
encryption and authentication to ensure and lower the security until the problem SANS Virginia Beach
total and utter security,” says Dor. is discovered,” he says. Location: Virginia Beach, VA, USA
Dor says that most of the SCADA systems Because of these issues, Nicholson Website: http://tinyurl.com/kokxev
in use in the UK and US involve legacy IT, argues in favour of carefully customised
although around 10% of these systems each and installed IT security systems for 30 August - 4 September
year are being replaced with more modern – SCADA-based networks and says that, FOSAD 2009
and therefore IP-based – connections. even where a non-embedded operating Location: Bertinora, Italy
system is involved, securing a SCADA Website: http://www.ieee-security.org/
The US perspective platform can still be a headache. Calendar/cfps/cfp-FOSAD2009.html
Industrial Defender’s approach, he
In the US, Foxborough, Massachusetts- says, is to cover three main areas of secu- 31 August - 4 September
based specialist Industrial Defender is rity with SCADA: defend the electronic InSpec 2009
one of the major players in the SCADA security perimeter, protect the network, Location: Auckland, New Zealand
protection industry and has a number and protect the host environment. Website: http://sesar.dti.unimi.it/
of utility and government customers Interestingly, despite the fact that many InSPEC2009/
around the world, says the firm’s chief SCADA systems involve the use of legacy
marketing officer, Todd Nicholson. kit, Nicholson says they are still internally 15 - 17 September
Industrial Defender, he says, has more networked, typically using basic 10Mbps 5th International Conference
than 3,000 deployments of its SCADA technology. The problem with this older on IT Security Incident
IT security protection technology world- networked technology is that it tends to Management & IT Forensics
wide and its systems now protect around be a lot more delicate than modern net- Location: Stuttgart, Germany
25 per cent of the UK’s electricity power working systems, which means it can be Website: http://www.imf-conference.org
generation and grid systems. knocked offline very easily, even due to
“Many of the SCADA systems something as simple as the wrong con-
20 - 24 September
installed in industrial applications, figuration files being loaded.
COSAC 2009
including the critical energy distribution According to Nicholson: “The bottom
Location: County Kildare, Ireland
systems, were constructed between 15 line is that you simply cannot tinker
Website: http://www.cosac.net/
and 20 years ago, when the threat was with such systems as you would with a
more physical than electronic,” he says. modern network.”
As a result, he explains, many of the con- 21 - 22 September
About the author Gartner Information Security
trol systems are ‘air-gapped’, meaning that
they never originally had any form of com- Steve Gold has been a business journalist Summit
munications contact with the outside world. and tech writer for 24 years, specialising Location: London, UK
Today, however, many of these older systems in ICT, business matters, the internet and Website: http://www.gartner.com/it/page.
are starting to be connected to the internet, communications for most of that time. He jsp?id=787512
leap-frogging the dial-up modem phase, and is widely regarded as an authority on com-
this is where security risks enter the frame. munications and IT security.

20
Network Security August 2009