Homeland Security discovers SCADA vulnerabilities.

Sep 27, 2007

SCADA (Supervisory Control and Data Acquisition) protocols connect computers to various pieces of machinery, such as automatic valves in water treatment plants, lathes and drills in automated machine shops, and other semi-autonomous hardware, so that a plant can run the way big plants do in the movies. The idea is that you can remotely control various functions of the equipment so that you don't need an engineer on site all the time; things can be run remotely from a computer terminal. There's just one problem: most SCADA protocols weren't meant to run across the public Net. They were originally intended to be used on isolated data networks, say, in oil refineries or sewage treatment plants. They don't do much in the way of authentication (most anyone who can reach the appropriate network segment can inject a command), there's no encryption, and often there's no way of filtering commands based on their address of origin (if an automatic flamethrower is at IP address 1.1.1.1 and the designated controller is at address 1.1.1.2, a cracker at IP address 1.2.3.4 could probably transmit a command to the flamethrower and turn it on).
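As an added example (not part of the original post), here is the kind of source-address check a defender has to put in front of a field device, since the protocol itself won't do it: it parses constructed log lines of commands and flags anything not sent by the designated controller, using the post's addresses. The log format, the 1.1.1.0/24 plant segment and the device-to-controller mapping are assumptions made for the example.

```python
import ipaddress

# Constructed assumptions for this example: the plant's control segment and
# the one designated controller per field device (addresses from the post).
PLANT_SEGMENT = ipaddress.ip_network("1.1.1.0/24")
DESIGNATED_CONTROLLER = {"1.1.1.1": "1.1.1.2"}  # flamethrower -> controller

# Constructed sample log lines in a made-up "src dst command" format.
SAMPLE_LOG = """\
1.1.1.2 1.1.1.1 SET_PHASE 0
1.2.3.4 1.1.1.1 IGNITE
1.1.1.7 1.1.1.1 IGNITE
1.1.1.2 1.1.1.9 STOP
"""

def parse_line(line):
    """Split one log line into (src, dst, command); returns None for blanks."""
    parts = line.split(None, 2)
    if len(parts) < 3:
        return None
    return parts[0], parts[1], parts[2]

def check_command(src, dst, cmd):
    """Return a finding string, or None when the command comes from the designated controller."""
    controller = DESIGNATED_CONTROLLER.get(dst)
    if controller is None:
        return "%s: command %r to unregistered device from %s" % (dst, cmd, src)
    if ipaddress.ip_address(src) not in PLANT_SEGMENT:
        return "%s: command %r from outside the control segment (%s)" % (dst, cmd, src)
    if src != controller:
        return "%s: command %r from non-controller %s" % (dst, cmd, src)
    return None

def audit(log_text):
    """Run every line through the allowlist and return the list of findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = check_command(*rec)
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print("ALERT", f)
```

Only the first sample line passes; the other three are reported, in order, as an outside source, a non-controller host on the segment, and a command to a device nobody registered.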

During a recent test, the Department of Homeland Security was able to coax a generator into flaming out during an experiment called AURORA, which was recently declassified. What they probably did was set up a small SCADA network and inject bad commands into it. The embedded controller in the generator, which probably doesn't have much in the way of error checking (like a lot of embedded systems, actually), accepted the commands and happily wrecked the generator by changing the phase at which it ran. O. Sami Saydjari of the US government think tank Professionals for Cyber Defense was quoted as saying that a sufficiently wicked organization with a couple of million US dollars and a few years could wreak havoc this way. I hate to inform him, but all it would really take is someone with enough time on their hands to search for SCADA systems on the Internet and a bit of Perl knowledge to do the same thing. As if that's not enough, this is certainly not the first time that a power generation system of any kind has been compromised.

If you've heard this rap before, it's because I've mentioned it once or twice, most recently in connection with a presentation on SCADA fuzzing by Ganesh Devarajan at the LayerOne conference earlier in 2007.