Re: Risk/Threat Assessments for Utility specific software/hardware

From: marjan.rajabi@farmersinsurance.com
Date: 01/23/03

  • Next message: Douglas E Baldwin: "Password storage - Reversible encryption in AD." 
    To: dbarn064@earthlink.net, pen-test@securityfocus.com
From: marjan.rajabi@farmersinsurance.com
Date: Thu, 23 Jan 2003 09:51:29 -0800

    David,

    Most water and electric utilities use SCADA systems, ie. Supervisory
    Control and Data Acquisition systems. These systems monitor and control
    Utility equipment such as transformers, circuit breakers, valves, etc...
    The SCADA application is a software package that is positioned on top of
    hardware to which it is interfaced, in general via process controllers,
    e.g. Programmable Logic Controllers (PLCs), or other commercial hardware
    modules. SCADA systems used to run on DOS, VMS and UNIX; in recent years
    many SCADA vendors have moved to NT and some also to Linux.
                                                                                               
     There are 2 parts in a SCADA system: the "client component" which caters for the man
     machine interaction (MMI) and the "data server component" which handles most of the
     process data control activities. The data servers communicate with devices in the field
     through PLCs, which are connected to the data servers either directly or via networks or
     fieldbuses that are proprietary (e.g. Siemens H1), or non-proprietary (e.g. Profibus).
     Data servers are connected to each other and to client stations via an Ethernet LAN. The
     data servers and client stations are NT platforms but for many products the client
     stations may also be W95/2000/... machines.
                                                                                               

    Here are some sources of information:
    http://www.computerworld.com/softwaretopics/software/resources/0,11188,KEY4_RLI1263,00.html
    http://atlas.web.cern.ch/Atlas/GROUPS/DAQTRIG/DCS/PRESENTATIONS/DCSWKS2000/salter.pdf
    http://ref.cern.ch/CERN/CNL/2000/003/scada/
    http://www.engineeringtalk.com/news/bjs/bjs100.html

    You may also want to do a Google search for the following terms: SCADA,
    EMS (Energy Management System), Utility Automation. Professional
    organizations whose websites you may want to search are IEEE and T&D
    (Transmission & Distribution).

    I hope this helps.

    Regards,

    Marjan Rajabi, CISSP

                                                                                                                
                          David Barnett
                          <dbarn064@earthli To: pen-test@securityfocus.com
                          nk.net> cc:
                                                   Subject: Risk/Threat Assessments for Utility specific
                          01/17/2003 02:12 software/hardware
                          PM
                                                                                                                
                                                                                                                

    A company I am consulting with does Water and Energy consulting work. I
    have built up a good relationship with them during my security assessment
    consultations. They are now trying to bid on Government work concerning the
    safety of Utility Companies. I was asked about my knowledge of vertical
    software such as Embedded OSes and their Utility software applications.
    Does anyone have any experience in this area, or can point me to any such
    information.

    Many thanks,

    David Barnett

    ----------------------------------------------------------------------------

    This list is provided by the SecurityFocus Security Intelligence Alert
    (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/

    **Disclaimer**
    This Memo and any attachments, may be confidential and legally privileged.
    If you are not the intended recipient and have received this in error,
    kindly destroy this message and notify the sender. Thank you for your
    assistance.

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/

    Relevant Pages

    • Re: Great Blackout of 2003 Caused by MSBlast Computer Worm?
      ... Control and SCADA systems providers have not shown much ... having washed their hands of the security and stability functions ... This attitude among major manufactures of FA and SCADA systems has in the ... The only answer is for both vendor and client to take joint responsibility. ...
      (comp.security.misc)
    • [NEWS] HelixPlayer Based Players Format String
      ... Get your security news from a reliable source. ... media player for Linux, Solaris (versions for other operating systems are ... between 0x0822** - 0x082f** and with control of one pointer at a time ... $ An open security advisory #13 - RealPlayer and Helix Player Remote ...
      (Securiteam)
    • Re: why microsoft choose mfc rather than wtl?
      ... to lower security settings, etc. ... For a client to get ... the particular AX control is never accessed, shown, or downloaded. ... unethical to deliver an automobile to customers because it is possible ...
      (microsoft.public.vc.mfc)
    • Re: Linux security
      ... that is in Windows NT-based systems out of the box. ... Why do you want that fine level of control? ... level of control over security?" ... a file system is a different beast altogether. ...
      (Ubuntu)
    • Re: Homeland security suggests Real ID (and now it gets worse!)
      ... Torture Bracelet To Control Dissenting Americans? ... Homeland Security, weapons company express desire to use "Security Bracelet" in law enforcement, crowd control ... Why the terrorists wouldn't just remove the bracelet as soon as they boarded the plane isn't explained, but the perceived fallibility of the device isn't the issue - the heart of the matter is the fact that the Department of Homeland Security has publicly expressed an interest and is seeking funding to utilize the device against the "criminal element". ...
      (alt.support.chronic-pain)