The VIKING project held its final dissemination workshop late last year, the day before the start of the SANS SCADA conference in Rome. VIKING stands for Vital Infrastructure, Networks, Information and Control Systems Management. That doesn’t tell the story of what the project is all about, but it shows you can always come up with a memorable acronym if you try hard enough!
VIKING is an EU-funded private/public project whose objectives are stated on its site. The objectives are stated in a very business-like way which doesn’t really do justice to the way that the project has been run. Let’s just take one of the objectives: “To investigate the vulnerability of SCADA systems and the cost of cyber attacks on society.” This objective could have been achieved by writing a dry report running into hundreds of pages but instead (or maybe as well as that) they’ve created a very accessible video which sums this all up. The video is a shade over five minutes long. The best thing about this video is that you don’t need to be a cyber security expert to understand what’s going on or the significance. You could show this to a high-level executive or even your grandmother and they would both understand the significance.
The video sums up in five minutes what many commentators in this field have struggled to get across in presentations that last for hours. It presents a realistic scenario where everyday software (social media) and a lack of proper control and training can expose a control system to attack. The real beauty of this story is the next part, where the video goes on to show how the attack could be made and the effects it would have. In this case the system under attack controls a power transmission grid and the attacker uses the operator interface to close down parts of the grid. The immediate consequence is a collapse of the grid, meaning that everyone on that grid loses power. In many countries, grid equals country! Finally the video describes the difficult process of re-energizing the grid and an analysis of the impact on society, expressed as millions of euros.
For a security professional it would be easy to look at the video, point at the specifics of the attack and say it could easily be prevented. You could argue that the control system should not be connected to external networks like the company intranet or that the operator should not have access to the Internet via the intranet. In some cases control systems are truly ‘air gapped’ from all other networks, but this is becoming increasingly rare. Control systems are becoming much more integrated with business systems so that the business can have up-to-date information about the status of the process where the money is actually made.
Criticizing the operator for using social media from a control system workstation is more legitimate. And does the operator really need Internet access to do his job? Maybe he does, but he shouldn’t be accessing social media sites, however boring it is on the night shift. That doesn’t mean it’s entirely the operator’s fault though. If he really does need Internet access, he should have been trained about using it in a work setting. If he doesn’t need access he should know, again from training, that he should report the fact that the Internet is accessible if he discovers that by accident.
To focus on the details of the particular attack in the video misses the point though. A number of other attack scenarios could have been selected with the same end result. Without a proper cyber security program involving technology, training and procedures, the door will always be open. So send the link to anyone in your organization who needs to quickly gain an understanding of the nature and seriousness of the threats faced by control systems worldwide. The higher the better – you can bet that the person explaining a blackout to a TV news team will be closer to the CEO than the operator in the video!