informa
News

SCADA 'Sandbox' Tests Real-World Impact Of Cyberattacks On Critical Infrastructure

New testbeds would help operators test software patches as well
SAN FRANCISCO -- RSA CONFERENCE 2013 – The oil and gas industry now has at its disposal a SCADA security test laboratory for testing just how their environments would hold up -- or not -- to today's attacks. The so-called Industrial Control System (ICS) Sandbox, based in Montreal, aims to simulate real-world effects of attacks on critical infrastructure to help power plants and other operators better lock down their environments.

Representatives from academia, the power industry, and security vendor world have teamed up to offer the testbed environment to critical infrastructure operators in the U.S. and Canada, as well as Brazil, where a similar testbed is now under construction. The testbeds ultimately will be expanded to support other sectors of critical infrastructure.

"It's not only about how this machine got hacked and why it's not now available. It's what's the impact of that in the real world: Do I still get pressure? Do I still get electricity to these homes?" says Jose Fernandez, assistant professor of computer and software engineering at Ecole Polytechnique in Montreal, where the ICS Sandbox is located. "What happens in the real world [in an attack] is one of the gaps ... that is what we are trying to bridge with the test labs."

The ICS Sandbox, which was funded by Natural Sciences and Engineering Research Council of Canada (NSERC), went operational last year and includes some 100 machines, including servers, workstations, PLCs, sensors, electrical simulators, and commercial SCADA software. The testbed currently provides two training courses and will be expanded to support real-life test scenarios for operators who use it.

Canada's national energy infrastructure agency is building a prototype of the ICS Sandbox, and the Brazilian government is funding its own ICS Sandbox, as well, modeled after the Canadian one.

Fernandez says the ICS Sandbox blends IT and SCADA systems with malware and attacks, and simulates the physics of that combination on the power grid systems. "If [malware ultimately] cut this switch voltage on that particular sensor, it's going to change by this much .... now 10,000 of your customers are out of electricity: That's your impact."

The researchers behind the testbed say it's not Stuxnet that worries most critical infrastructure operators, but rather the everyday malware and bot infections that regularly threaten and infect SCADA systems, and just what impact that malware would have on power generation, for example. And the rollout of smart grid technology could exacerbate those risks, they say.

"The vast majority [of cyberthreats] in operational environments is just malware ... but in a very sensitive environment. A spam bot may cause a lot of collateral damage," for example, even though it wasn't meant to take down a system, says Tiago Alves de Jesus, a researcher with Carlton University's infrastructure resilience research group. "When the bot tries to send spam or send traffic, it may cause infrastructure problems."

But unlike in a traditional IT environment where you can just clean it up, patch, and reboot, SCADA environments can't recover that way, he says.

The ICS Sandbox can also be used to test out patches to SCADA products, its developers say.

Patching is a major conundrum in the SCADA space. Overall, only about 10 to 20 percent of organizations today actually install patches that their SCADA vendors are releasing, mainly because utilities and ICS organizations face risks of power shutdowns if a newly patched system goes awry.

[Industrial control systems vendors are starting to patch security bugs, but actually installing the fixes can invite more trouble. See The SCADA Patch Problem.]

Doug Powell, manager of SMI security, privacy, and safety for Canadian utility company BC Hydro, says operators need to see what their threat environments really look like. He says his company has its own internal test labs and hopes to share its data with the ICS Sandbox project.

"Ultimately, we're talking about risk management," says Powell, who spoke on a panel with Fernandez, Alves de Jesus, and representatives from security vendors TISafe and Modulo, who are involved with the ICS Sandbox project. "That's really a compliance discussion. Are we meeting compliance?"

Marcelo Branquinho, executive director for TiSafe, and Sergio Thompson-Flores from Modulo, say their firms have collaborated on a GRC tool for the SCADA world. "Energy companies in Brazil are implementing it. It's a tool that's managing risk and compliance in a SCADA environment," Branquinho says.

"What keeps us up at night is we haven't caught up in security in SCADA systems today," Ecole Polytechnique's Fernandez says. And with smarter infrastructure and increasing threats, "things are going to get worse," he says.

It's not all about Stuxnet, but the cyberweapon indeed was a turning point for SCADA operators. "Stuxnet taught us that there's a new player out there with new capabilities, new intentions. It taught us that there's malware out in the world that can be adapted, and it doesn't take a nation-state to adapt malware," BC Hydro's Powell says. "It tells us where we have to stand, what we have to worry about and to do. As an operator, I want the capability to detect a threat actor, know what doors I've left open, and what [threat] vectors are built into the system."

RSA Conference 2013
Click here for more articles.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading: