Do We Know Enough About Cyber Warfare?

Can Any Level of Security Detect a Backdoor Approach to a PLC Program, or to a SCADA Screen Control Program?

By Jeremy Pollard

As reported by ControlGlobal.com and other media outlets, Stuxnet apparently was written by the U.S. government with assistance from a branch of the Israeli government.

What about other potentially harmful cyber warfare code that has yet to be written? Cyber warfare can and will inflict physical damage on the targeted process, but the target doesn't have to be big. So now factory-floor automation devices are recognized as targets too.

We should be fearful. To be clear, I have no proof of anything, and I am not suggesting that anything covert actually is happening.

I do PLC/SCADA and DAQ work for some local townships around where I live. The control code and alarming cover the major areas of chlorination, and alert operators when certain activities are out of bounds. I have exclusive remote access to all systems from my office, as do some of the operators, using a Route1 MobiKEY (for security).

Not that I ever would, but I could affect the water quality of these townships by making changes to control the chlorine set point remotely.

The newest pump station was programmed by a third party that uses foreign control-software programmers. You might have heard that the U.S. Air Force cancelled an order for 7,000 iPads because part of the kernel was written by a company in Russia. Security was the issue.

So imagine if someone wanted to do something unimaginable to our little hamlets. It certainly could happen.

My first thought about Stuxnet was that it targeted known code. And in a way it did. So what if, just what if, a company wrote PLC and/or SCADA code that had a back door? Remote access is a hot topic right now. But can any level of security detect a backdoor approach to a PLC program, or to a SCADA screen control program?

Offshoring has been part of the programming biz for a while now. Is every line of code checked? Is it certain that no extraneous code exists? How about a SCADA script that seems innocuous, but really is a "bot"? I bet we wouldn't know.

This would put a local system, regardless of size, in the hands of foreign entities. I don't think the rewards for doing that would be big enough, but if we as a society fall for the line "We have received a message from your computer, and you have a major problem with it," why think we wouldn't fall for the most likely scenario in any control system: a blinking window that tells us all systems are go? Ignore the smoke on the horizon; it doesn't mean anything.

Cyber warfare comes in various forms. Physical damage is one thing, but financial damage is another. Just look at what the U.S. financial system has done to Europe. Greece has legal proceedings underway against Goldman Sachs.

We've been talking and writing about web-enabled devices, and remote access to plants using iPads, iPhones, BlackBerries and other devices. Are we really so confident that our levels of security and checks and balances are good enough to let us think it's OK to do this?

ControlGlobal.com blogger Joe Weiss wrote about a water SCADA system hack. The IP address of the attacker was traced back to Russia. There was physical damage, and logon credentials were stolen. Who is to say that part of the infiltration wasn't done from the inside? Maybe I wrote the code and sold the backdoor key to my buddy Vladimir.

We can't rely on systems we haven't actually verified. We need to be sure of what we do, and deliberate about it. We need checks and balances in place that monitor all activity, so that it wouldn't matter if I put a back door in: every remote change would still be logged, bounded and questioned.

So why would a water utility's IT group even allow a Russian IP (guess they weren't smart enough to proxy it) to connect to their system? And, not that it means anything, but the foreign programmers for the newest pump house were Russian. Hmmm.
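The "checks and balances to monitor all activity" the column calls for, and the question of why a foreign address was allowed to connect at all, can both be expressed as a plain audit of the remote setpoint-change trail: every change is checked against an allowlisted source range, a list of named accounts, and the physical bounds the process can tolerate. The Python below is an added example, not code from the author, from Route1, or from any utility; the operator VPN range, account names, chlorine limits and the four log lines are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

# All of the following are assumptions for illustration, not values from any real site.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]    # assumed operator/integrator VPN range
AUTHORIZED_USERS = {"integrator", "operator1", "operator2"}  # assumed named accounts (no shared logins)
SETPOINT_LIMITS = {"CL2_SP": (0.5, 2.0)}   # assumed free-chlorine setpoint bounds, mg/L
MAX_STEP = {"CL2_SP": 0.5}                 # assumed largest acceptable single change, mg/L

# Constructed audit trail of remote setpoint changes:
# timestamp|source_ip|user|tag|old_value|new_value
SAMPLE_LOG = """\
2012-05-01T08:00:01|10.20.0.15|operator1|CL2_SP|1.20|1.30
2012-05-01T08:05:44|10.20.0.15|operator1|CL2_SP|1.30|1.25
2012-05-01T23:17:09|203.0.113.7|operator1|CL2_SP|1.25|4.00
2012-05-02T02:40:12|10.20.0.99|svc_update|CL2_SP|4.00|1.20
"""


@dataclass
class Change:
    timestamp: str
    source: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
    user: str
    tag: str
    old: float
    new: float


def parse_log(text: str) -> List[Change]:
    """Parse the pipe-delimited trail into Change records, skipping blank lines."""
    changes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, tag, old, new = line.split("|")
        changes.append(Change(ts, ipaddress.ip_address(src), user, tag, float(old), float(new)))
    return changes


def check_change(c: Change) -> List[str]:
    """Return the list of rule violations for one change (empty list means it passed)."""
    reasons = []
    # Rule 1: the connection must come from a source we deliberately allowed.
    if not any(c.source in net for net in ALLOWED_SOURCES):
        reasons.append("source_not_allowlisted")
    # Rule 2: the account must be one we issued to a known person.
    if c.user not in AUTHORIZED_USERS:
        reasons.append("user_not_authorized")
    # Rule 3: the new value must stay inside the process limits for that tag.
    lo, hi = SETPOINT_LIMITS.get(c.tag, (float("-inf"), float("inf")))
    if not lo <= c.new <= hi:
        reasons.append("setpoint_out_of_range")
    # Rule 4: a single change must not jump further than the tag's step limit.
    if abs(c.new - c.old) > MAX_STEP.get(c.tag, float("inf")):
        reasons.append("step_too_large")
    return reasons


def audit(text: str) -> List[Tuple[int, List[str]]]:
    """Audit a whole trail; return (entry_number, reasons) for every entry that broke a rule."""
    flagged = []
    for n, change in enumerate(parse_log(text), start=1):
        reasons = check_change(change)
        if reasons:
            flagged.append((n, reasons))
    return flagged


if __name__ == "__main__":
    for n, reasons in audit(SAMPLE_LOG):
        print(f"entry {n}: {', '.join(reasons)}")
```

Run against the constructed trail, the two daytime changes from the VPN range pass, the late-night change from the non-allowlisted address is flagged on three counts (source, range and step size), and the "correction" back to a sane value is flagged because it came from an unissued service account and was itself a large jump. The point is that none of these rules depend on knowing whether the code has a back door; they only require that every remote change be logged with its source and checked against limits set by the people who own the process.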

Thanks to Control Editor in Chief Walt Boyes for his input on this.