Ralph Langner, one of the bright lights in the European SCADA Security community, attended the CCC annual meeting in Berlin right before the new year. There was a Hacking SCADA presentation.
Begin Ralph’s Report
The Chaos Computer Club’s annual meeting is the place to go when looking for black hat hackers, at least from their European Chapter. A presentation titled “Hacking SCADA. How to own critical infrastructure” for this audience would certainly give an impression about the black hats’ state of the art, so I reasoned. The presentation was done by two fellows from Italy, Raoul “Nobody” Chiesa and “Mayhem” Alessio Pennasilico. More than the cool nicknames indicated that the presenters put some effort into being recognized as members of the hacker community.
Most of the one-hour presentation consisted of stuff that all of us learned in elementary school. Exhibit D was a reference to “The Register” about trusty old Vitek (where would our profession be without him). The audience was also educated about the Siberian gas pipeline explosion, Davis-Besse, etc. pp. All these nice references flipped by, topped with AIC vs. CIA, raising so many memories. Now one of the two occasions when the presentation went about hitting its subject (“Hacking SCADA”) was a short video by Eric Byres, showing Eric explain how a hacker would go about manipulating a Modicon PLC by searching the required information on the Internet. The second (and last) time that the presenters briefly touched the subject of their presentation was a reference to a “case study” they had done in a small Italian manufacturing company, where they managed to DoS what appeared to be an Allen-Bradley CompactLogix L32E. All in all, the little technical detail that could remotely be associated with “hacking” boiled down to less than ten minutes, with half of it consisting of Eric’s video, and the other half of an occasional blind-shot DoS of one specific PLC that doesn’t have much of a record in critical infrastructure.
So how does all this relate to “owning critical infrastructure”, one might reasonably ask. Here’s how. You need to drink enough Italian grappa, which the presenters passed along generously before and after the presentation, and which they enjoyed themselves throughout the presentation (no kidding). If you try hard enough, you might end up in some kind of Die Hard 4.0 fantasy with yourself as the hacker mastermind. After all, if you managed to DoS one lousy compact PLC -- sorry, Rockwell --, you might as well control the power grid and water utilities, which may appear to be all the same under the influence. But even if you don’t, you still have a chance of convincing some asset owner to hire you as a security consultant. This was what made up the final fifteen or so minutes of the presentation when the audience was introduced to the presenters’ “Cristal project”.
Now here’s the good news: Asset owners, you don’t need to worry about hackers. When they talk about “owning critical infrastructure”, they’re just sharing their wildest dreams. In reality, they have nothing in their hands. Zero. Nada. Niente. It will take several more years until the hacker community has learned to master various flavours of PLCs with their different protocols and vulnerabilities. It will take further years until they get to things like OPC and furnish advanced attack methods against it. And by the time they come up with decent exploits for the various SCADA applications that we use today, most CxOs will already be retired. We have heard over and over again that the IT folks aren’t particularly good at securing SCADA environments. Guess what, they aren’t good at attacking them either. However, our hackers do think nobody will notice because the stuff is all so complex. That’s what I call “insecurity by obscurity”.
End Ralph’s Report
Interesting report. Thanks Ralph. I’m not as optimistic that the hacker community will progress as slowly as Ralph predicts.