Yes sir.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geoff Shively
Sent: Friday, August 15, 2003 4:25 PM
To: [EMAIL PROTECTED]
Cc: Andre Ludwig
Subject: [SOCALWUG] Power outages related to DCOM Worm, WiFi accessible?

Power outages related to DCOM Worm, are SCADA and DCS WiFi Accessible?

Some have said that they are accessible via WiFi and a potential attacker could break protection mechanisms thus gaining access to control and acquired data. Is there any truth to this, any SCADA, DCS, or HMI experts on the list?

Furthermore, there has been a lot of talk on bugtraq, full disclosure, and dshield about the latest American power crisis being caused by malicious computer activities or worm.

A bit of background on the systems that control power facilities. Distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems are the key elements of facility control. remote terminal units "RTU". SCADA runs under Win2000 / XP and the telemetry to the RTU is accessible via the Internet.

SCADA (Supervisory Control And Data Acquisition) and DCS (Distributed Control Systems) are highly vulnerable to attack. An attacker could very well penetrate these systems to make changes or implement simple scripts to cause a legitimate operator to make unnecessary changes to a large scale power grid. These changes could result in massive failure causing an international power crisis.

Be it from a worm or home grown hack, these latest power failures were unlikely to have been caused by a physical failure that would have surfaced by now. Power failures from the years past have brought about legislation and system changes that deal with most large scale issues as they arise to mitigate risk of large scale failure; whatever happened this time was a new problem the industry was not prepared for.

We know that SCADA and DCS systems are supplied by one of 5 major vendors and these systems are advertised on the vendors' websites to run Microsoft Windows versions 95, 2000 and NT. Also advertised is DCOM and RPC support within these systems. RPC/DCOM recently became famous as the Lovsan/Blaster worm exploited this protocol to spread across the internet.

With this said it is likely that an infected system infected a SCADA or DCS, and could be why we are seeing large scale outages across the country. This is not a Microsoft problem as many would like to say, though it is a problem with patch management.

Below is documentation on the problem, the first one sums up the problem nicely (DCOM and SCADA white papers):

http://www.automationtechies.com/sitepages/pid641.php
http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/view/
http://www.scada-system.com/scada-software-windows.htm
http://www.data-acquisition-software.com/index.htm

Cheers,

Geoff Shively, CHO
PivX Solutions, LLC
Are You Secure?
http://www.pivx.com
