D. Leversage and E.J. Byres, “Comparing Electronic Battlefields: Using Mean Time-to-Compromise as a Comparative Security Metric,” Communications in Computer and Information Science - Computer Network Security, Proceedings of the Fourth International Conference on Mathematical Methods, Models and Architectures for Computer Network Security, St. Petersburg, Russia, Springer, 2007, pp. 213-227.
Abstract: The ability to efficiently compare differing security solutions for effectiveness is often considered lacking from a management perspective. To address this, we propose a methodology for estimating the mean time-to-compromise (MTTC) of a target device or network as a comparative metric.
A topological map of the target system is divided into attack zones, allowing each zone to be described with its own state-space model (SSM). We then employ an SSM based on models used in the biological sciences to predict animal behavior in the context of predator-prey relationships. Markov chains identify the predominant attacker strategies, which are used to build the MTTC intervals that can be compared across a broad range of mitigating actions. This allows security architects and managers to intelligently select the most effective solution, based on the lowest cost/MTTC ratio that still exceeds a benchmark level.
This paper is © Springer-Verlag Berlin Heidelberg 2007, http://www.springerlink.com/content/v24668k109447828
OPC Security Whitepaper #3 - Hardening Guidelines for OPC Hosts
Abstract: In this third whitepaper of the OPC Security Series, we outline how a server or workstation running OPC can be secured in a simple and effective manner.
Typically this “hardening” must be conducted in several stages. First, the operating system (typically Windows) needs to be “locked down” in a manner that makes it less susceptible to common O/S-based attacks. Next, the specific OPC components must be hardened using the OPC and DCOM configuration tools found in Windows. Unfortunately, completing this stage successfully is more complex; our testing indicated that a number of OPC applications do not properly follow the DCOM specifications for Windows software.
Next, the system needs to be tested to ensure these changes still allow all OPC applications to function correctly. Since we found a number of cases where OPC vendors were not respecting DCOM security settings and requirements, this testing is critical before any security settings are deployed on live production systems. Lastly, verification of the fortifying effort is required to ensure no serious security holes have been left open.
These stages are expanded upon in a detailed Action Plan for Hardening OPC Hosts within this report. Specific examples are also provided for each task. In all, we believe that by following these guidelines, the typical controls technician will be able to create a more secure and robust OPC deployment on their plant floor, and OPC can continue to grow as a valuable solution in industrial data communications.
OPC Security Whitepaper #2 - OPC Exposed
Abstract: In this second whitepaper of the OPC Security Series, we describe the vulnerabilities typically found in OPC hosts, based on OPC’s current architecture and the typical underlying operating system. We also investigate common misconfiguration vulnerabilities found in OPC server or client computers both at the operating system and OPC application level. Finally, using these vulnerabilities we propose four possible risk scenarios for OPC-based attacks.
This sample of scenarios suggests several interesting conclusions. First, they highlight the fact that attacking OPC deployments does not require special skills or esoteric process controls knowledge. All the tools and information needed to carry out attacks can be downloaded from the Internet.
The second conclusion is that two core vulnerabilities, namely excessively open firewalls and overly permissive DCOM access rights, lie at the heart of many scenarios. If either vulnerability is addressed, then the chance of these scenarios occurring is significantly reduced. What is especially interesting is that these vulnerabilities could be considered within the control of the knowledgeable OPC end user. Finally, since the typical OPC host configuration is strongly influenced by the guidance provided by the software vendor, we discuss the quality of the installation utilities and guidance provided to end users by the OPC vendor community. In general, we find that the guidance from vendors on OPC security could be significantly improved.
The good news is that there are well-proven operating system hardening practices in the IT security community which we believe can be adopted by the controls community to significantly reduce these risks. In addition, there are a number of DCOM-specific security settings that can also be applied by the knowledgeable end user. We will discuss these solutions in our final report in this series, OPC Security Whitepaper #3 – Hardening Guidelines for OPC Hosts, which is scheduled to be released June 12th.
OPC Security Whitepaper #1 - Understanding OPC and How it is Deployed
Abstract: This whitepaper is the first in a series on the security of OPC (OLE for Process Control) and focuses on providing an overview of this widely-used industrial communication standard and how it is actually used in industry. Based on the results of end-user surveys and interviews, it shows that the way OPC is being used may be putting the operations of major industries at risk. Companies are using it for mission-critical applications, operating it over potentially insecure networks, and do not understand how to secure it properly.
Over a quarter of the end users surveyed reported that loss of OPC communications would result in a shutdown of their company’s production. While a few users remarked that they had deliberately structured their systems to minimize any safety and operational effects should loss of OPC-based information occur, others stated the opposite: “We control the motor drives by OPC with the DCS. If we lose the OPC we stop the production!”
The other bad news is that approximately 20% of the companies reported deploying OPC over site business networks and corporate intranets, and 12% used OPC over the Internet, most without encryption. Since these networks are often connected to the Internet, they are inherently less secure than the control networks found on the plant floor. The use of OPC over non-control-system networks leads to the distinct possibility of DCOM-based attacks disrupting critical operations.
Whitepaper #2 outlines the risks and vulnerabilities incurred in deploying OPC in a control environment. Whitepaper #3, to be released June 12th, summarizes current good practices for securing OPC applications running on Windows-based hosts. All three papers are intended to be read and understood by IT administrators and control systems engineers/technicians rather than OPC programming or security experts.
E.J. Byres, D. Hoffman and N. Kube; “On Shaky Ground - A Study of Security Vulnerabilities in Control Protocols”, 5th American Nuclear Society International Topical Meeting on Nuclear Plant Instrumentation, Controls, and Human Machine Interface Technology, American Nuclear Society, Albuquerque, NM, November 2006
Abstract: The recent introduction of information technologies such as Ethernet® into nuclear industry control devices has resulted in significantly less isolation from the outside world. This raises the question of whether these systems could be attacked by malware, network hackers or professional criminals to cause disruption to critical operations in a manner similar to the impacts now felt in the business world.
To help answer this question, a study was undertaken to test a representative control protocol to determine whether it had vulnerabilities that could be exploited. A framework was created in which a tester could express a large number of test cases in a very compact formal language. This, in turn, allowed for the economical automation of both the generation of selectively malformed protocol traffic and the measurement of the device under test’s (DUT) behavior in response to this traffic.
Approximately 4000 protocol conformance tests were run against two major brands of industrial controller. More than 60 errors were discovered, the majority of which were in the form of incorrect error responses to malformed traffic. Several malformed packets, however, caused the device to respond or communicate in inappropriate ways. These would be relatively simple for an attacker to inject into a system and could result in the plant operator completely losing view or control of the control device. Based on this relatively small set of devices, we believe that the nuclear industry urgently needs to adopt better security robustness testing of control devices as standard practice.