Techno Security's Guide to Securing SCADA
By Jack Wiles, Ted Claypoole, Phil Drake, Paul A. Henry, Lester J. "Chip" Johnson Jr., Sean Lowther, Greg Miles, Marc Weber Tobias, James H. Windle
Syngress. Copyright © 2007 Elsevier, Inc.
All rights reserved.
Chapter One: Physical Security: SCADA and the Critical Infrastructure's Biggest Vulnerability
Jack Wiles (PPS, IAM, IEM) is a security professional with over 30 years' experience in security-related fields, including computer security, disaster recovery and physical security. He is a professional member of the National Speakers Association and has trained federal agents, corporate attorneys and internal auditors on a number of computer crime related topics. He is a pioneer in presenting on a number of subjects that are now being labeled 'Homeland Security' topics. Well over 10,000 people have attended one or more of his presentations since 1988. Jack is also a co-founder and President of TheTrainingCo., producers of the annual Techno Security Conferences and the popular Techno Forensics conferences. He is in frequent contact with members of many state and local law enforcement agencies as well as Special Agents with the U.S. Secret Service, FBI, U.S. Customs, the Department of Justice, the Department of Defense and numerous members of high-tech crime units. He was also appointed the first President of the North Carolina InfraGard chapter, which is now one of the largest chapters in the country. He is also a founding member and 'official' MC of the U.S. Secret Service South Carolina Electronic Crimes Task Force.
Jack is also a Vietnam veteran who served with the 101st Airborne Division in 1967–68. He recently retired from the U.S. Army Reserves as a lieutenant colonel and was assigned directly to the Pentagon for the final seven years of his career. In his spare time, he has been a senior contributing editor for several local, national and international magazines.
Please don't let my opening chapter's title make you think that I'm starting this book off in a negative light. Believe me, I'm not. There are many positive things we can all do to help secure our most critical applications and resources. Some of the things I will discuss in this chapter have been on my mind since the mid '70s. I believe it's time that I put them in writing, and present my thoughts on what I believe could be the biggest potential hole in any security plan: Physical Security!
This chapter (as well as the rest of the book) isn't meant to be read as a complete story from beginning to end. I'm writing it as a collection of experiences and learned lessons from 30-plus years of working in the fields of physical and technical security. Some of the subject matter in this chapter is partially covered in chapters of mine in our other Techno Security's Guide series of books. I do believe that the readers of this book will most likely come from a different group of specialists than the readers of our other books. Throughout the book, you will also notice that several of our authors will address similar topics from their perspective and experience level. A good example of this will be the discussion of locks, keys, and bypass methods. I first became a locksmith in 1970 and worked in a locksmith shop for several years learning the trade. I'll share a lot of my thoughts on this critical subject throughout my chapter. Unlike the technical world where most things sitting on your desk are already obsolete, many of the locks used in our buildings (and in our homes) haven't changed at all in many, many years. Most of what I learned in the early '70s is still very applicable today when it comes to the common locks found on about 95 percent of the doors on the planet.
The reason that I rambled a little about locks at the beginning of my chapter is to let you know that some of the other authors in this book will have their own opinions and suggestions regarding these critical pieces of hardware. Marc Weber Tobias wrote one of our chapters, where he goes into great detail on High Security Locks and their possible vulnerabilities. Without question, Marc is considered one of the most gifted experts in the world today in understanding and researching the security offered by many types of locks. We are honored to have his work in this book. Be sure to read his chapter carefully, because some of the locks you're relying on to protect critical information and equipment might not be as secure as you think.
I'll be addressing a number of risks, threats, and countermeasures (there's that risk management talk again) throughout this chapter. Let's go ahead and get my thoughts on locks out there as my first in-depth topic on physical security.
The types of keys used in most buildings have remained virtually unchanged since Linus Yale invented them in 1861. Just about all of our homes and most businesses still use his pin tumbler locks for their primary physical defense. I have no way of knowing how often the master, grand master, and possibly great-grand-master key systems in buildings are changed. I do suspect that it's not very often. This can be an expensive process. Recently, I walked into a public rest room in a large office building and saw a full set of keys, including the building master key, hanging from the paper towel dispenser. I suspect that the janitor had just filled the towel rack and left his keys hanging there. Should they fall into the wrong hands, the person could own the building.
While using our social engineering skills during each penetration test, our team always tried to make friends with the cleaning crew. Sooner or later, we would need to ask a favor and borrow their keys for a few minutes. (Typically, their keys would open all of the doors on that floor and sometimes the entire building.) That was all it took for us to make a copy with the portable key machine we brought with us in a small bag. Very few people have any idea how keys (and the locks that they open) work. This is another area of physical security that has changed greatly during the past few decades. I became a bonded locksmith back in the '70s and found it fascinating. Back then, I couldn't even purchase lock picks or key blanks until I graduated from an accredited locksmithing school and had proper identification. Now, about 30 years later, we have much more at risk in general, and anyone can purchase lock picks at several local hardware stores or from Internet-based stores, with no questions asked.
Regarding the use of lock picks to get into buildings and rooms, I don't suspect that many "casual" social engineers use them. They require a lot of that "practice, practice, and more practice" stuff that's required for any social engineering skill. The availability of these devices for anyone to purchase is something that corporate security specialists must consider as they plan their countermeasures.
Check All Locks for Proper Operation
On every one of our penetration tests, we found at least one lock (either interior or exterior) in the building that wasn't functioning properly. This provided us with easy access to buildings and rooms that we shouldn't have been able to get through so easily. If employees are trained for just a few minutes on how to check whether the locks on the doors they use every day are working properly, this vulnerability can be all but eliminated. Building maintenance teams should also take a close look at all locks at least twice each year. Slightly misaligned strikes on the doorframes are the most common problem that we find. This is a serious problem, in that it defeats the purpose of the dead bolt feature of the lock. It takes me less than a second with my trusty fingernail file to see if a particular lock has this problem. If it does, I'll know (and have the door opened) instantly.
A Little More about Locks and Lock Picking
Locks have fascinated me for almost 40 years now. In many ways, they are the hardware versions of the passwords and authentication devices that we use to gain access to our computers. They are also what I like to call the low-hanging-fruit of your perimeter security. Unfortunately, many times, they are the place where we spend the least amount of money. I'm going to try to convince you to spend a little more for a whole lot more protection when selecting locks for your office or home.
In preparation for this part of my chapter, I visited several chain stores just as school opened to watch people. Johnny and I both do a lot of people watching while we are out and about. It's fascinating. As I was looking around at the locks available in different stores, I watched as several people came over to the area and quickly picked up a lock or two for school. Most of them chose a Master brand combination lock that has been a standard for decades. That didn't surprise me. I also watched as several people purchased padlocks with keys. What every one of them did wasn't a surprise either: They purchased the CHEAPEST lock they could find. I watched this over and over again. Little do they realize that they got what they paid for.
Most of them picked up either a warded padlock or a cheap pin tumbler padlock, neither of which costs more than $5. These locks looked as strong as the better locks on the outside, but anyone who knows even a little about locks knows that these cheap locks aren't even going to keep the honest people honest. How about a quick lock awareness war story to give you an example of how easily the wrong type of lock can be bypassed:
Let's look at a few types of locks to help you learn which ones are better than others:
Figure 1.1 shows a pin tumbler Master brand padlock. It's the exact kind of lock we saw on most of the filing cabinets. Pin tumbler locks are also the most common type of lock we see on doors in homes and office buildings. These locks can be picked, but I've never been very successful with such endeavors.
The warded padlock (shown in Figure 1.2) that we found on one of the filing cabinets looked about the same, but it had a different keyway.
I was able to open this one in less than 10 seconds, and you could, too. Opening locks like this isn't even lock picking in my opinion. The pick sets for these are more like master keys.
In Figure 1.3, the key on the left is the key to the pin tumbler lock. The one on the right is to the warded lock. This is really basic information for anyone familiar with locks. My experience has been that most people aren't even a little familiar with what makes a lock reasonably secure (or very insecure). If they were, they wouldn't be out there buying the cheapest locks they could find as long as it looks strong.
So, are there any padlocks that are reasonably secure and not terribly expensive? My favorite has always been a lock that looks a little different, but has a lot of leave-me-alone features (see Figure 1.4). This lock, the Abus Diskus No. 24, is made in Germany and is quite secure for its $25 price tag. It's a pin tumbler lock with all five of its pins being mushroom-type bottom pins. There are people out there who can pick it, but I've never successfully picked a lock with any mushroom pins, much less one with all five pins being mushroom pins.
If we want to talk about the grand-daddy of all high security padlocks (in my humble opinion, and I'm not alone), we need to take a look at a lock that has been at the top of the list for several decades. My winner here would be my favorite (I have five of them myself) combination lock, the Sargent & Greenleaf 8077AD. It's a 1.5-pound fortress in so many ways. From the outside, it doesn't look all that impressive, but it is! Just enter the name S&G 8077 in Google, and countless articles will pop up about their strength and reliability. Just like anything else in life, you get what you pay for. These are not your $5 combination locks, however. The nongovernment model is still available in many places on the Internet, at prices ranging from $165 to $325 (or more). I do see them frequently on eBay at great prices and they're worth every penny. Figure 1.5 shows one of mine.