Techno Security's Guide to Securing SCADA: A Comprehensive Handbook On Protecting The Critical Infrastructure [NOOK Book]


NOOK Book (eBook)
$72.95
BN.com price

Overview

Around the world, SCADA (supervisory control and data acquisition) systems and other real-time process control networks run mission-critical infrastructure--everything from the power grid to water treatment, chemical manufacturing to transportation. These networks are at increasing risk due to the move from proprietary systems to more standard platforms and protocols and the interconnection to other networks. Because there has been limited attention paid to security, these systems are seen as largely unsecured and very vulnerable to attack.

This book addresses currently undocumented security issues affecting SCADA systems and overall critical infrastructure protection. The respective co-authors are among the leading experts in the world capable of addressing these related-but-independent concerns of SCADA security. Headline-making threats and countermeasures like malware, sidejacking, biometric applications, emergency communications, security awareness planning, personnel & workplace preparedness and bomb threat planning will be addressed in detail in this one-of-a-kind book-of-books dealing with the threats to critical infrastructure protection. The co-authors collectively have over a century of expertise in their respective fields of infrastructure protection. Included among the contributing authors are Paul Henry, VP of Technology Evangelism, Secure Computing; Chet Hosmer, CEO and Chief Scientist at Wetstone Technologies; Phil Drake, Telecommunications Director, The Charlotte Observer; Patrice Bourgeois, Tenable Network Security; Sean Lowther, President, Stealth Awareness; and Jim Windle, Bomb Squad Commander, CMPD.

* Internationally known experts provide a detailed discussion of the complexities of SCADA security and its impact on critical infrastructure
* Highly technical chapters on the latest vulnerabilities to SCADA and critical infrastructure and countermeasures
* Bonus chapters on security awareness training, bomb threat planning, emergency communications, employee safety and much more
* Companion Website featuring video interviews with subject matter experts offers a "sit-down" with the leaders in the field

Product Details

  • ISBN-13: 9780080569994
  • Publisher: Elsevier Science
  • Publication date: 8/23/2008
  • Sold by: Barnes & Noble
  • Format: eBook
  • Edition number: 1
  • Pages: 352
  • File size: 4 MB

Meet the Author

Jack Wiles is a security professional with over 40 years' experience in security-related fields. This includes computer security, disaster recovery, and physical security. He is a professional speaker, and has trained federal agents, corporate attorneys, and internal auditors on a number of computer crime-related topics. He is a pioneer in presenting on a number of subjects, which are now being labeled "Homeland Security" topics. Well over 10,000 people have attended one or more of his presentations since 1988. Jack is also a co-founder and President of TheTrainingCo., and is in frequent contact with members of many state and local law enforcement agencies as well as Special Agents with the U.S. Secret Service, FBI, IRS-CID, U.S. Customs, Department of Justice, The Department of Defense, and numerous members of High-Tech Crime units. He was also appointed as the first President of the North Carolina InfraGard chapter, which is now one of the largest chapters in the country. He is also a founding member of the U.S. Secret Service South Carolina Electronic Crimes Task Force. Jack is also a Vietnam veteran who served with the 101st Airborne Division in Vietnam in 1967-68, where he was awarded two Bronze stars for his actions in combat. He recently retired from the U.S. Army Reserves as a lieutenant colonel and was assigned directly to the Pentagon for the final seven years of his career.

Ted Claypoole is a Member of the law firm Womble Carlyle Sandridge and Rice, in Charlotte, North Carolina, in the Intellectual Property Transaction group, and a senior member of its Privacy and Data Management Team.

Phil Drake is Communications Manager for the Charlotte Observer in Charlotte, N.C.

Paul A. Henry (MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP-ISSAP, CISM, CISA, CIFI) is the Vice President of Technology Evangelism at Secure Computing®. Paul is one of the world’s foremost global information security experts, with more than 20 years' experience managing security initiatives for Global 2000 enterprises and government organizations worldwide.

Lester J. "Chip" Johnson Jr. is employed by the SCANA Corporation, a $9 billion, Fortune 500, energy-based holding company headquartered in Columbia, South Carolina. Mr. Johnson serves in the Corporate Security and Claims Department as a Manager with responsibility for Investigations and Crisis Management.

Sean Lowther is the President and Founder of Stealth Awareness, Inc. (www.stealthawareness.com). Sean is an independent consultant who brings years of experience designing and implementing information security awareness programs at the highest level. He founded Stealth Awareness, Inc. in 2007. Sean worked at Bank of America for over seven years, managing the enterprise information security awareness program. The program received the highest rating from its regulators and was consistently rated "world class" by industry peer groups. Sean has worked with BITS, the Financial Services Roundtable Task Force on Privacy, prior to the enactment of the Gramm-Leach-Bliley Act. He produced the video "It's Not If, But When" for the Financial Services Sector Coordinating Council in partnership with the U.S. Treasury Department with the goal to improve critical infrastructure protection and Homeland Security.

Greg Miles (Ph.D., CISSP#24431, CISM#0300338, IAM, IEM) is the President and Chief Financial Officer of Security Horizon, Inc. Security Horizon is a Global, Veteran-Owned Small Business headquartered in Colorado Springs, Colorado.

Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He has authored six police textbooks, including Locks, Safes, and Security, (ISBN 978-0398070793), which is recognized as the primary reference for law enforcement and security professionals worldwide.

James H. Windle is employed as a Police Sergeant in Charlotte, North Carolina, where he serves as a certified bomb technician and is assigned as the Bomb Squad Commander and Arson Supervisor.


Read an Excerpt

Techno Security's Guide to Securing SCADA


By Jack Wiles, Ted Claypoole, Phil Drake, Paul A. Henry, Lester J. "Chip" Johnson Jr., Sean Lowther, Greg Miles, Marc Weber Tobias, James H. Windle

Syngress

Copyright © 2007 Elsevier, Inc.
All rights reserved.

ISBN: 978-0-08-056999-4


Chapter One

Physical Security: SCADA and the Critical Infrastructure's Biggest Vulnerability

Jack Wiles (PPS, IAM, IEM) is a Security Professional with over 30 years' experience in security-related fields. This includes computer security, disaster recovery and physical security. He is a professional member of the National Speakers Association and has trained federal agents, corporate attorneys and internal auditors on a number of computer crime-related topics. He is a pioneer in presenting on a number of subjects that are now being labeled 'Homeland Security' topics. Well over 10,000 people have attended one or more of his presentations since 1988. Jack is also a co-founder and President of TheTrainingCo., producers of the Annual Techno Security Conferences and the popular Techno Forensics conferences. He is in frequent contact with members of many state and local law enforcement agencies as well as Special Agents with the U.S. Secret Service, FBI, U.S. Customs, Department of Justice, The Department of Defense and numerous members of High-Tech Crime units. He was also appointed as the first President of the North Carolina InfraGard chapter that is now one of the largest chapters in the country. He is also a founding member and 'official' MC of the US Secret Service South Carolina Electronic Crimes Task Force.

Jack is also a Vietnam veteran who served with the 101st Airborne Division in Vietnam in 1967–68. He recently retired from the U.S. Army Reserves as a lieutenant colonel and was assigned directly to the Pentagon for the final seven years of his career. In his spare time, he has been a senior contributing editor for several local, national and international magazines.

Introduction

Please don't let my opening chapter's title make you think that I'm starting this book off in a negative light. Believe me, I'm not. There are many positive things we can all do to help secure our most critical applications and resources. Some of the things I will discuss in this chapter have been on my mind since the mid '70s. I believe it's time that I put them in writing, and present my thoughts on what I believe could be the biggest potential hole in any security plan: Physical Security!

This chapter (as well as the rest of the book) isn't meant to be read as a complete story from beginning to end. I'm writing it as a collection of experiences and learned lessons from 30-plus years of working in the fields of physical and technical security. Some of the subject matter in this chapter is partially covered in chapters of mine in our other Techno Security's Guide series of books. I do believe that the readers of this book will most likely come from a different group of specialists than the readers of our other books. Throughout the book, you will also notice that several of our authors will address similar topics from their perspective and experience level. A good example of this will be the discussion of locks, keys, and bypass methods. I first became a locksmith in 1970 and worked in a locksmith shop for several years learning the trade. I'll share a lot of my thoughts on this critical subject throughout my chapter. Unlike the technical world where most things sitting on your desk are already obsolete, many of the locks used in our buildings (and in our homes) haven't changed at all in many, many years. Most of what I learned in the early '70s is still very applicable today when it comes to the common locks found on about 95 percent of the doors on the planet.

The reason that I rambled a little about locks at the beginning of my chapter is to let you know that some of the other authors in this book will have their own opinions and suggestions regarding these critical pieces of hardware. Marc Weber Tobias wrote one of our chapters, where he goes into great detail on High Security Locks and their possible vulnerabilities. Without question, Marc is considered one of the most gifted experts in the world today in understanding and researching the security offered by many types of locks. We are honored to have his work in this book. Be sure to read his chapter carefully, because some of the locks you're relying on to protect critical information and equipment might not be as secure as you think.

I'll be addressing a number of risks, threats, and countermeasures (there's that risk management talk again) throughout this chapter. Let's go ahead and get my thoughts on locks out there as my first in-depth topic on physical security.

Key Control

The types of keys used in most buildings have remained virtually unchanged since Linus Yale invented them in 1861. Just about all of our homes and most businesses still use his pin tumbler locks for their primary physical defense. I have no way of knowing how often the master, grand master, and possibly great-grand-master key systems in buildings are changed. I do suspect that it's not very often. This can be an expensive process. Recently, I walked into a public rest room in a large office building and saw a full set of keys, including the building master key, hanging from the paper towel dispenser. I suspect that the janitor had just filled the towel rack and left his keys hanging there. Should they fall into the wrong hands, the person could own the building.

While using our social engineering skills during each penetration test, our team always tried to make friends with the cleaning crew. Sooner or later, we would need to ask a favor and borrow their keys for a few minutes. (Typically, their keys would open all of the doors on that floor and sometimes the entire building.) That was all it took for us to make a copy with the portable key machine we brought with us in a small bag. Very few people have any idea how keys (and the locks that they open) work. This is another area of physical security that has changed greatly during the past few decades. I became a bonded locksmith back in the '70s and found it fascinating. Back then, I couldn't even purchase lock picks or key blanks until I graduated from a credited locksmithing school and had proper identification. Now, about 30 years later, we have much more at risk in general, and anyone can purchase lock picks at several local hardware stores or from Internet-based stores, with no questions asked.

Regarding the use of lock picks to get into buildings and rooms, I don't suspect that many "casual" social engineers use them. They require a lot of that "practice, practice, and more practice" stuff that's required for any social engineering skill. The availability of these devices for anyone to purchase is something that corporate security specialists must consider as they plan their countermeasures.

Check All Locks for Proper Operation

On every one of our penetration tests, we found at least one lock (either interior or exterior) in the building that wasn't functioning properly. This provided us with easy access to buildings and rooms that we shouldn't have been able to get through so easily. If employees are trained for just a few minutes on how to check to see if the locks on the doors that they use every day are working properly, this vulnerability can be all but eliminated. Building maintenance teams should also take a close look at all locks at least twice each year. Slightly misaligned strikes on the doorframes are the most common problem that we find. This is a serious problem, in that it defeats the purpose of the dead bolt feature of the lock. It takes me less than a second with my trusty fingernail file to see if a particular lock has this problem. If it does, I'll know (and have the door opened) instantly.

A Little More about Locks and Lock Picking

Locks have fascinated me for almost 40 years now. In many ways, they are the hardware versions of the passwords and authentication devices that we use to gain access to our computers. They are also what I like to call the low-hanging-fruit of your perimeter security. Unfortunately, many times, they are the place where we spend the least amount of money. I'm going to try to convince you to spend a little more for a whole lot more protection when selecting locks for your office or home.

In preparation for this part of my chapter, I visited several chain stores just as school opened to watch people. Johnny and I both do a lot of people watching while we are out and about. It's fascinating. As I was looking around at the locks available in different stores, I watched as several people came over to the area and quickly picked up a lock or two for school. Most of them chose a Master brand combination lock that has been a standard for decades. That didn't surprise me. I also watched as several people purchased padlocks with keys. What every one of them did wasn't a surprise either: They purchased the CHEAPEST lock they could find. I watched this over and over again. Little do they realize that they got what they paid for.

Most of them picked up either a warded padlock, or a cheap pin tumbler padlock, none of which costs more than $5. These locks looked as strong as the better locks on the outside, but anyone who knows even a little about locks knows that these cheap locks aren't even going to keep the honest people honest. How about a quick lock awareness war story to give you an example of how easily the wrong type of lock can be bypassed:

Let's look at a few types of locks to help you learn which ones are better than others:

Figure 1.1 shows a pin tumbler Master brand padlock. It's the exact kind of lock we saw on most of the filing cabinets. Pin tumbler locks are also the most common type of lock we see on doors in homes and office buildings. These locks can be picked, but I've never been very successful with such endeavors.

The warded padlock (shown in Figure 1.2) that we found on one of the filing cabinets looked about the same, but it had a different keyway.

I was able to open this one in less than 10 seconds, and you could, too. Opening locks like this isn't even lock picking in my opinion. The pick sets for these are more like master keys.

In Figure 1.3, the key on the left is the key to the pin tumbler lock. The one on the right is to the warded lock. This is really basic information for anyone familiar with locks. My experience has been that most people aren't even a little familiar with what makes a lock reasonably secure (or very insecure). If they were, they wouldn't be out there buying the cheapest locks they could find as long as it looks strong.

So, are there any padlocks that are reasonably secure and not terribly expensive? My favorite has always been a lock that looks a little different, but has a lot of leave-me-alone features (see Figure 1.4). This lock, the Abus Diskus No. 24, is made in Germany and is quite secure for its $25 price tag. It's a pin tumbler lock with all five of its pins being mushroom-type bottom pins. There are people out there who can pick it, but I've never successfully picked a lock with any mushroom pins, much less one with all five pins being mushroom pins.

If we want to talk about the grand-daddy of all high security padlocks (in my humble opinion, and I'm not alone), we need to take a look at a lock that has been at the top of the list for several decades. My winner here would be my favorite (I have five of them myself) combination lock, the Sargent & Greenleaf 8077AD. It's a 1.5-pound fortress in so many ways. From the outside, it doesn't look all that impressive, but it is! Just enter the name S&G 8077 in Google, and countless articles will pop up about their strength and reliability. Just like anything else in life, you get what you pay for. These are not your $5 combination locks, however. The nongovernment model is still available in many places on the Internet, at prices ranging from $165 to $325 (or more). I do see them frequently on eBay at great prices and they're worth every penny. Figure 1.5 shows one of mine.

(Continues...)



Excerpted from Techno Security's Guide to Securing SCADA by Jack Wiles, Ted Claypoole, Phil Drake, Paul A. Henry, Lester J. "Chip" Johnson Jr., Sean Lowther, Greg Miles, Marc Weber Tobias, James H. Windle. Copyright © 2007 by Elsevier, Inc. Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.


Table of Contents

Foreword
Chapter 1: Physical Security: SCADA and the Critical Infrastructure's Biggest Vulnerability
Chapter 2: Supervisory Control and Data Acquisition
Chapter 3: SCADA Security Assessment Methodology
Chapter 4: Developing an Effective Security Awareness Program
Chapter 5: Working with Law Enforcement on SCADA Incidents
Chapter 6: Locked but Not Secure: An Overview of Conventional and High Security Locks
Chapter 7: Bomb Threat Planning: Things Have Changed
Chapter 8: Biometric Authentication for SCADA Security
Appendix: Personal, Workforce, and Family Preparedness
Index