Here’s the experiment.  You take a piece of automation equipment, place it on the Internet, and then track what happens to it.  That is exactly what some folks at “infracritical” did.  The experiment was called Project RUGGEDTRAX – SCADA / ICS Analysis.  Their findings are attached in this PDF document, shared under the Creative Commons 4.0 license.  Thanks to infracritical for making this material available for all.


The Results:  

The device was placed online at 13-Oct-2014 (Monday) at approximately 1917 hrs Central.  The first attack began at approximately 2104 hrs Central, less than two (2) hours from its inception.  A snapshot was taken on 16-Oct-2014 (Thursday) prior to 0600 hrs Central; at the time of the snapshot, metadata specific to the device’s IP address was not harvested by the SHODAN search engine.
Of the data analyzed, it was found that there were 4,261 entries, consisting of 16 unique IP addresses, representing 4 countries: China (12), Vietnam (1), United States (2), and The Netherlands (1).  Of the 4,261 entries, only 30 entries originated from IP addresses belonging to Vietnam, United States and The Netherlands.  The remaining 4,231 entries all originated from IP addresses belonging to China.
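As an added example (not code from the infracritical report or from this post), the script below reproduces the kind of tally the findings present: time from deployment to first contact, total entries, unique source addresses, and a per-country breakdown.  The log lines and the deployment time are constructed, using RFC 5737 documentation addresses; the "timestamp ip country" format is an assumption, not the report's actual data layout.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of connection-attempt records (not data from the report).
# Each line: "<ISO timestamp> <source IP> <ISO country code>"
SAMPLE_LOG = """\
2014-10-13T21:04:00 198.51.100.7 CN
2014-10-13T21:04:12 198.51.100.7 CN
2014-10-13T22:30:00 203.0.113.9 US
2014-10-14T03:15:45 198.51.100.8 CN
2014-10-14T09:00:01 192.0.2.44 VN
2014-10-15T11:11:11 198.51.100.7 CN
2014-10-15T12:00:00 203.0.113.10 NL
"""

# Assumed deployment time, chosen to mirror the report's 13-Oct-2014 1917 hrs figure.
DEPLOYED_AT = datetime(2014, 10, 13, 19, 17)


def parse_log(text):
    """Turn the constructed log text into (timestamp, ip, country) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue  # skip blank lines
        ts, ip, cc = line.split()
        records.append((datetime.fromisoformat(ts), ip, cc))
    return records


def summarize(records, deployed_at):
    """Compute the headline figures a honeypot write-up usually reports."""
    records = sorted(records)  # chronological, so records[0] is first contact
    first_contact = records[0][0]
    entries_by_country = Counter(cc for _, _, cc in records)
    ips_by_country = {}
    for _, ip, cc in records:
        ips_by_country.setdefault(cc, set()).add(ip)
    return {
        "entries": len(records),
        "unique_ips": len({ip for _, ip, _ in records}),
        "minutes_to_first_contact": (first_contact - deployed_at).total_seconds() / 60,
        "entries_by_country": dict(entries_by_country),
        "ips_by_country": {cc: len(ips) for cc, ips in ips_by_country.items()},
    }


if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG), DEPLOYED_AT))
```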


Conclusions and Recommendations

While the information above is all from the “infracritical” report, the following lessons learned are those of Ocean Data Systems.

Clearly, anything placed on the Internet will be found, scanned and potentially compromised.  It is already a recognized best practice to separate your automation networks from your business or corporate networks.  It is also a best practice to be extremely aware of open ports and to use proper authentication for remote connections.

Dream Report offers several features making it a solid choice for “Internet” enabled connectivity.

  1. Separate data source connections from the Dream Report engine – With version 4.6 R3, Dream Report delivered the ability to install its data connectors at the source of your automation data, typically the control network.  The Dream Report engine can then be installed on your business network, or even remotely on a cloud hosted server.  The connection between the Dream Report engine and its remotely installed drivers is through a special secure Web Service called the Remote Driver.  (Yes, we know, such a very creative name)  The Remote Driver requires a defined port and access credentials.
  2. Dream Report User Access Authentication – Dream Report delivers an excellent security model.  Security can be built into Dream Report, and can be authenticated using Windows Domain Security.  The result is Dream Report’s ability to define access to development, run-time, and the Web Portal (interactive or read only) on a per-role or per-user basis.  The Dream Report portal also automatically logs out after a period of inactivity.
  3. Third Party Validation – You’ll want to select products that have a solid design and ability to be secure.  If your solution is based on the integration of several products, you’ll want to make sure each product has been evaluated for cyber security vulnerabilities.  Dream Report has been evaluated by the Idaho National Labs and all vulnerabilities have been addressed.  You can review the status and vulnerabilities of products here – http://www.infosecisland.com/

No product can do it all for you.  Being secure takes a combination of the right products, a clear understanding of the vulnerabilities that may be introduced through the integration of technologies (ideally, focus on reducing custom integration by selecting a product that offers all the features you need), and finally, managing your security appropriately.

Dream Report is a solid and proven solution.