5

So I have a basic question on the SCADA operating system, which the manufacturers do not disclose. From my experience I can see VxWorks running in some of them, and Windows or Linux in some of them.

Is there any classification for a specific operating system used for a specific purpose?

I would appreciate it if anyone could offer good input on their awareness of the operating systems they have come across in SCADA systems and possibly some insight on the security vulnerabilities and exploits in them.

Scott Pack
Legolas

3 Answers

4

Is there any classification for a specific operating system used for a specific purpose?

Yes, although SCADA has not quite arrived yet.

DO-178B is a standard used for qualification of systems for aerospace. The FAA requires DO-178B compliance for software and systems on commercial aircraft. It is also typically applied to government and commercial satellites. There are operating systems which are DO-178B compliant: GreenHills Integrity-178B RTOS, Wind River VxWorks Cert Platform, HeartOS DO-178B, SYSGO PikeOS, DDC-I Deos, LynuxWorks LynxOS-178.

There is also the European Cooperation for Space Standardisation (ECSS), although ECSS focuses more on the process rather than the product.

NIST has a publication Guide to Industrial Control Systems (ICS) Security which says that Industrial Control Systems use "Differing and possibly proprietary operating systems, often without security capabilities built in".

Here are some highlights of vulnerabilities:

"Some ICS operating systems make setting secure passwords difficult, as the password size is very small and the system allows only group passwords at each level of access, not individual passwords."

"Many ICS protocols transmit messages in clear text across the transmission media, making them susceptible to eavesdropping by adversaries."

"Many ICS protocols have no authentication at any level. Without authentication, there is the potential to replay, modify, or spoof data or to spoof devices such as sensors and user identities."

"SCADA and industrial protocols, such as MODBUS/TCP, EtherNet/IP, and DNP3, are critical for communications to most control devices. Unfortunately, these protocols were designed without security built in and do not typically require any authentication to remotely execute commands on a control device."

this.josh
  • 1
    Yes, however, DO-178B does not cover security. It is primarily focused on reliability for safety-critical systems, not security against deliberate attack: i.e., DO-178B focuses on defense against mischance, not malice. – D.W. Jul 07 '11 at 04:33
  • 3
    True, but the safety critical design has benefits in the security domain. DO-178B OSes have fault and process isolation, integrity checking, independent virtual address spaces, and formal verification. From [Flight-Critical Data Integrity Assurance for Ground-Based COTS Components](http://www.tc.faa.gov/its/worldpac/techrpt/ar06-2.pdf) "System security is closely related to system safety; both deal with threats or risks to the system and both involve protection against losses" – this.josh Jul 07 '11 at 05:44
  • @d-w forgot to notify you of my response – this.josh Jul 07 '11 at 18:53
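
The NIST point quoted in the answer above, that MODBUS/TCP requires no authentication, is visible in the frame layout itself. The following is an added example, not part of the original answer: a minimal monitor that parses Modbus/TCP frames and flags state-changing function codes sent by hosts outside an allowlist. The sample frames, the IP addresses and the `allowed_writers` allowlist are constructed for illustration.

```python
import struct

# Function codes that change device state, from the Modbus application protocol.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
    0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers",
}

def parse_adu(frame: bytes) -> dict:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header, then function code and data."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    # The whole header: transaction id, protocol id, length, unit id.
    # No field carries a user, key or session token.
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not 0")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("length field disagrees with frame size")
    return {"transaction": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def review(src_ip: str, frame: bytes, allowed_writers: set):
    """Return an alert string for a frame worth investigating, else None."""
    try:
        adu = parse_adu(frame)
    except ValueError as exc:
        return f"{src_ip}: malformed frame ({exc})"
    name = WRITE_FUNCTIONS.get(adu["function"])
    if name and src_ip not in allowed_writers:
        return f"{src_ip}: {name} to unit {adu['unit']} from non-allowlisted host"
    return None

def alerts(traffic, allowed_writers):
    found = (review(ip, frame, allowed_writers) for ip, frame in traffic)
    return [a for a in found if a]

# Constructed sample traffic (addresses and payloads are illustrative only).
READ_REGS = bytes.fromhex("000100000006010300000002")   # Read Holding Registers
WRITE_REG = bytes.fromhex("000200000006010600010064")   # Write Single Register
TRUNCATED = bytes.fromhex("0003000000060106")           # length field lies
SAMPLE = [("10.0.0.5", READ_REGS), ("10.0.0.5", WRITE_REG),
          ("10.0.0.99", READ_REGS), ("10.0.0.99", WRITE_REG),
          ("10.0.0.99", TRUNCATED)]

if __name__ == "__main__":
    for line in alerts(SAMPLE, allowed_writers={"10.0.0.5"}):
        print(line)
```

Because the protocol gives the monitor nothing to authenticate, the only attribution available here is the network source address, which is why the allowlist is a compensating control rather than a substitute for authentication.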
3

There are still many legacy SCADA systems which run very old OS's that have just been attached to the Internet for ease of management.

I have not seen anything suggesting an agreed standard in this area... It appears that everyone has just used whatever platform they were comfortable with, which means older vulnerabilities are often still there, and unpatched.

This is not the type of site to ask for 'sploits, though, so that's about the level of detail I would go to.

There is a lovely piece of footage on YouTube, showing a generator destroyed through simple commands over TCP/IP. Fun bit from 1:20 onwards.

Rory Alsop
3

You can get a good sense of the security vulnerabilities in a particular OS version by searching for CVEs that are applicable to that OS version.

I want to warn you against focusing too narrowly on the OS. The security of a system depends upon a lot more than the OS. For instance, in other contexts my experience has been that vulnerabilities in application code significantly outweigh vulnerabilities in OS code.

D.W.