Pentesting Smart Grid Web Apps

Justin Searle

Tue, 16th April 2013


Thanks, that was one of our best Hacker Hotshots. The information you shared was excellent and inspirational for a lot of people. There will be a lot of people watching this [and over the replay] that are very interested in this space. I’m going to group these questions:


Questions and answers

Max, Concise Courses:
There is clearly a serious impact when someone hacks into a SCADA network and causes mischief. How do you convey urgency in this space? Obviously it's apparent to you, but do you feel that the automation security managers and decision makers in the various verticals are taking SCADA security seriously? How do you get them to take action?

Justin Searle:
I think that they are taking it fairly seriously, especially within the energy sector. Ever since we have had worms like Stuxnet, and all the siblings that have come out of Stuxnet, and the Saudi Aramco compromise last summer, I think that most of the people worldwide that run energy resources are very seriously concerned about this, as well as oil and gas, because their sectors have had major exploits. Many of the vendors like Siemens and ABB, and any of the vendors that make these large devices, are building very strong security teams and trying to do as much as they can to make up for that lost time in providing security services to find the vulnerabilities and eradicate them. When it comes down to penetration testing, I think that they are still very much concerned because they are running really critical resources and systems that countries depend on. Any type of active penetration is something that can be very catastrophic, so [if they] shy away from [protection it will have a negative impact]. A lot of them aren't willing to risk millions of dollars' worth of equipment inside a testing environment to something that an automated tool can destroy accidentally in a few minutes.


Max, Concise Courses:
Do you feel that all verticals are treating this with the same degree of respect? You mentioned utilities and oil and gas; I'd assume that they are at the forefront. Are there any other areas that you feel might need to pick it up a little bit and create more urgency?

Justin Searle:
Some of the verticals that haven't had major exploits and may not have as much automation in them right now, for instance maybe the water systems, [might need to step their game up]. There doesn't seem to be a lot of control over the water systems. This is something where I personally haven't seen as much interest from the security sector. I'm not saying that they are not performing security actions, but [they] don't seem to be as aware of or as concerned about it. When we go into other types of ICS areas [ICS: Industrial Control Systems], I think that for transportation like railways, etc., there have always been grave concerns since 9/11. At the same time the visibility hasn't been that great. If you get into the manufacturing floors, the risk on a manufacturing floor is smaller; it's more of a financial risk and less of a human risk. At the same time there is probably not as much [concern] because they are a little more self-contained and it's harder for people to get into those systems unless they come through the Internet door or through the corporate network and make their way through to the control system.


Max, Concise Courses:
How important is social engineering with regards to SCADA attacks?

Justin Searle:
I think that social engineering is the same in any field that we work in, whether it's a control system or a general IT system. If you don't have an exploit to get through a vulnerability, or you don't have a vulnerability that you can attempt to exploit, the sure way in is through social engineering. Social engineering is always the easiest way in anywhere.


Max, Concise Courses:
In your recommendations when you are talking to your clients, do you have social engineering training as a component of the solution?

Justin Searle:
Yes, most people are aware of their personnel concerns and the “malicious insider.”


Max, Concise Courses:
Question from a viewer: I’m a network engineer and am moving into security. SCADA interests me, what advice can you give me to get into the field? What training would you recommend?

Justin Searle:
Actually you're right; traditionally there hasn't been a lot of training out there. This is something that I personally have been trying to fix single-handedly; in fact there are a few of us trying to do this and trying to create some classes. I have a two-day class that I have been offering at BlackHat and most of the BlackHat events worldwide. I am also launching a brand new five-day pentesting smart grid and SCADA class for the SANS Institute, which we will be doing for the first time in Houston, Texas, in June. So if you are interested, go ahead and send me an email and I can give you a list of dates for all the different venues that we are providing that training for. If you are a larger organization, we do offer private training for architectural security concerns as well as penetration testing [and techniques therein]: from embedded applications to the networks themselves.


Max, Concise Courses:
How did you get involved in SCADA and how did you develop your expertise?

Justin Searle:
I have been in the information security field for 13 years now, and the first half was more defensive. I was the Security Architect for JetBlue Airways, and then I ended up moving over to the consulting side and I joined InGuardians and started doing penetration testing [with them]. An electric utility approached us and asked us to do some work and bring our expertise and adapt it to the energy sector. I had a minor in electrical engineering in college, but I hadn't touched it really since then. My first job out of high school was actually wiring control cabinets for water treatment plants, but I had never really done anything with it within the security field, and so we developed our own methodology through trial and error and working with these systems. It's been five or six years now and I have focused my career almost entirely on these systems, and now I am just trying to provide this information to the community through presentations and training. If you think that IT has a shortage of security professionals, especially knowledgeable security professionals that can find flaws and get them fixed, you should come over to the ICS field and see how much in dire need we are here!