Can control over the internet be safe?
In the second part of our look at the safety implications of
industrial uses of internet technology, we consider the threats
from outside
Network integrity is paramount in any internet-based system that
is to distribute safety-related information, or for control and
automation. Data corruption can lead to unsafe decisions, and unauthorised
control activities can be unsafe. Threats (viruses, malicious modification,
and other breaches) are well publicised, but the threat and ease
of malicious incursion is not fully comprehended. An organisation
that integrates its management and production-control networks in
a 'mixed infrastructure' may be particularly vulnerable.
Some
sites of high profile are heavily targeted by hackers. A high profile
results from traditional publicity surrounding the organisation
in question, and the visibility of the site on the internet. Consider,
for example, the scenario of a chemical company that has recently
been publicised as harming the environment. In response there may
be denial of service attacks from hackers, or even attempts at intrusions.
If the network under attack is also connected to control systems,
this could have serious safety repercussions. The best advice is
to separate the networks for the plant control and business infrastructure.
Domestic internet access will increase. Although web-enabled domestic
equipment is currently an uncommon novelty, it is likely to become
much more common as non-trivial applications are developed. Domestic
applications will share the security vulnerabilities of industrial
installations, but are less likely to be expertly managed. There
is a possibility that domestic systems could be exploited to attack
safety-related industrial systems.
A new variant on these low-level viruses makes use of vulnerabilities
in operating systems and embedded scripting languages in applications
such as web-browsers, office tools, email clients and such. The
recent 'Lovebug' email virus was a malicious self-executing script
that took advantage of a facility called 'Active Scripting' - essentially
an executable program that accompanies the email message - that
performs an action and then proceeds to proliferate via email to
other parts of the network. This type of attack is likely to become
more frequent. The 'Lovebug', the 'Iexplore.zip' worm, and the 'Melissa'
incident are all well known attacks within the past year.
Windows operating systems are more prone to these last two attacks
than Unix. Note that Unix is not necessarily inherently strong in
this respect, but rather that Windows equipment is more common and
therefore a more attractive target. This may change soon with the
growing popularity of Linux systems.
Another attack that can affect data distribution is a 'Denial
of Service' (DoS) attack. A DoS attack (and a Distributed DoS attack
- a many-to-one attack that comes from several sites concurrently)
does not necessarily enter the network or computer hosting the service,
but it prevents that service from effectively performing its task.
One way to do this is to flood the system with bogus requests, thus
congesting the system for legitimate requests.
A more devious DoS will take advantage of some known vulnerability
of the system. For example, it was recently identified that if Microsoft
Information Server receives a badly formed request involving many
suffixes, it then spends much effort searching its database to recognise
the suffixes. If many such badly formed requests are received, the
Server is monopolised trying to resolve the requests, resulting
in a denial of service to legitimate users.
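A defender's first step against both kinds of DoS described above is to notice them in the server's own logs. The following Python script is an added example, not part of the original article: it parses a handful of constructed Common Log Format access-log lines, flags any source whose request rate within a sliding window exceeds a threshold (the flooding case), and flags requests whose file name carries an unusually long chain of suffixes (the badly formed request case). The thresholds, addresses and log lines are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines (Common Log Format); none of this is real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2000:14:00:00 +0100] "GET /index.htm HTTP/1.0" 200 1043
10.0.0.5 - - [10/May/2000:14:00:01 +0100] "GET /status.asp HTTP/1.0" 200 512
10.0.0.9 - - [10/May/2000:14:00:01 +0100] "GET /a.htm.htm.htm.htm.htm.htm HTTP/1.0" 404 0
10.0.0.9 - - [10/May/2000:14:00:02 +0100] "GET /b.asp.asp.asp.asp.asp.asp.asp HTTP/1.0" 404 0
192.168.1.20 - - [10/May/2000:14:00:02 +0100] "GET /index.htm HTTP/1.0" 200 1043
"""
# Sixty constructed requests from one source within ten seconds: the flood case.
FLOOD_LOG = "".join(
    f'10.0.0.7 - - [10/May/2000:14:00:{i // 6:02d} +0100] "GET /index.htm HTTP/1.0" 200 1043\n'
    for i in range(60)
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_log(text):
    """Parse Common Log Format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return records


def suffix_count(path):
    """Number of '.'-separated suffixes in the final path segment (query string ignored)."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return name.count(".")


def find_malformed_suffix_requests(records, max_suffixes=3):
    """Requests whose file name has more suffixes than a sane request would carry."""
    return [(r["ip"], r["path"]) for r in records
            if suffix_count(r["path"]) > max_suffixes]


def find_floods(records, window_seconds=10, max_requests=30):
    """Sources whose peak request count in any sliding window exceeds max_requests."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Advance the window start until it is within window_seconds of t.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG + FLOOD_LOG)
    print("malformed suffix requests:", find_malformed_suffix_requests(recs))
    print("flooding sources:", find_floods(recs))
```

Both checks run over the same parsed records, so the script can be pointed at a real log file once the thresholds are tuned to the site's normal traffic; a flood threshold set below the legitimate peak would flag ordinary busy periods.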
Under attack
Direct attacks can affect specific processes or the computers
and operating systems they are running on. In an indirect attack,
a service that is running on computer X can be brought to a halt
because a related computer Y (with which X shares some resources)
has come under attack.
For example, the recent Lovebug incident brought many corporate
networks to a standstill as the level of email traffic hit record
limits, and swamped the network, thus locking out other networking
applications. Clearly this stopped all inbound and outbound email,
but any systems that were trying to share resources, such as networks
and disk space would also have been affected.
Systems can be adversely modified through the careless upgrade
of system software. Protection against accidents of this kind is
very difficult, and relies on having appropriate recovery procedures
in place to ensure that any interrupted service can be restored
rapidly. This is best addressed by adopting good practice in system
management, and is not considered further in this report.
Systems can also be modified either through the hidden action
of agent software, or by directed action. Of interest here are programming
techniques that update, alter or reconfigure computer systems without
wilful instigation of a legitimate user.
Technologies that can potentially modify computer systems are
ActiveX, Active Scripting, and Java. The first two only affect Windows
operating systems. Java will run on any operating system that runs
a modern web-browser. In all cases, the essential problem is that
an executable program that is downloaded from elsewhere in the network
may run on the local computer without the knowledge or express permission
of a legitimate local user.
Browser vulnerabilities
ActiveX is a component-based technology (individual program designed
for re-use) that was initially specified by Microsoft for use within
web applications, and is based on the Component Object Model (COM)
that describes the standard interface between Windows components.
Consider a browser on computer A that is accessing a web page somewhere
in the network. If the web-page requires the use of a particular
ActiveX component that is not available on computer A, then that
component is downloaded from a web-site on another computer B and
is executed on computer A. Depending on security policies implemented
in computer A, this component can be downloaded and executed without
the person viewing the page ever knowing. This ActiveX component
can then execute with all the privileges that apply to the local
user: it can access the hard disk, files, send email, move local
data to or from another site, or it could deliver a virus. There
is some standard protection: Microsoft provides a certification
mechanism to filter components from trusted locations only. However,
users have to be sufficiently knowledgeable to make informed use
of it.
Active Scripting is the technology behind the Lovebug email incident.
Active Scripting can access your files, change registry settings,
write to hard disk and cause emails to be sent in your name. There
are also ways of manipulating, or writing web pages with Script
embedded in them that, when viewed, can cause your office applications
to perform unwanted operations, or can cause emails to be sent purporting
to be from the user of the web-browser. Again the extent of damage
by this technology abuse can be limited by informed use of security
settings.
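Since Active Scripting executes whatever script file reaches the mail client, a mail gateway can refuse script-type attachments before they arrive. The following Python example is added here and is not from the article: it builds a constructed message carrying a Windows script attachment whose name has a document-style inner extension, then screens every attachment by file type and reports a verdict. The extension lists, addresses and message contents are assumptions chosen for illustration.

```python
import os
from email import message_from_string
from email.message import EmailMessage

# Assumed list of file types that Windows Script Host will execute when opened.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
# Assumed list of harmless-looking inner extensions used to disguise a script.
DECOY_EXTENSIONS = {".txt", ".doc", ".xls", ".jpg", ".gif", ".pdf", ".htm"}


def classify_attachment(filename):
    """Return ("block" | "allow", reason) for an attachment file name."""
    name = os.path.basename(filename).lower()
    root, ext = os.path.splitext(name)
    if ext not in SCRIPT_EXTENSIONS:
        return "allow", "not a script type"
    # A second extension hidden before the script suffix is a disguise attempt.
    _, inner = os.path.splitext(root)
    if inner in DECOY_EXTENSIONS:
        return "block", f"script {ext} disguised as {inner}"
    return "block", f"executable script attachment {ext}"


def screen_message(raw):
    """Walk every MIME part of a raw message and classify each named attachment."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():
        fn = part.get_filename()
        if fn:
            verdict, reason = classify_attachment(fn)
            findings.append((fn, verdict, reason))
    return findings


def build_sample_message():
    """Constructed message for the demonstration; attachment contents are placeholders."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "operator@example.com"
    msg["Subject"] = "kindly check the attached note"
    msg.set_content("Please see the attached note.")
    msg.add_attachment(b"PLACEHOLDER BYTES, NOT A REAL SCRIPT",
                       maintype="application", subtype="octet-stream",
                       filename="NOTE.TXT.vbs")
    msg.add_attachment("shift report, plain text", filename="report.txt")
    return msg.as_string()


if __name__ == "__main__":
    for finding in screen_message(build_sample_message()):
        print(finding)
```

The decision is taken on the file name alone, which is what the mail client uses to choose the handler; a gateway that also inspects the attachment's contents (for example, treating any text that looks like script as suspect regardless of name) closes the gap where a script arrives under an unlisted extension.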
Java has generally caused fewer problems than ActiveX and scripting,
mainly because it was designed to be secure, and to run in a protected
area of memory (called a Sandbox) with limited access to the host
computer's resources. Java does not allow access to the local files
for example, and a downloaded Java program (an 'applet') running
in a web-browser can send data back only to the server whence it
came. If functionality is required that breaks these simple rules,
then the user has to make explicit changes to the web-browser. However,
as Java use becomes more commonplace, and as greater functionality
is demanded, the likelihood of malicious use increases.
The effect of these system modifying technologies may be to affect
a safety-related system directly if it is hosted on the same computer,
or indirectly through denial of an important shared resource (such
as network or storage).
Good network security working practices are known, and need to
be encouraged in safety-related systems.
A company may make use of downloaded freeware or shareware in
order to minimise costs. Such software, being of unknown pedigree
(SOUP), would have to be validated against a strict set of tests
to make sure that it was fit for purpose. Clearly, using software
that has not been validated in a system associated with safety data
(or systems), is introducing uncertainty. Using SOUPs in a system
that shares resources with a safety system could also have a knock-on
effect on linked systems and thus introduce the possibility of linked
failures.
With an intranet/network server based system, if the power drops
or if the hard disk breaks down, then potentially all the data stored
centrally is lost. There are organisations that offer a special technical
service to recover data from damaged disks, but this is not a recommended
approach to data protection; an effective policy on data back-up
is much preferred. An effective procedure for a regular back-up
will also protect against the process of accidental data corruption
(which would ruin any sort of audit trail), as it is possible to
recover data from the previous back-up.
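One way to make a regular back-up actually protect against silent corruption is to record a checksum manifest with each generation and verify it before restoring from it. The following Python example is added here and is not part of the article: it writes two back-up generations of a constructed set of files, corrupts a file in the newest generation after it was taken, and shows that verification rejects that generation and falls back to the previous good one. The directory layout, file names and the choice of SHA-256 are assumptions.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_of(path):
    """Hex SHA-256 digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, backup_root, generation):
    """Copy source_dir to backup_root/gen-NNN/data and write a checksum manifest."""
    dest = Path(backup_root) / f"gen-{generation:03d}"
    data = dest / "data"
    shutil.copytree(source_dir, data)
    manifest = {
        f.relative_to(data).as_posix(): sha256_of(f)
        for f in sorted(data.rglob("*")) if f.is_file()
    }
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return dest


def verify_backup(dest):
    """Return the relative paths whose current digest differs from the manifest."""
    dest = Path(dest)
    manifest = json.loads((dest / MANIFEST).read_text())
    bad = []
    for rel, expected in manifest.items():
        f = dest / "data" / rel
        if not f.is_file() or sha256_of(f) != expected:
            bad.append(rel)
    return bad


def latest_good_backup(backup_root):
    """Newest generation whose manifest verifies cleanly, or None if there is none."""
    for gen in sorted(Path(backup_root).glob("gen-*"), reverse=True):
        if (gen / MANIFEST).is_file() and not verify_backup(gen):
            return gen
    return None


def demo():
    """Constructed scenario: two generations, the newer one silently corrupted."""
    work = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    try:
        src = work / "plantdata"
        src.mkdir()
        (src / "audit.log").write_text("14:00 valve V1 opened by operator\n")
        (src / "setpoints.cfg").write_text("V1=open\nP2=3.5\n")
        root = work / "backups"
        make_backup(src, root, 1)
        (src / "audit.log").write_text(
            "14:00 valve V1 opened by operator\n14:05 P2 raised to 4.0\n")
        gen2 = make_backup(src, root, 2)
        # Simulate accidental corruption of the stored copy after the back-up ran.
        (gen2 / "data" / "setpoints.cfg").write_bytes(b"\x00\x00garbage")
        corrupted = verify_backup(gen2)
        good = latest_good_backup(root)
        return {"corrupted": corrupted, "latest_good": good.name if good else None}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The manifest is stored beside the copied data, so corruption of a single file is detected without comparing against the live system, and a restore procedure that calls `latest_good_backup` never silently reinstates a damaged generation. Keeping the manifest on separate media as well guards against the case where the whole back-up volume, manifest included, is damaged.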
Tessella Support Services
q126@industrialnetworking.co.uk