    SCADA Watch: ‘Tragedy of The Commons’

    “The Tragedy of the Commons is a type of social trap, often economic, that involves a conflict over finite resources between individual interests and the common good.”

    - Wikipedia

    In a perfect world, we all understand that certain situations should not exist which put our critical infrastructure at risk — we all like to be able to have electricity, water, and other common utilities which we normally take for granted.

    But we do not live in a perfect world, of course.

    I have written about SCADA (Supervisory Control And Data Acquisition) issues before on this blog, but I’d like to renew & enjoin the public interest in certain recent events & issues which may put these resources at risk.

    First, let’s look at the issue of “convergence”, or rather, “premature convergence” which seems to be a better definition:

    “…premature convergence means that a population for an optimization problem converged too early, resulting in being suboptimal.”

    - Wikipedia

    This is similar to the situation which, I believe, some unknown portion of the SCADA controls & operations community has strategically moved itself into: using the same platforms, operating systems, and software, which are now susceptible to the vulnerabilities that we all know too well, such as buffer overflows, remote exploitation, denial of service vulnerabilities, and so forth.

    Now, this wouldn’t be a problem if these systems were, in no uncertain terms, not connected to the Internet in any way, shape, or form.

    But that is increasingly not the case.

    Due to operational “optimization” (meaning: it is cheaper to use publicly available connectivity to manage these systems), the SCADA threat landscape now begins to look a lot like the network security landscape that we all know and respect — one of constant vigilance and constant defensive threat posture.

    Within the past couple of days, there have been a couple of SCADA systems management platform vulnerabilities announced which could result in some rather serious exploitation. The SANS ISC reported yesterday a vulnerability in one software suite which “…provides unauthorized access, allows partial confidentiality, integrity, and availability violation, allows unauthorized disclosure of information, allows disruption of service.”

    This seems rather serious. And I have been informed that there is at least one more similar vulnerability which has not been publicly disclosed yet.

    As utility companies make operational decisions based on economic business savings (using the Internet, or an Internet VPN, to manage their client-control base to save money), the unintended consequences can be severe. When they occur. If they occur.

    Throw the dice.

    Let’s keep our fingers crossed that the SCADA community quickly comes to grips with the nature of network security.

    “Fergie”, a.k.a. Paul Ferguson
    Internet Security Intelligence
    Advanced Threats Research










    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice