Repost from the SCADASEC thread I initiated about supply-chain security risks stemming from long-range RFID reading/cloning/editing. I didn't do a good job starting off the thread, but I think there's much more to this subject than this discussion captured. More to come in the future (although it might be a while).
Feb 9:
So, who all saw Chris Paget’s RFID/EPC Gen 2 talk at Shmoocon this past weekend?
Has anyone wondered how it might relate to cargo (freight rail, shipping, etc) inventory interference? Or how it might relate to the “chemical mistake” Jake posted earlier?
For those who aren’t aware of it, you can find the slides here: http://www.rfidhackers.com/viewtopic.php?f=5&t=6
Basically, his talk focused on the ability to read, clone, and write arbitrary data to Electronic Driver's Licenses (which use these RFID tags) from 200+ feet away (with a theoretical max distance of about a mile).
My concern, though, being involved in cyber-CIP stuff, is less the EDL stuff than the fact that this is the de facto technology in tracking and moving goods into and around the US: chemicals, drugs, parts, etc. Not only in the private sector, but by the USAF and the DoD as well.
If I understand correctly, the type of issue that occurred with the chemical mistake Jake forwarded could be initiated en masse at ports or other points where these goods are aggregated... by someone, anonymously, from almost a mile away... in minutes. While this isn't -literally- SCADA, the behavior is SCADA-like, and potential supply chain issues certainly affect, from a CIP standpoint, SCADA.
So, questions: If the tags are rewritten but still “valid” and goods get shipped around the US incorrectly, it seems like it would take a long time to recover and at great cost. Is this probably accurate?
Is this a real concern? Are there mitigating technical controls (inadvertent or intentional)?
What kind of manual backup procedures are in place to handle a total onsite RFID data integrity failure at these locations? How long would it take to realize there is a problem and rectify it?
What is the data on these RFID tags and if they were to get altered, what systems are actually impacted?
Etc.
Thoughts appreciated.
Thx
Jack Whitsitt/SintixErr
—–
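An added illustration for the questions above (what data is on the tags, and how a site would notice that tag data has been altered); it is example code written for this repost, not anything posted in the thread. An EPC Gen 2 tag used for goods normally carries a 96-bit EPC, most often an SGTIN-96: a GS1 company prefix, an item reference, and a serial number, and nothing else. No destination, contents, or hazard data lives on the tag; the back-end system looks those up by EPC. So a tag rewritten to a different but well-formed EPC is invisible to a reader and is only caught by reconciling what the readers report against an independent record, such as the paper signage or the shipping manifest. The Python below decodes and encodes SGTIN-96 and reconciles a batch of reads against a manifest. The EPC 3034257BF7194E4000001A85 is the GS1 Tag Data Standard's own worked example; the manifest, the other reads, and the "rewritten" tag are constructed here. (As a mitigating control on the tag side, Gen 2 also specifies a 32-bit access password and lock bits that can make the EPC bank read-only; tags deployed with the factory-default zero password and unlocked memory accept writes from any reader that can reach them. The air interface is not modelled below.)

```python
"""Decode SGTIN-96 EPCs and reconcile a batch of tag reads against a manifest.

Added example for this thread, not code from any participant. The EPC
3034257BF7194E4000001A85 is the GS1 Tag Data Standard's worked SGTIN-96
example (company prefix 0614141, item reference 812345, serial 6789); every
other value below is constructed for illustration.
"""
import re
from dataclasses import dataclass

SGTIN96_HEADER = 0x30

# SGTIN-96 partition table: partition -> (company-prefix bits, company-prefix
# digits, item-reference bits, item-reference digits). Prefix + item reference
# is always 44 bits; with the 8-bit header, 3-bit filter, 3-bit partition and
# 38-bit serial that fills the 96-bit EPC.
PARTITION_TABLE = {
    0: (40, 12, 4, 1),
    1: (37, 11, 7, 2),
    2: (34, 10, 10, 3),
    3: (30, 9, 14, 4),
    4: (27, 8, 17, 5),
    5: (24, 7, 20, 6),
    6: (20, 6, 24, 7),
}


@dataclass(frozen=True)
class Sgtin:
    filter_value: int
    company_prefix: str   # zero-padded; digit count is fixed by the partition
    item_reference: str   # zero-padded; first digit is the GTIN indicator digit
    serial: int

    def uri(self) -> str:
        """Pure-identity EPC URI, the key back-end systems look the item up by."""
        return f"urn:epc:id:sgtin:{self.company_prefix}.{self.item_reference}.{self.serial}"


def decode_sgtin96(hex_epc: str) -> Sgtin:
    """Parse the EPC bank contents of one tag as SGTIN-96.

    Raises ValueError on anything that is not a well-formed SGTIN-96, which is
    how a truncated or foreign read surfaces during reconciliation.
    """
    if not re.fullmatch(r"[0-9A-Fa-f]{24}", hex_epc):
        raise ValueError(f"not a 24-hex-digit EPC: {hex_epc!r}")
    bits = f"{int(hex_epc, 16):096b}"
    header = int(bits[0:8], 2)
    if header != SGTIN96_HEADER:
        raise ValueError(f"header 0x{header:02X} is not SGTIN-96")
    filter_value = int(bits[8:11], 2)
    partition = int(bits[11:14], 2)
    if partition not in PARTITION_TABLE:
        raise ValueError(f"reserved partition value {partition}")
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITION_TABLE[partition]
    pos = 14
    company_prefix = int(bits[pos:pos + cp_bits], 2)
    pos += cp_bits
    item_reference = int(bits[pos:pos + ir_bits], 2)
    pos += ir_bits
    serial = int(bits[pos:], 2)  # the remaining 38 bits
    # The binary fields are wider than the decimal values they carry; a value
    # that does not fit its digit count cannot have come from a standard encoder.
    if company_prefix >= 10 ** cp_digits or item_reference >= 10 ** ir_digits:
        raise ValueError("field value exceeds its decimal width")
    return Sgtin(filter_value, f"{company_prefix:0{cp_digits}d}",
                 f"{item_reference:0{ir_digits}d}", serial)


def encode_sgtin96(filter_value: int, company_prefix: str, item_reference: str, serial: int) -> str:
    """Inverse of decode_sgtin96; used here to build the constructed sample reads."""
    by_digits = {cd: p for p, (_, cd, _, _) in PARTITION_TABLE.items()}
    if len(company_prefix) not in by_digits:
        raise ValueError("company prefix must be 6 to 12 digits")
    partition = by_digits[len(company_prefix)]
    cp_bits, _, ir_bits, ir_digits = PARTITION_TABLE[partition]
    if len(item_reference) != ir_digits or not 0 <= filter_value < 8 or not 0 <= serial < 1 << 38:
        raise ValueError("field out of range for this partition")
    bits = (f"{SGTIN96_HEADER:08b}{filter_value:03b}{partition:03b}"
            f"{int(company_prefix):0{cp_bits}b}{int(item_reference):0{ir_bits}b}{serial:038b}")
    return f"{int(bits, 2):024X}"


def reconcile(reads, manifest_uris):
    """Compare what the readers saw against an independent manifest.

    Returns what a dock supervisor needs: tags matched to the manifest,
    well-formed tags the manifest does not list (a rewritten or foreign tag),
    reads that do not decode at all, and manifest lines no tag was read for.
    """
    expected = set(manifest_uris)
    matched, unexpected, malformed = set(), set(), []
    for raw in reads:
        try:
            uri = decode_sgtin96(raw).uri()
        except ValueError as err:
            malformed.append((raw, str(err)))
            continue
        (matched if uri in expected else unexpected).add(uri)
    return {
        "matched": sorted(matched),
        "unexpected": sorted(unexpected),
        "malformed": malformed,
        "missing": sorted(expected - matched),
    }


# Constructed manifest: three serials of one GTIN on one pallet.
MANIFEST = [Sgtin(1, "0614141", "812345", s).uri() for s in (6789, 6790, 6791)]

# Constructed reader output. Readers report a tag once per inventory round, so
# duplicates are normal. The third read is the manifest's serial-6791 tag with
# its company prefix rewritten to 0614142: it still decodes cleanly.
TAG_READS = [
    "3034257BF7194E4000001A85",                    # 0614141.812345.6789
    "3034257BF7194E4000001A86",                    # 0614141.812345.6790
    encode_sgtin96(1, "0614142", "812345", 6791),  # rewritten prefix
    "3034257BF7194E4000001A85",                    # duplicate read of the first tag
    "3134257BF7194E4000001A85",                    # header 0x31 (SGTIN-198), not SGTIN-96
    "3034257BF7194E40",                            # truncated read
]

if __name__ == "__main__":
    for key, rows in reconcile(TAG_READS, MANIFEST).items():
        print(key, rows)
```

Run against the constructed data, the rewritten tag lands in "unexpected" and the manifest line it used to satisfy lands in "missing"; both lists are empty when nothing has been touched, which is the check a site can run at receiving without trusting the tags at all.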

Feb 10:
To answer Jack’s concerns, BY LAW, we are required to maintain certain signage on paper for the side of the drum. So any attack of an RFID device would have to happen at the plant where the chemical was made.
In the case I cited, the chemical was clearly marked, but everyone assumed it was whatever was ordered, and they just hooked it up.
The water plant superintendent took responsibility along with the chemical company.
Screwing with RFID on a barrel of whatever could lead to situations like this. However, I don’t see how this would always lead to an accident, unless one were also willing to forge several documents (not impossible, but tedious).
Jake Brodsky
—-
Feb 10:
Ok, so the secondary effect of end users (the plant) actually making that mistake again is low/unlikely.
What about the possibility (and subsequent effects) of rewriting the tags simply to cause rerouting of the cargo to the wrong destination? As in, enough of it from a given port that no one has confidence in where any of the goods ended up? How does that affect our just-in-time inventory systems?
(At an extreme scenario, if someone was able to brick critical SCADA components via cyber attack, could they at the same time prevent replacement part routing in this manner?)
—
Feb 10:
Actually, the way they discovered this problem was that the lab results from periodic water testing showed fluoride levels were dropping. I suppose one could attack both the lab and the plant control system, though. The thing is, you'd need to know quite a bit about how they do their samples, and where they test.
For example, we have a consolidated lab off-site from the plant. The plant does some periodic testing of their own when they need the results right away, but the lab does the more detailed and expensive testing...
Jake Brodsky
—
Feb 10:
I guess I was trying to abstract it up a level from the plant and wondered what the system and economic impacts were nationally if we couldn't get goods from arriving cargo ships to critical SCADA infrastructure requiring those goods. This would include manufacturing, energy, chemical, water, etc.
Said another way, could RFID alteration at cargo/freight hubs cause a supply-chain hiccup (or hiccups) of national consequence, whether through direct physical problems or economic consequence?
The reason I'm harping on this a little is because, if the above statement resolves to "Yes", then the known bar to doing so is a lot lower now than it was last week.
—

7:22 AM:
And that's a good question. I can't say I know what the supply chain looks like inside a chemical plant. However, I can pretty much assure you that between the chemical plant and the water filtration plant, there usually isn't a warehouse.
At the scale where we operate, we deal with tanker trucks and tractor-trailer loads of product, and it usually comes straight from the chemical producer. Aside from obvious business efficiencies, it reduces the liability for someone to warehouse this stuff.
Jake Brodsky
—