By Patrick Oliver Graf, General Manager NCP engineering
For a long time, hackers targeted only the IT systems of offices or individuals. This has changed: attackers now increasingly go after unconventional targets such as industrial and oil plants, refineries of all kinds, power grids and water utilities.
Last November, for example, hackers used a remote access connection to attack a water utility in Illinois, destroying a pump. According to the Department of Homeland Security, the number of similar attacks on public and private SCADA (Supervisory Control and Data Acquisition) infrastructure will continue to rise.
The Stuxnet worm is among the most salient examples. Towards the end of 2010, attackers compromised Siemens programmable logic controllers (PLCs) used in Iran's atomic research facilities, bringing those facilities to a partial halt. Common and frequently attacked weak points are peripheral systems in harsh environments: sensors, PLCs, and measuring, controlling and regulating devices. The reason is that most of these systems have one thing in common: they communicate with other systems or control units, and for that they frequently use standard protocols such as Ethernet (Industrial Ethernet).
Since the 1990s, most of these devices have also had an additional Internet interface. Such interfaces are especially important for sensors, remote terminal units (RTUs), IP surveillance cameras and controls mounted in inaccessible locations such as an oil production facility, a water pump or a transformer station. Through the Internet interface, these systems transfer position, data and status messages to a central office. Apart from that, service technicians can remotely access, monitor and configure these devices via WAN connections or the radio network.
Risks of Outdoor Access Points
Another common weak spot of all SCADA systems is insufficiently secured remote access functionality, through which an attacker may be able to reach and manipulate these components over a telnet or http connection. Many manufacturers make this even easier by "protecting" their systems with standard passwords the user cannot change, yet it is relatively easy for an attacker to discover these hard-coded passwords.
On top of this, hackers are particularly fond of systems that transfer data over wireless LAN connections, and many companies currently operate such outdoor Wi-Fi networks on their premises. While security experts repeatedly advise Wi-Fi users to secure their connections with encryption protocols like WPA2, even this does not guarantee absolute security. It is as easy as searching the Internet to find instructions and tools for attacking such access points, and generally it takes just several hours to break into an encrypted Wi-Fi network. With outdoor Wi-Fi systems in particular, it is fairly easy for an attacker to record and analyze data traffic with hardly any risk at all.
The major problem is that a successful attack on controlling and regulating devices frequently makes other areas of the targeted corporate network vulnerable, because there is no absolute separation between the regulation and control networks and the corporate intranet. To put it bluntly, hackers who manage to access a PLC can also use the industrial Ethernet infrastructure to work their way through to customer or financial data.
VPN: The Indispensable Barrier
So how do you secure SCADA systems against such attacks? The answer is simple: with the same measures as a regular corporate network. This means placing a protective mechanism, such as a firewall, between the regulation and control units and external Internet traffic. The firewall analyzes each access to the system and blocks suspicious traffic or access to certain ports.
Furthermore, IPsec VPNs with DES or AES encryption are essential. When data traffic is sent through protected tunnels, hackers cannot listen in on the data packets of PLCs, local control units or RTUs, analyze them and draw conclusions about the technologies and systems employed in the SCADA network. If the SCADA infrastructure is decentralized, with endpoints in various locations, it is sensible to implement an additional VPN server and a gateway. Here the gateway acts as firewall and gatekeeper, deciding which data from which systems receives network access.
Today, controls, data capturing systems and automation systems are as prone to attack as the PCs, servers and notebooks in a LAN, and they need the same degree of protection. This is especially true for systems with remote access connections, and remote access requires VPNs with the corresponding servers, clients and gateways. A VPN is therefore indispensable, even in harsh environments.
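The segmentation described here and in the earlier point about the missing separation between control networks and the corporate intranet can be written down as a deny-by-default zone policy. The following is an added example, not code from the article or from NCP engineering: it classifies source and destination addresses into zones, keeps Internet traffic away from control units, admits technicians only through the VPN gateway's address pool, refuses cleartext telnet/http to controllers regardless of origin, and drops the control-to-corporate path a compromised PLC would otherwise use. The subnets, zone names, the choice of Modbus/TCP (port 502) as the plant protocol and the flow records are all constructed assumptions.

```python
"""Zone-based access policy for a SCADA network (added example; all
subnets, zones, ports and flow records below are constructed)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Assumed layout: PLCs/RTUs live in the control network, office systems in the
# corporate intranet, and authenticated technicians arrive from the VPN pool.
ZONES = {
    "control":   ipaddress.ip_network("10.10.0.0/16"),
    "corporate": ipaddress.ip_network("10.20.0.0/16"),
    "vpn":       ipaddress.ip_network("10.99.0.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside known ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str                      # zone name, or "*" for any zone
    dst: str
    dports: Optional[frozenset]   # None matches any destination port
    action: str                   # "allow" or "deny"
    reason: str


# Ordered rule table: first match wins, and anything unmatched is denied.
POLICY = [
    # Cleartext management protocols never reach a controller, whoever asks.
    Rule("*", "control", frozenset({23, 80}), "deny", "telnet/http to control unit"),
    # Remote technicians enter only through the VPN gateway, to the ports they need.
    Rule("vpn", "control", frozenset({443, 502}), "allow", "VPN technician to HTTPS/Modbus"),
    # Controllers may talk among themselves inside the plant.
    Rule("control", "control", None, "allow", "intra-plant traffic"),
    # Everything else (Internet->control, control->corporate, office->PLC) falls through.
]
DEFAULT = ("deny", "no matching rule (default deny)")

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def parse_flow(line: str):
    """Extract (src, dst, dport) from a constructed 'src= dst= dport=' record."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return m.group(1), m.group(2), int(m.group(3))


def evaluate(src_ip: str, dst_ip: str, dport: int):
    """Return (action, reason) for one flow under POLICY."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for r in POLICY:
        if r.src not in ("*", src_zone):
            continue
        if r.dst not in ("*", dst_zone):
            continue
        if r.dports is not None and dport not in r.dports:
            continue
        return r.action, r.reason
    return DEFAULT


def audit(lines):
    """Run each flow record through the policy; return (action, reason, line) triples."""
    return [(*evaluate(*parse_flow(line)), line) for line in lines]


# Constructed sample records, not real logs.
SAMPLE_FLOWS = [
    "src=203.0.113.7 dst=10.10.1.5 dport=23",   # Internet host to a PLC over telnet
    "src=10.99.0.12 dst=10.10.1.5 dport=502",   # VPN technician to Modbus on the PLC
    "src=10.99.0.12 dst=10.10.1.5 dport=80",    # same technician, but cleartext http
    "src=10.10.1.5 dst=10.20.4.40 dport=445",   # PLC segment reaching into corporate SMB
    "src=10.10.1.5 dst=10.10.1.9 dport=502",    # PLC to PLC inside the plant
    "src=10.20.4.40 dst=10.10.1.5 dport=443",   # office PC straight to the PLC, bypassing the VPN
]

if __name__ == "__main__":
    for action, reason, line in audit(SAMPLE_FLOWS):
        print(f"{action.upper():5} {line:42} {reason}")
```

Two design points carry the article's advice: the telnet/http deny sits first so it cannot be shadowed by a later allow, and the absence of any control-to-corporate rule means the lateral path is closed by the default rather than by remembering to add a deny. The same table can be run against exported firewall or NetFlow records to find flows the current rule set would permit but the intended segmentation would not.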