Improving SCADA System Security (Part 1)

Saturday, December 21, 2013

InfoSec Institute


Supervisory control and data acquisition (SCADA) networks contain computers and software that perform critical tasks and provide essential services within critical infrastructure. They’re considered by cyber strategists to be the backbone of any country. Critical infrastructure, and in particular control systems, require protection from a variety of cyber threats that could compromise their ordinary operation.

These systems are used to monitor the key parameters of production processes and to operate their control to ensure the proper provisioning of critical services.

Originally, these systems were designed in an environment with the sole intent to monitor processes without considering the security requirements and the needs to protect them from external threats. These systems have a life cycle of decades. Many of those critical components that operate today do so in a context that’s completely different from the one they have been designed for. They’re exposed on Internet with obvious security risks.

As a result, almost every SCADA performs well. They’re reliable and flexible, but often lack security. The impairment of SCADA networks could cause interruption of critical services, process redirection, or manipulation of operational data that could have serious consequences for the population.

What are the best practices to implement to improve the security of SCADAs? What actions need to be taken to secure legacy systems? This article will provide a few suggestions to improve the security of SCADAs.

Current Scenario

After recent events, many security firms have started designing solutions to address security problems of SCADA systems. But the major challenge for governments is the inclusion of protection for these critical components in their cyber strategies. Several audits executed by governments on their critical infrastructures have illustrated a dangerous scenario. They demonstrate the lack of security mechanisms for the many systems located all over the world. But what is really concerning is the absence of a precise census of SCADA systems for many industrialized countries.

Events such as the Stuxnet virus and last year’s alleged incident of the water facility in Illinois have shown to the world that it’s possible to conduct terrorist attacks on foreign states remotely. This has increased awareness of cyber threats, and the need to implement proper countermeasures to mitigate risk.

With defense mechanisms virtually absent, SCADA system components are often under the government of local authorities who don’t deal with adequately trained personnel who operate with limited budgets. This means that these kinds of control devices are installed everywhere without being qualified in the installation phase. There are many systems deployed with factory settings, pre-set standard configurations, and they’re common to entire classes of devices. Even those who maintain that they shouldn’t exceed security, thus making it accessible for remote diagnostics without necessary attention.

Fortunately, something changed. Precise guidelines identify the best practices to follow in the management of SCADA systems, and operations groups monitor the operation of facilities around the country.

The last “Internet Security Threat Report” published by Symantec reports that in 2012, there were eighty-five public SCADA vulnerabilities, a massive decrease over the 129 vulnerabilities in 2011. Since the emergence of the Stuxnet worm in 2010, SCADA systems have attracted more attention from security researchers.

In a SCADA system, the programmable logic controllers (PLCs) are directly connected to infield sensors that provide data to control critical components (e.g. Centrifugal or turbines). Often the default passwords are hard-coded into Ethernet cards the systems use. Those cards funnel commands into devices, allowing administrators to remotely log into the machinery.

Hard-coded passwords are a common weakness built into many industrial control systems, including some S7 series of PLCs from Siemens. Because the systems control the machinery connected to dams, gasoline refineries, and water treatment plants, unauthorized access is considered a national security threat. They could be used to sabotage operation.

Doing a search on the Shodan server search engine, you can find what appear to be working links to several vulnerable Schneider models. It’s very worrying, and reveals the need for radical change. Fortunately, the emergency has been noticed by most countries. The ENISA (European Network Information Security Agency), has produced recommendations for Europe and member states on how to protect Industrial Control Systems. The document describes the current state of Industrial Control System security and proposes seven recommendations for improvement. The recommendations call for the creation of national and pan-European ICS security strategies, the development of a Good Practices Guide on the ICS security. They would foster awareness and education, as well as research activities or the establishment of a common test bed and ICS-computer emergency response capabilities.

The Case

Immediately after the Stuxnet virus, governments and intelligence agencies all over the world requested assessment of security for critical infrastructure of their countries. Much of the focus was on evaluating efficiency offered by defensive measures adopted to protect SCADAs and ICSes from cyber attacks.

After Stuxnet, debate on the use of software and malicious applications of information warfare have increased. Governments are investing to improve cyber capabilities working on both the defensive and the offensive side. Despite greater awareness of cyber threats, critical infrastructures of countries are still too vulnerable. Many security experts are convinced that an imminent incident caused by a cyber attack is likely soon.

Recently, Eugene Kaspersky, CEO of Kasperky Lab, revealed that a staffer at the unnamed nuclear Russian plant informed him of an infection.

“The staffer said their nuclear plant network which was disconnected from the internet … was badly infected by Stuxnet. So unfortunately these people who were responsible for offensive technologies, they recognize cyber weapons as an opportunity.”

Stuxnet had infected the internal network of a Russian nuclear plant, exactly in the same way it compromised the control system in Iranian nuclear facilities in Natanz. That’s happening despite cyber threats being well known, and various security solutions are able to neutralize it.

Stuxnet infected the network within a Russian nuclear plant isolated from the Internet. Attackers probably used as USB or mobile devices to spread the malware. Russian Intelligence agencies in the past have already observed this infection mode to cross a physically separated ‘air-gapped’ network. For example, Russian astronauts had carried a virus on removable media to the International Space Station infecting machines there, according to Kaspersky.

“NASA has confirmed that laptops carried to the ISS in July were infected with a virus known as Gammima.AG. The worm was first detected on Earth in August 2007 and lurks on infected machines waiting to steal login names for popular online games. Nasa said it was not the first time computer viruses had travelled into space and it was investigating how the machines were infected. ”

I mentioned the Stuxnet malware because it’s considered a case study. The malicious agent is so notorious, it’s still able to compromise networks and control systems within critical infrastructure. Let’s try to figure out the effect of unknown cyber threats, developed by governments as cyber weapons, for example. In this article, I’ll analyze major security issues related to SCADA systems, and best practices to follow to protect them.

According to the last “SANS SCADA and Process Control Security Survey” conducted by the SANS Institute, the awareness of cyber threats and the perception of the risks related to a cyber attacks are high. Nearly 70% of respondents believe the threat to be high (53%) to severe (16%). Recent reports from Computer Emergency Response Teams (CERT), government offices, and private companies confirm an escalating risk of cybersecurity events, specifically for the energy sector.

The survey indicates that the top threats for control systems are advanced zero-day malware such as Stuxnet, cyber operations conducted by groups of hacktivists, and hacking campaigns of cyber terrorists and state-sponsored hackers.

Recently, US CERT alerted to the continuous spear-phishing campaign that targeted the energy sector to gain remote access to control systems. SCADA system protection must be approached at different levels, defending control systems and educating operational and maintenance personnel.

“Training should include specific operational topics on spear-phishing, zero-day activities and managing internal threats.”

Figure- Top Threat Vectors SANS Institute Survey

SCADA network security

SCADAs are composed of the following subsystems:

  • The supervisory system, responsible for data acquisition and for control activities in the process.
  • Programmable logic controllers (PLCs), the final actuators used to as field devices.
  • A human–machine interface or HMI is the component responsible for data presentation to a human operator, typically it composed of a console that make possible the monitor and the control of the process.
  • Remote terminal units (RTUs) are microprocessor-controlled electronic devices that interface the sensors to the SCADA by transmitting telemetry data.
  • Communication infrastructure connecting the supervisory system to the remote terminal units.
  • Various process and analytical instrumentation

Attackers could target each of the above components to compromise a controlled process. For example, any supervisory system is usually a computer based on a commercial OS for which it’s possible to exploit known vulnerabilities or zero-day vulnerabilities. SCADA systems could be infected exploiting attack vectors via mobile support (e.g. USB sticks) or the network connections.

Establishing and following a risk management framework is the most cost-effective approach to securing critical cyber assets. The NERC Cyber Security Standards sequentially leads each Responsible Entity through the following process:

  • Identifying risks
  • Implementing controls, mitigating risks
  • Maintaining acceptable risk levels through evaluation and monitoring

Identification and Monitoring of connection to SCADA networks

To protect SCADAs, it’s essential to identify each connection to the SCADA network, evaluating the risk of exposure to attacks and implementing all necessary countermeasures to mitigate them.

It could be useful to enumerate the overall connections, the end points of communication (e.g. system management, business partners, vendors), authentication mechanisms implemented, protocols adopted, the function served with the connection (e.g. Telemetry), adoption of encryption mechanisms, the type of communications ( e.g. Ethernet, Wireless network) and the defense systems deployed to defend them.

Any connection to another network introduces security risks, especially for Internet connections. To improve security, it’s necessary in many cases to isolate the SCADA network from other network connections.

Use of “demilitarized zones” (DMZs) and data warehousing can facilitate the secure transfer of data from the SCADA network to business networks.

VA Network Connectivity Assessment must be conducted starting by mapping of all networked assets and the digital communication links that connect them. Detailed network maps are essential to identify mission critical assets, and the electronic links that may threaten their reliable operation.

Network connectivity audit results are a collection of written documentation that uniquely, clearly and accurately records all information about every networked asset. They contain the following components.

  • Unique identifier (serial number or assigned tag number)
  • Description of functionality
  • Physical location
  • Physical security mechanisms protecting the device (fences, locked cabinets, etc.)
  • Network connections to/from the device
  • Network addresses (MAC, IP, SCADA, etc.) assigned to the device
  • All other available physical interfaces

Another important thing to consider is to carefully configure network appliances by avoiding the use of default configurations easily exploitable by attackers. Commissioning penetration testing and vulnerability assessments to third parties could provide an objective analysis of the level of security of a SCADA network.

It’s important to adopt firewalls, intrusion detection systems (IDSs), and all the necessary defense systems at each point of entry. Organization management must understand and accept responsibility for the risks associated with any connection to the SCADA network.

Real-time threat protection

Recent attacks conducted against critical infrastructure are characterized by increased sophistication. A growing number of offensives could not be rejected simply with a proper patch management of the internal systems or maintaining access and service control. The trend is to implement a real-time threat protection, including network intrusion-prevention.

Real time protection could be implemented through a layered approach. Each layer of defense represents categories of system components that must be hardened.

  • Perimeter Control
    a. Internet or Corporate Perimeter Defense
  • Employees, Policies, Procedures
    a. Business contingency, Disaster Recovery
  • Network Architecture
    a. Firewalls, Routers, Switches, VPNs
  • Network Operating Systems
    a. Active Directory, Domain Security, etc.
  • Host Security
    a. Server and Workstation Operating Systems

Figure- SCADA Security Services Overview

In the next part we will go over security features and controls of a SCADA environment, authentication, vulnerabilities, physical security, management, configuration, system backups and disaster recovery plans. 

Pierluigi Paganini is a security researcher for the InfoSec Institute with over 20 years of experience in the field. 

Possibly Related Articles:
Federal Municipal State/County Industrial Control Systems
SCADA Security Critical Infrastructure
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked