INTRODUCTION TO INDUSTRIAL CONTROL SYSTEM & SCADA SECURITY
In today's modern manufacturing process, electronics and computing is increasingly used to increase productivity and process improvement, utilizing automated process control systems. Real time control systems are used for monitoring and process control and can be found in virtually all critical infrastructures. Examples of industrial processes controlled includes the power industry (e.g. to control the operations of a power generation plant), in water works (e.g. used in water treatment and distribution), the oil and gas industry (e.g. control over flow and pressure of gas through pipelines) and chemical plant operation (e.g. control of chemical reactions and processes) and even in lifts, lighting and elevators.
SCADA or â€œSupervisory Control And Data Acquisitionâ€ systems are used to enable remote control and monitoring of these automated processes. SCADA systems allows the operator to be located on a central control room, using computers and communication networks to control the operations of industrial equipment and machinery remotely.
A typical SCADA system usually comprises of the following:
- an HMI (Human Machine Interface), which is a device that presents data to the human operator forpurposes of monitoring and control, usually through an LCD or computer screen.
- A supervisory computer system, which acquires data on the processes and sends commands to RTUs (Remote Terminal Units) and/or PLCs (Programmable Logic Controllers) connected to end devices in the field. The system allows remote process monitoring and control as well as automates data flow to other applications
- Remote Terminal Units or Programmable Logic controllers connected to end devices in the field.
- End devices in the field such as valves, switches and sensors.
- Communication link and infrastructure that connects the entire industrial control system from end devices to the SCADA/DCS system
- Connecting point to other networks
In the past, SCADA systems are usually designed to be isolated from the rest of the corporate network and most systems have been designed to be able to run unattended for years at a time. As there were many different vendors offering SCADAs, PLCs and RTUs, there emerged many different proprietary communication protocols, such as Modbus, DNP and Profibus.
However, in a push for more information access, nowadays corporate headquarters and plant owners are now demanding more information to be made available remotely. Hence, more and more SCADA systems are currently being modified to communicate via private corporate intranets and even via the internet. OLE (Object Linking and Embedding) for Process Control (OPC) is widely used to connect disparate hardware and software and allow operation over standardized protocols, e.g. TCP/IP. Using the internet for remote monitoring can result in increased productivity and high return on investment. Some SCADA systems have also been designed for industrial controls to be operated remotely.
However, being connected to the outside world creates vulnerabilities and presents threats to the safety of the control processes being monitored by the SCADA system. This is because SCADA systems are typically not designed with cyber security as one of its focus. Security researchers typically find misconceptions among plant owners such as:
1. SCADA operators believe that their systems are isolated,
Most SCADA networks were built many years ago and have been designed to be separated from the corporate network. However, as pointed out above, the SCADA networks have often been modified later on to allow remote users to view and monitor the processes from within the corporate network, linking the SCADA system to the outside world, creating vulnerabilities as these links have often been designed without enough security considerations.
As Alan Paller, director of research, SANS Institute summarised â€œ It's not that these guys don't know what they are doing. Part of it is that these systems were engineered 20 years ago, and part of it is that the engineers designed these things assuming they would be isolated. But--wham!--they are not isolated anymore. â€
Furthermore, even if the SCADA networks are isolated from the internet, someone plugging their notebook in to the system, such as for routine maintenance inspection, may infect the SCADA system with malicious programs such as worms and viruses. In this case, proper security policies, management and processes plays a role to mitigate these kinds of threats.
2.â€œSecurity through obscurityâ€ through the use of vendor specific proprietary protocols is believed by asset owners to be sufficient protection from malicious attacks.
This misconception is risky, as the highly motivated attacker can easily obtain information from vendors as well as from open source information.
It was reported that computers containing detailed information about SCADA systems were allegedly found in Al Qaeda training camps. Furthermore, hackers are increasingly discovering exploits and sharing them with others, most visibly at DefCon and other similar security related conferences.
3. Design and operations of SCADA networks inadequately address security concerns.
SCADA networks have usually been designed for ease of use. It has been found that default usernames and passwords created by SCADA vendors have remained unchanged and is shared among the SCADA operators. Passwords are sometimes even openly displayed next to the SCADA HMI display terminals to make access to the SCADA networks easier.
This presents a considerable risk to the SCADA network as attackers through social engineering or brute force can easily obtain access to the SCADA networks for malicious purposes. To address the issue of social engineering vulnerability, suitable training in security should be instilled in all personnel involved in the SCADA network. Proper security management policies and processes should also address the issue of password management.
4. SCADA networks are believed to be physically secured by asset owners.
Oftentimes, critical infrastructure installations are large in size and usually designed to be physically secure. Nevertheless the potential for motivated attackers to penetrate the physical security through force or through guile is a factor that must be taken into consideration. Once the attacker manages to infiltrate the facility, there is every potential for the attacker to damage the infrastructure physically or through planting of backdoors and other malicious programs into the electronic process control system.
As described above, malicious individuals and organizations could make use of these vulnerabilities to conduct extortion, theft, threatening physical destruction, injuries and even death on a massive scale, by exploiting the key unique vulnerabilities of SCADA systems which are:
- Lack of encryption,
- Lack of authentication and
- Difficulty of patching. SCADA systems are usually designed to operate for years with minimal maintenance, comprise of legacy systems and cannot be easily patched and updated.
The threat to process control systems is very real and cannot be underestimated.Malicious attackers could disrupt and destroy critical infrastructures for purposes of crime (e.g. extortion), cyberterrorism and even cyberwarfare. Attacks on SCADA systems can result in massive damage, injury and even death.
Examples abound. An oft recounted story is that of the disgruntled ex-employee releasing millions of litres of sewage in Maroochy Shire, Queensland Australia using his insider knowledge of the control systems. In his book â€œAt the Abyss: An Insider's History of the Cold Warâ€, Thomas Reed, former Secretary of the Air Force in the Reagan administration, claims that the US covertly supplied software to the USSR which eventually caused a major explosion in a gas pipeline in Siberia in the early 1980s. Reed wrote,"In order to disrupt the Soviet gas supply, its hard currency earnings from the West, and the internal Russian economy, the pipeline software that was to run the pumps, turbines, and valves was programmed to go haywire, after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds," "The result was the most monumental non-nuclear explosion and fire ever seen from space.â€
As another example of the risk facing industrial control networks, during a routine security test in the late 90s Israel's Shin Bet internal security service penetrated the mainframe of the Pi Glilot fuel depot near Tel Aviv. However, a member of the Shin Bet drill found that, "Once inside the Pi Glilot system, we suddenly realised that, aside from accessing secret data, we could also set off deliberate explosions, just by programming a re-route of the pipelinesâ€.
Having looked at the vulnerabilities, we now turn our attention on the ways to mitigate the vulnerabilities. One of the methods to secure SCADA systems is to identify all possible connections to the network. The SCADA network should be segregated and partitioned to allow separation between the control network and the corporate network system. DMZs (Demilitarised Zones) should be created utilizing IDSs (Intrusion Detection Systems), firewalls and also UTM (Unified Threat Management) systems. Unnecessary external connections, for example wireless connections, should be severed.
As SCADA systems are usually designed to be run unattended for years at a time, they are not designed to be patched on a regular basis. To replace the entire control network system would not be feasible in most cases, as these systems usually control systems on a real time basis and their constant operation is vital. Hence, for future installations, prior to setting up a plant, it would be a good practice to include language in the contract during the procurement process that ensures that the SCADA network is designed with security in mind. Security updates and patches should also be done during planned maintenance shutdowns of the plant.
Regular audit and vulnerability testing should also be instituted. Nevertheless, penetration testing of SCADA systems need to be done with care as improper testing techniques can make SCADA systems behave unpredictably and lead to disruption in operations. For example, it was reported by SANDIA (a major United States Department of Energy research and development national laboratory)that a ping sweep done during security testing of an industrial control system caused a robotic arm to erratically swing 180 degrees. Fortunately, no one was in the immediate vicinity when this happened or otherwise serious injury and death could have occurred. Security measures need to also chosen with care, for example, IPS (Intrusion Protection System) may not be suitable to be used in SCADA networks as they may cause valid information to be intercepted and blocked, causing instability in SCADA networks. On the other hand, a malicious attacker can make use of this vulnerability to perform attacks using simple techniques, such as Denial of Service Attacks.
In summary, this article provides a brief introduction and overview on process control systems, specifically SCADA systems, its potential vulnerabilities and some risk mitigation techniques. It needs to be recognized that security research on SCADA is lagging behind traditional IT security. However, since the past several years, many industry and security related organizations have been paying closer attention to SCADA and process control security such as SANS and ISC2. In the US, the NERC (North American Energy Reliability Corporation) is an initiative for the self regulation of the energy industry and has instituted standards and guidelines for process control security. Similar initiatives are being undertaken in Malaysia and CyberSecurity Malaysia is currently in the forefront of this issue, undertaking research and security assessments services in order to ensure that Critical National Information Infrastructures are protected in line with the aspirations of Malaysia's National Cyber Security Policy.
- Professional in Critical Infrastructure Protectioncourse notes, Critical Infrastructure Institute, November 2008
- Common vulnerabilities in critical infrastructure control systems , Sandia National Laboratories, 22 May 2003 ,
- Penetration Testing of Industrial Control Systems, Sandia National Laboratories, 7 March2005
- SCADA system makers pushed toward security, Robert Lemos, Security Focus 2006-07-26 (http://www.securityfocus.com/news/11402/2)
- SCADA, Fear, Uncertainty, and the Digital Armageddon, Morgan MarquisÂBoire, SecurityÂAssessment.com,
- At the Abyss: An Insider's History of the Cold War (Ballantine, 2004, ISBN 0-89141-821-0)
- US software 'blew up Russian gas pipeline', Matt Loney, ZDNet UK , March 01, 2004 (http://news.zdnet.co.uk/software/0,1000000121,39147917,00.htm)
- SCADA (in)Security: Hacking Critical Infrastructures, 2007, The CrISTAL Project (Critical Infrastructures Security Testing & Analysis lab)
- Wary of naked force, Israelis eye cyberwar on Iran, Dan Williams, July 7, 2009.http://thestar.com.my/news/story.asp?file=/2009/7/7/worldupdates/2009-07-07T185047Z_01_NOOTR_RTRMDNC_0_-408717-1&sec=Worldupdates