Abstract.
Supervisory Control and Data Acquisition systems (SCADA) are a subset of Industrial Control Systems (ICS), and they are used to automate the control and monitoring of processes and sets of processes. Such processes include industrial production lines, power grids, rail switching and other critical infrastructure. Traditionally, these systems were isolated and thus secure from cyber-attacks. However, modernization has led to increased complexity, interconnectivity, and digitization. In this regard, today's SCADA systems need to communicate and transfer data from one site to another via communication networks that are at times public, e.g. the Internet. This development has created security vulnerabilities for SCADA systems, since they can be exploited by hackers and automated malware to gain access to and interfere with the normal operation of real-time critical infrastructure systems, leading to devastating consequences (Smith, 2005). This paper explores the security issues in SCADA systems and the best possible methods of mitigating security intrusions in SCADA systems.
Introduction:
Supervisory Control and Data Acquisition (SCADA) systems are used to automate the control and monitoring of processes and sets of processes. SCADA systems have been used to improve efficiency and quality in beer brewing and artificial snow creation in ice rinks and ski resorts (Smith, 2005). However, these systems are conventionally used in industrial processes and utilities to monitor and control processes such as power relay controls, closing and opening of pipeline valves, and shunting of rail tracks (Smith, 2005; Yardley, 2008). SCADA systems usually comprise four major components: a human interface for system interaction; administration systems for handling data acquisition and control commands in the control local area networks (LAN); instruments and sensors such as barometers and thermometers; and finally communication networks and protocols for both short-range and long-range communications, i.e. local and remote control and monitoring respectively (Yardley, 2008).
According to estimates, over 3 million SCADA systems exist, and they provide both real-time and near-real-time control and monitoring with time delays that range from fractions of a second to several minutes. SCADA systems are quite expensive and, depending on their level of sophistication and size, they can cost anything from tens of thousands of dollars to millions of dollars (Smith, 2005). Conventionally, SCADA systems were operated in isolated environments running on proprietary technologies. In this regard, the systems were mostly inaccessible remotely and thus faced little or no external cyber security threats. However, modernization, the evolution of technology and increased adoption of commercially available open technologies and systems have led to increased interconnections and even interdependencies between SCADA systems (Igure, Laughter & Williams, 2006; Yardley, 2008). In fact, most modern systems run on major operating systems such as Linux, UNIX and Microsoft Windows, usually tweaked to run on rugged hardware that can withstand extreme environmental and industrial conditions while still utilizing redundancies in hardware design (Yardley, 2008).
Overview of Information Systems Security.
Before examining the cyber security aspects of SCADA systems, there is a need to conduct a brief overview of the wide threat spectrum, which is categorized as cyber, physical, personnel or environmental attacks. Personnel threats are security compromises by insiders such as employees. Physical threats are posed by burglars and unauthorized personnel. Cyber threats are mainly external and are conducted over communications networks using remote access (hacking) or malware such as viruses that transmit confidential data over the Internet (Smith, 2005; Thales, 2013). Finally, environmental security threats result from severe weather conditions and catastrophes such as earthquakes and floods (Thales, 2013).
In some cases, it is impractical to implement in SCADA systems the mandatory security controls that would be seen in enterprise systems. For example, individual user accounts are preferable and more secure, but in industrial environments user accounts are shared among users in a control room and managed as group accounts. Given that threats emanate from multiple sources, as seen earlier, it is necessary to view security holistically and come up with mitigation strategies that counter all threat/attack vectors. For example, in critical infrastructure such as a power plant, installing large fences and CCTV monitoring is of little value if a cyber-attack can be conducted remotely to disable the CCTV cameras, unlock electronic gates and allow access to the site. In this regard, the ability to carry out cyber-attacks on modern SCADA systems negates the need for physical attacks, since systems can be remotely accessed, shut down and put into various undesired states such as grid lockdowns, terrorist acts such as train derailments, and overexertion beyond safe limits to trigger catastrophes such as nuclear plant meltdowns (Thales, 2013). Cyber-attacks are therefore an easy option from a hacker’s perspective, since they can be performed remotely and anonymously even from locations that are continents apart. A good example is the Advanced Persistent Group 1 (APT1) hacker group, consisting of about 20 sub-APTs, which is known to attack critical infrastructure in English-speaking countries in Europe and America. The APT1 group’s origins have been traced back to China (Mandiant, 2013). In simple terms, it is easier to attack a well-secured site remotely than to access it physically.
In a simple analogy, a competent hacker is able to search for SCADA systems using the SHODAN search engine for interconnected devices, determine the Internet Protocol (IP) addresses of these systems, formulate exploits, and finally attack critical infrastructure via anonymous networks such as the TOR network. All this can be done in the span of one hour, which further explains why there is a need to review the present security robustness of SCADA/ICS systems (Thales, 2013).
SCADA systems implementation.
The typical architecture of a conventional SCADA system is shown in Figure 1 below.
Figure 1: Traditional SCADA architecture representation (Yardley, 2008).
Essentially, the Human Machine Interface (HMI) component provides an interface for interaction with human operators, where the operators can view system state and control the sensors/instruments. The interfaces also provide a conduit for data entry and other control and monitoring actions via the administrative systems, which are connected to the control systems via local area networks (LANs) (Yardley, 2008). Data is gathered by instruments/sensors in the field, such as thermometers and barometers, and is relayed to the administrative systems over communications networks. The sensors can be digital or analog, while the networks can be radio links, serial lines or Ethernet LAN/WAN. The rest of the company's networks and systems are connected via a corporate LAN, while another segment is designated for external access, used to query interoperation statistics and for backup purposes. From a traditional IT view, the architecture is straightforward, but it is also important to note that industrial control systems (ICS) have numerous monitoring points, which introduce complexity. Some of this complexity is realized in the varied communication networks, sensors, and the geographic distribution of the devices (Johansson, Sommestad & Ekstedt, 2008; Yardley, 2008).
Common security issues and vulnerabilities in SCADA systems and protocols.
Most SCADA systems and their respective protocols are based on legacy technology where security was not a major consideration due to the closed nature of communication networks. Due to modernization, these systems have become more interconnected and now run on modern platforms such as interactive consoles and Web-based interfaces that implement remote configuration protocols. However, security implementation still lags, with little or no use of modern security techniques such as data encryption and authentication (Smith, 2005). This lag is often due to restrictions imposed by legacy hardware, where slow communication links, low processing power, and inefficiencies in the legacy protocols are the order of the day. Ensuring encryption on slow links is difficult, while authentication is generally discouraged by vendors since they do not provide the service at all. Instead, vendors provide weak authentication such as hard-coded system passwords that can easily be found using search engines, guessing, and brute-force attacks (Smith, 2005).
The issues are further compounded by the industry’s move towards off-the-shelf software, systems and devices, which are then incorporated into the control systems or networks in a bid to cut costs and eliminate some proprietary, legacy technologies. These devices and applications usually come with default passwords and well-known flaws that evidently serve as entry points for attacker exploits (Igure, Laughter & Williams, 2006).
Protocols are defined procedures or codes of conduct that need to be followed. In IT, protocols allow communicating devices to understand each other. Early SCADA protocols were designed to ease system debugging, and this flexibility allows for the interception of data, manipulation, denial of service attacks, and modification of system logs (Igure, Laughter & Williams, 2006). The lack of authentication and encryption only eases these attacks for hackers. Also, given that IT is built to support multiple functions and is provided by different vendors, the number of industrial protocols has proliferated, and most of these protocols are now vendor specific. However, legacy protocols such as Profibus, Modbus and Fieldbus have some level of standardization, but they were all developed when security was not a concern. For example, the Modbus protocol has no control over data interception or unauthorized commands. In this case, routing data communications from such protocols over IP networks such as the Internet requires additional controls and professional caution to ensure the integrity and security of data, commands and information (Thales, 2013; Yardley, 2008).
SCADA system defense challenges and business risks.
SCADA systems are not only insecure but also quite large, complex and expensive. Mostly, critical infrastructure systems are real-time, thus slight issues in timing could lead to devastating failures. In terms of SCADA architecture, the real-time orientation has its challenges, since the systems are exposed to attacks focusing on the timing properties seen in many of these industrial control systems. These systems also monitor critical infrastructure such as power grids, thus attracting malicious attackers, especially when the attackers are financially or politically motivated (Thales, 2013; Yardley, 2008).
The business risk profiles also vary between different system implementations. For example, a processing plant located in an area prone to earthquakes is exposed to environmental threats, while the same plant located in a politically destabilized area is exposed to physical access, terrorism, and espionage. These variations in threat profiles need to be considered by conducting risk assessments, which should be carried out throughout the entire business cycle from design to implementation and installation (Thales, 2013).
SCADA systems exploitation.
There are several attack vectors and exploits that can be targeted at SCADA systems. For one, there are techniques to identify devices and systems on the Internet, such as using the SHODAN engine. This search engine is similar to other search engines such as Microsoft Bing™ and Google Search™, but instead of indexing web page content, this novel search engine collects and indexes Hypertext Transfer Protocol (HTTP) header information, which allows people to find all manner of devices connected to the Internet such as servers, routers, televisions, mobile phones and, evidently, industrial control systems such as SCADA. According to a SHODAN Intelligence Extraction christened Project SHINE, over 1 million SCADA systems have been discovered connected to the Internet and possessing their own IP addresses. The number of discovered systems continues to grow, with 2000 – 8000 new systems/devices being discovered daily. Based on the overview of SCADA security, most of these systems are evidently insecure and can be exploited. A potential attacker needs to locate the device using the SHODAN search engine and, based on the HTTP header information, can then deduce the software versions and other information. This information can then be used to generate exploit code for the software or source it from online repositories such as Metasploit. The attacker can then access the system remotely via an anonymous network such as TOR and perform whatever malicious task he set out to accomplish (Thales, 2013).
It is also common knowledge that ICS/SCADA systems are highly susceptible to cyber-attacks, and they lack the robustness to withstand such kinds of attacks since their initial designs did not consider Internet connectivity. Consequently, these systems need to be designed with security controls such as Intrusion Detection Systems (IDS), firewalls, and access management systems in place to secure the real-time systems from attacks originating from the Internet.
According to experts and researchers, the current security status of SCADA systems is described as disastrous, with the rare occurrence of secure coding techniques and the presence of ActiveX vulnerabilities (Thales, 2013). In fact, some of these systems are so fragile that they cannot handle penetration testing and security scans. Most of the systems have open administrative accounts accessible via backdoors, while some use hard-coded user names and passwords for login, which gives guaranteed access to a hacker who knows the default system passwords. The systems are also based on legacy technologies and are thus susceptible to buffer overflow attacks and recurring crashes, while some allow limitless password attempts, thus enabling brute-force password cracking attacks. SCADA system hacking is also made easier by the availability of predesigned plug-ins for the Nessus and Metasploit frameworks, which allow hackers to access systems easily (Thales, 2013).
Once a system such as a Programmable Logic Controller (PLC) has been compromised, a hacker can reprogram the system and upload their own code. A good example of such a case is the Stuxnet attack on Natanz, where the controller logic was altered to increase the speed of centrifuges. The approach can be used on other systems with the aim of disabling various safety interlocks, thus leading to devastating effects such as power surges, nuclear meltdowns, water/sewer spillages and train derailments (Thales, 2013).
While SCADA system attacks are rare, their number is consistently growing. The problem is easy to dismiss, but owing to the implications of a hacker accessing systems and altering configurations, security issues in SCADA require mitigation. If possible, the robustness of SCADA networks and systems should be improved using inbuilt security features that are conceptualized during design and not after decommissioning. However, this may not be fully practical, and thus a possible solution is to isolate SCADA systems from public networks such as the Internet and to hide their IP addresses. If for some reason these systems need Internet access, then the necessary security controls should be put in place to ensure they are robust and can withstand external cyber-attacks (Thales, 2013; Yardley, 2008).
Policies for mitigating SCADA security issues and vulnerabilities.
After exploring the problems arising from SCADA systems, there is a need to work towards a path of securing these systems and the critical infrastructure they support. Some mitigation strategies have actually been formulated in the United States by standards bodies and regulators. For example, the National Institute of Standards and Technology (NIST) SP800-53, North American Electric Reliability Corporation (NERC) CIPS, American Gas Association (AGA) 12, and the NIST Process Control Security Requirements Forum (PCSRF) protection profile standards have been formulated to cater for different security needs but are all targeted towards securing industrial control systems (Igure, Laughter & Williams, 2006; Yardley, 2008). Some of the standards have been refined and implemented and, in fact, non-compliance with mandatory standards such as the NERC CIPS results in huge fines being applied to an organization. There are other institutions that provide guidance on SCADA security, such as the United States Computer Emergency Readiness Team (US-CERT), which guides organizations on various references and standards such as the Control Systems Security Program (CSSP) (Yardley, 2008).
The above-mentioned policies and standards are meant to guide organizations and governments on how to secure SCADA systems, minimizing risk and closing vulnerabilities. There is also a need to ensure physical security, such as applying CCTV monitoring and setting up physical access restrictions to prevent unauthorized access to critical infrastructure sites. There is also a need to install properly configured security mechanisms (hardware and software) such as Intrusion Detection Systems (IDS), firewalls, and gateways to prevent attacks from external networks such as the Internet (Igure, Laughter & Williams, 2006). In fact, SCADA systems should be zoned out and isolated from external networks; this is done by eliminating all connectivity to unnecessary communication networks and documenting these practices in organizational security policies (Thales, 2013). Additionally, other mitigation practices include conducting risk and vulnerability assessments, maintaining audit trails, and proper user training to maintain vigilance and ensure threat mitigation practices evolve as the threats and attack vectors also evolve (Igure, Laughter & Williams, 2006).
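The Modbus weakness noted earlier (no authentication and no control over unauthorized commands) and the zoning and IDS controls recommended in this section can be illustrated with a small passive monitor. The following Python example is added here and is not from the paper or any of the cited sources; it parses Modbus/TCP request frames and flags write commands that violate a hypothetical zone policy (the HMI subnet 10.10.1.0/24 and the register limit are assumptions), run over constructed sample traffic.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Modbus function codes that alter controller state (writes); reads are 1-4.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
# Hypothetical zone policy (assumption, not from the paper): only the control-room
# HMI subnet may write, and only to registers 0..99.
WRITE_SOURCES = [ip_network("10.10.1.0/24")]
MAX_WRITE_REGISTER = 99

@dataclass
class ModbusRequest:
    src: str            # IP address of the TCP client
    transaction_id: int
    unit_id: int        # Modbus unit (slave) address
    function: int       # function code
    address: int        # starting coil/register address

def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Decode MBAP header (tid, protocol id, length, unit id) and PDU fc/address."""
    if len(frame) < 10:
        raise ValueError("truncated frame")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:      # length field counts unit id + PDU bytes
        raise ValueError("length field %d disagrees with frame" % length)
    return ModbusRequest(src, tid, unit, frame[7], struct.unpack(">H", frame[8:10])[0])

def check_policy(req: ModbusRequest) -> Optional[str]:
    """Return an alert string for a policy violation, or None when allowed."""
    if req.function not in WRITE_FUNCTIONS:
        return None                   # reads are tolerated from any zone
    if not any(ip_address(req.src) in net for net in WRITE_SOURCES):
        return "write fc=%d from unauthorized source %s" % (req.function, req.src)
    if req.address > MAX_WRITE_REGISTER:
        return "write fc=%d to register %d outside allowed range" % (req.function, req.address)
    return None

def build_frame(tid: int, unit: int, function: int, address: int, value: int) -> bytes:
    # Minimal fc/address/value request; used here only to construct sample traffic.
    pdu = struct.pack(">BHH", function, address, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def audit(traffic: List[Tuple[str, bytes]]) -> List[str]:
    # Run each captured (source IP, frame) pair through the parser and the policy.
    alerts = []
    for src, frame in traffic:
        try:
            alert = check_policy(parse_modbus_tcp(src, frame))
        except ValueError as exc:
            alert = "malformed frame from %s: %s" % (src, exc)
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample traffic: HMI read and write, corporate-LAN write, out-of-range write, truncated frame.
SAMPLE_TRAFFIC = [
    ("10.10.1.5", build_frame(1, 1, 3, 10, 2)),       # read 2 holding registers
    ("10.10.1.5", build_frame(2, 1, 6, 20, 100)),     # write single register 20
    ("192.168.50.7", build_frame(3, 1, 6, 20, 0)),    # write from corporate LAN
    ("10.10.1.5", build_frame(4, 1, 16, 500, 1)),     # write beyond register 99
    ("10.10.1.9", b"\x00\x05\x00\x00\x00\x06\x01"),    # truncated MBAP-only frame
]
```

Running `audit(SAMPLE_TRAFFIC)` yields three alerts (the unauthorized source, the out-of-range write and the malformed frame); a deployed monitor would feed the same logic from a network tap on the control LAN.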
Conclusion:
Critical infrastructure needs systems such as SCADA to ensure operational sustainability and stability. In this regard, attacks targeted at critical infrastructure have devastating consequences if the SCADA systems that monitor it are compromised. The number of threats targeting SCADA systems has also grown considerably over the years due to the evolution of wireless and wired communication networks and technologies. The threats have also evolved to impact the confidentiality, integrity and availability (CIA) of these systems. One of the major concerns regards system availability, since outages on critical infrastructure such as power grids, sewer systems, and nuclear plants could have catastrophic effects if advanced persistent threats and coordinated attacks are targeted at SCADA systems. Through proper identification of attack possibilities, determining existing vulnerabilities, and addressing each identified vulnerability using sound cyber security policies, the security of SCADA systems can be improved to match security in modern enterprise systems. Continued updating of these policies and standards is also bound to help deal with current and future threats.
Various policies and standards published by governments, standards bodies, and independent organizations have been mentioned in this paper. However, there are still major concerns regarding the provision of Internet access to SCADA systems, with some experts against the idea while others support it. Nevertheless, it is generally agreed that if external network connectivity is not needed for normal operations, SCADA networks and systems should be isolated or zoned out to ensure fewer external threats and keep systems more secure and manageable. Finally, maintaining a vigilant security posture by implementing sound cyber security policies has been identified as the most important step in securing SCADA systems and the critical infrastructure they monitor, in order to avoid catastrophes.
References:
Igure, V., Laughter, S., & Williams, R. (2006). Security issues in SCADA networks. Computers & Security, 25(7), 498-506. doi:10.1016/j.cose.2006.03.001
Johansson, E., Sommestad, T., & Ekstedt, M. (2008). Security Issues for SCADA Systems within Power Distribution. In Nordic Distribution and Asset Management Conference (NORDAC 2008) (pp. 2-4). Royal Institute of Technology. Retrieved from http://kth.diva-portal.org/smash/get/diva2:495747/FULLTEXT01.pdf
Mandiant. (2013). APT1: Exposing One of China’s Cyber Espionage Units (pp. 2-3). Mandiant. Retrieved from http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
Smith, A. (2005). Security for Critical Infrastructure SCADA systems (1st ed., pp. 1-12). SANS Institute. Retrieved from http://www.sans.org/reading-room/whitepapers/warfare/security-critical-infrastructure-scada-systems-1644
Thales. (2013). Cyber Security for SCADA Systems (pp. 2-9). Thales Group. Retrieved from https://www.thalesgroup.com/sites/default/files/asset/document/thales-cyber-security-for-scada-systems.pdf
Yardley, T. (2008). SCADA: Issues, vulnerabilities and future directions. The Magazine Of USENIX & SAGE, 33(6), 14-20. Retrieved from http://c59951.r51.cf2.rackcdn.com/5460-258-yardley.pdf