The Home of the Security Bloggers Network
Home » Security Bloggers Network »
230,000 – This is the number of people affected by a single successful SCADA attack. Attackers successfully intruded Ukraine’s power grid using BlackEnergy 3 malware in 2015. The attack left 230,000 people and more stranded without power for over 6 hours. The SCADA systems were left non-functional, forcing the workforce to restore the power manually.
This attack on the SCADA system set alarm bells ringing across the globe, exposing the weak cybersecurity posture of critical infrastructure. But what are SCADA systems in the first place?
The acronym SCADA stands for Supervisory Control and Data Acquisition. Ranging from power plants to railways and water treatment plants to air traffic controls, applications of the SCADA system are vast and deep. Using SCADA systems (software), one can control processes in real-time and obtain data from sensors, devices, and other associate equipment. In short, SCADA systems help an organization manage and operate an industrial plant efficiently.
Also read: How to get started with OT security
SCADA systems find uses across industries, infrastructure, facility processes, and others. Computers, GUI, networked data communications, and proprietary software make up a typical SCADA system. Thanks to SCADA systems, one can quickly identify a non-functioning part in an industrial plant with over 10,000 functioning parts and numerous connections.
SCADA system works on collecting data and then relaying commands through the architecture to control a process or a machine. A typical SCADA system involves various collection points, administrative computers, field controllers, communication infrastructure, software, a human-machine interface, and many more.
Administrative Computers: These form the core structure of a SCADA system. The administrative/supervisory computers send all the control commands to the respective machines and devices. The administrative computers harvest all the data collected in a SCADA-enabled system. Depending on the complexity of the SCADA system, the administrative computer(s) can be one or multiple, often forming a master station. Exclusive Human-Machine interface systems propel the interactions between these computers and the workforce.
Communication Infrastructure: This deals with establishing a secure connection between the SCADA system, RTUs, and PLCs. Communication connection comes in two forms:
Most of the infrastructure is modular, and the data passing through them is often unencrypted in both Field and IT communication infrastructure. The primary design objective of these systems is easy troubleshooting and ease of implementation, emphasizing reliability over security.
A manufacturer-specific or industry-defined protocol is adopted while establishing the communication infrastructure. The PLCs and RTUs can operate autonomously based on the latest command received from the administrative system.
Human Machine Interface (HMI) System: The administrative system can comprise a single computer to a master station comprising over ten computers. The data ranges from simple flow diagrams of processes to complex schematic diagrams of the entire plant. An operator can access graphics, data charts, and other graphical data displayed on the system using a mouse, keyboard, or touch. The HMI system presents the status of every process, component, and plant-related aspect in an interpretable manner.
SCADA systems have come a long way since beginning in the early 1960s. Over the 60 years, SCADA systems have transformed from monolithic to IIoT-based systems. As per the industry standards, the Fourth Generation of SCADA Systems is in use. Shortly, the fifth generation of SCADA systems will enter industrial spaces.
The next generation of SCADA systems will have cloud computing at their core. Researchers expect the new SCADA systems to optimize resource management (at peak surges and low demand) and enhance security protocols. Even without in-depth knowledge of software, one can design complex applications using RAD (Rapid Application Development) and the upcoming new-age SCADA systems toolkit.
The vast industrial expanses make it very difficult for physical monitoring. We need a reliable and efficient system to automate recurrence processes and constantly get the status of everything in an industrial expanse. SCADA has been rightly serving this purpose since its inception. From data collection to setting up alarms, SCADA plays a crucial role in improving an industrial expanse’s productivity, maintenance, and functionality.
SCADA systems run through 5 levels from Level 0 to Level 4. They form five of the six levels described in the Purdue Enterprise Reference Architecture, followed by enterprise integration. The dissemination of levels helps us understand SCADA systems better and define each security policy for each level.
We can confidently say SCADA systems have opted for a reliable and straightforward framework for smooth functioning. SCADA systems were relatively safe, given that they were greatly restricted to on-site locations before the internet exploded. Every security framework of SCADA should be able to meet specific objectives. These help build a strong posture contributing toward a safe and secure environment. The objectives are as follows:
The evolving cybersecurity threats call for a more secure SCADA system. Primarily, we can breakdown the security framework of SCADA into:
SCADA security programs are cost intensive. Hence, a well-organized leadership with sufficient funding and expertise is key to getting SCADA security on the rails. Parallelly, playing by the book is vital for any security framework to function well. Following policies and procedures, complying with various industry standards, and meeting government norms are critical.
A regular risk assessment profile can be a great tool to gauge the security posture of the SCADA systems periodically. The risk assessment profile can help prepare strategies for combating emerging and evolving threats.
Acknowledging that SCADA and IT security risks are in contrast, a comprehensive security setup should be in place to protect a SCADA system. Identifying and classifying SCADA assets is essential. Password management, authentication and authorization, account administration, and vulnerability management – related explicitly to third-party supplied SCADA devices are critical. Since the location of RTUs is far from PLCs, physically securing the SCADA assets also plays an important role. Additionally, the corporate network and SCADA network should be separate.
As already stated, the data flowing through SCADA systems is usually not encrypted. Though confidentiality does not play a key role in data related to SCADA, it is important to store that data for future reference securely. Likewise, building defense systems against malicious code and malware, tackling the problem of Change Management, and application security should be the top priority.
Releasing complete information about policies, procedures, and standards is necessary, as it involves many third-party vendors developing applications. This approach reduces complexities that might otherwise arise due to interoperability. Traditional testing methods (used in IT) may not be sufficient for SCADA systems.
SCADA systems must maintain the same trust level (among the workforce) and reliability in an industrial plant, even during hostile situations. These can arise due to unauthorized changes to the system, unnoticed incidents, and natural disasters. Irrespective of the situation, the system should show resilience and continue to meet its end goals.
Given that communication between the SCADA administrative system and the field devices is not secured, we should protect systems that affect the processes. Defining a disaster recovery and management plan helps prevent adverse incidents and non-functional times.
SCADA systems are inherently insecure. Threat detection and real-time monitoring play a key role in securing the SCADA system environment. A well-defined policy toward Incident management is vital when handling an incident orderly, emphasizing real-time incident reporting and management.
Third-party vendors often apply patches to the sub-systems. These may sometimes open vulnerabilities, paving the way for a possible intrusion. Deploying round-the-clock threat detection tools that scan, assess, and report the entire network in real-time is vital. Parallelly, forensics can help unearth incidents that might have gone unnoticed.
Overlooking third-party vendors is impossible when it comes to SCADA security. While getting into contracts with vendors who extend SCADA associate services, enterprises should be clear about the security posture. Defining security standards, default security policies and procedures, carrying out security assessment, evaluation, and reviewing of the third-party vendor devices and services is essential.
When two enterprises collaborate, they should establish Partner Security Management processes. These help in knowing the security posture of the collaborating firm.
A SCADA system’s sub-system, like sensors, actuators, and communication infrastructure, is not secure. It is built on the intuition that the supervising system is secured. This intuition holds as long as an attacker does not attempt to intrude into the system. The large surface attack makes it easy for attackers to find vulnerabilities upon probing the network. Knowing the grey areas in a SCADA system can help security experts understand, prevent, and neutralize attacks. Even in case of an intrusion, it helps to mitigate. The following systems in a SCADA system are the origin of vulnerabilities:
Profinet and Modbus have been integral to the SCADA revolution. These were designed for reliability and not for security. The modern threat landscape completely belittles them when it comes to security. An attacker can intrude into the (unsecured) communication system and modify data sent from an RTU or PLC. This new data can change a central system’s general course of action.
Off-site engineers and technicians use mobile applications to monitor and modify processes in an industrial plant. Cybersecurity expert Alexander Bolshev managed close to 150 vulnerabilities from 20 mobile applications. According to Bolshev, an attacker can use any of these vulnerabilities and trick the operators into making a wrong decision. Such an act can potentially harm lives at the industrial plant.
Undeniably, the HMI is one of the favorite systems for an attacker. The attackers can access critical and sensitive information should they manage to access the HMI. It is an ideal target to steal essential information or alter control processes.
Most SCADA systems are highly reliable, even in the case of a Change Management execution. But other technologies and components that hold them might be ill-equipped. Such components can adversely affect the SCADA system, as in the case of URGENT/11 – a set of vulnerabilities. These affect SCADA systems, infusion pumps, printers, and firewalls.
Modern threats come in all shapes and forms. They range from a single-line malicious code to a well-grown human being. Yes, rouge employees with access to SCADA can work against the systems. The threat vectors do not end there. There are many other reasons for a SCADA system to be compromised.
Since the dawn of the computer revolution, malware has always had a special place. Irrespective of the industry and the security, novel malware have always found ways to intrude. If a system has a poor security posture, the probability of malware already intruding into the system is 80%. SCADA systems are no exception when it comes to malware attacks. SCADA systems are often a soft target for attackers, given their poor security posture. Targeting with specially designed malicious code can compromise ICS systems. This malware can comprise worms, Trojans, Ransomware, and others.
With an increasing number of SCADA systems connected to the internet and IT networks every hour, the threats have increased exponentially. The boom of IIoT devices only impelled this. Most IIoT devices run on default credentials. If a threat actor manages to access a single device on an industrial network, these devices can be turned into botnets and carry out large attacks. Often, the main aim of a DDoS attack on industrial plants is to stall production.
To pass commands to the system shell requires high-level authorization in a SCADA system. Hackers could control the target system to such an extent that they could run arbitrary commands capable of manipulating various parameters. The lack of a process to validate user-supplied data paves the way for command injection attacks.
ML (Machine Learning) and AI (Artificial Intelligence) drive Cloud integration and evolving data analytics, which enhance the efficiency and productivity of an industrial plant. Leveraging the power of ML and AI is only possible by connecting to the internet. The moment an isolated system like SCADA, with zero security built into it, connects to the internet, it becomes an easy target for evolved threats in cyberspace. Vendors are sometimes provided access to the systems for patching and routine checks. Any insecure connection on the vendor’s end can allow backdoor access for threat actors.
Misconfigured networks are a common occurrence in SCADA systems. There have been instances of SCADA systems connecting to unaudited dial-up lines. These connections can pave the way for attackers to access the OT and corporate LAN networks. The evolved and new generation threats are unaffected by legacy firewalls (physical devices) in these systems. Weak segregation of IT and OT networks also opens doors to threat actors.
Many devices in a SCADA system continue to function with their default credentials. This scenario is frightening, given modern threat actors’ vast skill sets. Along with the devices on the OT network, attackers can gain access to other networks connected to the OT network.
Legacy software continues to plague every network and industry. SCADA systems (OT networks) experience the effects of such legacy software more than others. Initial installation of a few machine software runs into years and even decades. While there is little to no security threat when isolated, these systems become fragile from a security point of view when connected to the internet. A complete failure of authentication systems and threat prevention systems due to legacy software puts the entire network at high risk.
The communication infrastructure between the field devices and the administrative computer is mainly unsecured. While the engineers in an industrial plant opt for reliability over encrypted data, attackers can eavesdrop and obtain critical information. Using this information to understand protocols better, attackers can target workstations, HMI, and ICS by pushing specifically designed malicious code.
To err is human. That sounds good, but not so when working in an environment where security is everything. A workforce undertrained in cybersecurity practices and cyber-attack vectors often becomes vectors for threat actors. Click phishing emails by employees helps the malware to enter the work systems. Using corrupted thumb drives on the SCADA system can affect the entire network.
Given the dynamic nature of cybersecurity, enterprises hire employees on a contract basis for a specific time. An employee who might have expected a full-time position might end up only with a short-term contract. Such employees turn against the enterprise and use their existing knowledge and login credentials (if still active) to attack the systems. There have also been cases of employees trying to co-operate to threat actors in exchange for money.
Knowing potential sites where vulnerabilities often arise is not sufficient. We must identify vulnerabilities before they pave the way for attackers. Following a dedicated strategy can help us identify vulnerabilities before they are exposed.
Old remote connections have to be inspected from time to time. Regular inspection can help identify and patch previously unknown vulnerabilities. The patching can stop attackers from exploiting such vulnerabilities.
Supervising IT assets used for secure logins (biometrics, passwords, or retina) is essential. The security team should check for processes running with minimum resources. The review of patches and Operating systems should take place with due authorization.
Often, SCADA networks allow external and anonymous client connections for various purposes. On such networks, the risk of infiltration is high. Regular changes of passwords, predefined session protocols, and authenticated logins are fundamental in establishing a sound security posture.
Understanding how the new Change Management policy affects the lifecycle, listing procedures, and defining policies is vital. The level of authorization separating privileged users (from regular users) who access SCADA patches is crucial.
The communication infrastructure comprises Field and IT components. Data passing from and to the administrative computer to the field and IT components is unsecured and not encrypted. Protecting such assets should be of utmost importance.
Often, the OS and the HMI/SCADA software are different. Additionally, the latter comes with many bloats, with extended (and unnecessary) features making the software complex. Few HMI/SCADA software require internet connectivity to operate or for patching. Improperly configured connections for operating or patching threaten the security posture.
Most components of a SCADA network (especially in critical infrastructure) are designed to be quad redundant. It is vital to ensure the hardware goes through stringent checks to see whether the design comprises all the desired ‘failsafe’ features in the build.
Securing industrial spaces with 10,000 or more operating components is a tough ask. Things get more complicated with SCADA systems now connected to the internet. These isolated systems moved from traditional proprietary protocol to internet protocol (or simply IP-based systems) for transmission. This shift has brought SCADA systems closer to attack vectors often associated with the internet. Protecting the SCADA systems is highly important, given that many crucial infrastructures depend on these systems.
Also Read: Complete guide to Scada Security
At Sectrio, we have compiled a list of measures that you can take to secure your SCADA system. You can jump to various sections in the table by following the adjacent Area of Focus title.
Following these procedures and practices can help secure SCADA systems extensively. This notion does not mean they are foolproof. Attackers are always on the hunt for novel technologies to intrude into networks. Hence, constant surveillance and incident detection protocols are vital in securing SCADA systems as we go into the unseen future.
While physicists can help predict the backwash of an atomic explosion, cybersecurity experts cannot do the same about a successful intrusion of SCADA systems. It is in the hands of the attacker or the hacking group. Upon a successful intrusion, it is about mitigating the risks and limiting the impact. We can conclude the chain of events that follow after a SCADA system is compromised.
Unauthorized access to ICS – Upon a successful intrusion into the system, hackers gain unauthorized access to industrial control systems. Depending on the authorization level, they can execute commands to change processes. If the intrusion is detected early, the workforce can halt the entire production, preventing further mishaps. Iranian attackers used the ‘Google Dorking’ method to access the New York dam. If not for a maintenance routine during the attack, the attacker could have gained control to release the dam waters.
Unplanned downtime – The most financially denting factor during a successful intrusion is unplanned downtime. A highly skilled attacker can bring the entire plant to a standstill for days and weeks. This unplanned downtime dents the firm’s finances, schedule, and brand value. DDoS attacks play a crucial role in bringing down networking systems. The power outage in Ukraine due to a cyber-attack paints a harsh reality of the coming future.
Data modification – Any change to the safety systems and manufacturing processes can jeopardize many lives. The attack at a Tesla Plant saw an insider sabotaging the OP system by changing the source code of the manufacturing process. Any change to data on a medical system can adversely affect many lives.
The Stuxnet malware is supposed to be one of the most complex malware known back then. It managed to affect one in every four nuclear power centrifuges in Iran. Security experts believe Stuxnet was a wake-up call about SCADA systems security. Given its ability to spread across different systems and self-replicate, it sent shivers to many national agencies globally.
The BlackEnergy malware targeted the HMI master stations in the SCADA system. A report published by ICS-CERT highlighted that the malware was highly sophisticated and exposed many SCADA systems globally.
If the attackers had more time and information on the SCADA systems, an entire local community would have fallen victim. According to a report by Verizon Security Solutions, the security of a water company, codenamed ‘Kemuri,’ has been compromised. The threat actors were able to access valve and flow control applications. Using this, they could have manipulated the PLCs and controlled the chemical processing in the water treatment plant.
Coming out as a fourth installment after Stuxnet, BlackEnergy 2, and Havex, the Crashoveride malware was designed and deployed to target electric grids specifically. Upon successful intrusion, the malware causes severe power outages.
SamSam ransomware caused havoc after it managed to bring the city of Atlanta to its knees for weeks. The malware deleted the Atlanta City Police dashcam data and blocked payments, ticketing, and other services for weeks. The hackers demanded a ransom of $51,000 to restore the data.
While the list can go on, we felt it is essential for you to realize how vulnerable and unsecured SCADA systems are. Among other SCADA attacks, Havex (2011), Night Dragon (2010), Duqu-Flame-Gauss (2011), and the Target Stores incident have flipped our view about SCADA systems security.
The attacks on SCADA systems increased manifold times in the recent past. Practically, intruding into an OT network is easier than an IT network. Even if a threat actor manages to intrude into an IT network, the ever-vigilant IT security team mitigates the attack. On the other hand, financial losses due to downtime on an OT network are huge and have long-term effects. This position forces companies to give in to the attacker’s demands.
‘Modern’ is the way to go!
Operating industrial plants in a threat-rich environment is quite challenging. Adopting modern SCADA systems and phasing out legacy systems is the only way forward. Modern SCADA systems have various advantages, from improving the existing system’s efficiency to extended software support.
Also Read: Complete Guide to Cyber Threat Intelligence Feeds
The modern SCADA systems are easy to scale and provide extended support for evolving hardware and software. Scalability and extended support facilitate new-age SCADA systems to leverage the power of cloud computing to meet fluctuating workload demands. Legacy SCADA systems usually come with vendor lock-in, preventing interoperability with other manufacturers’ SCADA devices and forcing enterprises to compromise. The modern era SCADA systems come with better interoperability increasing options for enterprises.
Communication infrastructure has always been unsecured within the SCADA system. It was often seen as a weak link and posed challenges while protecting the systems. The modern SCADA system supports current communication protocols. The enhanced support is crucial in encrypting data without compromising friendly troubleshooting and reliability. Modern protocols also enhance the SCADA system’s data capabilities and controls. Another argument in favor of phasing out legacy systems is the support modern SCADA systems offer regarding hardware and software. Integrating Off-the-shelf hardware components and third-party applications into modern SCADA systems is easy.
*** This is a Security Bloggers Network syndicated blog from Sectrio authored by Sectrio. Read the original post at: https://sectrio.com/complete-guide-to-scada-security/
The Home of the Security Bloggers Network