230,000 – This is the number of people affected by a single successful SCADA attack. Attackers successfully intruded Ukraine’s power grid using BlackEnergy 3 malware in 2015. The attack left 230,000 people and more stranded without power for over 6 hours. The SCADA systems were left non-functional, forcing the workforce to restore the power manually.
This attack on the SCADA system set alarm bells ringing across the globe, exposing the weak cybersecurity posture of critical infrastructure. But what are SCADA systems in the first place?
The acronym SCADA stands for Supervisory Control and Data Acquisition. Ranging from power plants to railways and water treatment plants to air traffic controls, applications of the SCADA system are vast and deep. Using SCADA systems (software), one can control processes in real-time and obtain data from sensors, devices, and other associate equipment. In short, SCADA systems help an organization manage and operate an industrial plant efficiently.
Also read: How to get started with OT security
SCADA systems find uses across industries, infrastructure, facility processes, and others. Computers, GUI, networked data communications, and proprietary software make up a typical SCADA system. Thanks to SCADA systems, one can quickly identify a non-functioning part in an industrial plant with over 10,000 functioning parts and numerous connections.
SCADA system works on collecting data and then relaying commands through the architecture to control a process or a machine. A typical SCADA system involves various collection points, administrative computers, field controllers, communication infrastructure, software, a human-machine interface, and many more.
Administrative Computers: These form the core structure of a SCADA system. The administrative/supervisory computers send all the control commands to the respective machines and devices. The administrative computers harvest all the data collected in a SCADA-enabled system. Depending on the complexity of the SCADA system, the administrative computer(s) can be one or multiple, often forming a master station. Exclusive Human-Machine interface systems propel the interactions between these computers and the workforce.
Field Controllers: These come in two forms:
- PLCs – Programmable Logic Controllers help control a designated system, directed by built-in custom logic.
- RTUs – Remote Terminal Units help connect physical devices (machines, sensors, and other devices) to the SCADA system. They form the bridge to transfer the data collected to the SCADA system.
Communication Infrastructure: This deals with establishing a secure connection between the SCADA system, RTUs, and PLCs. Communication connection comes in two forms:
- Field: Communication-based between RTUs and the command control
- IT: Communication established between multiple servers within the command control
Most of the infrastructure is modular, and the data passing through them is often unencrypted in both Field and IT communication infrastructure. The primary design objective of these systems is easy troubleshooting and ease of implementation, emphasizing reliability over security.
A manufacturer-specific or industry-defined protocol is adopted while establishing the communication infrastructure. The PLCs and RTUs can operate autonomously based on the latest command received from the administrative system.
Human Machine Interface (HMI) System: The administrative system can comprise a single computer to a master station comprising over ten computers. The data ranges from simple flow diagrams of processes to complex schematic diagrams of the entire plant. An operator can access graphics, data charts, and other graphical data displayed on the system using a mouse, keyboard, or touch. The HMI system presents the status of every process, component, and plant-related aspect in an interpretable manner.
Evolution of SCADA Systems
SCADA systems have come a long way since beginning in the early 1960s. Over the 60 years, SCADA systems have transformed from monolithic to IIoT-based systems. As per the industry standards, the Fourth Generation of SCADA Systems is in use. Shortly, the fifth generation of SCADA systems will enter industrial spaces.
|First Generation (1960s to mid-1970s)||Monolithic||RTUs incorporated at industrial sites directly connected to minicomputer systems.Low RiskIndependent system|
|Second Generation (Mid 1970’s to late 1980s)||Distributed||Security risk elevated from low to moderate Availability of proprietary LAN networks Smaller computers and greater computing power Multiple systems connected via LANLack of interoperability due to vendor lock-in practice|
|Third Generation (Late 1980s – 1990s)||Networked||The emergence of Ethernet and fiber optic.Improved interoperability Scalability of SCADA systemSecurity risk heightened Less operating costs|
|Fourth Generation 2000s||SCADA and IoT integrated system||Equipped with IoT, Cloud computing, and big dataSSL and TLS have improved security posture while exchanging data between the SCADA systems and external networks.Better interfaces on handheld devices Greater interoperability SQL database support Web-deployable|
The next generation of SCADA systems will have cloud computing at their core. Researchers expect the new SCADA systems to optimize resource management (at peak surges and low demand) and enhance security protocols. Even without in-depth knowledge of software, one can design complex applications using RAD (Rapid Application Development) and the upcoming new-age SCADA systems toolkit.
What makes SCADA so effective?
The vast industrial expanses make it very difficult for physical monitoring. We need a reliable and efficient system to automate recurrence processes and constantly get the status of everything in an industrial expanse. SCADA has been rightly serving this purpose since its inception. From data collection to setting up alarms, SCADA plays a crucial role in improving an industrial expanse’s productivity, maintenance, and functionality.
- Data Collection and Presentation: SCADA systems help collect data from various sensors across an industrial floor. Analyzing and interpreting this data, we can understand the working conditions of the machine and the industrial space in real-time. Thanks to the improved HMI systems, a comprehensive data presentation means a better understanding of the entire industrial plant.
- Comparative Studies: The historical and real-time data obtained from SCADA systems come in handy when comparing performance and deriving other statistical data.
- Remote Control: A well-defined SCADA system can control every industrial floor process using sensors’ data and field actuators’ control. This feature saves valuable time and human work hours.
- Logging Reports: Given its ability to automate machines and industrial processes and collect massive data, SCADA systems are great at generating reports. Applying the appropriate context to these reports gives one an in-depth perspective of the industrial plant.
- Alarms and Alerts: With predefined and custom policies, SCADA systems trigger alerts notifying about the processes. The alerts help the workforce modify or stop a procedure right away.
SCADA systems run through 5 levels from Level 0 to Level 4. They form five of the six levels described in the Purdue Enterprise Reference Architecture, followed by enterprise integration. The dissemination of levels helps us understand SCADA systems better and define each security policy for each level.
|SCADA System Levels||Description|
|Level 4||Planning and Logistics Scheduling of production processes Managing ongoing processes|
|Level 3||Production Control Level Made up of administrative systemsData aggregation from Level 2 systemsReporting to ongoing production is produced Executing alerts and other region-wide functions|
|Level 2||Plant Administrative Level Data aggregation from level controllersIssuing commands to respective level controllers It consists of supervisory and administrative systems|
|Level 1||Direct Control Level Comprises local controllers – RTUs and PLCs Accepts data inputs from sensors Actuator receive commandsDirect interaction with field devices|
|Level 0||Field Device Level Includes sensors that forward data Includes actuators that control processes|
SCADA Security Framework:
We can confidently say SCADA systems have opted for a reliable and straightforward framework for smooth functioning. SCADA systems were relatively safe, given that they were greatly restricted to on-site locations before the internet exploded. Every security framework of SCADA should be able to meet specific objectives. These help build a strong posture contributing toward a safe and secure environment. The objectives are as follows:
- Scalability is essential
- Ability to comply with all regulatory standards
- Dynamic and comprehensive to combat evolving threats
- Scoring well in Risk Management System exclusively designed for SCADA systems
The evolving cybersecurity threats call for a more secure SCADA system. Primarily, we can breakdown the security framework of SCADA into:
- Governance Control
- Exclusive SCADA Controls
- Data and Application Security
- System Assurance
- Monitoring Controls
- Peripheral Controls
Breakdown of the SCADA Security Framework:
1. Governance Control:
SCADA security programs are cost intensive. Hence, a well-organized leadership with sufficient funding and expertise is key to getting SCADA security on the rails. Parallelly, playing by the book is vital for any security framework to function well. Following policies and procedures, complying with various industry standards, and meeting government norms are critical.
A regular risk assessment profile can be a great tool to gauge the security posture of the SCADA systems periodically. The risk assessment profile can help prepare strategies for combating emerging and evolving threats.
2. Exclusive SCADA Controls:
Acknowledging that SCADA and IT security risks are in contrast, a comprehensive security setup should be in place to protect a SCADA system. Identifying and classifying SCADA assets is essential. Password management, authentication and authorization, account administration, and vulnerability management – related explicitly to third-party supplied SCADA devices are critical. Since the location of RTUs is far from PLCs, physically securing the SCADA assets also plays an important role. Additionally, the corporate network and SCADA network should be separate.
3. Data and Application Security:
As already stated, the data flowing through SCADA systems is usually not encrypted. Though confidentiality does not play a key role in data related to SCADA, it is important to store that data for future reference securely. Likewise, building defense systems against malicious code and malware, tackling the problem of Change Management, and application security should be the top priority.
Releasing complete information about policies, procedures, and standards is necessary, as it involves many third-party vendors developing applications. This approach reduces complexities that might otherwise arise due to interoperability. Traditional testing methods (used in IT) may not be sufficient for SCADA systems.
4. System Assurance:
SCADA systems must maintain the same trust level (among the workforce) and reliability in an industrial plant, even during hostile situations. These can arise due to unauthorized changes to the system, unnoticed incidents, and natural disasters. Irrespective of the situation, the system should show resilience and continue to meet its end goals.
Given that communication between the SCADA administrative system and the field devices is not secured, we should protect systems that affect the processes. Defining a disaster recovery and management plan helps prevent adverse incidents and non-functional times.
5. Monitoring Controls:
SCADA systems are inherently insecure. Threat detection and real-time monitoring play a key role in securing the SCADA system environment. A well-defined policy toward Incident management is vital when handling an incident orderly, emphasizing real-time incident reporting and management.
Third-party vendors often apply patches to the sub-systems. These may sometimes open vulnerabilities, paving the way for a possible intrusion. Deploying round-the-clock threat detection tools that scan, assess, and report the entire network in real-time is vital. Parallelly, forensics can help unearth incidents that might have gone unnoticed.
6. Peripheral Controls:
Overlooking third-party vendors is impossible when it comes to SCADA security. While getting into contracts with vendors who extend SCADA associate services, enterprises should be clear about the security posture. Defining security standards, default security policies and procedures, carrying out security assessment, evaluation, and reviewing of the third-party vendor devices and services is essential.
When two enterprises collaborate, they should establish Partner Security Management processes. These help in knowing the security posture of the collaborating firm.
Grey areas in a SCADA System
A SCADA system’s sub-system, like sensors, actuators, and communication infrastructure, is not secure. It is built on the intuition that the supervising system is secured. This intuition holds as long as an attacker does not attempt to intrude into the system. The large surface attack makes it easy for attackers to find vulnerabilities upon probing the network. Knowing the grey areas in a SCADA system can help security experts understand, prevent, and neutralize attacks. Even in case of an intrusion, it helps to mitigate. The following systems in a SCADA system are the origin of vulnerabilities:
- Mobile Applications
- Human-Machine Interface
Profinet and Modbus have been integral to the SCADA revolution. These were designed for reliability and not for security. The modern threat landscape completely belittles them when it comes to security. An attacker can intrude into the (unsecured) communication system and modify data sent from an RTU or PLC. This new data can change a central system’s general course of action.
2. Mobile Application
Off-site engineers and technicians use mobile applications to monitor and modify processes in an industrial plant. Cybersecurity expert Alexander Bolshev managed close to 150 vulnerabilities from 20 mobile applications. According to Bolshev, an attacker can use any of these vulnerabilities and trick the operators into making a wrong decision. Such an act can potentially harm lives at the industrial plant.
3. Human-Machine Interface (HMI)
Undeniably, the HMI is one of the favorite systems for an attacker. The attackers can access critical and sensitive information should they manage to access the HMI. It is an ideal target to steal essential information or alter control processes.
Most SCADA systems are highly reliable, even in the case of a Change Management execution. But other technologies and components that hold them might be ill-equipped. Such components can adversely affect the SCADA system, as in the case of URGENT/11 – a set of vulnerabilities. These affect SCADA systems, infusion pumps, printers, and firewalls.
Common threats faced by SCADA systems:
Modern threats come in all shapes and forms. They range from a single-line malicious code to a well-grown human being. Yes, rouge employees with access to SCADA can work against the systems. The threat vectors do not end there. There are many other reasons for a SCADA system to be compromised.
Since the dawn of the computer revolution, malware has always had a special place. Irrespective of the industry and the security, novel malware have always found ways to intrude. If a system has a poor security posture, the probability of malware already intruding into the system is 80%. SCADA systems are no exception when it comes to malware attacks. SCADA systems are often a soft target for attackers, given their poor security posture. Targeting with specially designed malicious code can compromise ICS systems. This malware can comprise worms, Trojans, Ransomware, and others.
2. DDoS attacks
With an increasing number of SCADA systems connected to the internet and IT networks every hour, the threats have increased exponentially. The boom of IIoT devices only impelled this. Most IIoT devices run on default credentials. If a threat actor manages to access a single device on an industrial network, these devices can be turned into botnets and carry out large attacks. Often, the main aim of a DDoS attack on industrial plants is to stall production.
3. Command injection
To pass commands to the system shell requires high-level authorization in a SCADA system. Hackers could control the target system to such an extent that they could run arbitrary commands capable of manipulating various parameters. The lack of a process to validate user-supplied data paves the way for command injection attacks.
4. Connecting to the Internet
ML (Machine Learning) and AI (Artificial Intelligence) drive Cloud integration and evolving data analytics, which enhance the efficiency and productivity of an industrial plant. Leveraging the power of ML and AI is only possible by connecting to the internet. The moment an isolated system like SCADA, with zero security built into it, connects to the internet, it becomes an easy target for evolved threats in cyberspace. Vendors are sometimes provided access to the systems for patching and routine checks. Any insecure connection on the vendor’s end can allow backdoor access for threat actors.
5. Networking issues
Misconfigured networks are a common occurrence in SCADA systems. There have been instances of SCADA systems connecting to unaudited dial-up lines. These connections can pave the way for attackers to access the OT and corporate LAN networks. The evolved and new generation threats are unaffected by legacy firewalls (physical devices) in these systems. Weak segregation of IT and OT networks also opens doors to threat actors.
6. Continuing default configurations
Many devices in a SCADA system continue to function with their default credentials. This scenario is frightening, given modern threat actors’ vast skill sets. Along with the devices on the OT network, attackers can gain access to other networks connected to the OT network.
7. Legacy software
Legacy software continues to plague every network and industry. SCADA systems (OT networks) experience the effects of such legacy software more than others. Initial installation of a few machine software runs into years and even decades. While there is little to no security threat when isolated, these systems become fragile from a security point of view when connected to the internet. A complete failure of authentication systems and threat prevention systems due to legacy software puts the entire network at high risk.
8. Unencrypted communication infrastructure
The communication infrastructure between the field devices and the administrative computer is mainly unsecured. While the engineers in an industrial plant opt for reliability over encrypted data, attackers can eavesdrop and obtain critical information. Using this information to understand protocols better, attackers can target workstations, HMI, and ICS by pushing specifically designed malicious code.
9. Human Errors
To err is human. That sounds good, but not so when working in an environment where security is everything. A workforce undertrained in cybersecurity practices and cyber-attack vectors often becomes vectors for threat actors. Click phishing emails by employees helps the malware to enter the work systems. Using corrupted thumb drives on the SCADA system can affect the entire network.
10. Rogue employees
Given the dynamic nature of cybersecurity, enterprises hire employees on a contract basis for a specific time. An employee who might have expected a full-time position might end up only with a short-term contract. Such employees turn against the enterprise and use their existing knowledge and login credentials (if still active) to attack the systems. There have also been cases of employees trying to co-operate to threat actors in exchange for money.
Measures to identify vulnerabilities:
Knowing potential sites where vulnerabilities often arise is not sufficient. We must identify vulnerabilities before they pave the way for attackers. Following a dedicated strategy can help us identify vulnerabilities before they are exposed.
Identifying vulnerabilities at the manufacturer end:
1. Periodic Inspection
Old remote connections have to be inspected from time to time. Regular inspection can help identify and patch previously unknown vulnerabilities. The patching can stop attackers from exploiting such vulnerabilities.
2. Reviewing IT assets
Supervising IT assets used for secure logins (biometrics, passwords, or retina) is essential. The security team should check for processes running with minimum resources. The review of patches and Operating systems should take place with due authorization.
3. Inspecting Access Control
Often, SCADA networks allow external and anonymous client connections for various purposes. On such networks, the risk of infiltration is high. Regular changes of passwords, predefined session protocols, and authenticated logins are fundamental in establishing a sound security posture.
4. Periodic review of Change Management Policy
Understanding how the new Change Management policy affects the lifecycle, listing procedures, and defining policies is vital. The level of authorization separating privileged users (from regular users) who access SCADA patches is crucial.
Strategic identification of vulnerabilities:
The communication infrastructure comprises Field and IT components. Data passing from and to the administrative computer to the field and IT components is unsecured and not encrypted. Protecting such assets should be of utmost importance.
Often, the OS and the HMI/SCADA software are different. Additionally, the latter comes with many bloats, with extended (and unnecessary) features making the software complex. Few HMI/SCADA software require internet connectivity to operate or for patching. Improperly configured connections for operating or patching threaten the security posture.
Most components of a SCADA network (especially in critical infrastructure) are designed to be quad redundant. It is vital to ensure the hardware goes through stringent checks to see whether the design comprises all the desired ‘failsafe’ features in the build.
Securing SCADA Systems:
Securing industrial spaces with 10,000 or more operating components is a tough ask. Things get more complicated with SCADA systems now connected to the internet. These isolated systems moved from traditional proprietary protocol to internet protocol (or simply IP-based systems) for transmission. This shift has brought SCADA systems closer to attack vectors often associated with the internet. Protecting the SCADA systems is highly important, given that many crucial infrastructures depend on these systems.
Also Read: Complete guide to Scada Security
At Sectrio, we have compiled a list of measures that you can take to secure your SCADA system. You can jump to various sections in the table by following the adjacent Area of Focus title.
|Sl.No||Area of Focus||Security Measure|
|1||Network Connections||Diagramming all the network traffic and connections is essential. It helps us to know the weak points and places where a potential attack can take place using vectors by bad actors. Remove all unnecessary systems from the network.Achieving complete connection and asset visibilityNo one should connect their devices to the system.Maintain separate networks for Corporate and SCADA systems.Remove untrusted devices from the network.|
|2||Communication Infrastructure||Encrypt all the unencrypted data. Important to assess which connections need to be encrypted while working with PLCs A Data Diode facilitates one-way data flow (generally out of the network). This technique eliminates the in-flow of data, thereby avoiding a significant threat vector.|
|3||Workforce related||Clear communication about the role of each individual is essential. The authorization hierarchy should be well understood among the team members Managing the security team is critical, especially during incident detection CISOs should organize regular workforce training programs to bring awareness about the latest developments in the industry|
|4||User Logins and authentication||Two-Factor authentication should be de facto.Enable Single Sign Ons during remote logins.Default logins and usernames should be modified or removed.|
|5||Software related security||Deploying Technical Audits, Live Threat Intelligence feeds, and real-time management systems help identify network threats. Network segmentation helps in mitigating the lateral movement of the attackers. It also limits the spread of malware and considerably reduces the exposure of sensitive and critical information. Usage WAF (Web Application Firewall) to scan web applications that are patch vulnerable. Traditional methods like penetration testing and constant vulnerability scanning can let us know security posture from time to time. Similarly, simulating cyber-attack using devices on the network (with predefined policies) should be carried out.|
|6||Hardware systems||Establishing IDS (Intrusion Detection System) is vital. Mobile Device Management (MDM), Security Information and Event Management, and Firewalls will be helpful.|
|7||Broader view||Understanding the limits and options of software and hardware is crucial for extending security features. One should prefer SCADA devices that come with built-in security features. Likewise, avoiding any software which cannot support the devices on the network or cannot extend the functionality beyond a point. Determining the risk profile of the organization helps the CISO to come up with a budget plan. One should identify what sensitive and critical data is and what is not. Proper segregation of data aids in choosing the optimum level of security for the organization, rather than overspending or lacking security. Robust incident detection and recovery plan are important. The plan should be precise about ‘Before, during, and after the incident. It can help in protecting critical assets during crucial times. Multi-layered security and best practices can keep many threats at bay.|
Following these procedures and practices can help secure SCADA systems extensively. This notion does not mean they are foolproof. Attackers are always on the hunt for novel technologies to intrude into networks. Hence, constant surveillance and incident detection protocols are vital in securing SCADA systems as we go into the unseen future.
Consequences of a successful intrusion!
While physicists can help predict the backwash of an atomic explosion, cybersecurity experts cannot do the same about a successful intrusion of SCADA systems. It is in the hands of the attacker or the hacking group. Upon a successful intrusion, it is about mitigating the risks and limiting the impact. We can conclude the chain of events that follow after a SCADA system is compromised.
Unauthorized access to ICS – Upon a successful intrusion into the system, hackers gain unauthorized access to industrial control systems. Depending on the authorization level, they can execute commands to change processes. If the intrusion is detected early, the workforce can halt the entire production, preventing further mishaps. Iranian attackers used the ‘Google Dorking’ method to access the New York dam. If not for a maintenance routine during the attack, the attacker could have gained control to release the dam waters.
Unplanned downtime – The most financially denting factor during a successful intrusion is unplanned downtime. A highly skilled attacker can bring the entire plant to a standstill for days and weeks. This unplanned downtime dents the firm’s finances, schedule, and brand value. DDoS attacks play a crucial role in bringing down networking systems. The power outage in Ukraine due to a cyber-attack paints a harsh reality of the coming future.
Data modification – Any change to the safety systems and manufacturing processes can jeopardize many lives. The attack at a Tesla Plant saw an insider sabotaging the OP system by changing the source code of the manufacturing process. Any change to data on a medical system can adversely affect many lives.
Recent attacks on SCADA Systems!
1. Stuxnet 2010
The Stuxnet malware is supposed to be one of the most complex malware known back then. It managed to affect one in every four nuclear power centrifuges in Iran. Security experts believe Stuxnet was a wake-up call about SCADA systems security. Given its ability to spread across different systems and self-replicate, it sent shivers to many national agencies globally.
2. BlackEnergy Malware 2014
The BlackEnergy malware targeted the HMI master stations in the SCADA system. A report published by ICS-CERT highlighted that the malware was highly sophisticated and exposed many SCADA systems globally.
3. ‘Kemuri’ Water Company attack 2016
If the attackers had more time and information on the SCADA systems, an entire local community would have fallen victim. According to a report by Verizon Security Solutions, the security of a water company, codenamed ‘Kemuri,’ has been compromised. The threat actors were able to access valve and flow control applications. Using this, they could have manipulated the PLCs and controlled the chemical processing in the water treatment plant.
4. CRASHOVERRIDE 2017
Coming out as a fourth installment after Stuxnet, BlackEnergy 2, and Havex, the Crashoveride malware was designed and deployed to target electric grids specifically. Upon successful intrusion, the malware causes severe power outages.
5. SamSam 2018
SamSam ransomware caused havoc after it managed to bring the city of Atlanta to its knees for weeks. The malware deleted the Atlanta City Police dashcam data and blocked payments, ticketing, and other services for weeks. The hackers demanded a ransom of $51,000 to restore the data.
While the list can go on, we felt it is essential for you to realize how vulnerable and unsecured SCADA systems are. Among other SCADA attacks, Havex (2011), Night Dragon (2010), Duqu-Flame-Gauss (2011), and the Target Stores incident have flipped our view about SCADA systems security.
Going into the future…
The attacks on SCADA systems increased manifold times in the recent past. Practically, intruding into an OT network is easier than an IT network. Even if a threat actor manages to intrude into an IT network, the ever-vigilant IT security team mitigates the attack. On the other hand, financial losses due to downtime on an OT network are huge and have long-term effects. This position forces companies to give in to the attacker’s demands.
‘Modern’ is the way to go!
Operating industrial plants in a threat-rich environment is quite challenging. Adopting modern SCADA systems and phasing out legacy systems is the only way forward. Modern SCADA systems have various advantages, from improving the existing system’s efficiency to extended software support.
The modern SCADA systems are easy to scale and provide extended support for evolving hardware and software. Scalability and extended support facilitate new-age SCADA systems to leverage the power of cloud computing to meet fluctuating workload demands. Legacy SCADA systems usually come with vendor lock-in, preventing interoperability with other manufacturers’ SCADA devices and forcing enterprises to compromise. The modern era SCADA systems come with better interoperability increasing options for enterprises.
Communication infrastructure has always been unsecured within the SCADA system. It was often seen as a weak link and posed challenges while protecting the systems. The modern SCADA system supports current communication protocols. The enhanced support is crucial in encrypting data without compromising friendly troubleshooting and reliability. Modern protocols also enhance the SCADA system’s data capabilities and controls. Another argument in favor of phasing out legacy systems is the support modern SCADA systems offer regarding hardware and software. Integrating Off-the-shelf hardware components and third-party applications into modern SCADA systems is easy.
*** This is a Security Bloggers Network syndicated blog from Sectrio authored by Sectrio. Read the original post at: https://sectrio.com/complete-guide-to-scada-security/