Critical infrastructures and utilities (oil and gas, transport, power, water, chemical) are national material assets on which the functioning of society and the economy depends. They are so vital that their incapacity or destruction would have a debilitating impact on the defence and economic security of the country. From an engineering perspective, the process control networks of these industries are the backbone of their functioning, and SCADA systems form an integral part of those networks.
A SCADA (Supervisory Control And Data Acquisition) system collects data from various remote sites and makes it available in a central location for subsequent processing. Examples of use range from simple electronic gathering of data from oil wells to remote operation of an unmanned oil or gas platform. Other typical applications include storage tank farm management, water/steam injection, pipeline management, metering stations, steam generator and compressor stations, etc. Because of the distances involved and obstacles along the path, data is typically transmitted over radio, microwave or satellite links. Data can also be delivered over a dial-up or leased landline. Apart from the different media, a whole range of (mostly) proprietary protocols exist.
The new SCADA architecture is a result of close co-operation with different oil and gas companies around the world, fusing their know-how with SCADA industry knowledge of automation protocols (Fieldbus, Industrial Ethernet, MODBUS/TCP, etc.). The architecture provides a platform principally for energy and resource utilities by offering improved access to real-time measurements and instrument diagnostics at remote locations.
Originally, process control networks were restricted to dedicated processes with sparse interconnectivity to other systems, if at all. The corresponding hardware was based on proprietary technologies and protocols coming from only one or a few vendors. As such, they were completely (or mostly) separated from the rest of the world and only reachable by means of a few dial-up modems. From the cyber-security point of view these control systems were protected by 'security through obscurity' since only a few experts had knowledge of the protocols and methods used, and the outside connectivity was low. Major threats were insiders such as disgruntled employees who were targeting the control system in order to achieve personal gain, or users who had badly configured the system. A recent analysis reports that today this dominance of internal fraud is rapidly shifting to threats created externally.
As IT networks spread, the combination of openness and imperfect software and operating systems led, during the early 90's, to problems in the form of 'war dialling', 'back doors', password sniffing and cracking, and the hijacking of user sessions. These threats grew in sophistication as attackers accumulated knowledge, leading to a new breadth of automated attacks from viruses and worms. Today, IT faces Denial-of-Service (DoS) attacks, botnets and zombie machines which are able to perform a synchronised attack from hundreds of machines around the world.
Unfortunately the rise of modern IT in control systems and networks also has its drawbacks. The pervasive interconnectivity between business and office networks enables viruses and worms to spread more easily to control systems. VPNs, wireless access, notebooks and USB sticks offer new possibilities for a virus or worm to enter the control network, to say nothing of attackers who might be interested in targeting control machines in order to shut down the system.
MS Windows is now the de-facto platform for SCADA applications. From the point of view of functionality this might be a reasonable step forward. However, with regard to cyber-security it is questionable, since the corresponding control PCs inherit the vulnerabilities of office machines, but control PCs cannot be patched and updated quite so speedily or easily. Some control PCs might even lack anti-virus software because its use might interfere with the control processes. Even if these PCs are secured, 'zero-day' exploits might enter before the proper patch and virus signature file is available or applied. Furthermore, OPC (OLE for Process Control, from the OPC Foundation) relies on port 135, the Windows RPC endpoint mapper, which is heavily used by the Windows OS itself and cannot easily be blocked by means of a firewall.
The threats can be broadly classified as follows:
Backdoor to the Network
One of the enduring beliefs held in the SCADA and control systems world is that they are secure because they are simply never connected to the Internet. But if this is the case, then how are all these viruses getting to the plant floor and infecting SCADA systems? Some of the points of entry are the Internet, the corporate WAN, LANs, wireless networks, VPN connections, dial-up modems, etc.
- Modems: Both leased-line and dial-up modems have been in use for decades to allow the remote support of control systems and are still widespread, especially on control devices that use serial communications or are located in remote locations. For example, the connection of maintenance modems to protection relays in substations is a largely accepted practice throughout the North American power industry. Unfortunately, many of these modem/device pairs have been shown to have either no password or trivial passwords. Some are even so old that they do not allow passwords at all.
- Wireless: There are many ways SCADA control systems companies use wireless technology. Traditionally, SCADA networks over large physical areas used licensed-band radio systems to allow remote nodes to communicate with a centralised management host. More recently, the large-scale use of 802.11 WLANs has created countless opportunities for intrusion and information theft.
- Third-party connections: Generally used for remote support by control systems vendors or product transfer by raw materials suppliers, these connections interconnect the control system to an outside network that may not follow the same security policies. Dial-up, long-haul serial, unencrypted wide area network, radio frequency, and VPN style connections are all used.
- VPNs: Often deployed as part of a third-party connection, these use encryption technologies such as SSL and IPsec to tunnel so-called secure communications across insecure networks (such as the Internet) and into the control network. Since the traffic is encrypted, it is commonly believed to be secure. VPNs do not protect the network and workstations against most data-driven attacks (e.g., viruses) when the end-nodes or networks are not also secured. Additionally, such connections can often bypass firewall rules because data is received in an encrypted format and cannot be checked by the firewall.
- Mobile devices such as laptops, PDAs and Flash drives are often used in a variety of environments, each with different security policies and practices. This allows the spillover of security issues from one system to the other. For example, if laptops are used both in the plant environment and in a less secure home environment, malware obtained in one setting may be unwittingly transferred to the other.
- Internet: While commonly denied, both the ARC Study and a number of the incidents in the ISID show that control systems do get connected directly to the Internet. Reasons for this include a desire to download system patches or antivirus updates from vendor web sites, as well as a misguided desire to conduct typical office activities (such as email) from the plant floor.
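The points of entry above, together with the earlier remark that OPC needs port 135 open, all come down to flows reaching the control zone from somewhere the policy never sanctioned. The script below is an added example, not part of the original article, of a zone-based flow audit over constructed firewall-style log lines: it assumes a three-zone layout (corporate, DMZ, control), a single DMZ historian allowed to reach Modbus/TCP (502) and the RPC endpoint mapper (135), and one engineering workstation allowed to originate control traffic inside the zone. All addresses, hosts and log lines are constructed for the example.

```python
import ipaddress
import re

# Zone layout assumed for this example (constructed addressing, not from the article).
ZONES = {
    "corporate": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "control": ipaddress.ip_network("192.168.50.0/24"),
}

# Flows into the control zone that the policy sanctions, as (source host, TCP port).
# 502 = Modbus/TCP; 135 = Windows RPC endpoint mapper, which OPC Classic (DCOM) needs.
ALLOWED_INBOUND = {
    ("10.2.0.5", 502),  # historian in the DMZ polling Modbus devices (assumed host)
    ("10.2.0.5", 135),  # the same host as the only sanctioned OPC client
}
# Hosts inside the control zone that may originate control-protocol traffic.
CONTROL_CLIENTS = {"192.168.50.2"}  # engineering workstation (assumed)
CONTROL_PORTS = {502, 135}

LOG_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")


def zone_of(ip_str: str) -> str:
    """Map an address to its zone; anything outside the known ranges is external."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def check_flow(line: str):
    """Return (finding, line) for a flow that violates the zone policy, else None."""
    m = LOG_RE.search(line)
    if not m:
        return ("unparsed", line)
    src, dport = m["src"], int(m["dport"])
    src_zone, dst_zone = zone_of(src), zone_of(m["dst"])
    if dst_zone != "control":
        return None  # only flows into the control zone are policed here
    if src_zone == "external":
        return ("external-to-control", line)
    if src_zone == "control":
        # A perimeter firewall never sees this traffic; flag control-protocol
        # connections from any host other than the designated clients.
        if dport in CONTROL_PORTS and src not in CONTROL_CLIENTS:
            return ("lateral-inside-control", line)
        return None
    if (src, dport) in ALLOWED_INBOUND:
        return None
    return ("unauthorised-inbound", line)


def audit(lines):
    """Run every line through check_flow and keep only the findings."""
    return [f for f in (check_flow(line) for line in lines) if f is not None]


# Constructed sample log lines in a generic firewall-style key=value format.
SAMPLE_LOG = [
    "2024-03-01T08:00:01Z src=10.2.0.5 dst=192.168.50.10 dport=502 proto=tcp action=allow",
    "2024-03-01T08:00:05Z src=10.1.5.23 dst=192.168.50.10 dport=502 proto=tcp action=allow",
    "2024-03-01T08:00:09Z src=203.0.113.7 dst=192.168.50.20 dport=135 proto=tcp action=allow",
    "2024-03-01T08:00:12Z src=10.1.5.23 dst=10.2.0.5 dport=443 proto=tcp action=allow",
    "2024-03-01T08:00:15Z src=192.168.50.30 dst=192.168.50.10 dport=502 proto=tcp action=allow",
    "2024-03-01T08:00:18Z src=192.168.50.2 dst=192.168.50.10 dport=502 proto=tcp action=allow",
]

if __name__ == "__main__":
    for finding, line in audit(SAMPLE_LOG):
        print(f"{finding:24s} {line}")
```

The third branch is the one a perimeter-only firewall cannot provide: it needs flow records from inside the control zone (a switch span port or an internal firewall), which is exactly the logging the article later notes is usually missing.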
Vulnerabilities in the network
- Weak protocols
  - Most field devices are currently enabled with their own proprietary IP stack. These stacks were never tested outside their normal SCADA systems.
  - These devices are prone to simple Denial of Service attacks and buffer overflows.
  - Implicit trust: there is no authentication in the protocol architecture.
- Lack of patched systems
- Lack of overall segmentation
  - If firewalls are used, they are typically not well configured and only provide protection between the corporate network and the control centre. Once the perimeter of the process control network is breached, the network is wide open.
- Lack of antivirus protection
  - These systems are usually not accessing the Internet, making it difficult to download the daily virus updates that make antivirus technology effective.
- Most IP-based communications in these networks are unencrypted
  - Eavesdropping, session hijacking
- Process control networks generally have limited or no logging
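Two of the bullets above, the overflow-prone proprietary stacks and the implicit trust with no authentication, are easiest to see on a concrete frame. The code below is an added example, not from the article or any vendor: a strict Modbus/TCP (MBAP) header parser that rejects frames whose length field disagrees with the bytes actually present, followed by the kind of protocol-aware screening a defender has to bolt on because the protocol itself carries no identity. The frames, the engineering workstation address and the write allowlist are constructed for the example.

```python
import struct

# Modbus/TCP framing: a 7-byte MBAP header, then a PDU of at most 253 bytes.
# Nothing in the frame identifies or authenticates the sender; the server
# trusts whoever reaches TCP port 502, which is the "implicit trust" problem.
MBAP_LEN = 7
MAX_PDU = 253

READ_FUNCS = {1, 2, 3, 4}     # read coils, discrete inputs, holding/input registers
WRITE_FUNCS = {5, 6, 15, 16}  # write single/multiple coils and registers


def parse_mbap(frame: bytes) -> dict:
    """Parse one Modbus/TCP ADU, refusing anything whose fields do not add up."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (0)")
    # The length field counts unit id + PDU. A stack that copies `length` bytes
    # without checking what actually arrived is the overflow-prone parser the
    # article describes, so this check comes before anything touches the PDU.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} but {len(frame) - 6} bytes present")
    if not 2 <= length <= MAX_PDU + 1:
        raise ValueError(f"length field {length} outside 2..{MAX_PDU + 1}")
    func = frame[MBAP_LEN]
    return {"tid": tid, "unit": unit, "func": func, "data": frame[MBAP_LEN + 1:]}


def classify(func: int) -> str:
    """Coarse intent of a function code: read, write or other (diagnostics etc.)."""
    if func in READ_FUNCS:
        return "read"
    if func in WRITE_FUNCS:
        return "write"
    return "other"


def screen(src: str, frame: bytes, write_sources: set) -> str:
    """Verdict for a frame from `src`: reads allowed, writes only from an
    explicit list of hosts, anything malformed or unexpected dropped/denied."""
    try:
        adu = parse_mbap(frame)
    except ValueError as err:
        return f"drop: {err}"
    kind = classify(adu["func"])
    if kind == "read":
        return "allow"
    if kind == "write" and src in write_sources:
        return "allow"
    return f"deny: {kind} function {adu['func']} from {src}"


# Constructed sample frames (not captured traffic).
FRAMES = {
    # read holding registers 0..9 on unit 1
    "read": bytes.fromhex("0001 0000 0006 01 03 0000 000a"),
    # write single register 16 := 1 on unit 1
    "write": bytes.fromhex("0002 0000 0006 01 06 0010 0001"),
    # length field claims 256 bytes while only 12 are on the wire
    "overlong": bytes.fromhex("0003 0000 0100 01 03 0000 000a"),
    # truncated header
    "short": bytes.fromhex("000100"),
}

WRITE_SOURCES = {"192.168.50.2"}  # the engineering workstation (assumed address)

if __name__ == "__main__":
    for name, frame in FRAMES.items():
        print(f"{name:9s} from 192.168.50.30 -> {screen('192.168.50.30', frame, WRITE_SOURCES)}")
```

Because the allowlist keys on the source address, this screening only holds up when it runs on a device that also sees which segment a frame came from; it narrows the blast radius of an unauthenticated protocol rather than adding authentication to it.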
Impact of Threats
Physical Impact - Personal injury, loss of operations, loss of property, or even loss of life are all potential consequences of a security breach in these systems.
Economic Impact - Economic impacts follow from the physical impact. Physical impacts can adversely affect production operations, which in turn can adversely impact the local, regional, national, or even global economy. Additionally, corporations experiencing business continuity losses and/or physical impacts from a cyber security incident risk adverse financial market trading performance due to lost revenues, dissatisfied customers, and public affairs activities.
Social Impact - A third element of impact resulting from a cyber security incident is the potential loss of local or national confidence in an organization. The loss of confidence in our utilities, transportation systems, water supplies, and oil & gas pipelines may have a far-reaching social impact on the global population. The general public refusing to use public transportation, to consume public drinking water, or to reside near a power plant are examples of the potential social impacts of these threats.