Introduction To SCADA


www.lucideus.com

Introduction to SCADA system & Security.

2016


1. Introduction

It is impossible to keep control and supervision of all industrial activities manually. An automated tool is required that can control, supervise, collect data, analyse data and generate reports. The SCADA system was introduced as a single solution to meet all these demands.

SCADA stands for supervisory control and data acquisition. It is an industrial control system in which a computer system monitors and controls a process.


The term SCADA usually refers to centralized systems which monitor and control entire sites, or complexes of systems spread out over large areas (anything from an industrial plant to a nation). Most control actions are performed automatically by RTUs or by PLCs. Host control functions are usually restricted to basic overriding or supervisory level intervention. For example, a PLC may control the flow of cooling water through part of an industrial process, but the SCADA system may allow operators to change the set points for the flow, and enable alarm conditions, such as loss of flow and high temperature, to be displayed and recorded. The feedback control loop passes through the RTU or PLC, while the SCADA system monitors the overall performance of the loop.

SCADA's schematic overview

Data acquisition begins at the RTU or PLC level and includes meter readings and equipment status reports that are communicated to SCADA as required. Data is then compiled and formatted in such a way that a control room operator using the HMI can make supervisory decisions to adjust or override normal RTU (PLC) controls. Data may also be fed to a Historian, often built on a commodity Database Management System, to allow trending and other analytical auditing.

SCADA systems typically implement a distributed database, commonly referred to as a tag database, which contains data elements called tags or points. A point represents a single input or output value monitored or controlled by the system. Points can be either "hard" or "soft". A hard point represents an actual input or output within the system, while a soft point results from logic and math operations applied to other points. (Most implementations conceptually remove the distinction by making every property a "soft" point expression, which may, in the simplest case, equal a single hard point.) Points are normally stored as value-timestamp pairs: a value, and the timestamp when it was recorded or calculated. A series of value-timestamp pairs gives the history of that point. It is also common to store additional metadata with tags, such as the path to a field device or PLC register, design time comments, and alarm information.
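The hard/soft point and value-timestamp model described above, worked through as an added Python illustration that is not part of the original document: a small tag database for the cooling-water loop used as the example earlier (flow and temperature hard points reported by a PLC, a derived soft point, alarm limits kept in the tag metadata). All tag names, register paths, limits and telemetry values are constructed.

```python
# Added example (not from the original document): a minimal tag database with
# hard points written by field devices and soft points derived from them.
# Tag names, register paths ("PLC1:HR40001"), limits and telemetry are constructed.
from typing import Callable, Dict, List, Optional, Tuple

Sample = Tuple[float, float]                 # (value, timestamp) pair, as the text describes
Expr = Callable[[Dict[str, float]], float]   # soft-point formula over current hard-point values


class Point:
    def __init__(self, name: str, metadata: Dict[str, object]) -> None:
        self.name = name
        self.metadata = metadata             # e.g. path to a PLC register, units, alarm limits
        self.history: List[Sample] = []

    def record(self, value: float, ts: float) -> None:
        # Append a new value-timestamp pair only when the value changes, so the
        # history is the sequence of distinct states of the point.
        if not self.history or self.history[-1][0] != value:
            self.history.append((value, ts))

    @property
    def current(self) -> Optional[Sample]:
        return self.history[-1] if self.history else None


class TagDatabase:
    def __init__(self) -> None:
        self.points: Dict[str, Point] = {}
        self.expressions: Dict[str, Expr] = {}   # soft point name -> formula

    def add_hard(self, name: str, **metadata: object) -> None:
        self.points[name] = Point(name, metadata)

    def add_soft(self, name: str, expr: Expr, **metadata: object) -> None:
        self.points[name] = Point(name, metadata)
        self.expressions[name] = expr

    def update(self, name: str, value: float, ts: float) -> None:
        """An RTU/PLC reports a hard-point value; every soft point is recomputed."""
        if name in self.expressions:
            raise ValueError(f"{name} is a soft point; it is computed, never written")
        self.points[name].record(value, ts)
        inputs = {n: p.current[0] for n, p in self.points.items()
                  if n not in self.expressions and p.current is not None}
        for soft, expr in self.expressions.items():
            try:
                self.points[soft].record(expr(inputs), ts)
            except KeyError:
                pass  # an input has not reported yet; the soft point stays undefined

    def history(self, name: str, since: float = 0.0) -> List[Sample]:
        return [s for s in self.points[name].history if s[1] >= since]

    def active_alarms(self) -> List[Tuple[str, str]]:
        """(point, condition) for every point whose latest value breaks a limit in its metadata."""
        alarms = []
        for name, p in self.points.items():
            if p.current is None:
                continue
            value = p.current[0]
            low, high = p.metadata.get("alarm_low"), p.metadata.get("alarm_high")
            if low is not None and value < low:
                alarms.append((name, f"LOW {value} < {low}"))
            if high is not None and value > high:
                alarms.append((name, f"HIGH {value} > {high}"))
        return alarms


def build_demo_db() -> TagDatabase:
    """Cooling-water loop: flow and temperatures as hard points, the temperature
    rise as a soft point, with loss-of-flow and high-temperature alarm limits."""
    db = TagDatabase()
    db.add_hard("CW_FLOW", path="PLC1:HR40001", units="m3/h", alarm_low=5.0)
    db.add_hard("CW_TEMP_IN", path="PLC1:HR40002", units="C")
    db.add_hard("CW_TEMP_OUT", path="PLC1:HR40003", units="C", alarm_high=60.0)
    db.add_soft("CW_DELTA_T", lambda v: v["CW_TEMP_OUT"] - v["CW_TEMP_IN"], units="C")
    # Constructed telemetry as it would arrive from the PLC, oldest first.
    telemetry = [
        ("CW_FLOW", 42.0, 1000.0), ("CW_TEMP_IN", 20.0, 1000.0), ("CW_TEMP_OUT", 35.0, 1000.0),
        ("CW_FLOW", 3.0, 1060.0), ("CW_TEMP_OUT", 66.0, 1060.0),
    ]
    for tag, value, ts in telemetry:
        db.update(tag, value, ts)
    return db


if __name__ == "__main__":
    db = build_demo_db()
    print("CW_DELTA_T history:", db.history("CW_DELTA_T"))   # [(15.0, 1000.0), (46.0, 1060.0)]
    print("active alarms:", db.active_alarms())
```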

Common system components

A SCADA system usually consists of the following subsystems:

Remote terminal units (RTUs) connect to sensors in the process and convert sensor signals to digital data. They have telemetry hardware capable of sending digital data to the supervisory system, as well as receiving digital commands from the supervisory system. RTUs often have embedded control capabilities such as ladder logic in order to accomplish Boolean logic operations.

Programmable logic controllers (PLCs) connect to sensors in the process and convert sensor signals to digital data. PLCs have more sophisticated embedded control capabilities (typically one or more IEC 61131-3 programming languages) than RTUs. PLCs do not have telemetry hardware, although this functionality is typically installed alongside them. PLCs are sometimes used in place of RTUs as field devices because they are more economical, versatile, flexible, and configurable.

A telemetry system is typically used to connect PLCs and RTUs with control centers, data warehouses, and the enterprise. Examples of wired telemetry media used in SCADA systems include leased telephone lines and WAN circuits. Examples of wireless telemetry media used in SCADA systems include satellite (VSAT), licensed and unlicensed radio, cellular and microwave.

A data acquisition server is a software service which uses industrial protocols to connect software services, via telemetry, with field devices such as RTUs and PLCs. It allows clients to access data from these field devices using standard protocols.


A Human–Machine Interface or HMI is the apparatus or device which presents processed data to a human operator, and through which the human operator monitors and interacts with the process. The HMI is a client that requests data from a data acquisition server; in most installations the HMI is also the graphical user interface for the operator, collecting all data from external devices, creating reports, performing alarming, sending notifications, etc.

A historian is a software service which accumulates time-stamped data, boolean events, and boolean alarms in a database which can be queried or used to populate graphic trends in the HMI. The historian is a client that requests data from a data acquisition server.[5]

A supervisory (computer) system gathers (acquires) data on the process and sends commands (control) to the SCADA system.

1. Human machine interface (HMI)

A human–machine interface (HMI) is the input-output device through which the human operator controls the process, and which presents process data to a human operator.

HMI (human machine interface) is usually linked to the SCADA system's databases and software programs, to provide trending, diagnostic data, and management information such as scheduled maintenance procedures, logistic information, detailed schematics for a particular sensor or machine, and expert-system troubleshooting guides.

Figure: SCADA components: Human Machine Interface (HMI), Remote Terminal Units (RTU), Programmable Logic Controller (PLC), supervisory (computer) system, communication infrastructure.

The HMI system usually presents the information to the operating personnel graphically, in the form of a mimic diagram. This means that the operator can see a schematic representation of the plant being controlled. For example, a picture of a pump connected to a pipe can show the operator that the pump is running and how much fluid it is pumping through the pipe at the moment. The operator can then switch the pump off. The HMI software will show the flow rate of the fluid in the pipe decrease in real time. Mimic diagrams may consist of line graphics and schematic symbols to represent process elements, or may consist of digital photographs of the process equipment overlain with animated symbols.

The HMI package for the SCADA system typically includes a drawing program that the operators or system maintenance personnel use to change the way these points are represented in the interface. These representations can be as simple as an on-screen traffic light, which represents the state of an actual traffic light in the field, or as complex as a multi-projector display representing the position of all of the elevators in a skyscraper or all of the trains on a railway.

2. Remote terminal units (RTU)

A remote terminal unit (RTU) is a microprocessor-controlled electronic device that interfaces objects in the physical world to a distributed control system or SCADA (supervisory control and data acquisition) system by transmitting telemetry data to a master system, and by using messages from the master supervisory system to control connected objects. Another term that may be used for RTU is remote telecontrol unit.

An RTU monitors the field digital and analog parameters and transmits data to the Central Monitoring Station. It contains setup software to connect data input streams to data output streams, define communication protocols, and troubleshoot installation problems.

An RTU may consist of one complex circuit card consisting of various sections needed to do a custom fitted function or may consist of many circuit cards including CPU or processing with communications interface(s), and one or more of the following: (AI) analog input, (DI) digital input, (DO/CO) digital or control (relay) output, or (AO) analog output card(s).

3. Programmable logic controller (PLC)

A programmable logic controller (PLC) or programmable controller is a digital computer used for automation of industrial processes, such as control of machinery on factory assembly lines. Unlike general-purpose computers, the PLC is designed for multiple inputs and output arrangements, extended temperature ranges, immunity to electrical noise, and resistance to vibration and impact. Programs to control machine operation are typically stored in battery-backed or non-volatile memory. A PLC is an example of a real time system since output results must be produced in response to input conditions within a bounded time, otherwise unintended operation will result.

Hence, a programmable logic controller is a specialized computer used to control machines and processes. It therefore shares common terms with typical PCs, like central processing unit, memory, software and communications. Unlike a personal computer, though, the PLC is designed to survive in a rugged industrial atmosphere and to be very flexible in how it interfaces with inputs and outputs in the real world.


4. Supervisory station

The term supervisory station refers to the servers and software responsible for communicating with the field equipment (RTUs, PLCs, sensors, etc.), and then to the HMI software running on workstations in the control room, or elsewhere. In smaller SCADA systems, the master station may be composed of a single PC. In larger SCADA systems, the master station may include multiple servers, distributed software applications, and disaster recovery sites. To increase the integrity of the system, the multiple servers will often be configured in a dual-redundant or hot-standby formation, providing continuous control and monitoring in the event of a server malfunction or breakdown.

5. Communication infrastructure and methods

SCADA systems have traditionally used combinations of radio and direct wired connections, although SONET/SDH is also frequently used for large systems such as railways and power stations. The remote management or monitoring function of a SCADA system is often referred to as telemetry. Some users want SCADA data to travel over their pre-established corporate networks or to share the network with other applications. The legacy of the early low-bandwidth protocols remains, though.

SCADA protocols are designed to be very compact. Many are designed to send information only when the master station polls the RTU. Typical legacy SCADA protocols include Modbus RTU, RP-570, Profibus and Conitel. These communication protocols are all SCADA-vendor specific but are widely adopted and used. Standard protocols are IEC 60870-5-101 or 104, IEC 61850 and DNP3. These communication protocols are standardized and recognized by all major SCADA vendors. Many of these protocols now contain extensions to operate over TCP/IP. Although the use of conventional networking specifications, such as TCP/IP, blurs the line between traditional and industrial networking, they each fulfill fundamentally differing requirements.
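The poll-and-respond exchange described above, worked through in Python as an added example that is not from the original document: a Modbus/TCP read of holding registers, the TCP/IP extension of Modbus RTU, with the master building the compact request and validating the response it gets back. Function names and the simulated RTU's register contents are this example's own; the byte layout (7-byte MBAP header, function code, data) follows the public Modbus specification.

```python
# Added example (not from the original document): Modbus/TCP framing for one
# master-initiated poll. The wire layout follows the public Modbus specification;
# the function names and the simulated RTU's registers are constructed for the example.
import struct
from typing import Callable, Dict, List

MBAP = struct.Struct(">HHHB")     # transaction id, protocol id (always 0), length, unit id
READ_HOLDING_REGISTERS = 0x03
ILLEGAL_FUNCTION, ILLEGAL_DATA_ADDRESS = 0x01, 0x02


def _frame(txn_id: int, unit_id: int, pdu: bytes) -> bytes:
    # The MBAP length field counts the unit id plus the PDU that follows it.
    return MBAP.pack(txn_id, 0, len(pdu) + 1, unit_id) + pdu


def build_read_request(txn_id: int, unit_id: int, start_addr: int, quantity: int) -> bytes:
    if not 1 <= quantity <= 125:
        raise ValueError("Modbus allows 1..125 holding registers per read")
    return _frame(txn_id, unit_id, struct.pack(">BHH", READ_HOLDING_REGISTERS, start_addr, quantity))


def build_read_response(txn_id: int, unit_id: int, registers: List[int]) -> bytes:
    payload = struct.pack(">%dH" % len(registers), *registers)
    return _frame(txn_id, unit_id, struct.pack(">BB", READ_HOLDING_REGISTERS, len(payload)) + payload)


def build_exception(txn_id: int, unit_id: int, function: int, code: int) -> bytes:
    # An exception response echoes the function code with its high bit set, then a 1-byte code.
    return _frame(txn_id, unit_id, bytes([function | 0x80, code]))


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Split a frame into MBAP fields and PDU, rejecting anything whose lengths disagree."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    txn_id, proto_id, length, unit_id = MBAP.unpack_from(frame)
    if proto_id != 0:
        raise ValueError("protocol id %d is not Modbus" % proto_id)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match %d bytes on the wire" % (length, len(frame) - 6))
    return {"txn_id": txn_id, "unit_id": unit_id, "function": frame[7], "data": frame[8:]}


def decode_read_response(frame: bytes, expected_txn: int) -> Dict[str, object]:
    """Master-side check of a response: it must answer the outstanding poll and be self-consistent."""
    msg = parse_frame(frame)
    if msg["txn_id"] != expected_txn:
        raise ValueError("response does not belong to the outstanding poll")
    function, data = msg["function"], msg["data"]
    if function & 0x80:
        return {"ok": False, "exception": data[0]}
    if function != READ_HOLDING_REGISTERS:
        raise ValueError("unexpected function code %#x" % function)
    byte_count, payload = data[0], data[1:]
    if byte_count != len(payload) or byte_count % 2:
        raise ValueError("byte count %d disagrees with %d payload bytes" % (byte_count, len(payload)))
    return {"ok": True, "registers": list(struct.unpack(">%dH" % (byte_count // 2), payload))}


def simulated_rtu(request: bytes) -> bytes:
    """Constructed stand-in for an RTU with four holding registers; it only speaks when polled."""
    registers = [420, 200, 350, 1]   # e.g. flow x10, inlet temp x10, outlet temp x10, pump running
    msg = parse_frame(request)
    if msg["function"] != READ_HOLDING_REGISTERS:
        return build_exception(msg["txn_id"], msg["unit_id"], msg["function"], ILLEGAL_FUNCTION)
    start, quantity = struct.unpack(">HH", msg["data"])
    if start + quantity > len(registers):
        return build_exception(msg["txn_id"], msg["unit_id"], msg["function"], ILLEGAL_DATA_ADDRESS)
    return build_read_response(msg["txn_id"], msg["unit_id"], registers[start:start + quantity])


def poll(rtu: Callable[[bytes], bytes], txn_id: int, unit_id: int, start: int, quantity: int) -> Dict[str, object]:
    """One poll cycle as the master sees it: build request, send, decode what comes back."""
    return decode_read_response(rtu(build_read_request(txn_id, unit_id, start, quantity)), txn_id)


if __name__ == "__main__":
    print(build_read_request(1, 1, 0, 4).hex())   # 000100000006010300000004
    print(poll(simulated_rtu, 1, 1, 0, 4))        # {'ok': True, 'registers': [420, 200, 350, 1]}
    print(poll(simulated_rtu, 2, 1, 10, 1))       # {'ok': False, 'exception': 2}
```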


The importance of security requirements in design of SCADA systems.

Excerpt from the article published in the latest edition of PenTest AUDITING & STANDARDS, 06 2012

The article exposes the main issues related to the use of SCADA systems in critical infrastructures, providing a careful analysis of the relative level of security on a global scale. It discusses the main vulnerabilities of critical systems exploitable by cyber attacks and possible solutions to implement to ensure their safety.

Over the last years, countries worldwide have discovered that their critical infrastructures are too vulnerable to cyber attacks, due to the increasing attention to cyber security matters and successful attacks on SCADA systems. Events such as the spread of the Stuxnet virus have alerted the international security community to the risks related to cyber attacks and their potentially disastrous consequences; we have learned how powerful a cyber weapon is and how real the involvement of governments in cyber warfare is.

SCADA (supervisory control and data acquisition) is an industrial control system (ICS) used for the control and monitoring of industrial processes; it is typically present in all those potential targets of a cyber attack such as critical infrastructures or utility facilities.

Being related to industrial processes, this family of devices is found everywhere: in manufacturing, production and power generation, and many times they are implemented to control the activities of critical systems such as water treatment, electrical power transmission and distribution, and large communication systems.

These components are privileged targets for cyber attacks: with a virus it is possible to destroy the processes inside a nuclear plant, as happened at the Natanz nuclear site during the offensive against Iran and its nuclear program. Western countries have been the first to explore the possibility of a cyber offensive using a cyber weapon such as malware; operation Olympic Games demonstrates the high attention of the US government to cyber operations and the strong commitment provided first by the Bush administration and afterwards by the Obama one.

The scenario is really alarming: an attack on the SCADA system of a sensitive structure could materialize the nightmare of every government, since similar incidents can undermine the safety of millions of individuals and compromise homeland security. Dozens, hundreds, thousands of installations all over the world are potentially vulnerable to attack from anywhere on the planet; the offensive option has moved into what is defined as the fourth dimension, cyberspace, but it could also lead to the loss of many human lives.

Our minds need not fly to a nuclear plant when thinking of a possible accident in its control systems; we can think, for example, of the impact of an attack on the processes in a chemical plant. The main problem of SCADA systems is that they are large in number, each industrial process has its own, and many of them are exposed on the Internet without proper protection.

In a similar structure it is possible to imagine several entry points for external agents such as malware: the supervisory system is usually a computer based on a commercial OS for which it is possible to exploit known vulnerabilities and, in the case of state-sponsored attacks, also 0-day vulnerabilities. Incidents that have occurred in SCADA systems have demonstrated that these systems can be infected in different ways; we can imagine the inoculation of a virus through a USB stick or via a network interface.

After the recent events many security firms have started designing specific solutions to address the security problems of SCADA systems, but the major challenge is for governments, which have to include the protection of these critical components in their cyber strategies. Several audits executed by governments on their critical infrastructures have illustrated a dangerous scenario, the lack of security mechanisms for the many systems located all over the world, but what is really alarming is the absence of a precise census of SCADA systems in many of the principal industrialized countries.

Events such as the diffusion of the Stuxnet virus and the alleged incident at the water facility in Illinois that occurred last year have shown the world that it is possible to conduct a terrorist attack on a foreign state remotely; this has increased the awareness of cyber threats and of the necessity to implement the right countermeasures to mitigate the risks.

With defense mechanisms virtually absent, the SCADA system components are often under the governance of local authorities which do not have adequately trained personnel and which operate with limited budgets. This means that this kind of control device is installed everywhere without being qualified in the installation phase. There are many systems deployed with factory settings, pre-set standard configurations common to entire classes of devices. To this we add that even those who maintain them often do not give security the necessary attention, making the devices accessible for remote diagnostics without the necessary care.

Fortunately, something has changed: precise guidelines identify best practices to follow in the management of SCADA systems, and operations groups monitor the operation of facilities around the country.

The last “INTERNET SECURITY THREAT REPORT” published by Symantec reports that during 2011 several weaknesses were detected in critical infrastructure systems: the security firm has seen a dramatic increase in the number of publicly reported SCADA vulnerabilities, from 15 in 2010 to 129 in 2011. Since the emergence of the Stuxnet worm in 2010, SCADA systems have attracted wider attention from security researchers. However, 93 of the 129 newly published vulnerabilities were the product of just one security researcher.

In December the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) distributed a new alert to provide timely notification to critical infrastructure owners and operators concerning threats or activity with a potential impact on critical infrastructure computing networks.

ICS-CERT informed that some models of the Modicon Quantum PLC used in industrial control systems contain multiple hidden accounts that use predetermined passwords to grant remote access. Palatine, Illinois-based Schneider Electric, the maker of the device, has produced fixes for some of the weaknesses and continues to develop additional mitigations. ICS-CERT encourages researchers to coordinate vulnerability details before public release.

In a SCADA system the programmable logic controllers (PLCs) are directly connected to in-field sensors that provide data to control critical components (e.g. centrifuges or turbines). Often default passwords are hard-coded into the Ethernet cards the systems use to funnel commands into the devices, allowing administrators to remotely log into the machinery.

The independent security researcher Rubén Santamarta reported that the NOE 100 and NOE 771 modules contain at least 14 hard-coded passwords, some of which are published in support manuals. Even in cases where the passcodes are obscured using cryptographic hashes, they are trivial to recover thanks to documented weaknesses in the underlying VxWorks operating system. As a result, an attacker can exploit the weakness to log into the devices and gain privileged access to their controls.

Hard-coded passwords are a common weakness built into many industrial control systems, including some S7 series PLCs from Siemens. Because the systems control the machinery connected to dams, gasoline refineries, and water treatment plants, unauthorized access is considered a national security threat because it could be used to sabotage their operation.

Doing a search on the server search engine known as Shodan, it is possible to discover what appear to be working links to several of the vulnerable Schneider models. Santamarta said there is no fix for the devices other than to retire the faulty Ethernet cards and replace them with better-designed ones. The ICS-CERT advisory issued in December said the fixes from Schneider remove the telnet and Windriver services. The advisory made no mention of changes to FTP services.

The scenario is very worrying and reveals the need for a radical change; fortunately, the emergency has been perceived by most nations. ENISA (the European Network and Information Security Agency) has produced a recommendation for Europe and Member States on how to protect Industrial Control Systems. The document describes the current scenario of Industrial Control System security and proposes seven recommendations to improve it. The recommendations call for the creation of national and pan-European ICS security strategies, the development of a Good Practices Guide on ICS security, fostering awareness and education as well as research activities, and the establishment of a common test bed and ICS computer emergency response capabilities.

In June The Pacific Northwest National Laboratory (PNNL), a federal contractor to the U.S. Department of Energy (DOE), in collaboration with McAfee has published an interesting report entitled “Technology Security Assessment for Capabilities and Applicability in Energy Sector Industrial Control Systems: McAfee Application Control, Change Control, Integrity Control.”


The Case

Immediately after the Stuxnet virus, governments and intelligence agencies all over the world requested assessments of the security of their countries' critical infrastructure. Much of the focus was on evaluating the efficiency of the defensive measures adopted to protect SCADA and ICS from cyber attacks.

After Stuxnet, debate on the use of software and malicious applications in information warfare has increased. Governments are investing to improve cyber capabilities, working on both the defensive and the offensive side. Despite greater awareness of cyber threats, the critical infrastructures of countries are still too vulnerable. Many security experts are convinced that an incident caused by a cyber attack is imminent.

Just a few days ago, Eugene Kaspersky, CEO of Kaspersky Security, revealed that a staffer at an unnamed Russian nuclear plant informed him of an infection.

“The staffer said their nuclear plant network which was disconnected from the internet … was badly infected by Stuxnet. So unfortunately these people who were responsible for offensive technologies, they recognize cyber weapons as an opportunity.”

Stuxnet had infected the internal network of a Russian nuclear plant in exactly the same way it compromised the control system in the Iranian nuclear facilities at Natanz. That is happening despite the cyber threat being well known and various security solutions being able to neutralize it.

Stuxnet infected the network within a Russian nuclear plant that was isolated from the Internet. Attackers probably used USB or mobile devices to spread the malware. Russian intelligence agencies have already observed this infection mode being used in the past to cross a physically separated ‘air-gapped’ network. For example, Russian astronauts had carried a virus on removable media to the International Space Station, infecting machines there, according to Kaspersky.

“NASA has confirmed that laptops carried to the ISS in July were infected with a virus known as Gammima.AG. The worm was first detected on Earth in August 2007 and lurks on infected machines waiting to steal login names for popular online games. NASA said it was not the first time computer viruses had travelled into space and it was investigating how the machines were infected.”

I mentioned the Stuxnet malware because it’s considered a case study. The malicious agent is so notorious, it’s still able to compromise networks and control systems within critical infrastructure. Let’s try to figure out the effect of unknown cyber threats, developed by governments as cyber weapons, for example. In this article, I’ll analyze major security issues related to SCADA systems, and best practices to follow to protect them.


Figure: Russian nuclear plant

According to the last “SANS SCADA and Process Control Security Survey” conducted by the SANS Institute, the awareness of cyber threats and the perception of the risks related to a cyber attacks are high. Nearly 70% of respondents believe the threat to be high (53%) to severe (16%). Recent reports from Computer Emergency Response Teams (CERT), government offices, and private companies confirm an escalating risk of cybersecurity events, specifically for the energy sector.

The survey indicates that the top threats for control systems are advanced zero-day malware such as Stuxnet, cyber operations conducted by groups of hacktivists, and hacking campaigns of cyber terrorists and state-sponsored hackers.

Recently, US CERT alerted to the continuous spear-phishing campaign that targeted the energy sector to gain remote access to control systems. SCADA system protection must be approached at different levels, defending control systems and educating operational and maintenance personnel.

“Training should include specific operational topics on spear-phishing, zero-day activities and managing internal threats.”


A Look Back at past SCADA hacking in 2015

It should come as no surprise that Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) that control key functions in critical infrastructure are especially at risk of cyber attack. If saboteurs manage to compromise critical infrastructure services, a country’s economy and military defenses can be severely hampered. In addition, since organizations that operate critical infrastructure often own valuable intellectual property, this information can be a target for foreign state actors trying to steal intellectual property to advance their economies or to win competitive bids.

In the past year we have seen some disturbing news that highlights the growing risk of SCADA attacks:

December 2014 - SCADA attack causes physical damage: In late 2014, an unnamed German steel mill suffered extensive damage from a cyber attack. The attackers were able to disrupt the control system and prevent a blast furnace from being shut down, resulting in ‘massive’ damage.

In late December, the annual German Federal Office for Information Security report revealed a disturbing cyberattack on a steel mill that resulted in “massive damage” to the foundry. This case is just one of the latest examples of Hollywood fears coming true through the Internet of Things (IoT). Through the judicious use of online translation engines, we have learned several key things about the attack, although specific details about the company and the full extent of the damage are still unknown.


According to the report, the attacker used sophisticated social engineering and spear-phishing tactics to gain initial access to the steel mill’s office network. Individual industrial control components were compromised, which prevented the blast furnace from being shut down. The technical capabilities of the attacker were very advanced, demonstrating a familiarity not only with conventional IT security, but also with the specific applied industrial control and production processes.

Although not explicitly stated, we can infer the attacker was likely an insider — or worked with an insider — or was familiar with industry-standard protocols used in the operation of the mill. Because of the jump from office network to industrial control system, we can also assume the mill’s office network had to be connected to the industrial control system. The more familiar the attacker was with this specific company’s systems, the easier that link would have been to find and exploit.

SCADA Attacks Double in 2014

Dell Security’s annual threat report shows not only a significant surge in the number of attacks on retail credit card systems, but industrial SCADA systems as well, which are much more likely to go unreported.


For Dell to report an annual surge in point-of-sale (POS) attacks aimed at payment card infrastructures might not be such a surprise to people who pay any attention to the news. We know that the retail industry was hit hard by cybersecurity attacks in 2014—Target wasn’t the only target, so to speak, though it got the year started, and was the largest breach in the history of U.S. retail until Home Depot was hit even harder later in the year. There were also significant attacks on Michaels, Staples, Goodwill and more.

But don’t be thinking that the attacks are just focused there. What Dell also found in its annual threat report was that the number of attacks on SCADA systems doubled from 2013 to 2014. Obviously, that has significant bearing on process industries, which use SCADA systems to control remote equipment and collect data on that equipment’s performance.

As industrial manufacturers face threats, other companies within the same space might not even know a SCADA threat exists until they are targeted themselves. “Since companies are only required to report data breaches that involve personal or payment information, SCADA attacks often go unreported,” said Patrick Sweeney, executive director for Dell Security. “This lack of information sharing combined with an aging industrial machinery infrastructure presents huge security challenges that will continue to grow in the coming months and years.”


Unlike the retail breaches, which are likely geared toward financial gain, attacks against SCADA systems tend to be political in nature, targeting operational capabilities within power plants, factories and refineries.

Dell’s annual threat report relies on research from its Global Response Intelligence Defense (GRID) network and telemetry data from Dell SonicWall network traffic to identify emerging threats. For SCADA systems, buffer overflow vulnerabilities continue to be the primary point of attack, according to the Dell SonicWall Research Team, accounting for a quarter of the attacks.

The majority of the SCADA attacks targeted Finland, the UK and the U.S. One likely reason for that, however, is that SCADA systems are more common in these regions and more likely to be connected to the Internet. In 2014, Dell saw 202,322 SCADA attacks in Finland; 69,656 in the UK; and 51,258 in the U.S.

Along with the doubling of SCADA attacks from 2013 to 2014, a look at January numbers alone shows a staggering rise, year over year. Worldwide SCADA attacks increased from 91,676 in January 2012 to 163,228 in January 2013, and 675,186 in January 2014.

“Everyone knows the threats are real and the consequences are dire, so we can no longer blame lack of awareness for the attacks that succeed,” Sweeney said. “Hacks and attacks continue to occur, not because companies aren’t taking security measures, but because they aren’t taking the right ones.”

Dell recommends a few general ways to protect against SCADA attacks. For one, make sure all software and systems are up to date. “Too often with industrial companies, systems that are not used every day remain installed and untouched as long as they are not actively causing problems,” Dell’s report explains. “However, should an employee one day connect that system to the Internet, it could become a threat vector for SCADA attacks.”

Make sure your network only allows connections with approved IPs; and follow operational best practices for limiting exposure, such as restricting or disabling USB ports and Bluetooth.
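One way to turn the "approved IPs only" recommendation above into a detection check, as an added Python example that is not from Dell's report or the original document: allowed connections to the TCP/IP ports of the control protocols named earlier (Modbus/TCP, DNP3, IEC 60870-5-104, IEC 61850) are compared against a per-device allowlist, and a source outside the internal address ranges is called out separately because it indicates the device is reachable from beyond the plant network. The log format, addresses, port-to-protocol mapping and allowlist are all constructed.

```python
# Added example (not from the original document): checking connection records to
# control-protocol ports against a per-device allowlist of approved sources.
# Log format, addresses, the port mapping and the allowlist are constructed.
import ipaddress
from typing import Dict, List, Set

# TCP/IP carriers of the protocols named in the text, keyed by their usual port (assumed defaults).
CONTROL_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 2404: "IEC 60870-5-104", 102: "IEC 61850 MMS"}

# Constructed allowlist: field device -> networks permitted to reach its control port.
APPROVED_SOURCES: Dict[str, Set[str]] = {
    "10.10.1.20": {"192.168.50.5/32", "192.168.50.6/32"},   # PLC: the two SCADA servers only
    "10.10.1.21": {"192.168.50.0/28"},                      # RTU: the control-room subnet
}

# RFC 1918 ranges; anything else reaching a control port came from outside the plant network.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_record(line: str) -> Dict[str, str]:
    """Parse one constructed record: '<ts> src=<ip> dst=<ip> dport=<n> action=<allow|deny>'."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_approved(src: str, dst: str) -> bool:
    """True when src falls inside a network approved for the field device dst."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(net) for net in APPROVED_SOURCES.get(dst, set()))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def check_connections(lines: List[str]) -> List[Dict[str, str]]:
    """Flag allowed connections to control ports whose source is not on the device's allowlist."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        port = int(rec["dport"])
        if port not in CONTROL_PORTS or rec["action"] != "allow":
            continue   # not a control protocol, or the firewall already blocked it
        if is_approved(rec["src"], rec["dst"]):
            continue
        reason = "source not on allowlist"
        if not is_internal(rec["src"]):
            reason += "; source outside internal address ranges (device reachable from beyond the plant network)"
        findings.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                         "protocol": CONTROL_PORTS[port], "reason": reason})
    return findings


# Constructed sample records (203.0.113.0/24 is a documentation range, not a real host).
SAMPLE_LOG = [
    "2016-03-01T10:00:01 src=192.168.50.5 dst=10.10.1.20 dport=502 action=allow",    # approved server
    "2016-03-01T10:00:09 src=192.168.77.9 dst=10.10.1.20 dport=502 action=allow",    # unapproved host
    "2016-03-01T10:01:12 src=203.0.113.44 dst=10.10.1.21 dport=20000 action=allow",  # external source
    "2016-03-01T10:01:30 src=192.168.50.3 dst=10.10.1.21 dport=2404 action=allow",   # inside the /28
    "2016-03-01T10:02:02 src=192.168.50.5 dst=10.10.1.20 dport=22 action=allow",     # not a control port
    "2016-03-01T10:02:45 src=203.0.113.44 dst=10.10.1.20 dport=502 action=deny",     # already blocked
]

if __name__ == "__main__":
    for finding in check_connections(SAMPLE_LOG):
        print(finding)
```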


Dell also urges manufacturers to report and share information about SCADA attacks to help ensure the industrial community as a whole is appropriately aware of emerging threats.

Mobile security

As mobility continues to take hold in the manufacturing space and the bring-your-own-device (BYOD) trend grows, it’s worth noting another section of Dell’s threat report focused on sophisticated, new malware techniques targeting smartphones. “Smartphone attacks have been a security concern since mobile devices began to reach widespread adoption, but it wasn’t until 2014 that smartphone malware began to look and act like its desktop predecessors,” Dell’s report notes.

Both Android and iOS malware took hold in 2014, and Dell expects malware to emerge this year targeting wearables, televisions and other ancillary devices. “The pairing of these devices to laptops and smartphones will give hackers an easy attack vector, and these devices will become much more enticing as the market grows in the coming months,” the report details.

Common factors

Though Dell’s report details several key findings in a variety of industries and attack points, there were some key common denominators. For example, several of the breaches throughout the year involved companies that overlooked one or more basic threat vectors: outdated, unpatched software; under-restricted contractor access to networks; under-secured network access for mobile or distributed users; and under-regulated Internet access for all employees.

“Some of these threat vectors have posed security challenges for years, while others are emerging as a result of today’s highly mobile, consumer-tech-empowered workforce,” the report says. “As always, cyber criminals remain adept at finding new ways to exploit common blind spots and even use companies’ best security intentions against them.”

The most effective approach manufacturers can take is a defense-in-depth program, Dell concluded, establishing multiple layers of security and threat intelligence for preventing and responding to attacks on the network.

Security issues

SCADA systems that tie together decentralized facilities such as power, oil, gas pipelines, water distribution and wastewater collection systems were designed to be open, robust, and easily operated and repaired, but not necessarily secure. The move from proprietary technologies to more standardized and open solutions, together with the increased number of connections between SCADA systems, office networks and the Internet, has made them more vulnerable to types of network attacks that are relatively common in computer security. For example, the United States Computer Emergency Readiness Team (US-CERT) released a vulnerability advisory describing a flaw that allowed unauthenticated users to download sensitive configuration information, including password hashes, from an Inductive Automation Ignition system, using a standard attack type leveraging access to the embedded Tomcat web server. Security researcher Jerry Brown submitted a similar advisory regarding a buffer overflow vulnerability in a Wonderware InBatchClient ActiveX control. Both vendors made updates available prior to public vulnerability release. Mitigation recommendations were standard patching practices and requiring VPN access for secure connectivity. Consequently, the security of some SCADA-based systems has come into question as they are seen as potentially vulnerable to cyber attacks.

In particular, security researchers are concerned about:

The lack of concern about security and authentication in the design, deployment and operation of some existing SCADA networks

The belief that SCADA systems have the benefit of security through obscurity through the use of specialized protocols and proprietary interfaces

The belief that SCADA networks are secure because they are physically secured

The belief that SCADA networks are secure because they are disconnected from the Internet.

SCADA systems are used to control and monitor physical processes, examples of which are transmission of electricity, transportation of gas and oil in pipelines, water distribution, traffic lights, and other systems used as the basis of modern society. The security of these SCADA systems is important because compromise or destruction of these systems would impact multiple areas of society far removed from the original compromise. For example, a blackout caused by a compromised electrical SCADA system would cause financial losses to all the customers that received electricity from that source. How security will affect legacy SCADA and new deployments remains to be seen.

There are many threat vectors to a modern SCADA system. One is the threat of unauthorized access to the control software, whether it be human access or changes induced intentionally or accidentally by virus infections and other software threats residing on the control host machine. Another is the threat of packet access to the network segments hosting SCADA devices. In many cases, the control protocol lacks any form of cryptographic security, allowing an attacker to control a SCADA device by sending commands over a network. In many cases SCADA users have assumed that having a VPN offered sufficient protection, unaware that security can be trivially bypassed with physical access to SCADA-related network jacks and switches. Industrial control vendors suggest approaching SCADA security like Information Security with a defense in depth strategy that leverages common IT practices.

The reliable function of SCADA systems in our modern infrastructure may be crucial to public health and safety. As such, attacks on these systems may directly or indirectly threaten public health and safety. Such an attack has already occurred, carried out on Maroochy Shire Council's sewage control system in Queensland, Australia. Shortly after a contractor installed a SCADA system in January 2000, system components began to function erratically. Pumps did not run when needed and alarms were not reported. More critically, sewage flooded a nearby park and contaminated an open surface-water drainage ditch and flowed 500 meters to a tidal canal. The SCADA system was directing sewage valves to open when the design protocol should have kept them closed. Initially this was believed to be a system bug. Monitoring of the system logs revealed the malfunctions were the result of cyber attacks. Investigators reported 46 separate instances of malicious outside interference before the culprit was identified. The attacks were made by a disgruntled ex-employee of the company that had installed the SCADA system. The ex-employee was hoping to be hired by the utility full-time to maintain the system.

In April 2008, the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack issued a Critical Infrastructures Report which discussed the extreme vulnerability of SCADA systems to an electromagnetic pulse (EMP) event. After testing and analysis, the Commission concluded: "SCADA systems are vulnerable to EMP insult. The large numbers and widespread reliance on such systems by all of the Nation’s critical infrastructures represent a systemic threat to their continued operation following an EMP event. Additionally, the necessity to reboot, repair, or replace large numbers of geographically widely dispersed systems will considerably impede the Nation’s recovery from such an assault."

Many vendors of SCADA and control products have begun to address the risks posed by unauthorized access by developing lines of specialized industrial firewall and VPN solutions for TCP/IP-based SCADA networks as well as external SCADA monitoring and recording equipment. The International Society of Automation (ISA) started formalizing SCADA security requirements in 2007 with a working group, WG4. WG4 "deals specifically with unique technical requirements, measurements, and other features required to evaluate and assure security resilience and performance of industrial automation and control systems devices".

The increased interest in SCADA vulnerabilities has resulted in vulnerability researchers discovering vulnerabilities in commercial SCADA software and more general offensive SCADA techniques presented to the general security community. In electric and gas utility SCADA systems, the vulnerability of the large installed base of wired and wireless serial communications links is addressed in some cases by applying bump-in-the-wire devices that employ authentication and Advanced Encryption Standard encryption rather than replacing all existing nodes.
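As an added example of what a bump-in-the-wire device does for a legacy serial link (this is illustrative Go code, not from the page or any vendor product), the following wraps each plaintext frame in AES-GCM with a sequence-number nonce, so the unmodified RTU and master keep exchanging their original protocol while tampered or replayed frames are dropped before they reach the device. The key, frame contents and on-the-wire layout are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Link is one side of a bump-in-the-wire pair. It sits between a legacy device
// and the serial line, wrapping every outbound frame and unwrapping inbound ones,
// so the RTU and master keep speaking their original plaintext protocol.
type Link struct {
	aead    cipher.AEAD
	sendSeq uint64 // counter used as the nonce; never reused under one key
	recvSeq uint64 // highest sequence number accepted so far (replay protection)
}

// NewLink builds a link from a pre-shared AES key of 16, 24 or 32 bytes.
func NewLink(key []byte) (*Link, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Link{aead: aead}, nil
}

// Wrap returns nonce(12) || ciphertext || tag. The 8-byte sequence number sits
// in the nonce and is also authenticated as associated data.
func (l *Link) Wrap(frame []byte) []byte {
	l.sendSeq++
	nonce := make([]byte, l.aead.NonceSize())
	binary.BigEndian.PutUint64(nonce[4:], l.sendSeq)
	return l.aead.Seal(nonce, nonce, frame, nonce)
}

// ErrReplay is returned for a frame whose sequence number is not newer than the last accepted one.
var ErrReplay = errors.New("stale or repeated sequence number")

// Unwrap checks length, sequence order and the GCM tag; a tampered, forged or
// replayed frame is dropped here and never reaches the legacy device.
func (l *Link) Unwrap(wire []byte) ([]byte, error) {
	n := l.aead.NonceSize()
	if len(wire) < n+l.aead.Overhead() {
		return nil, errors.New("short frame")
	}
	nonce := wire[:n]
	seq := binary.BigEndian.Uint64(nonce[4:])
	if seq <= l.recvSeq {
		return nil, ErrReplay
	}
	plain, err := l.aead.Open(nil, nonce, wire[n:], nonce)
	if err != nil {
		return nil, err // wrong key, bit flip in payload, or altered sequence field
	}
	l.recvSeq = seq
	return plain, nil
}

func main() {
	key := []byte("constructed-key!") // 16-byte demo key; real devices are provisioned per link
	master, _ := NewLink(key)
	rtu, _ := NewLink(key)
	wire := master.Wrap([]byte("READ REG 40001")) // legacy plaintext request, unchanged
	frame, err := rtu.Unwrap(wire)
	fmt.Println(string(frame), err) // READ REG 40001 <nil>
	_, err = rtu.Unwrap(wire) // a captured copy sent again
	fmt.Println("replay:", err) // replay: stale or repeated sequence number
}
```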

In June 2010, the anti-virus company VirusBlokAda reported the first detection of malware that attacks SCADA systems (Siemens' WinCC/PCS 7 systems) running on Windows operating systems. The malware is called Stuxnet and uses four zero-day attacks to install a rootkit which in turn logs into the SCADA's database and steals design and control files. The malware is also capable of changing the control system and hiding those changes. The malware was found on 14 systems, the majority of which were located in Iran.

In October 2013 National Geographic released a docudrama titled, "American Blackout" which dealt with a large-scale cyber attack on SCADA and the United States' electrical grid.

Common SCADA System Threats and Vulnerabilities

As any IT manager understands, particularly those managing SCADA and industrial control networks, keeping SCADA systems safe from security threats isn’t just about peace of mind. These systems control critical components of industrial automation networks. If there’s a problem with them, essential services – such as water and power – could shut down for thousands or millions of people.

However, despite knowing this, there’s a frightening truth many of us are ignoring: attacks on SCADA systems are on the rise, and it is possible that many infiltrated systems have gone undetected. Cyber criminals often “infect” systems and silently monitor traffic, observe activity, and wait for months or even years before taking any action. This allows them to strike when they can cause the most damage.

While we’d rather not have to face the fact that our critical infrastructures could very well be compromised, there is good news. Understanding common SCADA system threats and vulnerabilities allows us to develop a clear, actionable framework for overcoming these security issues.

Many if not most SCADA systems are currently vulnerable to cyber-attacks due to the following:

Lack of monitoring. Without active network monitoring, it is impossible to detect suspicious activity, identify potential threats, and quickly react to cyber-attacks.

Slow updates. As SCADA systems become more advanced, they also become more vulnerable to new attacks. Maintaining firmware and software updates may be inconvenient (without the proper systems in place), but they’re necessary for maximum protection.

Lack of knowledge about devices. Connecting devices to a SCADA System allows for remote monitoring and updates, but not all devices have equal reporting capabilities. Since most SCADA systems have been developed gradually over time, it’s not uncommon to see technology that’s 5 years old paired with technology that’s 20 years old. This means the knowledge about network connected devices is often incomplete.

Not understanding traffic. Managers need to know what type of traffic is going through their networks. Only then can they make informed decisions about how to respond to potential threats. With advanced data analysis, managers can get a big-picture view of data gathered from traffic monitoring, and translate that into actionable intelligence. For example, an infiltrated system might check in with a foreign server once every 30, 45, or 180 days.
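As an added example of the traffic-analysis point above (illustrative Go code, not from the page), the following parses a constructed connection log from the control network's egress point and flags host pairs that reconnect at a near-constant interval, which is how a check-in every 30, 45 or 180 days stands out from ordinary plant traffic. The log format, addresses and timestamps are all constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Conn is one outbound connection seen at the control network's egress point.
type Conn struct {
	When     time.Time
	Src, Dst string
}

// ParseConnLog reads lines of the constructed form
// "2016-01-01T02:00:00Z src=10.10.1.7 dst=10.10.1.20" (not a real product format).
func ParseConnLog(lines []string) ([]Conn, error) {
	var out []Conn
	for _, ln := range lines {
		f := strings.Fields(ln)
		if len(f) != 3 {
			continue // skip blank or malformed lines
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", f[0], err)
		}
		out = append(out, Conn{t, strings.TrimPrefix(f[1], "src="), strings.TrimPrefix(f[2], "dst=")})
	}
	return out, nil
}

// FindBeacons maps "src->dst" to its period for pairs seen at least minCount
// times whose gaps between successive connections all lie within tolerance of
// the first gap.
func FindBeacons(conns []Conn, minCount int, tolerance time.Duration) map[string]time.Duration {
	byPair := map[string][]time.Time{}
	for _, c := range conns {
		byPair[c.Src+"->"+c.Dst] = append(byPair[c.Src+"->"+c.Dst], c.When)
	}
	res := map[string]time.Duration{}
	for pair, ts := range byPair {
		if len(ts) < minCount {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		period, regular := ts[1].Sub(ts[0]), true
		for i := 2; i < len(ts) && regular; i++ {
			d := ts[i].Sub(ts[i-1]) - period
			regular = d <= tolerance && d >= -tolerance
		}
		if regular {
			res[pair] = period
		}
	}
	return res
}

// SampleLog is constructed data: an HMI talking to its historian on the plant
// network, plus the same host checking in with an outside address every 30 days.
var SampleLog = []string{
	"2016-01-01T02:00:00Z src=10.10.1.7 dst=10.10.1.20",
	"2016-01-01T02:00:05Z src=10.10.1.7 dst=203.0.113.50",
	"2016-01-02T09:30:00Z src=10.10.1.7 dst=10.10.1.20",
	"2016-01-31T02:00:02Z src=10.10.1.7 dst=203.0.113.50",
	"2016-03-01T01:59:58Z src=10.10.1.7 dst=203.0.113.50",
	"2016-03-31T02:00:01Z src=10.10.1.7 dst=203.0.113.50",
}

func main() {
	conns, _ := ParseConnLog(SampleLog) // constructed input, parsing cannot fail here
	fmt.Println(FindBeacons(conns, 3, time.Hour)) // map[10.10.1.7->203.0.113.50:719h59m57s]
}
```

The historian connections are irregular and never flagged; a production version would read the firewall's own export format and be run on the control network's log collector, not on an HMI.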

Authentication holes. Authentication solutions are designed to keep the wrong people from accessing the SCADA system. However, this can easily be defeated by common unsafe practices such as poor passwords, username sharing, and weak authentication.

Security countermeasures for SCADA

Physical security

Physical security is another aspect that must be properly managed. All plants that host SCADA systems and networks must be assessed. SCADA systems are usually distributed over large distances in multiple locations with different physical security measures. Their protection must be carefully evaluated. It’s important to evaluate the overall infrastructure to identify weaknesses, the defense measures to implement, and the expected benefits.

Best practices include the assessment of the physical security of remote environments that are directly connected to a SCADA.

“Any location that has a connection to the SCADA network is a target, especially unmanned or unguarded remote sites. Conduct a physical security survey and inventory access points at each facility that has a connection to the SCADA system.”

Establish proper physical security through the adoption of defensive measures like guards and gates to protect equipment from unauthorized access and sabotage. Every external connection to the perimeter of the facility has to be assessed. It’s suggested to use security products for perimeter protection that meet NIST FIPS standards.

Physical restrictions that could be applied to improve security to prevent incidents are:

Restricted access to the site

Restricted number of technicians responsible for maintenance


No use of mobile support

Segregated control network, no connection to other networks

Each computer is locked in a restricted room or cabinet

Roles and responsibility – management

Management has a crucial role in security. Its primary task is to provide a strong commitment to the implementation of an efficient cyber strategy. That includes the assignment of cyber security roles, responsibilities, and authorities for personnel. Each employee needs to know their responsibilities to protect the information and assets of SCADAs. Key personnel need to be given sufficient authority to carry out their assigned responsibilities. A detailed security policy must be in place that describes how management defines roles and responsibilities. Each employee must be informed of all procedures adopted to keep the architecture secure.

The first goal of management is to define a structured security program with mandated requirements to reach expectations and provide personnel with formalized policies and procedures. Senior management must establish expectations for cyber security performance and hold individuals accountable for their performance.

Compliance with current security standards is necessary to provide a harmonious approach to cyber security. Policies and procedures need to be assigned to employees regarding specific security responsibilities, with guidance on the actions to be taken in response to incidents. The security policy must identify the critical systems within the SCADA network and their functions, and classify the information they manage.

The security requirements must be identified within the security policy to minimize cyber threats, including menaces from insiders. Personnel training is one of the most important responsibilities of management. Managers have to provide a strong commitment to organizing training courses.

Training also helps to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls deployed.

Only the people explicitly involved need to have access to the above information. Personnel must be trained to recognize social engineering attacks made by hackers to gather sensitive information about a computer or computer network. Typically these attacks precede more invasive and dangerous offensives. The more information revealed about the internal configuration, the more vulnerable the network is. Keep data related to a SCADA network secret, including manufacturers, key people, computer operating systems and the physical distribution of the SCADA.

The responsibility of management is the definition of proper protection strategies, highlighting the risks related to cyber attackers and the necessary defense systems, for each component. The rapid and continuous evolution of cyber threats needs frequent revision of protection strategy to ensure it remains effective. Each risk must be evaluated, analyzing the probability of occurrence for the incident and the related severity. It’s crucial that the identification of residual risk is accepted by management.


Configuration management processes and assessment

Configuration management is a critical component for the security of the infrastructure, for both hardware and software configurations. Each modification to the overall infrastructure could have a serious impact on its security. Changes could introduce vulnerabilities that undermine security.

“Configuration management begins with well-tested and documented security baselines for your various systems. Robust performance evaluation processes are needed to provide organizations with feedback on the effectiveness of cyber security policy and technical implementation.”

The impact of any modification of the infrastructure must be correctly evaluated with assessment processes conducted by both internal and external professionals. Routine vulnerability assessment and automated auditing of the network and systems must be part of the configuration management process.

The NSA document titled “Securing Supervisory Control and Data Acquisition (SCADA) and Control Systems (CS)” introduces the following suggestions for configuration management:

Map out and document the entire CS network, including CS and infrastructure device configurations

Prepare and configure new equipment off-line

Sanitize old equipment before disposal

Keep CS infrastructure security features current with device moves, additions, and decommissions

Enable auditing features and periodically examine the resulting logs for signs of unusual activity

Synchronize to a common time reference, so audit logs become more useful during incident response

Develop a Disaster Recovery Plan (DRP) for the CS, and if possible test it!

System backups and disaster recovery plans

Recovery is the ability to restore a compromised system to its operational status. Establishing a disaster recovery plan is fundamental for rapid recovery from any incidents, such as cyber attacks.

System backups are an essential part of any plan, and they allow rapid reconstruction of systems and the network. Routinely exercise disaster recovery plans to ensure that they work and that all employees know the procedure to follow. Every change to the overall architecture has to trigger a review of the plan so that the appropriate changes are applied to the disaster recovery plans.

Recovery plans usually include:

Adoption of redundant hardware and fault tolerant systems


Fallback mechanisms

System backup procedure

The disaster recovery plan allows a company to prepare for, respond to and recover from a disruptive event, including a cyber attack. The following criteria should be considered in case of a hardware failure:

Determine and document the procedures for responding to a disaster that involves the SCADA center and its services.

Acquire additional hardware for disaster recovery plan or locate current backup hardware to a different location.

Periodically test the disaster recovery plan.

Related to software components, it’s possible to follow the criteria below in case of malfunction:

Determine ways to recover from any type of loss including historical data, installation media, application files, configuration files, documents, and software licenses.

Establish a strategy to keep the system up-to-date.

Evaluate the set of data and application to restore to its previous state in the event of a disaster.

Create a centralized inventory of all software titles and licenses, evaluate the possibility to replicate it in different locations.

Perform regular system backups and send copies of backup files to off-site storage.

Periodically test backup copies and the restore procedures operated by the personnel.

Conclusions

SCADA systems are increasing in complexity, due to the integration of different components, in many cases produced by different manufacturers. It’s necessary to address the security level of each device and of the overall environment. The design of SCADAs must change completely and take care of all the security requirements. That is done by considering their attack surface and exposure to the cyber threats that could harm the systems.

There must be a collective effort by all governments to produce continuous reports on the security status of critical infrastructures and related SCADA systems. Overall security will come through global collaboration and information sharing on the possible cyber threats and the vulnerabilities of every device that is available on the market.


The security component must become part of the project of an industrial system. It must be considered a specific requirement. The overall security of critical infrastructures must be audited during the entire lifecycle of its components.

Recently the heads of the Federal Bureau of Investigation (FBI), Department of Homeland Security, and National Counterterrorism Center have declared cyber attacks are the most likely form of terrorism against the United States in the coming years.

“That’s where the bad guys will go. There are no safe neighborhoods. All of us are neighbors [online].” FBI director James Comey said about cyberterrorism.

These words should make us think about the real importance of security for critical systems of our infrastructure, including SCADAs.


Kunal Gupta,


Lucideus Student

www.lucideus.com
