Security of SCADA Systems and Challenges to National Critical Infrastructure

Security of SCADA Systems and Challenges to National Critical … · 2016-11-05 · Introduction SCADA Security Concerns Facts & Figures Incidents & Scenarios Solutions, Controls

Introduction

SCADA Security Concerns

Facts & Figures

Incidents & Scenarios

Solutions, Controls & Effectiveness

Summary

What is SCADA?

The Fuel in your Car

Traffic Lights

The Water at your Home

The Power at Your Home

The Water Leaving your Home

A Bit More Detail…

Supervisory Control And Data Acquisition.

• It generally refers to Industrial Control Systems (ICS): “Computer systems that monitor and control industrial, infrastructure, or facility-based processes”

• Used to control and monitor physical processes:

  – Transmission of electricity

  – Transportation of gas and oil in pipelines

  – Water distribution, traffic lights, and other systems

  – HVAC etc.

Components - SCADA

• Master Terminal

• Human Machine Interactions

• Remote Terminal Unit

• Communication protocols

SCADA Network - Sample

SCADA Security Concerns

• Basic/no security on the actual packet control protocol

• Organizations assume that VPN is sufficient protection and forget physical access to SCADA-related network jacks and switches

• Unauthorized access to the control software, human or virus infections and other software threats residing

• Packet access to the network hosting SCADA devices.

Facts

• Outsiders can gain control via cyberspace

• Can lead to major destruction/disturbance

• Requires no highly sophisticated tools or knowledge

• Gap between control networks and the Internet?

• Systems are not too complex for outsiders

Facts

• No Authentication

• No Patching

• Internet connectivity

Some Scenarios

• Wi-Fi at power plant

• Oil production network not separate from corporate network

• Backend network is connected to Internet

• Product information available on Internet

• No Audit trails (common user accounts)

• Modems

Incidents

• In 2006, a hacker seized control of a water treatment facility SCADA system in Australia

• In June 2010, VirusBlokAda attacks SCADA (Siemens WinCC/PCS7 systems) on Windows

• Called Stuxnet, logs in to the SCADA's database and steals design and control files

• The malware is also capable of changing the control system and hiding those changes.

• Flame

• Dragon Fly – Russian hackers targeted European

• June 2014 – Havex (Stuxnet type) targeted European power systems

Challenges

• Legacy Hardware/Software/Protocols

• Complex Systems

• Multiple/Diverse Access Points

• Need to connect Corporate N/W

• Lack of concern about security and authentication

GOALS

• Availability

• Authenticity

• Confidentiality

• Integrity

Standards/Best Practices

• ISO 27001

• NIST

• ISF (Information Security Forum)

• ADSIC

• Dubai Govt. Information Security Std.

ICS/SCADA Security Roadmap

Adopt a Framework

• ISO 27001, NIST, etc.

Carry Out a Risk Assessment

• Identify the threats, vulnerabilities, risks etc.

• Determine the controls required in terms of technical, process, people elements

Implement the Controls

• Design and implement the relevant controls based on priorities that are defined as per the criticality.

Monitor and Improve

• Ensure the continuous monitoring of the SCADA/ICS systems & security

• Identify and implement relevant improvements.

Security in Total

• Data – Encryption, Access Control

• Physical – Locks, Physical access controls

• Applications – WAF, Strong Architecture

• Perimeter – F/W, IPS/IDS, Data Diodes

• Host – Whitelists, HIDS, Central Logs

• Internal N/W – VLANs, IDS

Security Levels

Framework

• Information Security Strategy

• Security policy

• Organization of information security

• Asset management

• Human resources security – awareness, compliance

• Physical and environmental security

Framework – Contd.

• Communications and operations management

• Access control

• Information systems acquisition, development and maintenance

• Information security incident management

• Business continuity management, and

• Regulatory compliance

Control Details

• Holistic Approach

• Good Governance

• Control of SCADA Infrastructure

• Tools to allow them to identify threats, respond and expedite forensic analysis in real time.

• Continuous monitoring of all log data generated by IT systems – baseline and anomalies

Control Details

• Network Access Control

• Timely intelligence of a cyber attack

– From discovery to full remediation

• Ensure granular controls

• Protect un-patchable critical assets from cyber threats

• Reduce incident reporting time and corrective actions

Control Details

• Link redundancy is also important for communication continuity.

• Security of the data over the links/modems

• PCs used for monitoring and control that also have Internet access and external drive access – virus, leakage of information.

• SCADA protocol security.

• Ensure security when the master station polls data from the Remote Unit.

Control Details

• SCADA protocols are extended to work even over TCP/IP – so Internet?

• Integrate the security plan at the infrastructure development stage

• Endpoint-to-endpoint authentication and authorization – SSL or other cryptographic techniques.

Control Details

• Network Level Monitoring

• IDS (Intrusion Detection System)

• Integration of cyber and physical security responses

• Design/Configuration that enables digital evidence retention

• Complementing the existing status with ex-post analysis experiences

Control Details

• Role based access Control

• Review of access rights

• Good design of the network from beginning – including physical & environmental

• Secure coding practice

• Co-operation of all the business sections by projecting security as a business enabler

• Address proactively and based on root cause analysis

Control Details

• Specialized industrial firewall and VPN solutions for TCP/IP-based SCADA networks.

• Application whitelisting solutions

• Also, the ISA Security Compliance Institute (ISCI) is emerging to formalize SCADA security testing starting soon.

Control Details

• Ex-Post Incident analysis

– Identify the actual target

– Actual goal

– Vulnerabilities

– Possible data theft

Why Do Things Still Go Wrong?

• No planning of security from the beginning

• New targeted attacks

• Reactive controls instead of proactive

• Lack of commitment – Management & Staff, Human error

• Not enough coordination between organizations, government agencies, ISPs – Lack of TEAM WORK?

Can we achieve 100% security?

• Opportunity and number of cases can be reduced

• Impact could be contained, limited – Minimize losses.

• Save Reputation, by effective and quick actions.

• Business can be continued at the earliest!

In Short!

• Comprehensive policy framework with adequate compliance

• Regular Risk Assessment & Treatment

• Penetration test with business relevant threat (Extrusion testing)

• Effective Security awareness programs

Summary

Final Word

• Consider the security of SCADA – not less but more than the corporate network

Trends

• SANS Survey 2014 – increase in vulnerabilities and threats

Problem

• Connectivity of Critical infrastructure/SCADA to Corporate network/Internet

• Targeted attacks

• Financial gains

• Politics, terrorism

Future

• Secure Operating System for SCADA

• Considering SCADA network like any other network – in security aspect

• Back doors should be completely controlled

• DMZ between SCADA network and Corporate network

Solutions

• Adopt a framework

• Carry out risk assessment

• Ensure right processes

• Deploy adequate technology

• Enhance the awareness

Thank You !