The SCADA Threat Landscape - Semantic Scholar · The SCADA Threat Landscape Michael Robinson and highly obfuscated, and provides an example of what can be done with the resources

The SCADA Threat Landscape

Michael RobinsonEADS Innovation Works

Celtic SpringsCoedkernew

Newport, NP10 8FZUK

[email protected]

Nations around the world rely on the correct and continued functioning of industrial control systems (ICS) tokeep economies moving and provide critical services such as electricity and clean water. This paper providesan analysis of the current threat landscape facing ICS. Discussion is provided on the actors involved, theirmotivations, and specific attack vectors they may use to reach their goals.

SCADA, ICS, Threat Landscape, Security

1. INTRODUCTION

Nations around the world are increasingly becomingreliant on the correct and continued functioningof critical national infrastructure (CNI). Stockexchanges and banking systems keep economiesmoving and allow every day life to continue, thepower grid generates the huge amounts of electricityrequired to keep homes and businesses running,and water systems provide homes with clean waterwhilst safely treating waste. Around the middle to latetwentieth century, security for national infrastructurewas a minor concern that could be addressed bysimple physical security measures such as a lockeddoor. With no external connections and no internet,physical security was all that was needed. In manycases, even physical security was a luxury manyfacilities did without, simply because there was noimagined reason why anyone would want to enter.

With the arrival of cheap computing in the 70sand 80s, these critical infrastructures becameincreasingly computerised. As networking becamemore affordable and available, utility companiesfound cost savings by connecting facilities togetherand controlling distributed systems from a centralcontrol centre. Corporate divisions were alsoplugged into the systems, allowing direct accessto various statistics and reports about globaloperations. Unfortunately, while the complexity andinterconnectedness of these systems increased,security did not. Old systems designed withoutsecurity in mind were now exposed to much more

than just physical access issues. In the worst case,control panels for critical systems can now be directlyaccessed via the internet.

This paper surveys the current threat landscapefaced by these systems, examining the who, why andhow of attacking an industrial control system, fromboth the attacker and defender’s perspective.

2. THREAT ACTORS

In today’s world, there are a multitude of potentialattackers, all with various ultimate goals. This sectiondescribes the main actors that may have an interestin attacking a SCADA system and their motivations.An estimation of their potential impact is also given.

2.1. Hostile Nations and Foreign IntelligenceServices

During war and conflict, an enemy nation may seekto attack another by targeting the critical nationalinfrastructure. By disrupting areas such as power,transportation and industry a nation can weakenanother and bring a war or dispute to an earlyconclusion. An attack by a hostile nation is a highthreat, since the resources behind the efforts will besubstantial. These resources can be used to hirehighly skilled hackers, who can operate without fearof prosecution in their home country. Highly skilledcoders can also be hired, who can be tasked withcoding advanced malware that avoids detection anddelivers reliable payloads. Stuxnet was very robust

c© Michael Robinson. Published by BCSLearning and Development Ltd. 30Proceedings of the 1st International Symposium for ICS & SCADA Cyber Security Research 2013

The SCADA Threat LandscapeMichael Robinson

and highly obfuscated, and provides an example ofwhat can be done with the resources of a nationstate. In addition to the best coders and hackers, anation state may have influence over vendors andconvince them to insert backdoors into hardware.Nations are fully aware of this, and recent banson awarding contracts to Chinese technology firmHuawei due to security concerns have confirmedan awareness of this threat Arthur (2012). Finally,the resources and status of a nation allow it tosimply buy the hardware that another nation is usingand test it locally for weaknesses, an ability thatother potential attackers will not have (even if ahacking group managed to raise the funds, theyare going to raise alarm trying to purchase nuclearcentrifuges). Nations do not have to be at war tobe interested in attacking the national infrastructureof another nation. Many nations have an interestin on-going information gathering on other nations,and seek to extract data from national infrastructure.The realisation that future wars may be held incyberspace also encourages nations to keep up todate on each other’s activities and test their ability tobreach another nation’s cyber defences. Again, witha nation’s resources behind the attack, the threat ishigh.

2.2. Terrorist Groups

Critical national infrastructures are a tempting targetfor terrorist groups looking to cause fear, damageand loss of life. Air traffic control systems, nuclearpower plants, the water supply and food productionare just a few examples of areas where a terroristgroup could target their activities. While lacking theresources of a nation state, terrorist groups may stillbe able to attract highly skilled hackers and codersdue to an ideological appeal, rather than due toa financial reward. Terrorist groups may also havean extensive support network and unofficial supportfrom their nation, somewhat shielding the attackersfrom the threat of prosecution.

2.3. Industrial Spies

Organisations themselves may also be potentialattackers of SCADA systems. By breaking into acompetitor’s industrial control systems, trade secretsabout production processes may be stolen anddamage done to inflict financial harm or a drop inpublic confidence in the safety of their products. Alarge multinational will have the resources to hirequality hackers and coders, but the work will beclearly illegal with a risk of prosecution and damageto the organisation’s reputation.

2.4. Criminal Groups

Criminal groups also have an interest in attackingSCADA systems. An organisation could potentially

be held to ransom once a criminal group managesto gain control over its systems. Likewise, anation could be held to ransom should a criminalgroup claim to have control over critical nationalinfrastructure. The threat level of such groups mayvary. Some may be amateurish attempts at extortionby one or two people, using simple Ransomware(malware that infects a machine and demands apayment to remove it and give control back). Onthe other hand, there is a potential that an alreadyestablished criminal group could hire quality hackers,and launch a well-orchestrated extortion attack on anorganisation. There is also the possibility for a trulyhigh tech crime group to emerge. This group woulddifferentiate themselves from traditional criminalsby showing innovative methods of making moneyillegally through SCADA systems. An example ofthis may be acquiring false refunds on energy coststhrough a smart grid.

2.5. Disgruntled Insiders

Perhaps the biggest threat, disgruntled insidersalready possess the knowledge of and accessto an organisation’s SCADA systems. An insidermay include employees as well as contractors andbusiness partners. In 2000, a sewage plant inAustralia began to overflow shortly after it wasactivated, filling a river, park and nearby hotelwith 264,000 gallons of raw sewage Tsang (2012).Operators struggled to locate the problem, buteventually tracked it down to a series of spoofedcontrollers, set up by a contractor who originallyinstalled the control system. It was later determinedthat the contractor was intentionally making the plantoverflow, in an attempt to make the company hire himto solve the problem. While their hacking knowledgemay be low or zero, their knowledge of how thesystem operates and their privileged access to itmakes the disgruntled insider a very high threat.Motivations can vary from revenge to being a partof a larger plan such as terrorism or extortion. Aninsider may act alone or be approached by one ofthe other groups discussed in this paper, such ascriminal groups or a commercial competitor.

2.6. Hacktivists

Activist groups are increasingly becoming moreactive in the cyber world, using cyber-attack as ameans of making a political or ideological point.Anti-nuclear groups may target the control systemsof nuclear plants, environmental groups may seekto disrupt oil exploration attempts in the Arctic bydisabling or damaging SCADA equipment on rigs. Aswith terrorist groups, high quality coders and hackersmay be attracted by the ideology and personalbeliefs.

31


2.7. Hackers

The final potential attackers are hackers. This groupdo not have an agenda other than proving that theycan defeat defences and take systems over. Thereare generally two types of hacker, those that possessa good amount of knowledge and skill and thosethat simply run tools and scripts that are created byothers. While the first type is obviously dangerous,the second type can still cause disruption anddamage: especially when they may not realise thefull effects of the tool or script they are running.The threat from a good hacker is high, since theypossess a great deal of hacking knowledge and havea personal drive to defeat defences.

2.8. Comparison Table

Figure 1 below provides a visual overview of thepotential levels of attack each actor could inflict andtheir related motivation for doing so. Note that onlythe highest potential attack level is shown for eachactor. For example, nation states can achieve levelfive, and all levels below. The potential attack levelsare defined as follows:

Attack Level Description

1 The effects of the attack are minimal.Attacker may simply be snooping onoperations or running scripts to littleeffect

2 The effects of the attack are limited.Disruption to one local facility withno wider effect. Possible data theft ortampering

3 The effects of the attack are wide-ranging. Disruption to multiple nation-wide services, acting as an inconve-nience to daily life. Nation as a wholestill able to run

4 The effects of the attack are extensiveand sustained, bringing down at leastone critical infrastructure, such asnationwide air traffic control. Livesput in danger. Attacker actively worksto counter attempts to restore theinfrastructure

5 The effects of the attack are sweepingand sustained, crippling multiple partsof a nation’s CNI and bringing everydaylife to a halt. Loss of life caused. At-tacker actively works against defendersto sustain the attack

Table 1: Potential Attack Levels

Figure 1: Actor Attack Level Table

Note: This table is for a general overview ofestimated attack levels and motivations that can beexpected of the various groups. It should be notedthat it is always possible for an actor to causemuch higher damage than expected due to luck(e.g. a low skill hacker using a script which triggers achain reaction could reach level 3).

3. ATTACK VECTORS

SCADA systems were developed at a time when themain concern of their users was to increase operatorefficiency. By providing a centralised console, oneoperator was able to operate many distributedsystems, allowing plant owners to make costsavings. With the internet not yet invented, thesecurity of these systems was a minor concern thatextended no further than ensuring that unauthorisedpeople were not able to walk into a plant anduse a terminal. Even as technology advanced, thedesign of SCADA systems lagged behind on issuesof security, with assumptions made that air gapswould exist and unauthorised remote access wouldbe unlikely. The fact that SCADA systems run criticalinfrastructure means they cannot simply be takendown and upgraded; even patching is difficult. Forthis reason, a modern day attacker can find multipleattack vectors that simply wouldn’t exist on a systemused in other sectors such as finance or defence.This section will explore these attack vectors.

3.1. Lack of protocol security

With the original focus on efficiency rather thansecurity, a number of SCADA protocols still in usetoday have little to no security measures. Modbus,a popular SCADA protocol, is one that has noinbuilt security. A lack of authentication means thatremote terminals will accept commands from anymachine that claims it is a master. A lack of integritychecking or encryption means that messages maybe intercepted, altered and forwarded on with no

32


mechanism to prevent it. DNP3, another popularprotocol used in SCADA, also suffers from a lack ofsecurity. A malicious user may easily spoof repliesfrom a particular outstation, making it appear to beunavailable and denying a master the opportunity toissue commands or collect data. Where passwordsare sent across the network, it is not uncommonto see them sent in clear text. Attempts havebeen made to add security to protocols, as canbe seen with DNPSecure. Putting these protocolsinto live environments is a difficult task however,since the kind of systems using them are criticalnational infrastructure in which any downtime isunacceptable.

EffectsThe potential consequences of poor protocolsecurity include:

1. Spoofing of requests and/or responses

2. Man in the middle/message tampering

3. Replay attack

4. Traffic snooping

5. Credential Theft

Effects 1-3 are significant and can lead to an attackerbringing down a SCADA system or causing adangerous situation. While not an immediate threat,traffic snooping over a long period will provide anattacker with information on how the system runsand potentially allow them to better obfuscate afuture attack by making it blend into normal traffic.In the case of CNI, it may also be a vector forespionage. As an example, country A may be veryinterested in building a profile of how country B’s newsmart grid system operates.

Red Team PerspectiveIn order to exploit a protocol’s lack of security, anattacker must first gain access to the network thatthe protocol is being used on. This could be achievedby physical access (breaking into a facility, use ofan insider) or by exploiting other attack vectors togain remote access. Once on the network, tools suchas Wireshark can be used to snoop on and capturesamples of traffic. Packet crafting tools can then beused to either simply replay commands onto the line,or to first modify them to carry out some kind ofmalicious action.

Blue Team PerspectiveFrom a defender’s perspective, mitigating the impactof weak protocol security revolves around fourapproaches:

1. Preventing access to the network via goodnetwork security

The first step a defender needs to consider isthe idea of perimeter control. In an ideal world, asensitive SCADA system would be isolated and haveno external connections. But in reality, that may notbe the case. In cases where external connectionsexist, the perimeter of a SCADA network shouldend at connections to corporate networks, wirelessaccess points, dial in/VPN connections and atconnections to external parties such as businesspartners and backup services. Firewalls are thestandard method to enforce a perimeter, and arean essential component in denying an unauthorisedperson from getting into the SCADA network.Defenders may also consider layering perimeters,whereby particularly sensitive networks are givena perimeter inside of the wider SCADA perimeter.This inner perimeter can be given very specificfirewall rules that further protect it from an outsiderlooking to exploit the weak protocols used inside.IDS and IPS are additional valuable defensive toolsto detect and prevent unauthorised access to thenetwork carrying these weakly secured protocols.Data diodes are another option, physically enforcingone way communication out of the SCADA network.

2: Strengthening the security of the protocols

This approach to defence is a difficult one butresearch is advancing in this area. Researchershave developed new versions of existing protocolsthat add levels of confidentiality and integrity.While these protocols work in theory and insimulated environments, placing them into liveenvironments is challenging since it would meansignificant amounts of downtime and potentialissues with systems that run critical infrastructures.Unsurprisingly, governments and utility companiesare not scrambling to be the first to take down theirnational grid to beta test an improved protocol.

3: Redundant Systems

A potential way to mitigate the effects of weakprotocol security is to simply have redundantsystems. Should an attacker manage to get into yournetwork and send a malicious message to shut downa system, a redundant system elsewhere wouldtake over and ensure an uninterrupted service. Byeliminating single points of failure, an attacker mustperform a more complex attack to achieve somethingdestructive.

4: Monitoring

A final mitigation that is essential in defendingfrom weak protocol security is monitoring. Logsmust be generated and monitored to alert staff thatsomething abnormal may be happening. Withouteffective log monitoring an attack may go undetected

33


and post-incident investigation will be difficult.Security Information and Event Monitoring (SIEM)solutions are ideal for this task, raising alerts whenabnormal network messages are detected. AdaptingSIEM solutions to work seamlessly on SCADAnetworks is an ongoing area of research.

3.2. Erosion of Isolation

SCADA systems were originally isolated fromthe outside world. Sensors would simply monitorequipment and provide that information to acentral control room. As networking has advancedand become more accessible, organisations havemade decisions to integrate systems DigitalBond(2012). What were once isolated systems are nowconnected to corporate networks, allowing a headoffice to receive statistics and information fromnumerous remote sites. While protections such asfirewalls are put into place, a physical connection tothe outside world and the internet now exists. Thisopens the way for a determined attacker to leveragezero day vulnerabilities and social engineering tofind a path through the corporate network to theseonce isolated systems. Aside from targeted attacks,there is also a constant threat of a path opening upby chance. Infected USB drives, infected websitesand everyday social engineering that happens on acorporate network may open up paths to a SCADAnetwork to the whole world.

EffectsThe potential consequences of the erosion ofisolation include:

1. Providing unauthorised remote access to aSCADA network

This effect is significant, since it provides the meansfor an attacker to exploit other attack vectors, suchas weak protocol security.

Red Team PerspectiveIn order to exploit the erosion of isolation, an attackermust successfully locate and exploit vulnerabilitiesin the corporate network and ultimately buildthemselves a path to the SCADA network.

Blue Team PerspectiveAs with weak protocol security, the erosion ofisolation can be defended against by having goodnetwork security. Layered perimeters defended byfirewalls, IDS, and diodes, along with regularauditing of logs to detect intrusion attempts.Diodes can be particularly useful where networkconnections are required to send data out of acontrol network (e.g. statistics and monitoring) whilestill preventing traffic travelling back in. Wherepossible, authentication should be enforced with

good password management at both perimeterdevices and devices inside the perimeter. Staffawareness and the adoption of policies such asISO27001/2 will also help mitigate the problems oferoded isolation.

3.3. Configurations: Convenience over Security

This attack vector exists due to the legacy ofSCADA systems being isolated and the perceptionof air gaps. With the focus on efficiency andproductiveness, it is common to find SCADAsystems configured for convenience rather thansecurity. Systems can be accessed with noauthentication: if you can get to a terminal (eitherphysically or remotely), you have full access. Whereauthentication is in place, passwords are often leftas default or changed to something extremely weak,short and easy to guess. In some cases, passwordsare actually hard coded into systems, meaning thatthey cannot be changed at all. Passwords can alsobe the same across multiple systems. With thegrowth of mobile computing, wireless networks areset up to give operators access to the SCADAnetwork on the move. These wireless networks areagain configured for convenience and may haveweak passwords and poor or no encryption. Someolder SCADA systems still use dial-up modemsto allow remote access. In newer systems, VPNaccess has replaced this dialup access. Again,these systems can be potentially configured forconvenience and not with security in mind.

EffectsThe potential consequences of convenience oversecurity include:

1. Unauthorised remote or local access toSCADA systems.

Red Team PerspectiveIn the case of insecurely configured wirelessnetworks, the attacker needs to know which networkto connect to and be in range with a device capableof connecting. For dial-up and VPN access, theattacker needs to know the telephone number orVPN details. To exploit poorly configured systems,the attacker needs either remote or local accessto the system. Remote access can come fromthe erosion of isolation discussed previously. Localaccess can be achieved by exploiting failings inphysical security at a site.

Blue Team PerspectiveTo defend against this threat, defenders mustmove away from a culture that emphasisespurely convenience and towards one that balancesconvenience with security. Passwords should not beleft at default and should ideally be subject to the

34


same password management policies that wouldapply on a corporate network. Unfortunately, dueto the age and design of some SCADA systems,passwords may have to be changed at each machinemanually or simply be hard coded, making passwordmanagement difficult. Defenders should ensure thatall external points of access such as wireless accesspoints or dial in modems are properly protected. Inthe case of wireless access, MAC filtering can beapplied to provide a whitelist of allowed devices,along with the use of WPA2 encryption. If thesedevices only support WEP, they should be replacedwith modern devices. Dial in and VPN connectionsshould challenge the connector for a usernameand password. Staff should be encouraged to lockworkstations when not in use.

3.4. Weak Audit Trails

One of the main goals of IT security is to allowfor non-repudiation. This is the goal of making itdifficult for a particular person to deny sending aparticular message or command. Somewhat relatedto the convenience over security issue, a systemwith shared logins such as admin present an issuein identifying which particular employee sent whichcommand. If suitable logs are not kept, it may noteven be possible to determine a time and date ofa command being sent. This lack of accountabilityfor actions on the SCADA network opens the wayfor a malicious insider to attack systems and remainundetected.

In addition to user actions, the actions of hardwarealso need to be audited. In 2012, the USblocked Chinese firm Huawei from being awardedcertain telecommunications contracts due to nationalsecurity concerns over its hardware Arthur (2012).This was due to suspicions that the hardware itselfcontained malicious code and hence could not betrusted. Therefore, auditing needs to focus on bothusage by operators and the actions carried out byhardware with no user input.

EffectsThe potential consequences of a weak audit trail mayinclude:

1. Difficulty identifying who did what and when

2. Lack of hard evidence for a court case

3. Failure to notice abnormal activity beforeit becomes a security breach (brute forceattempts on accounts, attempts to connect tosystems etc.)

Red Team PerspectiveFrom an attacker’s perspective, weak audit trails arejust a bonus that removes the need to spend time

and effort covering their tracks. Connections can bemade and commands sent with no record being kept.This allows the attacker to carry out more aggressiveprobing into the network without the worry of obvioustrails being left in logs. In the case of a maliciousvendor, the vendor simply needs to sell the device toa victim and have it installed into the infrastructure.Weak auditing will then allow the device to steal dataor cause problems undetected.

Blue Team PerspectiveThe only real mitigation for weak audit trails is to addmore logging and policies to review those logs. Itshould be noted that organisations may be reluctantto add logging since it may add delay or the potentialfor instability to mission critical systems. Defendersshould check that all firewalls and IDS/IPS havelogging enabled, and a security information andevent monitoring (SIEM) program to monitor thoselogs and raise alerts.

To audit the actions of hardware, organisationscan consider using a trusted third party whospecialise in testing devices and detecting hidden orundocumented behaviour.

3.5. Vendor Back doors

Even if an organisation implements a very goodsecurity policy, attackers may still be able to findan attack vector through vendor back doors. Unlikea bug, a vendor back-door is a way into a pieceof hardware or software that is undocumented andhidden. Vendors can use these back doors forremote support, to temporarily give admin rights toapply updates or as a last resort if an organisationgets locked out of their systems. In 2012, one suchvendor back-door was discovered in Ruggedcomequipment widely used in perimeter defence. It wasfound that a hidden ‘factory’ account existed, with thepassword derived from the MAC address DigitalBond(2012). Once someone knows the existence ofthis account, they only need to discover the MACaddress to gain unauthorised access to the device.

Researchers have for a long time suggested thatcomputer chips made in China for the US militaryhave contained such vendor back doors BusinessInsider (2012), raising fears that there are manymore back doors out there that are sitting incritical equipment. Vendor back doors can be eitherintentional or non-intentional. Beyond that, they canbe either malicious or non-malicious. Figure 2 belowgives some examples of each characteristic:

35


Figure 2: Types of Vendor Back doors

Effects

The potential consequences of vendor back doorsinclude:

1. Unauthorised remote or local access todevices.

Red Team Perspective

By their very definition, vendor back doors are hid-den and so are not immediately visible to a potentialattacker. Information about these backdoors musteither be leaked from the vendor or discovered inthe same way that exploits are. To exploit a knownvendor backdoor, an attacker must be able to com-municate with the device in question. The erosionof isolation, weak physical security at the location orinsecure wireless networks are potential paths to thisgoal.

Blue Team Perspective

To mitigate the effects of vendor back doors,organisations should aim to have multiple layers ofnetwork security. Should a back-door be found in onedevice, the next device will still provide an obstaclefor the attacker. Using a trusted third party to testdevices before putting them into use may also detectthese back doors before they are exploited. Keepinglogs and regularly reviewing them may also helpto detect that a back-door is being used, althoughthe device itself should not be trusted with this jobsince it may intentionally not log use of the back-door. Finally, defenders should ensure that theirorganisation has good supply chain managementand knows where equipment is coming from and itshistory.

3.6. Interconnectedness

Critical national infrastructure is increasingly becom-ing more interconnected, with multiple distributedsystems depending on each other to function prop-erly. While important systems may have strong de-fences in place, the overall robustness of the systemis only as good as the weakest link in the chain. Aprime example of this is the national grid. In August

of 2003, a bug hidden inside a General Electricmanagement module triggered a chain reaction thattook out power systems across Northern America,leaving eight US states and two Canadian provinceswithout power Farmer et al. (2005), Poulsen (2004).With knowledge of the level of interconnectednessseen in CNI, an attacker can focus on the weakestlink and still achieve their goals.

Effects

The potential consequences of interconnectednessinclude:

1. Attacker can target weakest link and stillachieve success.

2. An organisation can suffer problems due to afailing of another organisation.


To exploit interconnectedness, an attacker musteither get lucky and hit a device which has knock oneffects, or carry out research to plan and specificallytarget a device which is likely to cause knock oneffects. Once the chain reaction has started, theattacker does not need to take any additional actions.


Protecting against interconnectedness is a difficulttask, since it is difficult to know what the knock oneffects will be until it happens. Organisations shouldcollaborate to discuss how their systems connect toeach other and identify which systems are the mostcritical and interconnected. Plans can then be drawnup to provide extra security for that system.

3.7. Human Error

When looking at potential threats to a SCADAsystem, it is important to consider accidentaldamage as well as intentional attack. As SCADAsystems increase in complexity and becomemore interconnected, the chance for human errorincreases. These errors can be the result of asimple mistake (i.e. entering the wrong value orforgetting to carry out a process), or due to a lackof training. Stuxnet was first introduced to Iraniannuclear facilities via a USB device used by anemployee.

Effects

The potential consequences of human error include:

1. Damage to systems with potential knock-oneffects to other systems.

2. Unintended changes to processes.

36



In a scenario where an operator inputs a commandand an undesirable effect takes place, there is noattacker, it is simply a mistake. Human error canbe exploited in other scenarios however, such asleaving an infected USB stick on the floor outside ofthe facility. Out of curiosity, a worker at the facilitymay insert the USB into a system to see what itcontains. At this point, malware can be automaticallytransferred onto the system. Human error may alsoprovide opportunities for an attacker in the formof incorrect firewall rules, or rules that are addedtemporarily for testing but never removed once thetesting is over.

Blue Team Perspective Human error is unavoidablebut the threat can be reduced by having regular, upto date training of staff. In addition, checks shouldbe in place to ensure that commands are enteredcorrectly these can be automated checks usinglogging to flag potential errors or manual checks byanother operator before an operation is permitted. Ingeneral, the organisation should have clear policiesin place that limit the chances for human error to goundetected.

3.8. Unpatched Systems

Some industrial control systems need to be on 24/7with no downtime. Once systems are up and running,organisations are reluctant to install updates to eitherthe OS or applications. These updates may involvereboots and introduce instability or new bugs thatcould bring an organisation to a halt. For thesereasons, organisations are much more inclined tosimply leave the system as it is and avoid makingany changes. For an attacker, this is extremely usefulsince no security updates will have been applied.This gives them the opportunity to exploit well-knownvulnerabilities that are potentially years old.

Effects

The potential consequences of unpatched systemsinclude:

1. Easy unauthorised access and control ofsystems.


The attacker must discover at least one knownvulnerability in the current version of OS orapplication being run on the target system. Theymust also be able to communicate with the systemto exploit such vulnerabilities (e.g. secure wirelessaccess or have access to the SCADA network viacompromising another machine).


Having good network security will help to preventan attacker from reaching an unpatched machine.Having redundant systems will also help in patchmanagement. Should a patch introduce undesirableeffects, the redundant system can take over until thepatch is rolled back. Using an up to date intrusiondetection system is also advisable, since it will havesignatures for well known exploits and prevent suchattacks from reaching the vulnerable system.

3.9. Malware

SCADA systems are just as (or even more)susceptible to malware as corporate systems, andthe effects are potentially much more serious. Toreduce potential instability and to ensure that thespeed of the system is not hindered, SCADAsystems rarely run any form of anti virus, firewall orIDS. This means that once malware has accesseda system, it is not going to be automaticallydetected and stopped. Malware infections intoSCADA systems can be both general and targeted.As an example of a general malware infection, itwas reported in 2011 that the USAF drone controlsystems had become infected with a key loggerNaked Security (2011). This key logger did notspecifically target the control centre, and could notcommunicate out, but its presence on the systemwas undesirable and its overall effect on the flyingof drones was unknown. On the other hand, Stuxnetwas coded to specifically target a very particularpiece of Siemens hardware, and to perform a veryspecific action of changing the speed of centrifuges.

Effects

The potential consequences of malware on SCADAsystems include:

1. Damage and impairment of systems.

2. Unauthorised remote access.

3. Data exfiltration.


There are numerous ways a piece of malware canget into a SCADA network, ranging from USB drivesto drive by downloads to coming preloaded on anew piece of hardware. Social engineering can beused to trick an employee into clicking a particularlink in an email or by leaving a USB drive onthe ground near a facility and hoping an employeeinserts it into a machine out of curiosity. Once themalware is inserted into a machine on the SCADAnetwork, it may attempt to call home and establisha connection with a command and control machine,allowing remote control or transferring data.

37



A SCADA system can never be completely securedfrom malware, but good security policies, theapplication of the principle of least privilege andhost hardening techniques can be used to lessenthe chance of infection. When an infection doesoccur, an organisation should have adequate loggingin place to detect it, and a response plan toact quickly in its containment and removal. Goodnetwork security is also essential in preventing thespread of malware, along with staff training on howto avoid malware and redundant systems that cantake over the running of systems should anotherfail. Making physical security teams aware of whatitems may potentially introduce malware (such asUSB sticks or smartphones) and confiscating thembefore they reach a critical system is also important.

3.10. Adoption of Standards and CommonTechnologies

While the SCADA systems of the past often reliedon proprietary software and technologies, modernsystems are increasingly adopting more commonlyaccepted standards. Data is transported acrossTCP/IP networks; interfaces are displayed usinga Flash or Java interface with an Apache or IISwebserver behind the scenes. These are also likelyto be old versions: Either they simply can’t beupdated or the update process risks downtime,instability or loss of configuration. These commontechnologies are easier to use and implement sincethey are better understood, but this understanding isalso possessed by attackers and can be used to helpattack the system.

Effects

The adoption of standards has the following potentialconsequences:

1. Large number of known and zero dayvulnerabilities, especially for old versions.

2. Attacker has advance knowledge of technolo-gies being used.


To exploit these common technologies, an attackermust be aware of a known vulnerability in a commontechnology such as Java or Flash, and be able tolocate a suitably vulnerable version in use on theSCADA network. They must be able to communicatewith the vulnerable piece of software in order toexploit it.


As with most attack vectors discussed so far, goodnetwork security is a key element of defendingagainst vulnerable common technologies, since anattacker cannot exploit a vulnerability if they cannotaccess it. Improved logging would help to detectif an attacker was attempting to exploit a knownvulnerability. If possible, security patches shouldbe applied as they are released, but in a SCADAenvironment this may not be viable since downtimeor instability may be introduced. Mitigation solutionssuch as Microsoft’s Enhanced Mitigation ExperienceToolkit (EMET) may also have a role to play here,although extensive testing must be carried out beforedeployment since a product such as EMET changesthe actions of processes to make them more secure.Having redundant systems is also a benefit, sincepatches can be automatically applied on one systemwhile the redundant system continues operation.If the patched system performs identically to theunpatched system for a certain amount of time, theother system can also be patched. The best optionis to avoid common technologies that regularly getbreached, such as Java and Flash.

3.11. Lack of physical security

As the name suggests, distributed control systemscan be distributed at multiple remote locations. Manyof these locations are unmanned, simple structureswhere physical security may be limited to a padlockon a door. An attacker may break in and interferewith the SCADA equipment with little fear of beingcaught. Even at a larger, manned facility, an intrudermay claim to be an engineer or contractor and begiven physical access to sensitive equipment.

Effects

1. Unauthorised local access to SCADAequipment


Attacker must locate remote equipment, and pos-sess enough tools to break into the location or gainaccess through deception. A determined attackeracting as an engineer may make multiple visits towin trust. Once inside, they can cause problemssimply by physically damaging the equipment. Amore advanced attacker may possess the ability todo something more destructive, by sending or tam-pering with commands from the accessed equipmentor changing configurations.


At a basic level, organisations should ensure thatthere is reasonable physical security at all locations

38


where SCADA equipment is present. Doors shouldbe locked and not propped open; staff trainingand policies should reflect this. Policies shouldstate a minimum level of physical security for allsystems. For an organisation such as an electricityprovider, this is obviously difficult since the systemsare very distributed in nature with substations allaround a nation. Organisations should also examinehow traditional, physical security operations in theirorganisation work with cyber security operations.Often these two teams are unconnected anddo not communicate to see the bigger cyber-physical security picture. Cyber-physical security canbe defined as the integration of logical security,information security, physical and personnel security,business continuity, disaster recovery and safety riskmanagement Slater (2011). By integrating all thesesecurity aspects, a number of benefits can be gainedsuch as having a single point of contact for allsecurity issues. This allows a security issue to beeasily reported and solved by the collaboration ofboth physical and cyber security teams. As attackson an organisation may involve both physical andcyber aspects, this collaboration is essential.

3.12. General Security Issues

This category covers security issues that are notspecific to SCADA systems, but still present a threat.This includes software based vulnerabilities, such asbuffer overflows and SQL injection. These can bepresent in web interfaces and will allow an attackerto crash the program or take control over processing.General network security is also an issue. Wherethey exist, firewalls and IDS systems need to becarefully configured with the principle of whitelisting(i.e. block everything, then only allow the minimumthat is needed to carry out business). A firewall thatis poorly configured can allow an attacker to passthrough and exploit further attack vectors. Networkadministrators should also ensure that port securityis upheld, unused network ports should be disabledand active ports should have MAC and IP addressrestrictions, to hamper a physical attack wherebyan existing device is unplugged and replaced by anew one. These are all general cyber security issuesthat organisations should already be addressing,whether they use SCADA systems or not. US Certprovides extensive guides for anyone looking tosecure their organisation from these general threatsUS CERT (2011).

Figure 3 provides a summarised overview of thediscussed threats and associated controls.

Figure 3: Attack Vectors and Controls

4. ATTACK CHAINING

It should be noted that while these attack vectorsare all significant, one alone is unlikely to result ina security breach. An attacker will exploit many ofthese vectors to carry out a complete attack. Figure4 below gives an example of how an attack may takeplace by chaining together some of the attack vectorsdiscussed in this paper.

Figure 4: Example Attack Scenario

In this example, we can see that an attacker usesa wireless access point to connect to the SCADAnetwork. They deny workers at the facility a viewof the factory by disabling the HMI. Maliciouscommands are then sent to a PLC, which causesdamage to the factory. The attacker is then ableto escape undetected and the organisation is leftwondering how this attack occurred, or even if itwas just an accident. Figure 5 below shows how

39


the attacker was successful at each stage of thisexample attack:

Figure 5: Reasons for Attacker Success

Firstly, the attacker exploits the erosion of isolationand the organisation’s failure to update systems. Thewireless access point did not use MAC whitelisting,and hence allowed anyone to connect. Once con-nected, the attacker was challenged for a networkkey. The use of weak and outdated WEP encryptionallowed the attacker to easily determine this keybeforehand. Once on the network, the attackerexploits convenience over security, by trying someobvious logins on the HMI terminal. They eventuallyguess supervisor/supervisor. This account hasfull administrative access to the machine, allowingthe attacker to wipe the hard drive of the HMI.This leaves the supervisor with no view or controlover the operation of the plant. The attacker thenexploits weak protocol security by snooping on thetraffic on the network. With some sample messagescaptured, the attacker can use a tool to craft theirown messages containing commands to raise thetemperature to high levels. The attacker disconnects,no logs are kept and the organisation is left mystifiedas to how this damage occurred. The problem ofthe insecure wireless point is not corrected, and theattacker may repeat their attack in the future. Evenif a cyber security officer determined that the attackwas coming via wireless, physical security officersare not informed quick enough due to a lack of cyber-physical security operations at the organisation andthe attacker can escape the location.

Figure 6 below shows how the attack may be mademore difficult by implementing some of the blue teamrecommendations made in this document and byhaving a secure architecture:

Here we can see a number of defences in place.Multiple firewalls provide perimeter security to mul-tiple layers of perimeters, with particularly sensitivesystems (highlighted in yellow, blue and green) giventheir own perimeters with deep packet inspectionfirewalls. Alongside these firewalls, one way gate-ways such as data diodes are used, to help ensurethat data can only flow in one direction. A securityoperations centre (SOC) uses security information

Figure 6: A more secure architecture

and event management (SIEM) systems to monitorlogs and events from throughout the organisation.

5. RELATED WORK

This paper has suggested ways in which an or-ganisation can develop policies to defend froma variety of SCADA threats. Aside from the ad-vice in this paper, other efforts to develop bestpractice exist. ISA99 (2013), a standards develop-ment committee with a focus on industrial controlsystems is one such group also working to helpprotect critical infrastructure. NERC (2013), alsofocusses on developing standards, but specificallyfor power grid systems. In Europe, ENISA (2013)also provide a number of documents advising howbest to secure industrial control systems.

6. CONCLUSION

This paper has looked at the SCADA threatlandscape: The who, why and how of SCADAsecurity. For each vector, red and blue teamperspectives have been given, allowing an insightinto both sides of the situation. The advice given toblue teams by this paper should be considered aspointers to help formulate an organisation’s policiesand to help support risk assessment procedures.Policy formulated from thorough risk assessment isthe key to good security, and by ensuring currentpolicies reflect the advice in this paper and otherrelevant works, blue teams can ensure that systemsare protected by best practice.

40


REFERENCES

Arthur, C. (2012) Huawei contract ban stokes fear ofcyber cold war. Guardian.

Business Insider (2012) Sergei Skorobogatov de-fends backdoor claims. Business Insider.

DigitalBond (2012) Ruggedcom backdoor revealed -fragile.

ENISA (2013) Protecting industrial control systems.Recommendations for Europe and member states.

Farmer, R., Anderson, G., and Donalek, P. (2005)Causes of the 2003 major grid blackouts in northAmerica and Europe, and recommended meansto improve system dynamic performance, IEEETrans. Power Syst., 20 (4/Nov.). 1922-1928.

ISA99 (2013) ISA99 industrial automation andcontrol security. Research Triangle Park, NC, USA:ISA.

Naked Security (2011) Malware compromises USAFpredator drone computer systems.

NERC (2013) North American Electric ReliabilityCorporation.

Poulsen, K. (2004) Software bug contributed toblackout.

Slater, D. (2011) Physical and it security conver-gence: The basics. CSO.

Tsang, R. (2012) Cyberthreats, vulnerabilities andattacks on SCADA networks.

US CERT (2011) Governing for enterprise security.

41

Documents

The SCADA Threat Landscape - Semantic Scholar · The SCADA Threat Landscape Michael Robinson and highly obfuscated, and provides an example of what can be done with the resources