Protecting SCADA devices from threats and hackers
Supervisory Control and Data Acquisition (SCADA) systems control many of the crucial services our modern society depends upon such as electric power distribution, water treatment, natural gas and oil pipelines, hydroelectric dams, traffic lights, train switching systems, building controls, and many others.
Because of its critical role in controlling these systems, security for SCADA systems is a high priority, but many legacy SCADA devices that were designed without security measures are now being connected to the Internet. These devices also lack the ability to detect and report traffic abnormalities, probes or attacks, or to manage and control security policies. While newer systems may include improved security, many SCADA devices remain deployed for 10 years or more, often in remote areas, resulting in very slow migration to newer, more secure devices.
In addition to system level security issues, SCADA protocols themselves are often inherently insecure. They may lack basic security measures. Instead they often rely on “security by obscurity” or on isolation from public networks for security. Without security measures such as authentication and encryption, the underlying protocols provide an easy avenue for hackers wishing to attack SCADA devices.
SCADA systems are often complex networks with multiple components. These systems may be fully automated, where all control is performed by computers, fully manual, where control is performed by human operators, or a hybrid system, where some control is performed automatically and some is performed by human operators. To perform all of these functions, many SCADA systems include:
Field interface devices – Sensors detecting and reporting power levels, flow rates, temperature, pressure, and local control devices such as motor controls, valve actuators, and control switchboxes.
Operating equipment – Motors, pumps, automated factory systems, and valves controlled by the SCADA network.
Control computers – Embedded computers or dedicated PCs receiving information from the sensor networks, reporting this information to the management systems and controlling the associated operating equipment. These computers may make decisions automatically based on the information derived from sensors, or may relay commands received from management computers.
Management computers – Computer terminals with an HMI (Human Machine Interface) connected to the SCADA network. These computers provide an interface for operators to monitor and control the devices on the SCADA network.
Networked communication (local and remote) – SCADA networks use a variety of communication technologies. Serial communication, USB or proprietary wired networks are used for short range communication. Ethernet, TCP/IP, Wi-Fi, dial-up networking, cellular packet data and other methods are used for long range communication. Increasingly, SCADA networks utilize the Internet for long range communications and remote access.
Interconnection to business process systems – Frequently, SCADA networks are connected to corporate networks to allow them to interconnect with business process systems.
SCADA networks may contain a mix of PCs and special-purpose embedded systems running real-time operating systems such as VxWorks, INTEGRITY, or MQX. Many of the PCs used in SCADA networks were installed when the SCADA system was first deployed and have not been updated with newer operating system versions or software patches. As a result they are often vulnerable to attack. Most embedded computers in SCADA networks were designed before security was a major concern and contain few, if any, security measures.
In most cases, the PCs within the SCADA network can be protected by ensuring they are running a current operating system with the latest security patches and security software. In some cases, the PCs are running SCADA specific software that is only supported on an older OS version preventing the PC from being upgraded, creating a security issue. In the case of these legacy PC systems, and for embedded SCADA computers, another solution is required.
Attacks on SCADA networks
There is little dispute that additional protection is needed for SCADA networks. The FBI recently acknowledged that hackers gained access to SCADA systems in three different cities. Other reported attacks on SCADA systems include:
- Train system delays
- Sewage system spillage caused by a disgruntled former employee
- Automotive manufacturing plant shutdown
Given the large number of deployed SCADA devices and the slow migration to modern, secure SCADA devices, the SCADA marketplace needs the ability to add security to both existing legacy devices and new designs in a cost-effective manner for both remote SCADA devices located outside of a corporate network and for local SCADA devices such as those residing on the factory floor.
This can be achieved by augmenting current SCADA devices with the ability to control their communication, detect and report attacks or suspicious traffic patterns, and to allow centralized control of security policies. These capabilities would provide SCADA devices with a much higher level of security and protect them from the majority of cyber-attacks.
A low-cost SCADA aware firewall device (Figure 1) can provide these capabilities. Unlike enterprise firewalls that protect all of the computers on a corporate network, a SCADA firewall protects just a single SCADA device. Since the firewall is filtering traffic for a single SCADA device only, it does not need to perform any routing functions and can be customized specifically for the requirements of protecting a specific SCADA device. It only requires two Ethernet ports and can be implemented on low cost hardware, providing a customized yet cost-effective solution. The device is simply plugged into the network in front of the SCADA device, inserting a layer of protection.
Figure 1: A firewall to protect SCADA devices from Internet delivered threats can be embedded into an external device that protects the device.
The SCADA firewall can be used to protect devices located at remote locations without making any modifications to the SCADA device itself. It can also be used to protect SCADA devices located on a factory floor or other non-remote location. For new SCADA devices, the firewall software can be integrated into the device to ensure protection.
The SCADA firewall must provide:
- Control of the packets processed by the device
- Protection from hackers and cyber-attacks that may be launched from the Internet, inside the corporate network, or WiFi networks
- Protection from DoS attacks and packet floods
- Ability to detect and report traffic abnormalities, probes, or attacks.
- Ability to manage and control changes to filtering policies
Blocking attacks with a SCADA Firewall using a virtual closed network
As stated above, many SCADA devices with limited security are now connected to the Internet, exposing their security vulnerabilities. This can be remedied by using a SCADA firewall to create a virtual closed network (VCN).
To create a VCN, the designer needs to define communications polices for the device restricting communication to only what is required. The communication policies define who the device is allowed to talk to, what protocols are allowed, and what ports are open. The defined communications policies are then encoded as firewall rules. The firewall filters messages before the device processes the messages. By enforcing the rules, the firewall limits communication to the device, creating a virtual closed network.
In a system without a firewall, a hacker may attempt to remotely access the device using default passwords, dictionary attacks, or stolen passwords. Such attacks are often automated, allowing a huge number of attempts to break the system’s password. The same system, protected by a firewall configured with a whitelist of trusted hosts, will be able to block the attack. The firewall’s filters will block the login attempts from the hacker before a login is even attempted because the IP or MAC address is not in the whitelist of trusted hosts.
SCADA firewall design
The main requirement of a SCADA firewall is that it control who the SCADA device talks to and what communication is allowed. The firewall can control who the device talks to (IP and MAC address filtering) and what traffic is allowed (port and protocol filtering) by filtering network traffic. Ideally, the firewall should also provide protection from Denial of Service and other cyber-attacks, event reporting, and integration with a management system. Event report and integration with a management system provide visibility into abnormal network traffic, alerts in the event of a cyber-attack, and centralized control of security policies.
The firewall must provide the ability to configure a set of rules specifying which packets are processed and which are blocked. Rules can be set up to block or allow packets by IP address, port, protocol, or other criteria. Some firewalls support advanced rules allowing additional fine-grained control over the filtering process.
A SCADA firewall may also provide Stateful Packet Inspection (SPI) and threshold-based filtering. SPI filtering maintains information on the state of the connection and uses that information to distinguish legitimate from malicious packets. Threshold-based filtering maintains statistics on the number of packets received to detect and block DoS attacks.
Since each packet received by the device passes through the firewall for filtering before being processed, many attacks are blocked before a connection is even established. This provides a simple yet effective layer of protection missing from most devices.