Security researchers warn that attacks against Supervisory Control and Data Acquisition (SCADA) systems could cripple critical infrastructure services. SCADA networks encompass the computers and applications that perform key functions in providing essential services and commodities such as electricity, natural gas, gasoline, water, waste treatment and transportation, all part of the nation's critical infrastructure. The first step in safeguarding these infrastructures is identifying system vulnerabilities.
Even though SCADA systems have been used for a decade to monitor and control critical equipment at power companies, manufacturing facilities, water treatment plants and even in building automation, until recently there has never been a sharp focus on their security, nor much acknowledgement of their vulnerabilities. That is all the more reason to require protection from the threats that exist in cyberspace today.
Digital Bond, a consulting firm specializing in control system security, has found that the latest vulnerabilities mostly exist in free or low-cost Windows-based engineering workstations that are used as graphical user interfaces to back-end control systems. SCADA systems such as those from Siemens are deployed widely in critical infrastructures.
Siemens reported just last year that the Stuxnet worm was released for the purpose of stealing industrial secrets, disturbing operations and infecting some 14 nuclear plants. The worm leveraged a previously unknown Windows vulnerability (since patched) that allowed it to spread from computer to computer, typically via USB sticks. It has become increasingly apparent that attacks on vulnerable SCADA systems can wreak havoc.
Cambashi analyst Christine Easterfield agrees, “with the growth of embedded software–in every new control system, device and industrial machine–there is a potential vulnerability at each interface. And with more interconnection, often using the Internet, for remote monitoring and business system integration, the risk of malware attack gets more real and more serious.” Easterfield continues, “but this is just one dimension–you need to consider operational procedures, staff, and other factors. For example, staff need to be trained in secure practices and made aware of the risks to which they may expose critical systems.” Critical SCADA systems, such as those in oil and gas, nuclear, energy or any other mission-critical application, are typically configured in a master/slave architecture to achieve fault tolerance. For instance, PcVue designed its SCADA to run in a distributed architecture of several stations, including redundant ones. Its redundancy mechanisms include load balancing and hot, warm or cold standby. This allows the operator not only to handle the redundancy of the real-time, alarm and historical data of a distributed application but also to manage the redundancy of the communication with the devices and of the physical network.
“We see the use of these redundancy mechanisms for applications requesting a high availability and security of the data and as part of a disaster recovery strategy. As an example we can mention Iberdrola, one of the world's largest utilities and leading player in the global renewable energy sector, that uses tens of pairs of redundant PcVue stations to manage, monitor, control, distribute and archive hundreds of thousands of data points from wind farms across the US,” said Emmanuel Ecochard, VP of US Operations, PcVue, Inc.
Blue Pillar, a provider of energy asset management software, confirmed Cambashi's concerns about operational procedures and staff, and believes that, with the exception of IT staff, operational and energy management staff do not even have energy asset security on their radar as a security concern. The reality is that they either rely entirely on physical security or have to rely on the unsecured, open industrial automation implementations running Modbus TCP/IP throughout their networks.
According to Kyle Zeronik, Blue Pillar's VP of Information Technology, it is critical to secure the SCADA from top to bottom. “We secure critical power infrastructures right down to securing the messaging within our architecture to limit the conversations to only the devices with appropriate credentials and authorizations. We manage site-to-site communication including Internet security and encrypted messages transmitted over secure channels. Device-level communications are managed via 256-bit AES (FIPS-197 certified) encryption.”
Advanced integration needs
Today the threat to control systems has changed dramatically. There are more advanced integration needs than ever before for energy management, operational testing and even maintenance, which require more sophisticated automation to be implemented in traditionally under-automated equipment. More industrial automation means that historically un-automated equipment is now being exposed via unsecured network protocols such as Modbus, OPC and others.
According to Blue Pillar, advanced integration needs have become an over-arching security theme in the automation and controls industry, and they need to be addressed in the fabric of the solution at every level (physical, logical, electrical and so on), not as a bolt-on afterthought.
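As an added illustration of why the article calls Modbus TCP/IP open and unsecured (this is example code written for this page, not code from Blue Pillar or any vendor named here): a passive monitor that parses the Modbus/TCP MBAP header, which carries no authentication field at all, and raises an alert when a state-changing write function arrives from a host outside an allowlist of engineering workstations. The IP addresses, the allowlist and the three frames are constructed sample data.

```python
import struct

MODBUS_TCP_PORT = 502
# Function codes that change device state; reads (functions 1-4) are not flagged.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_mbap(frame: bytes):
    """Parse the 7-byte MBAP header and the function code that follows it.

    Returns (transaction_id, unit_id, function_code, pdu_data). The header has
    no credential or signature field: any host that can reach port 502 can
    issue a request, which is the exposure the article describes.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0 (Modbus)")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return tid, unit, frame[7], frame[8:]

def flag_unexpected_writes(packets, allowed_writers):
    """Return one alert string per write request from a host not on the allowlist."""
    alerts = []
    for src_ip, dst_port, frame in packets:
        if dst_port != MODBUS_TCP_PORT:
            continue
        try:
            _tid, unit, func, _data = parse_mbap(frame)
        except ValueError:
            continue  # malformed or non-Modbus; a fuller monitor would log these too
        name = WRITE_FUNCTIONS.get(func)
        if name and src_ip not in allowed_writers:
            alerts.append(f"{src_ip} -> unit {unit}: {name} (function {func})")
    return alerts

# Constructed sample traffic: (source IP, destination port, raw Modbus/TCP frame).
SAMPLE_PACKETS = [
    ("10.0.1.10", 502, bytes.fromhex("000100000006010300000002")),  # read 2 holding regs
    ("10.0.1.10", 502, bytes.fromhex("000200000006010600010001")),  # HMI writes register 1
    ("10.0.9.77", 502, bytes.fromhex("0003000000060105000AFF00")),  # unknown host sets coil 10
]
ALLOWED_WRITERS = {"10.0.1.10"}  # the engineering workstation / HMI (assumed address)

if __name__ == "__main__":
    for alert in flag_unexpected_writes(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print("ALERT:", alert)
```

In a real deployment the packet tuples would come from a span port or a capture file rather than an inline list, and the allowlist from the site's asset inventory.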
Let's face it: SCADA networks provide great efficiency. They are widely used because they enable the collection and analysis of data and the control of equipment such as pumps and valves from remote locations, and they were developed from inception with the ability to integrate seamlessly with numerous pieces of equipment and systems. Although SCADA networks were designed to maximize functionality, very little attention was paid to security. While the performance, reliability, flexibility and safety of distributed control/SCADA systems are robust, the security of these systems is too often weak. Cambashi's Easterfield summed it up: “critical infrastructure architectures must handle all the issues–from embedded software vulnerability to elimination of domino-effect failures.”
Domino-effect failures are common in the industrial controls sector because of the number of connections between systems and equipment. These connections can make some SCADA networks vulnerable to disruption of service, process redirection or manipulation of operational data, any of which could result in public safety concerns and/or serious disruption of critical infrastructures.
Safeguarding our infrastructure
The President's Critical Infrastructure Protection Board as well as the Department of Energy have gone on record stating that technical audits of SCADA devices and networks are critical to ongoing security effectiveness. Many commercial and open-source security tools are available that allow system administrators to audit their systems and networks to identify active services, patch levels and common vulnerabilities.
The use of these tools will not solve systemic problems, but it will eliminate the “paths of least resistance” that an attacker could exploit. It is important to analyze identified vulnerabilities to determine their significance and take corrective action as appropriate. It is also imperative to track corrective actions and analyze this information to identify trends. Once corrective actions have been taken, retest the system to confirm that the vulnerabilities were actually eliminated. To uncover and address potential problems without disturbing live control equipment, actively scan non-production environments.
Creating secure micro-grids
Blue Pillar has found that implementing and maintaining security is a real and growing concern for the energy industry. To help combat security vulnerabilities, Blue Pillar is working with energy infrastructure organizations to develop a cyber-secure central nervous system for campus energy asset portfolios and advocates the use of micro-grids.
Micro-grids are campus-based, integrated portfolios of distributed critical power resources, managed as a dispatchable nodal network that responds to economic, grid-instability and/or on-site power reliability events. Such a portfolio must include legacy base-load assets (generators, switchgear, chillers, campus distribution feeders, co-generation) as well as intermittent or renewable resources (thermal storage, solar, on-site wind). A true micro-grid would be able to completely island campus load from the grid for long periods of time, automating and prioritizing the dispatch of the various energy assets based on circuit-level load requirements (from mission-critical to “curtailable”), the heat rate/efficiency of on-site assets and inbound power quality from the grid, among other factors. To enable a proactive and secure micro-grid, a bi-directional command and monitoring software service bus application must be in place.
“In terms of addressing security and deploying micro-grids, the automation system should allow the end-user to manage emergencies, historically analyze the responses, and automate monthly testing regimes which we consider being the number one defense against being ill-prepared for any unforeseen events,” said Zeronik.
SCADA security checks and balances
Any facility that has a connection to the SCADA system should conduct a physical security survey and an inventory of access points. It is imperative to identify and assess every source of information, including remote telephone, computer network and fiber optic cables that could be tapped, radio and microwave links that could be exploited, computer terminals that could be accessed, and wireless local area network access points. The goal is to identify and eliminate single points of failure.
Robust performance evaluation processes are needed to give organizations feedback on the effectiveness of their cyber security policy and of the technical implementation of any SCADA. A sign that an organization is on track is that it is able to self-identify issues, conduct root cause analyses and implement effective corrective actions that address both individual and systemic problems. There is good reason to secure not only the SCADA itself but also the smaller embedded software applications found within many new devices.
The National Infrastructure Protection Plan Program works with several government agencies in the area of cyber security to ensure the integrity and availability of the nation's cyber infrastructure. In addition, the National Supervisory Control and Data Acquisition (SCADA) Test Bed is a DOE Office of Electricity Delivery and Energy Reliability (OE)-sponsored resource to help secure our nation's energy control systems. It combines state-of-the-art operational system testing facilities with research, development, and training to discover and address critical security vulnerabilities and threats to the energy sector.
As America's infrastructures have become more complex and interconnected, their operation and control have become more complicated. SCADA systems are today networked across the Internet and widely deployed to operate these infrastructures. These systems, and the Internet over which they exchange information, have been identified as insecure and have had many security vulnerabilities exposed. More safeguards are now being put in place to secure our critical infrastructures. The performance of the nation's infrastructure is an essential component of its economic prosperity.
The exponentially growing cyber security threats and attacks, including the increasing sophistication of malware, will continue to affect the security of critical infrastructure, industrial control systems and SCADA systems. The reliable operation of modern infrastructures depends on computerized systems and SCADA systems, which are not going away. With Internet and World Wide Web technologies, SCADA systems have also been increasingly integrated with ERP and business systems, which compounds the threat of cyber-attacks. Unfortunately, the reality is that there will always be concern about the security and safety of any system of importance to our critical infrastructure.
As technology advances, so do system vulnerabilities. Progress in securing our infrastructures must constantly be re-evaluated, and we must always prepare ourselves for whatever challenge is thrown at us, be it natural or man-made. Our infrastructure interdependencies, and the potential effects of losing one or more critical components in an attack, deserve strong consideration. There is no way to completely safeguard ourselves from attacks and malfunctions, which is why preparing a robust contingency plan will go a long way toward preserving our critical assets.
Eric Marks is the industry practice leader for PricewaterhouseCoopers. He helps organizations to innovate, reduce costs, manage risk and regulation, and leverage in-house capabilities. Prior to PwC, Marks worked with Deloitte Consulting, IBM Global Business Services, and Cambridge Technology Partners. Using his more than 18 years of consulting experience, his vision is to support companies in designing, managing and executing lasting beneficial change within their organization. Marks holds a bachelor of mathematics in computer science from the University of Waterloo and an MBA in strategic management and marketing from The Wharton School of the University of Pennsylvania.