Protecting SCADA systems

Forming the central nervous system of a gas chain, SCADA systems integrate a variety of crucial components including remote monitoring and control of wellheads, gate stations, district regulators, pressure monitoring sites and metering of major customer sites.

The evolution of new vulnerabilities

SCADA systems have developed in response to the need to monitor and control the state of remote equipment more efficiently. To date, there has been an emphasis on maintaining the physical security of the system, in other words, the ability to automate the action of valves and other equipment so that a valve cannot be exposed to unauthorised use.

New vulnerabilities have arisen, in part because of this prioritisation of reliability and safety. As David Shaw, Product Manager for Verizon Business’s security division, notes, critical infrastructure operators naturally approach SCADA systems from an engineering perspective, which means there is an emphasis on availability over security.

“When we go to an electricity utility, the thing that’s driving them is 99.99 per cent availability so there is not the mindset for privacy. Because they’re using simple systems and everything is in real time, if you add auditing or monitoring to the process, it’s seen as a waste of resources,” says Jill Slay, a computer forensics specialist at the University of South Australia’s Defence and Systems Institute.

With lifetimes ranging from 15 to 30 years, the majority of SCADA systems have been designed without current security requirements as a priority. The rapid advance of technology and the changing business environment are driving major transformation in SCADA network architecture, introducing new vulnerabilities to legacy systems. In particular, the current push towards greater efficiency, consolidated production platforms and larger companies with smaller staffing levels is leading to changes in SCADA systems that raise many questions about security.

Some of the other major trends exposing weaknesses in security systems include:

– Increasing consolidation of previously separate SCADA systems, and of SCADA systems with other business networks, to enhance the amount, detail and timeliness of information available to management, making them higher-value targets
– Increasing reliance on public telecommunications networks to link previously separate SCADA systems is making them more accessible to electronic attacks
– Increasing use of published open standards and protocols, in particular Internet technologies, exposing SCADA systems to Internet vulnerabilities
– The interconnection of SCADA systems to corporate networks may make them accessible to undesirable entities
– Lack of mechanisms in many SCADA systems to provide confidentiality of communications means that intercepted communications may be easily read
– Lack of authentication in many SCADA systems may result in a system user’s identity not being accurately confirmed.

Threats to SCADA systems

Threats to SCADA systems can come from a variety of different sources but one of the major threats facing organisations comes from genuine mistakes made as a result of lack of training, carelessness or oversight.

SCADA systems are also vulnerable to generic Internet threats such as worms, trojans and viruses that infect systems. These can impact SCADA systems when they use the same software and protocols. This may not be the result of a deliberate attack; SCADA systems may be infected merely because they can be.

Additionally, SCADA systems are prey to recreational hackers, crackers and virus writers motivated primarily by the challenge and a fascination with technology. Cyber attacks can also be executed by ‘script kiddies’, who are primarily untrained and yet have hostile or thrill-seeking intentions towards almost anything connected to the Internet.

“The amount of information available on SCADA systems online provides such a large amount of information out there for those who want to find network vulnerabilities in critical infrastructure. The reality is that there is a wide dissemination of hacker tools which allows a greater number of people to hack these systems,” says Craig Scroggie, Symantec’s Senior Director for Asia Pacific and Japan.

Indeed, the variety of tools potentially exposes SCADA systems to insider attacks from employees or ex-employees who are disgruntled or who, for any other reason, are a possible security threat, in addition to corporate attackers that spy on competitors to gain a competitive advantage.

Managing risks to SCADA systems

While it is difficult to completely minimise the risk caused by some of the more unexpected threats, such as terrorist or activist attacks, threats to SCADA systems due to genuine mistakes and generic Internet risks can be managed by a combination of effective planning, upgrading network infrastructure and training.

Evaluate the framework used to identify security risks

Considering the potential for security risks associated with SCADA systems, it is important that there is a framework in place to identify possible risks for existing and new SCADA systems. As SCADA systems are becoming increasingly interconnected with the Internet and corporate networks, they are also becoming more exposed to Internet security threats and network vulnerabilities.

It is crucial for SCADA managers to put in place appropriate risk management strategies. Such strategies might include regular vulnerability assessments of SCADA systems, processes for patch management and configuration management, communication between engineering and IT departments, staff training and appropriate network architecture. In addition to assessing operational systems, regular vulnerability assessments should also be undertaken of corporate networks, web servers, and customer management systems to reveal unintended gaps in security, including unknown links between public and private networks, and firewall configuration problems.

Ensure that engineering and IT components of the SCADA system are coordinated

Because SCADA systems have been designed as engineering systems which now incorporate information technologies, sometimes vulnerabilities have arisen because of a lack of communication between the IT and engineering departments. In many organisations the engineering and IT departments do not communicate on SCADA security matters. These two areas need to work closely together to ensure that SCADA systems have appropriate security arrangements.

New security threats mean new security responses. These may require skills usually not found in process control personnel. Considering that SCADA systems are integral to business processes, it is important to note whether appropriate education and training are available. This applies at the executive level as well as at the information systems and network management levels, since it is likely that IT employees’ earlier education and training did not include many of the security issues that are now faced by SCADA systems.

More specifically, while firewalls, intrusion detection systems, and virtual private networks can all help protect networks from malicious attacks, improper configuration and/or product selection can seriously hamper the effectiveness of a security position. Finally, the network architecture should be robust and sufficiently adaptable to counter existing and new threats.

Under the umbrella of the Australian Government’s Trusted Information Sharing Network (www.tisn.gov.au) and the IT Security Expert Advisory Group, there is a special forum for owners and operators of SCADA systems within critical infrastructure sectors. This group is known as the SCADA Community of Interest and meets quarterly in a trusted environment.
