6.0 Security and Vulnerability of SCADA Systems
SCADA systems have evolved in recent years and are now based on open standards and COTS products. Most SCADA software and hardware vendors have embraced Transmission Control Protocol/Internet Protocol (TCP/IP) and Ethernet communications, and many have encapsulated their proprietary protocols in TCP/IP packets. While all of this evolution towards more open-based standards has made it easier for the industry to integrate various diverse systems together, it has also increased the risks of less technical personnel gaining access and control of these industrial networks. On October 1, 2003 Robert F. Dacey, Director, Information Security Issues at the General Accounting Office (GAO) eluded to this and other issues in his testimony before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, House Committee on Government Reform. He said:
“For several years, security risks have been reported in control systems, upon which many of the nation’s critical infrastructures rely to monitor and control sensitive processes and physical functions. In addition to general cyber threats, which have been steadily increasing, several factors have contributed to the escalation of risks specific to control systems, including the (1) adoption of standardized technologies with known vulnerabilities, (2) connectivity of control systems to other networks, (3) constraints on the use of existing security technologies and practices, (4) insecure remote connections, and (5) widespread availability of technical information about control systems”. [9]
There are many tools and techniques that could be used to address these threats, and flexibility of security configurations is a key design consideration. There is no one magic solution for industry. Each entity must determine what their goals are and arrive at a cost effective solution to these issues.
6.1 Attacks against SCADA Systems
In today’s corporate environment, internal networks are used for all corporate communications, including SCADA. SCADA systems are therefore vulnerable to many of the same threats as any TCP/IP-based system. SCADA Administrators and Industrial Systems Analysts are often deceived into thinking that since their industrial networks are on separate systems from the corporate network, they are safe form outside attacks. PLCs and RTUs are usually polled by other 3rd party vendor-specific networks and protocols like RS-232, RS-485, MODBUS4, and DNP, and are usually done over phone lines, leased private frame relay circuits, satellite systems, licensed and spread spectrum radios, and other token-ring bus topology systems. This often gives the SCADA System Administrators a false sense of security since they assume that these end devices are protected by these non-corporate network connections.
Security in an industrial network can be compromised in many places along the system and is most easily compromised at the SCADA host or control room level. SCADA computers logging data out to some back-office database repositories must be on the same physical network as the back-end database systems, or have a path to access these database systems. This means that there is a path back to the SCADA systems and eventually the end devices through their corporate network. Once the corporate network is compromised, then any IP-based device or computer system can be accessed. These connections are open 24x7 to allow full-time logging, which provides an opportunity to attack the SCADA host system with any of the following attacks:
· Use a Denial of Service (DoS) attack to crash the SCADA server leading to shut down condition (System Downtime and Loss of Operations)
· Delete system files on the SCADA server (System Downtime and Loss of Operations)
· Plant a Trojan and take complete control of system (Gain complete control of system and be able to issue any commands available to Operators)
· Log keystrokes from Operators and obtain usernames and passwords (Preparation for future take down)
· Log any company-sensitive operational data for personal or competition usage (Loss of Corporate Competitive Advantage)
· Change data points or deceive Operators into thinking control process is out of control and must be shut down (Downtime and Loss of Corporate Data)
· Modify any logged data in remote database system (Loss of Corporate Data)
· Use SCADA Server as a launching point to defame and compromise other system components within corporate network. (IP Spoofing)
The impact of these and other SCADA Security Risks is summarized in Table 6.1
Description of Attack
|
Type of Attack
|
Attack Motive
|
Impact to Victim
|
Impact Rating (1 = largest immediate impact 5 = least immediate impact)
|
Items Needed for Attack
|
Estimated Time to Implement Once System is Compromised
|
Denial of Service
|
System Shutdown
|
Wish to take down server and cause immediate shutdown situation
|
SCADA Server locks up and must be rebooted. When SCADA Server comes back on- line, it locks up again. Operations can no longer monitor or control process conditions, and the system will ultimately need to be shut down
|
2
|
Ability to flood the server with TCP/IP calls, the IP Address of SCADA Server, and the path to the server
|
5 min.
|
Delete System Files (Low- level format on all local drives
|
System Shutdown
|
Wish to take down server and cause immediate shutdown situation
|
Critical Server and SCADA files are lost and operations can no longer monitor process or control plant or facility
|
4
|
IP Address of SCADA Server, path to server, and permission to delete files permission can be escalated used other tools)
|
15 min
|
Take Control of SCADA System
|
Gain Control
|
Gain control of SCADA System to impact damage on industrial systems, possibly causing environmental impact, and damage corporate identity through public exposure
|
Highest impact, since attacker can then manually override safety systems, shut down the system, or takes control of the plant operational conditions.
|
1
|
IP Address of SCADA Server, path to server, and either Trojan or back door installed. (Can also use PCAnywhere, Terminal Services, SMS, or other system admin services.)
|
1 hr.
|
Log Keystrokes, Usernames, Passwords, System Set points, and any Operational Information
|
Information Mining
|
Gain Information for future attacks or satisfy curiosity
|
Lower immediate impact, but information gained can be used for future attacks.
|
4
|
IP Address of SCADA Server, path to server, and software or mechanism for logging the keystroke activities.
|
15 min.
|
Table 6.1: SCADA Attack Matrix [10]
Description of Attack
|
Type of Attack
|
Attack Motive
|
Impact to Victim
|
Impact Rating (1 = largest immediate impact 5 = least immediate impact)
|
Items Needed for Attack
|
Estimated Time to Implement Once System is Compromised
|
Change Data Points or Change Setpoint(s) in SCADA System
|
Information Tampering
|
Desire to modify corporate data or process setpoints for malicious purposes
|
Higher impact since modified setpoint or control points can have adverse effects on controlled process, and potentially cause a shutdown condition
|
2
|
IP Address of SCADA Server, access to these servers, and some knowledge of SCADA software system inner workings
|
45 min.
|
Log any Operational or Corporate data for personal gain or sell to competition or hold as ransom
|
Information Mining
|
Try to steal corporate data and either sell to other companies or hold for ransom amount
|
Low environmental or immediate damage, but can damage corporate image if attacker builds attention to the fact that this system was compromised
|
4
|
IP Addresses of SCADA and database servers. (Would not even need IP addresses if protocol sniffer/logger used to sniff TCP/IP traffic.)
|
30 min.
|
Modify Data points on SCADA graphics to deceive Operators that system is out of control and must ESD (Emergency Shut Down)
|
System Shutdown
|
Cause danger to the facility or company by staging a false alarm shutdown of the plant or facility
|
Operations can no longer trust the SCADA System, and the attacker has deceived the Operator into thinking that there was an emergency condition in the plant
|
2
|
IP Addresses of SCADA servers, and access to them through the company network
|
45 min.
|
Table 6.1: SCADA Attack Matrix [10]
Description of Attack
|
Type of Attack
|
Attack Motive
|
Impact to Victim
|
Impact Rating (1 = largest immediate impact 5 = least immediate impact)
|
Items Needed for Attack
|
Estimated Time to Implement Once System is Compromised
|
Capture, Modify, or Delete Data Logged in Operational Database SQL Server, PI Historian, Oracle, Sybase, etc.)
|
Information Tampering
|
Desire to modify corporate data or process setpoints for malicious purposes
|
Higher impact since modified setpoint or control points can have adverse effects on controlled process, and potentially cause a shutdown condition
|
3
|
IP Address of SCADA Server, path to database server, and knowledge of SCADA software structure
|
45 min.
|
Locate Maintenance Database and modify or delete information regarding calibration and reliability tests for industrial equipment
|
Information Tampering
|
Desire to steal, modify, or delete corporate data.
|
Less immediate danger, but corporate information data warehouse would be comprised
|
4
|
IP Addresses of database servers
|
30 min.
|
6.2 Developing a SCADA Security Strategy
For a company to protect its infrastructure, it should undertake the development of a security strategy that includes specific steps to protect any SCADA system. Such a strategy may include the following approach.
Developing an appropriate SCADA security strategy involves analysis of multiple layers of both the corporate network and SCADA architectures including firewalls, proxy servers, operating systems, application system layers, communications, and policy and procedures. Strategies for SCADA Security should complement the security measures implemented to keep the corporate network secure
Figure 6.1 below illustrates the typical corporate network “ring of defenses” and its relationship with the SCADA network. Successful attacks can originate from either Internet paths through the corporate network to the SCADA network, or from internal attacks from within the corporate office. Alternatively, attacks can originate from within the SCADA network from either upstream (applications) or downstream (RTUs) paths. What is an appropriate configuration for one installation may not be cost effective for another. Flexibility and the employment of an integrated and coordinated set of layers are critical in the design of a security approach.
Figure 6.1: Relationship Between Corporate and SCADA Networks [10]
Most corporate networks employ a number of security
countermeasures to protect their networks.
Some of these and a brief description of their functions are as
follows:
•
Border
Router and Firewalls-Firewalls, properly configured and
coordinated, can protect passwords, IP addresses, files and more. However,
without a hardened operating system, hackers can directly penetrate private
internal networks or create a Denial of Service condition.
·
Proxy
Servers-A Proxy server is an internet server that acts as a firewall,
mediating traffic between a protected network and the internet. They are
critical to re-create TCP/IP packets before passing them on to, or from,
application layer resources such as Hyper Text Transfer Protocol (HTTP) and
Simple Mail Transfer Protocol (SMTP). However, the employment of proxy servers
will not eliminate the threat of application layer attacks.
•
Operating
Systems-Operating systems can be compromised, even with proper
patching, to allow network entry as soon as the network is activated. This is
due to the fact that operating systems are the core of every computer system
and their design and operating characteristics are well known world wide. As a
result, operating systems are a prime target for hackers. Further, in- place operating system upgrades
are less efficient and secure than design-level migration to new and improved
operating systems.
•
Applications-Application
layer attacks; i.e., buffer overruns, worms, Trojan Horse programs and
malicious Active-X5 code, can incapacitate anti-virus software and bypass the
firewall as if it wasn’t even there.
•
Policies
and Procedures-Policies and procedures constitute the foundation of
security policy infrastructures. They include requiring users to select secure
passwords that are not based on a dictionary word and contain at least one
symbol, capital letter, and number, and should be over eight characters long.
Users should not be allowed to use their spouse, child, or pet’s name as their
password. The above list is common to all entities that have corporate
networks. SCADA systems for the most
part coexist on the same corporate network [10]. The following list suggests ways to help
protect the SCADA network in conjunction with the corporate network:
•
SCADA
Firewalls-SCADA Systems and Industrial Automation Networks, like
corporate network operating systems, can be compromised using similar hacking
methods. Oftentimes, SCADA systems go down due to other internal software tools
or employees who gain access into the SCADA systems, often without any intention
to take down these systems. For these reasons, it is suggested that strong
firewall protection to wall off your SCADA networking systems from both the
internal corporate network and the Internet be implemented. This would provide
at least two layers of firewalls between the SCADA networking systems and the
Internet.
•
SCADA
Internal Network Design-SCADA networks should be segmented
off into their own IP segment using smart switches and proper sub-masking
techniques to protect the Industrial Automation environment from the other
network traffic, such as file and print commands. Facilities using Wireless
Ethernet and Wired Equivalent Protocol (WEP) should change the default name of
the Service Set Identifier6 (SSID).
This will at least require someone driving by with a
wireless card to know the name of the SSID, and have the appropriate encryption
key for the wireless network.
•
SCADA
Server Operating Systems-Simply installing a firewall or
segmenting SCADA IP addresses will not ensure their SCADA Infrastructure is
secure. An experienced hacker can often bypass firewalls with ease and can even
use Address Resolution Protocol (ARP) trap utilities to steal Media Access
Control (MAC) addresses. The hacker can
also deploy IP spoofing techniques to maneuver through switched networks.
Operating systems running the SCADA applications must also be maintained. SCADA
applications on Windows NT, 2000, or XP are properly patched against the latest
vulnerabilities, and that all of the default NULL NT accounts and administrator
accounts have been removed or renamed.
SCADA applications running in UNIX, LINUX, Novell, or any other
Operating System (OS), must also be maintained as above. All operating systems
have back doors and default access accounts that should be removed and cleaned
off of these SCADA Servers.
•
SCADA
Applications-You must also address security within the SCADA
application itself. Trojan horses and worms can be inserted to attack
application systems, and they can be used to manipulate data or issue commands
on the server. There have even been cases of Trojan horses being deployed that
completely emulate the application. The operator or user thinks that he is
clicking on a command to stop a pump or generate a graph of the plant, but he
is actually clicking on buttons disguised to look like the SCADA screen, and
these buttons start batch files that delete the entire hard drive, or send out
pre-derived packets on the SCADA system that turn all outputs to ON or “1”
state. Trojan horses and viruses can also be planted through an email opened by
another computer in the plan, and then it is silently copied over to adjacent
SCADA servers, where they wait until a specified time to run. Many times plant
control rooms will have corporate computers with the Internet and email active
on them within the same physical room, and network switches as SCADA computers.
Methodologies to mitigate against these types of situations are: the use of anti-virus software running on the
computer where the SCADA application resides; systems administrators disabling
installation of any unauthorized software unless the user has administrator
access; and Policies and Procedures applicable to SCADA systems, which are
addressed below.
•
SCADA
Policies and Procedures-SCADA policies and procedures
associated with remote vendor and supervisory access, password management, etc.
can significantly impact the vulnerabilities of the SCADA facilities within the
SCADA network. Properly developed Policies and Procedures that are enforced
will greatly improve the security posture of the SCADA system.
In summary, these multiple “rings of defense” must be
configured in a complementary and organized manner, and the planning process
should involve a cross-team with senior staff support from operations, facility
engineering, and Information Technology (IT). The SCADA Security team should
first analyze the current risks and threat at each of the rings of defense, and
then initiate a work plan and project to reduce the security risk, while
remembering to avoid any major impacts to operations.
No comments:
Post a Comment