Security and Vulnerability of SCADA Systems

6.0 Security and Vulnerability of SCADA Systems

SCADA systems have evolved in recent years and are now based on open standards and COTS products. Most SCADA software and hardware vendors have embraced Transmission Control Protocol/Internet Protocol (TCP/IP) and Ethernet communications, and many have encapsulated their proprietary protocols in TCP/IP packets. While all of this evolution towards more open-based standards has made it easier for the industry to integrate various diverse systems together, it has also increased the risks of less technical personnel gaining access and control of these industrial networks. On October 1, 2003 Robert F. Dacey, Director, Information Security Issues at the General Accounting Office (GAO) eluded to this and other issues in his testimony before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, House Committee on Government Reform.  He said:

“For several years, security risks have been reported in control systems, upon which many of the nation’s critical infrastructures rely to monitor and control sensitive processes and physical functions. In addition to general cyber threats, which have been steadily increasing, several factors have contributed to the escalation of risks specific to control systems, including the (1) adoption of standardized technologies with known vulnerabilities, (2) connectivity of control systems to other networks, (3) constraints on the use of existing security technologies and practices, (4) insecure remote connections, and (5) widespread availability of technical information about control systems”. [9]

There are many tools and techniques that could be used to address these threats, and flexibility of security configurations is a key design consideration.  There is no one magic solution for industry.  Each entity must determine what their goals are and arrive at a cost effective solution to these issues. 

6.1 Attacks against SCADA Systems 

In today’s corporate environment, internal networks are used for all corporate communications, including SCADA.  SCADA systems are therefore vulnerable to many of the same threats as any TCP/IP-based system. SCADA Administrators and Industrial Systems Analysts are often deceived into thinking that since their industrial networks are on separate systems from the corporate network, they are safe form outside attacks. PLCs and RTUs are usually polled by other 3rd party vendor-specific networks and protocols like RS-232, RS-485, MODBUS4, and DNP, and are usually done over phone lines, leased private frame relay circuits, satellite systems, licensed and spread spectrum radios, and other token-ring bus topology systems. This often gives the SCADA System Administrators a false sense of security since they assume that these end devices are protected by these non-corporate network connections.

Security in an industrial network can be compromised in many places along the system and is most easily compromised at the SCADA host or control room level. SCADA computers logging data out to some back-office database repositories must be on the same physical network as the back-end database systems, or have a path to access these database systems. This means that there is a path back to the SCADA systems and eventually the end devices through their corporate network.  Once the corporate network is compromised, then any IP-based device or computer system can be accessed. These connections are open 24x7 to allow full-time logging, which provides an opportunity to attack the SCADA host system with any of the following attacks:

·         Use a Denial of Service (DoS) attack to crash the SCADA server leading to shut down condition (System Downtime and Loss of Operations)

·         Delete system files on the SCADA server (System Downtime and Loss of Operations)

·         Plant a Trojan and take complete control of system (Gain complete control of system and be able to issue any commands available to Operators)

·         Log keystrokes from Operators and obtain usernames and passwords (Preparation for future take down)

·         Log any company-sensitive operational data for personal or competition usage (Loss of Corporate Competitive Advantage)

·         Change data points or deceive Operators into thinking control process is out of control and must be shut down (Downtime and Loss of Corporate Data)

·         Modify any logged data in remote database system (Loss of Corporate Data)

·         Use SCADA Server as a launching point to defame and compromise other system components within corporate network. (IP Spoofing) 

The impact of these and other SCADA Security Risks is summarized in Table 6.1

Description of Attack	Type of Attack	Attack Motive	Impact to  Victim	Impact Rating  (1 = largest immediate impact 5 = least immediate impact)	Items Needed       for Attack	Estimated Time to Implement Once System is Compromised
Denial of Service	System Shutdown	Wish to take down server and cause immediate shutdown situation	SCADA Server locks up and must be rebooted. When SCADA Server comes back on- line, it locks up again. Operations can no longer monitor or control process conditions, and the system will ultimately need to be shut down	2	Ability to flood the server with TCP/IP calls, the IP Address of SCADA Server, and the path to the server	5 min.
Delete System Files (Low- level format on all local drives	System Shutdown	Wish to take down server and cause immediate shutdown situation	Critical Server and SCADA files are lost and operations can no longer monitor process or control plant or facility	4	IP Address of SCADA Server, path to server, and permission to delete files permission can be escalated used other tools)	15 min
Take Control of SCADA System	Gain Control	Gain control of SCADA System to impact damage on industrial systems, possibly causing environmental impact, and damage corporate identity through public exposure	Highest impact, since attacker can then manually override safety systems, shut down the system, or takes control of the plant operational conditions.	1	IP Address of SCADA Server, path to server, and either Trojan or back door installed. (Can also use PCAnywhere, Terminal Services, SMS, or other system admin services.)	1 hr.
Log Keystrokes, Usernames, Passwords, System Set points, and any Operational Information	Information Mining	Gain Information for future attacks or satisfy curiosity	Lower immediate impact, but information gained can be used for future attacks.	4	IP Address of SCADA Server, path to server, and software or mechanism for logging the keystroke activities.	15 min.

Table 6.1: SCADA Attack Matrix [10]

Description of Attack	Type of Attack	Attack Motive	Impact to  Victim	Impact Rating  (1 = largest immediate impact 5 = least immediate impact)	Items Needed       for Attack	Estimated Time to Implement Once System is Compromised
Change Data Points or Change Setpoint(s) in SCADA System	Information Tampering	Desire to modify corporate data or process setpoints for malicious purposes	Higher impact since modified setpoint or control points can have adverse effects on controlled process, and potentially cause a shutdown condition	2	IP Address of SCADA Server, access to these servers, and some knowledge of SCADA software system inner workings	45 min.
Log any Operational or Corporate data for personal gain or sell to competition or hold as ransom	Information Mining	Try to steal corporate data and either sell to other companies or hold for ransom amount	Low environmental or immediate damage, but can damage corporate image if attacker builds attention to the fact that this system was compromised	4	IP Addresses of SCADA and database servers. (Would not even need IP addresses if protocol sniffer/logger used to sniff TCP/IP traffic.)	30 min.
Modify Data points on SCADA graphics to deceive Operators that system is out of control and must ESD (Emergency Shut Down)	System Shutdown	Cause danger to the facility or company by staging a false alarm shutdown of the plant or facility	Operations can no longer trust the SCADA System, and the attacker has deceived the Operator into thinking that there was an emergency condition in the plant	2	IP Addresses of SCADA servers, and access to them through the company network	45 min.

Table 6.1: SCADA Attack Matrix [10]

Description of Attack	Type of Attack	Attack Motive	Impact to  Victim	Impact Rating  (1 = largest immediate impact 5 = least immediate impact)	Items Needed       for Attack	Estimated Time to Implement Once System is Compromised
Capture, Modify, or Delete Data Logged in Operational Database SQL Server, PI Historian, Oracle, Sybase, etc.)	Information Tampering	Desire to modify corporate data or process setpoints for malicious purposes	Higher impact since modified setpoint or control points can have adverse effects on controlled process, and potentially cause a shutdown condition	3	IP Address of SCADA Server, path to database server, and knowledge of SCADA software structure	45 min.
Locate Maintenance Database and modify or delete information regarding calibration and reliability tests for industrial equipment	Information Tampering	Desire to steal, modify, or delete corporate data.	Less immediate danger, but corporate information data warehouse would be comprised	4	IP Addresses of database servers	30 min.

6.2 Developing a SCADA Security Strategy 

For a company to protect its infrastructure, it should undertake the development of a security strategy that includes specific steps to protect any SCADA system. Such a strategy may include the following approach. 

Developing an appropriate SCADA security strategy involves analysis of multiple layers of both the corporate network and SCADA architectures including firewalls, proxy servers, operating systems, application system layers, communications, and policy and procedures. Strategies for SCADA Security should complement the security measures implemented to keep the corporate network secure 

Figure 6.1 below illustrates the typical corporate network “ring of defenses” and its relationship with the SCADA network. Successful attacks can originate from either Internet paths through the corporate network to the SCADA network, or from internal attacks from within the corporate office. Alternatively, attacks can originate from within the SCADA network from either upstream (applications) or downstream (RTUs) paths. What is an appropriate configuration for one installation may not be cost effective for another. Flexibility and the employment of an integrated and coordinated set of layers are critical in the design of a security approach.

Figure 6.1: Relationship Between Corporate and SCADA Networks [10]

Most corporate networks employ a number of security countermeasures to protect their networks.  Some of these and a brief description of their functions are as follows: 

•        Border Router and Firewalls-Firewalls, properly configured and coordinated, can protect passwords, IP addresses, files and more. However, without a hardened operating system, hackers can directly penetrate private internal networks or create a Denial of Service condition.

·         Proxy Servers-A Proxy server is an internet server that acts as a firewall, mediating traffic between a protected network and the internet. They are critical to re-create TCP/IP packets before passing them on to, or from, application layer resources such as Hyper Text Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP). However, the employment of proxy servers will not eliminate the threat of application layer attacks.

•        Operating Systems-Operating systems can be compromised, even with proper patching, to allow network entry as soon as the network is activated. This is due to the fact that operating systems are the core of every computer system and their design and operating characteristics are well known world wide. As a result, operating systems are a prime target for hackers.  Further, in- place operating system upgrades are less efficient and secure than design-level migration to new and improved operating systems.

•        Applications-Application layer attacks; i.e., buffer overruns, worms, Trojan Horse programs and malicious Active-X5 code, can incapacitate anti-virus software and bypass the firewall as if it wasn’t even there.

•        Policies and Procedures-Policies and procedures constitute the foundation of security policy infrastructures. They include requiring users to select secure passwords that are not based on a dictionary word and contain at least one symbol, capital letter, and number, and should be over eight characters long. Users should not be allowed to use their spouse, child, or pet’s name as their password. The above list is common to all entities that have corporate networks.  SCADA systems for the most part coexist on the same corporate network [10].  The following list suggests ways to help protect the SCADA network in conjunction with the corporate network:

•        SCADA Firewalls-SCADA Systems and Industrial Automation Networks, like corporate network operating systems, can be compromised using similar hacking methods. Oftentimes, SCADA systems go down due to other internal software tools or employees who gain access into the SCADA systems, often without any intention to take down these systems. For these reasons, it is suggested that strong firewall protection to wall off your SCADA networking systems from both the internal corporate network and the Internet be implemented. This would provide at least two layers of firewalls between the SCADA networking systems and the Internet.

•        SCADA Internal Network Design-SCADA networks should be segmented off into their own IP segment using smart switches and proper sub-masking techniques to protect the Industrial Automation environment from the other network traffic, such as file and print commands. Facilities using Wireless Ethernet and Wired Equivalent Protocol (WEP) should change the default name of the Service Set Identifier6 (SSID).

This will at least require someone driving by with a wireless card to know the name of the SSID, and have the appropriate encryption key for the wireless network.

•        SCADA Server Operating Systems-Simply installing a firewall or segmenting SCADA IP addresses will not ensure their SCADA Infrastructure is secure. An experienced hacker can often bypass firewalls with ease and can even use Address Resolution Protocol (ARP) trap utilities to steal Media Access Control (MAC) addresses.  The hacker can also deploy IP spoofing techniques to maneuver through switched networks. Operating systems running the SCADA applications must also be maintained. SCADA applications on Windows NT, 2000, or XP are properly patched against the latest vulnerabilities, and that all of the default NULL NT accounts and administrator accounts have been removed or renamed.  SCADA applications running in UNIX, LINUX, Novell, or any other Operating System (OS), must also be maintained as above. All operating systems have back doors and default access accounts that should be removed and cleaned off of these SCADA Servers.

•        SCADA Applications-You must also address security within the SCADA application itself. Trojan horses and worms can be inserted to attack application systems, and they can be used to manipulate data or issue commands on the server. There have even been cases of Trojan horses being deployed that completely emulate the application. The operator or user thinks that he is clicking on a command to stop a pump or generate a graph of the plant, but he is actually clicking on buttons disguised to look like the SCADA screen, and these buttons start batch files that delete the entire hard drive, or send out pre-derived packets on the SCADA system that turn all outputs to ON or “1” state. Trojan horses and viruses can also be planted through an email opened by another computer in the plan, and then it is silently copied over to adjacent SCADA servers, where they wait until a specified time to run. Many times plant control rooms will have corporate computers with the Internet and email active on them within the same physical room, and network switches as SCADA computers. Methodologies to mitigate against these types of situations are:  the use of anti-virus software running on the computer where the SCADA application resides; systems administrators disabling installation of any unauthorized software unless the user has administrator access; and Policies and Procedures applicable to SCADA systems, which are addressed below.

•        SCADA Policies and Procedures-SCADA policies and procedures associated with remote vendor and supervisory access, password management, etc. can significantly impact the vulnerabilities of the SCADA facilities within the SCADA network. Properly developed Policies and Procedures that are enforced will greatly improve the security posture of the SCADA system. 

In summary, these multiple “rings of defense” must be configured in a complementary and organized manner, and the planning process should involve a cross-team with senior staff support from operations, facility engineering, and Information Technology (IT). The SCADA Security team should first analyze the current risks and threat at each of the rings of defense, and then initiate a work plan and project to reduce the security risk, while remembering to avoid any major impacts to operations.