2. 1 www.lucideus.com
1. Introduction
It is impossible to keep control and supervision of all industrial activities manually. Some
automated tool is required which can control, supervise, collect data, analyse data and generate
reports. A unique solution introduced to meet all these demands is the SCADA system.
SCADA stands for supervisory control and data acquisition. It is an industrial control system
in which a computer system monitors and controls a process.
The term SCADA usually refers to centralized systems which monitor and control
entire sites, or complexes of systems spread out over large areas (anything from an
industrial plant to a nation). Most control actions are performed automatically by
RTUs or by PLCs. Host control functions are usually restricted to basic overriding or
supervisory level intervention. For example, a PLC may control the flow of cooling
water through part of an industrial process, but the SCADA system may allow
operators to change the set points for the flow, and enable alarm conditions, such as
loss of flow and high temperature, to be displayed and recorded. The feedback
control loop passes through the RTU or PLC, while the SCADA system monitors
the overall performance of the loop.
SCADA's schematic overview
Data acquisition begins at the RTU or PLC level and includes meter readings and
equipment status reports that are communicated to SCADA as required. Data is then
compiled and formatted in such a way that a control room operator using the HMI
can make supervisory decisions to adjust or override normal RTU (PLC) controls.
Data may also be fed to a Historian, often built on a commodity Database
Management System, to allow trending and other analytical auditing.
SCADA systems typically implement a distributed database, commonly referred to
as a tag database, which contains data elements called tags or points. A point
represents a single input or output value monitored or controlled by the system.
Points can be either "hard" or "soft". A hard point represents an actual input or
output within the system, while a soft point results from logic and math operations
applied to other points. (Most implementations conceptually remove the distinction
by making every property a "soft" point expression, which may, in the simplest
case, equal a single hard point.) Points are normally stored as value-timestamp
pairs: a value, and the timestamp when it was recorded or calculated. A series of
value-timestamp pairs gives the history of that point. It is also common to store
additional metadata with tags, such as the path to a field device or PLC register,
design time comments, and alarm information.
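As an added example (not code from the original paper), the tag model described above in a few dozen lines of Python: hard points are written from a field address, soft points are expressions over other points, and every sample is stored as a value-timestamp pair so that the series of pairs is the point's history. The tank tags, register paths and readings are constructed for illustration.

```python
"""Added example, not code from the original paper: a minimal tag database
with hard points (field addresses), soft points (expressions over other
points) and value-timestamp history. Tag names, register addresses and
readings below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Sample = Tuple[float, float]  # (value, timestamp) pair, as a historian stores it


@dataclass
class Point:
    name: str
    address: Optional[str] = None                       # set for a hard point
    expr: Optional[Callable[["TagDB"], float]] = None   # set for a soft point
    history: List[Sample] = field(default_factory=list)
    metadata: Dict[str, str] = field(default_factory=dict)

    @property
    def is_hard(self) -> bool:
        return self.address is not None


class TagDB:
    """Hard points are written from the field; soft points are derived from
    other points when read. Both keep a series of value-timestamp pairs."""

    def __init__(self) -> None:
        self._points: Dict[str, Point] = {}

    def add_hard(self, name: str, address: str, **metadata: str) -> None:
        self._points[name] = Point(name, address=address, metadata=metadata)

    def add_soft(self, name: str, expr: Callable[["TagDB"], float],
                 **metadata: str) -> None:
        self._points[name] = Point(name, expr=expr, metadata=metadata)

    def write(self, name: str, value: float, ts: float) -> None:
        """Record a reading delivered by an RTU/PLC; hard points only."""
        point = self._points[name]
        if not point.is_hard:
            raise ValueError(f"{name} is a soft point; it is computed, not written")
        point.history.append((float(value), ts))

    def read(self, name: str, ts: Optional[float] = None) -> float:
        """Current value of a point. A soft point is evaluated from its
        expression; passing ts records the computed value in its history."""
        point = self._points[name]
        if point.is_hard:
            if not point.history:
                raise LookupError(f"{name} has no samples yet")
            return point.history[-1][0]
        value = float(point.expr(self))
        if ts is not None:
            point.history.append((value, ts))
        return value

    def history(self, name: str) -> List[Sample]:
        return list(self._points[name].history)

    def metadata(self, name: str) -> Dict[str, str]:
        return dict(self._points[name].metadata)


def build_demo_db() -> TagDB:
    """Constructed tank example: two hard flow points and two soft points."""
    db = TagDB()
    db.add_hard("tank1.inflow", "PLC1:HR40001", units="m3/h",
                comment="constructed register path")
    db.add_hard("tank1.outflow", "PLC1:HR40002", units="m3/h")
    db.add_soft("tank1.net_flow",
                lambda d: d.read("tank1.inflow") - d.read("tank1.outflow"),
                units="m3/h")
    db.add_soft("tank1.net_flow_high",
                lambda d: 1.0 if d.read("tank1.net_flow") > 5.0 else 0.0,
                alarm="HIGH: net inflow above 5 m3/h")
    return db


if __name__ == "__main__":
    db = build_demo_db()
    db.write("tank1.inflow", 12.5, ts=1.0)
    db.write("tank1.outflow", 4.0, ts=1.0)
    print("net flow:", db.read("tank1.net_flow", ts=1.0))          # 8.5
    print("alarm:", db.metadata("tank1.net_flow_high")["alarm"],
          db.read("tank1.net_flow_high", ts=1.0))                   # 1.0
```

Refusing writes to soft points is the one rule worth keeping from this sketch: a supervisory client that could overwrite a derived point would silently decouple it from the hard points it is supposed to reflect.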
Common system components
A SCADA system usually consists of the following subsystems:
Remote terminal units (RTUs) connect to sensors in the process and convert sensor signals
to digital data. They have telemetry hardware capable of sending digital data to the
supervisory system, as well as receiving digital commands from the supervisory system. RTUs
often have embedded control capabilities such as ladder logic in order to accomplish boolean
logic operations.
Programmable logic controllers (PLCs) connect to sensors in the process and convert
sensor signals to digital data. PLCs have more sophisticated embedded control capabilities
(typically one or more IEC 61131-3 programming languages) than RTUs. PLCs do not have
telemetry hardware, although this functionality is typically installed alongside them. PLCs are
sometimes used in place of RTUs as field devices because they are more economical,
versatile, flexible, and configurable.
A telemetry system is typically used to connect PLCs and RTUs with control centers, data
warehouses, and the enterprise. Examples of wired telemetry media used in SCADA systems
include leased telephone lines and WAN circuits. Examples of wireless telemetry media used
in SCADA systems include satellite (VSAT), licensed and unlicensed radio, cellular and
microwave.
A data acquisition server is a software service which uses industrial protocols to connect
software services, via telemetry, with field devices such as RTUs and PLCs. It allows clients to
access data from these field devices using standard protocols.
A Human–Machine Interface or HMI is the apparatus or device which presents processed
data to a human operator, and through this, the human operator monitors and interacts with
the process. The HMI is a client that requests data from a data acquisition server; in most
installations the HMI is also the graphical user interface for the operator, which collects all data
from external devices, creates reports, performs alarming, sends notifications, etc.
A historian is a software service which accumulates time-stamped data, boolean events, and
boolean alarms in a database which can be queried or used to populate graphic trends in the
HMI. The historian is a client that requests data from a data acquisition server.[5]
A supervisory (computer) system gathers (acquires) data on the process and sends
commands (control) to the SCADA system.
1. Human machine interface (HMI)
A human–machine interface (HMI) is the input-output device through which the
human operator controls the process, and which presents process data to a human operator.
The HMI (human machine interface) is usually linked to the SCADA system's databases and
software programs, to provide trending, diagnostic data, and management information such
as scheduled maintenance procedures, logistic information, detailed schematics for a
particular sensor or machine, and expert-system troubleshooting guides.
Figure: SCADA components (Human Machine Interface (HMI), Remote Terminal Units (RTU), Programmable Logic Controller (PLC), supervisory (computer) system, communication infrastructure)
The HMI system usually presents the information to the operating personnel graphically, in the
form of a mimic diagram. This means that the operator can see a schematic representation of
the plant being controlled. For example, a picture of a pump connected to a pipe can show the
operator that the pump is running and how much fluid it is pumping through the pipe at the
moment. The operator can then switch the pump off. The HMI software will show the flow
rate of the fluid in the pipe decrease in real time. Mimic diagrams may consist of line graphics
and schematic symbols to represent process elements, or may consist of digital photographs
of the process equipment overlain with animated symbols.
The HMI package for the SCADA system typically includes a drawing program that the
operators or system maintenance personnel use to change the way these points are
represented in the interface. These representations can be as simple as an on-screen traffic
light, which represents the state of an actual traffic light in the field, or as complex as a multi-
projector display representing the position of all of the elevators in a skyscraper or all of the
trains on a railway.
2. Remote terminal units (RTU)
A remote terminal unit (RTU) is a microprocessor-controlled electronic device that
interfaces objects in the physical world to a distributed control system or SCADA
(supervisory control and data acquisition) system by transmitting telemetry data to a
master system, and by using messages from the master supervisory system to
control connected objects. Another term that may be used for RTU is remote
telecontrol unit.
An RTU monitors the field digital and analog parameters and transmits data to the
Central Monitoring Station. It contains setup software to connect data input streams
to data output streams, define communication protocols, and troubleshoot
installation problems.
An RTU may consist of one complex circuit card consisting of various sections
needed to do a custom fitted function or may consist of many circuit cards including
CPU or processing with communications interface(s), and one or more of the
following: (AI) analog input, (DI) digital input, (DO/CO) digital or control (relay)
output, or (AO) analog output card(s).
3. Programmable logic controller (PLC)
A programmable logic controller (PLC) or programmable controller is a digital computer used
for automation of industrial processes, such as control of machinery on factory assembly lines.
Unlike general-purpose computers, the PLC is designed for multiple input and output
arrangements, extended temperature ranges, immunity to electrical noise, and resistance to
vibration and impact. Programs to control machine operation are typically stored in battery-
backed or non-volatile memory. A PLC is an example of a real-time system since output results
must be produced in response to input conditions within a bounded time, otherwise unintended
operation will result.
Hence, a programmable logic controller is a specialized computer used to control machines and
processes. It therefore shares common terms with typical PCs like central processing unit,
memory, software and communications. Unlike a personal computer, though, the PLC is
designed to survive in a rugged industrial atmosphere and to be very flexible in how it
interfaces with inputs and outputs to the real world.
4. Supervisory station
The term supervisory station refers to the servers and software responsible for communicating
with the field equipment (RTUs, PLCs, sensors etc.), and then to the HMI software running on
workstations in the control room, or elsewhere. In smaller SCADA systems, the master station
may be composed of a single PC. In larger SCADA systems, the master station may include
multiple servers, distributed software applications, and disaster recovery sites. To increase the
integrity of the system the multiple servers will often be configured in a dual-redundant or
hot-standby formation providing continuous control and monitoring in the event of a server
malfunction or breakdown.
5. Communication infrastructure and methods
SCADA systems have traditionally used combinations of radio and direct wired connections,
although SONET/SDH is also frequently used for large systems such as railways and power
stations. The remote management or monitoring function of a SCADA system is often referred
to as telemetry. Some users want SCADA data to travel over their pre-established corporate
networks or to share the network with other applications. The legacy of the early low-
bandwidth protocols remains, though.
SCADA protocols are designed to be very compact. Many are designed to send information
only when the master station polls the RTU. Typical legacy SCADA protocols include Modbus
RTU, RP-570, Profibus and Conitel. These communication protocols are all SCADA-vendor
specific but are widely adopted and used. Standard protocols are IEC 60870-5-101 or 104, IEC
61850 and DNP3. These communication protocols are standardized and recognized by all
major SCADA vendors. Many of these protocols now contain extensions to operate over
TCP/IP. Although the use of conventional networking specifications, such as TCP/IP, blurs the
line between traditional and industrial networking, they each fulfill fundamentally differing
requirements.
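As an added example that is not part of the original paper, the compact poll frames described above can be seen in Modbus RTU framing: a one-byte unit address, a function code, a short payload and a 16-bit CRC, with no field for authentication. The code below builds and validates such frames; the request used in the demo is constructed.

```python
"""Added example, not code from the original paper: building and checking
Modbus RTU frames, the compact master-polls-slave exchange described
above. The request frame used for the demo is constructed."""
from typing import NamedTuple, Optional


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


class Frame(NamedTuple):
    unit_id: int    # slave/RTU address
    function: int   # Modbus function code, e.g. 0x03 = read holding registers
    payload: bytes  # function-specific data


def build_frame(unit_id: int, function: int, payload: bytes) -> bytes:
    """Serialize address + function + data and append the CRC, low byte first."""
    body = bytes([unit_id, function]) + payload
    crc = crc16_modbus(body)
    return body + bytes([crc & 0xFF, crc >> 8])


def parse_frame(raw: bytes) -> Optional[Frame]:
    """Decode a frame, returning None when it is too short or the CRC fails.
    The CRC only catches transmission errors: Modbus RTU carries no
    authentication, so a valid CRC says nothing about who sent the frame."""
    if len(raw) < 4:
        return None
    body, trailer = raw[:-2], raw[-2:]
    received = trailer[0] | (trailer[1] << 8)
    if received != crc16_modbus(body):
        return None
    return Frame(body[0], body[1], bytes(body[2:]))


def read_holding_registers_request(unit_id: int, start: int, count: int) -> bytes:
    """Function 0x03 poll: 16-bit big-endian start address and register count."""
    return build_frame(unit_id, 0x03,
                       start.to_bytes(2, "big") + count.to_bytes(2, "big"))


if __name__ == "__main__":
    poll = read_holding_registers_request(unit_id=1, start=0, count=2)
    print(poll.hex())                         # 010300000002c40b
    print(parse_frame(poll))
    damaged = bytearray(poll)
    damaged[4] ^= 0x01                        # simulate line noise
    print(parse_frame(bytes(damaged)))        # None
```

The CRC is an integrity check against line noise, not a security control: anything that can reach the serial link or a TCP gateway in front of it can emit a frame with a correct CRC. That is the practical meaning of the sentence above about industrial and conventional networking having different requirements, and why access to the link has to be restricted rather than trusted.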
The importance of security requirements in the design of SCADA systems
Excerpt from the article published on the last edition of PenTest AUDITING & STANDARDS 06 2012
The article exposes the main issues related to the use of SCADA systems in critical
infrastructures, providing a careful analysis of the relative level of security on a global scale. It
discusses the main vulnerabilities of critical systems exploitable by cyber attacks and possible
solutions to implement to ensure their safety.
Over the last years, countries worldwide have discovered that their critical infrastructures are too
vulnerable to cyber attacks, due to the increasing attention to cyber security matters and to
successful attacks on SCADA systems. Events such as the spread of the Stuxnet virus have alerted
the international security community to the risks related to cyber attacks and their potentially
disastrous consequences; we have learned how powerful a cyber weapon is and what the
real involvement of governments in cyber warfare is.
SCADA (supervisory control and data acquisition) is an industrial control system (ICS) used for
the control and monitoring of industrial processes. It is typically present in all those potential
targets of a cyber attack such as critical infrastructures or utility facilities.
Being related to industrial processes, we find this family of devices everywhere: manufacturing,
production, power generation; and many times they are implemented to control the activities of
critical systems such as water treatment, electrical power transmission and distribution,
and large communication systems.
These components are privileged targets for cyber attacks: with a virus it is possible to destroy
the processes inside a nuclear plant, as happened at the Natanz nuclear site during the offensive
against Iran and its nuclear program. Western countries have been the first to explore the
possibility of a cyber offensive using a cyber weapon such as malware; the operation Olympic
Games demonstrates the high attention of the US government to cyber operations and the strong
commitment provided first by the Bush administration and afterwards by the Obama one.
The scenario is really alarming: an attack on the SCADA system of a sensitive structure could
materialize the nightmare of every government, since similar incidents can undermine the safety of
millions of individuals and can compromise homeland security. Dozens, hundreds,
thousands of installations all over the world are potentially vulnerable to attack from
anywhere on the planet; the offensive option is moved into what is defined as the fourth
dimension, cyberspace, but that could also lead to the loss of many human lives.
Our minds need not necessarily fly to a nuclear plant when thinking of a possible accident in its
control systems; we can think, for example, of the impact of an attack on the processes in a
chemical plant. The main problem of SCADA systems is that they are in large number, each
industrial process has its own, and many of them are exposed on the internet without proper
protection.
In such a structure it is possible to imagine several entry points for external
agents such as malware: the supervisory system is usually a computer based on a
commercial OS for which it is possible to exploit known vulnerabilities and, in the case of
state-sponsored attacks, also 0-day vulnerabilities. Incidents that occurred in SCADA
systems have demonstrated that these systems can be infected in different
ways; we can imagine the inoculation of a virus through a USB stick or via a
network interface.
After the recent events many security firms have started the design of specific
solutions to address the security problems of SCADA systems, but the major challenge
is for governments, which have to include the protection of these critical components
in their cyber strategies. Several audits executed by governments on their critical
infrastructures have illustrated a dangerous scenario, the lack of security
mechanisms for the many systems located all over the world; but it is really
alarming that a precise census of SCADA systems is absent for many of the
principal industrialized countries.
Events such as the diffusion of the Stuxnet virus and the alleged incident at the water
facility in Illinois last year have shown the world that it is possible to
conduct a terrorist attack on a foreign state remotely; this has increased the
awareness of cyber threats and the necessity to implement the right countermeasures to
mitigate the risks.
Defense mechanisms are virtually absent: the SCADA system components are often
under the governance of local authorities who do not have adequately trained
personnel and who operate with limited budgets. This means that this kind of
control device is installed everywhere without being qualified in the installation
phase. There are many systems deployed with factory settings, pre-set standard
configurations common to entire classes of devices. To this we add that even
those who maintain them do not go beyond the default security, thus making the systems
accessible for remote diagnostics without the necessary attention.
Fortunately, something has changed: precise guidelines identify best practices to
follow in the management of SCADA systems, and operations groups monitor the
operation of facilities around the country.
The last “INTERNET SECURITY THREAT REPORT” published by Symantec
reports that during 2011 several weaknesses were detected in Critical
Infrastructure Systems; the security firm has seen a dramatic increase in the
number of publicly-reported SCADA vulnerabilities, from 15 in 2010 to 129 in
2011. Since the emergence of the Stuxnet worm in 2010, SCADA systems have
attracted wider attention from security researchers. However, 93 of the 129 newly
published vulnerabilities were the product of just one security researcher.
In December the Industrial Control System – Cyber Emergency Response Team
(ICS-CERT) distributed a new alert to provide timely notification to critical
infrastructure owners and operators concerning threats or activity with a potential
impact on critical infrastructure computing networks.
ICS-CERT informed that some models of the Modicon Quantum PLC used in
industrial control systems contain multiple hidden accounts that use predetermined
passwords to grant remote access. Palatine, Illinois–based Schneider Electric, the
maker of the device, has produced fixes for some of the weaknesses and continues
to develop additional mitigations. ICS-CERT encourages researchers to coordinate
vulnerability details before public release.
In a SCADA system the programmable logic controllers (PLCs) are directly
connected to in-field sensors that provide data to control critical components (e.g.
centrifuges or turbines). Often the default passwords are hard-coded into the Ethernet
cards the systems use to funnel commands into the devices, allowing administrators
to remotely log into the machinery.
The independent security researcher Rubén Santamarta reported that the NOE 100
and NOE 771 modules contain at least 14 hard-coded passwords, some of which are
published in support manuals. Even in cases where the passcodes are obscured
using cryptographic hashes, they are trivial to recover thanks to documented
weaknesses in the underlying VxWorks operating system. As a result, an attacker
can exploit the weakness to log into devices and gain privileged access to their
controls.
Hard-coded passwords are a common weakness built into many industrial control
systems, including some S7 series of PLCs from Siemens. Because the systems
control the machinery connected to dams, gasoline refineries, and water treatment
plants, unauthorized access is considered a national security threat because it
could be used to sabotage their operation.
Doing a search on the server search engine known as Shodan, it’s possible to
discover what appear to be working links to several of the vulnerable Schneider
models. Santamarta said there is no fix for the devices other than to retire the faulty
Ethernet cards and replace them with better-designed ones. The ICS-CERT
advisory issued in December said the fixes from Schneider remove the telnet and
Windriver services. The advisory made no mention of changes to FTP services.
The scenario is very worrying and reveals the need for a radical change; fortunately,
the emergency has been perceived by most nations. ENISA (the European
Network Information Security Agency) has produced a recommendation for Europe
and Member States on how to protect Industrial Control Systems. The document
describes the current scenario of Industrial Control System security and proposes
seven recommendations to improve it. The recommendations call for the creation of
national and pan-European ICS security strategies, the development of a Good
Practices Guide on ICS security, fostering awareness and education as well as
research activities, or the establishment of a common test bed and ICS computer
emergency response capabilities.
In June, the Pacific Northwest National Laboratory (PNNL), a federal contractor to
the U.S. Department of Energy (DOE), in collaboration with McAfee, published
an interesting report entitled “Technology Security Assessment for Capabilities and
Applicability in Energy Sector Industrial Control Systems: McAfee Application
Control, Change Control, Integrity Control.”
The Case
Immediately after the Stuxnet virus, governments and intelligence agencies all over the world requested
assessments of the security of their countries’ critical infrastructure. Much of the focus was on evaluating
the efficiency offered by the defensive measures adopted to protect SCADA systems and ICSs from cyber attacks.
After Stuxnet, debate on the use of software and malicious applications in information warfare has increased.
Governments are investing to improve cyber capabilities, working on both the defensive and the offensive side.
Despite greater awareness of cyber threats, the critical infrastructures of countries are still too vulnerable. Many
security experts are convinced that an imminent incident caused by a cyber attack is likely.
Just a few days ago, Eugene Kaspersky, CEO of Kaspersky Security, revealed that a staffer at an unnamed
Russian nuclear plant informed him of an infection.
“The staffer said their nuclear plant network which was disconnected from the internet … was badly infected by
Stuxnet. So unfortunately these people who were responsible for offensive technologies, they recognize cyber
weapons as an opportunity.”
Stuxnet had infected the internal network of a Russian nuclear plant, exactly in the same way it compromised
the control system in the Iranian nuclear facilities at Natanz. That is happening despite cyber threats being well
known and various security solutions being able to neutralize it.
Stuxnet infected the network within a Russian nuclear plant isolated from the Internet. Attackers probably used
USB or mobile devices to spread the malware. Russian intelligence agencies have already observed this
infection mode in the past as a way to cross a physically separated ‘air-gapped’ network. For example, Russian
astronauts had carried a virus on removable media to the International Space Station, infecting machines there,
according to Kaspersky.
“NASA has confirmed that laptops carried to the ISS in July were infected with a virus known as
Gammima.AG. The worm was first detected on Earth in August 2007 and lurks on infected machines waiting to
steal login names for popular online games. Nasa said it was not the first time computer viruses had travelled
into space and it was investigating how the machines were infected. ”
I mentioned the Stuxnet malware because it’s considered a case study. The malicious agent is so notorious, and yet it’s
still able to compromise networks and control systems within critical infrastructure. Let’s try to figure out the
effect of unknown cyber threats, developed by governments as cyber weapons, for example. In this article, I’ll
analyze the major security issues related to SCADA systems, and the best practices to follow to protect them.
Figure: Russian Nuclear Plant
According to the last “SANS SCADA and Process Control Security Survey” conducted by the
SANS Institute, the awareness of cyber threats and the perception of the risks related to cyber
attacks are high. Nearly 70% of respondents believe the threat to be high (53%) to severe
(16%). Recent reports from Computer Emergency Response Teams (CERT), government
offices, and private companies confirm an escalating risk of cybersecurity events, specifically
for the energy sector.
The survey indicates that the top threats for control systems are advanced zero-day malware
such as Stuxnet, cyber operations conducted by groups of hacktivists, and hacking campaigns of
cyber terrorists and state-sponsored hackers.
Recently, US-CERT alerted to the continuous spear-phishing campaign that targeted the energy
sector to gain remote access to control systems. SCADA system protection must be approached
at different levels, defending control systems and educating operational and maintenance
personnel.
“Training should include specific operational topics on spear-phishing, zero-day activities and
managing internal threats.”
A Look Back at past SCADA hacking in 2015
It should come as no surprise that Supervisory Control and Data Acquisition
(SCADA) and Industrial Control Systems (ICS) that control key functions in critical
infrastructure are especially at risk of cyber attack. If saboteurs manage to
compromise critical infrastructure services, a country’s economy and military
defenses can be severely hampered. In addition, since organizations that operate
critical infrastructure often own valuable intellectual property, this information can
be a target for foreign state actors trying to steal intellectual property to advance
their economies or to win competitive bids.
In the past year we have seen some disturbing news that highlights the growing
risk of SCADA attacks:
December 2014 - SCADA attack causes physical damage: In late 2014, an unnamed
German steel mill suffered extensive damage from a cyber attack. The attackers were
able to disrupt the control system and prevent a blast furnace from being shut
down, resulting in ‘massive’ damage.
In late December, the annual German Federal Office for Information Security report
revealed a disturbing cyberattack on a steel mill that resulted in “massive damage” to the
foundry. This case is just one of the latest examples of Hollywood fears coming true
through the Internet of Things (IoT). Through the judicious use of online translation
engines, we have learned several key things about the attack, although specific details
about the company and the full extent of the damage are still unknown.
According to the report, the attacker used sophisticated social engineering and spear-phishing
tactics to gain initial access to the steel mill’s office network. Individual industrial control
components were compromised, which prevented the blast furnace from being shut down. The
technical capabilities of the attacker were very advanced, demonstrating a familiarity not only
with conventional IT security, but also with the specific applied industrial control and
production processes.
Although not explicitly stated, we can infer the attacker was likely an insider — or worked with
an insider — or was familiar with industry-standard protocols used in the operation of the mill.
Because of the jump from office network to industrial control system, we can also assume the
mill’s office network had to be connected to the industrial control system. The more familiar the
attacker was with this specific company’s systems, the easier that link would have been to find
and exploit.
SCADA Attacks Double in 2014
Dell Security’s annual threat report shows not only a significant surge in the number of attacks
on retail credit card systems, but industrial SCADA systems as well, which are much more
likely to go unreported.
For Dell to report an annual surge in point-of-sale (POS) attacks aimed at payment card infrastructures might not be
such a surprise to people who pay any attention to the news. We know that the retail industry was hit hard by
cybersecurity attacks in 2014—Target wasn’t the only target, so to speak, though it got the year started, and was the
largest breach in the history of U.S. retail until Home Depot was hit even harder later in the year. There were also
significant attacks on Michaels, Staples, Goodwill and more.
But don’t be thinking that the attacks are just focused there. What Dell also found in its annual threat report was that
the number of attacks on SCADA systems doubled from 2013 to 2014. Obviously, that has significant bearing on
process industries, which use SCADA systems to control remote equipment and collect data on that equipment’s
performance.
As industrial manufacturers face threats, other companies within the same space might not even know a SCADA
threat exists until they are targeted themselves. “Since companies are only required to report data breaches that
involve personal or payment information, SCADA attacks often go unreported,” said Patrick Sweeney, executive
director for Dell Security. “This lack of information sharing combined with an aging industrial machinery infrastructure
presents huge security challenges that will continue to grow in the coming months and years.”
Unlike the retail breaches, which are likely geared toward financial gain, attacks against SCADA systems tend to be
political in nature, targeting operational capabilities within power plants, factories and refineries.
Dell’s annual threat report relies on research from its Global Response Intelligence Defense (GRID) network and
telemetry data from Dell SonicWall network traffic to identify emerging threats. For SCADA systems, buffer overflow
vulnerabilities continue to be the primary point of attack, according to the Dell SonicWall Research Team, accounting
for a quarter of the attacks.
The majority of the SCADA attacks targeted Finland, the UK and the U.S. One likely reason for that, however, is that
SCADA systems are more common in these regions and more likely to be connected to the Internet. In 2014, Dell saw
202,322 SCADA attacks in Finland; 69,656 in the UK; and 51,258 in the U.S.
Along with the doubling of SCADA attacks from 2013 to 2014, a look at January numbers alone shows a staggering
rise, year over year. Worldwide SCADA attacks increased from 91,676 in January 2012 to 163,228 in January 2013, and
675,186 in January 2014.
“Everyone knows the threats are real and the consequences are dire, so we can no longer blame lack of awareness for
the attacks that succeed,” Sweeney said. “Hacks and attacks continue to occur, not because companies aren’t taking
security measures, but because they aren’t taking the right ones.”
Dell recommends a few general ways to protect against SCADA attacks. For one, make sure all software and systems
are up to date. “Too often with industrial companies, systems that are not used every day remain installed and
untouched as long as they are not actively causing problems,” Dell’s report explains. “However, should an employee
one day connect that system to the Internet, it could become a threat vector for SCADA attacks.”
Make sure your network only allows connections with approved IPs; and follow operational best practices for limiting
exposure, such as restricting or disabling USB ports and Bluetooth.
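As an added example, not part of Dell's report, the "only allow connections with approved IPs" recommendation can be turned into a check that runs over connection records: the script below reads constructed firewall-style log lines, keeps only connections to the ICS ports named in an allowlist, and reports every source that is not approved, separating internal sources that simply lack an entry from sources outside the internal address ranges altogether. The log format, addresses, ports and allowlist are all constructed.

```python
"""Added example, not code from the original report: checking connection
records against an approved-source list for ICS services. The log format,
addresses, ports and allowlist are all constructed."""
import ipaddress
import re
from typing import List, NamedTuple

LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Constructed policy: which sources may reach which ICS service.
ALLOWLIST = {
    502: ["10.0.1.0/24"],                      # Modbus/TCP: control segment only
    20000: ["10.0.1.10/32", "10.0.1.11/32"],   # DNP3: the two master stations only
}
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed connection records, e.g. exported from a firewall or flow collector.
SAMPLE_LOG = [
    "2014-01-15T10:22:01Z src=10.0.1.10 dst=10.0.5.20 dport=502",
    "2014-01-15T10:22:05Z src=10.0.7.33 dst=10.0.5.20 dport=502",
    "2014-01-15T10:23:11Z src=203.0.113.5 dst=10.0.5.21 dport=502",
    "2014-01-15T10:24:00Z src=10.0.1.11 dst=10.0.5.22 dport=20000",
    "2014-01-15T10:25:00Z src=10.0.1.12 dst=10.0.5.22 dport=20000",
    "2014-01-15T10:26:00Z src=10.0.7.33 dst=10.0.5.30 dport=443",
]


class Finding(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def is_approved(src: str, dport: int) -> bool:
    """True when src falls inside one of the networks approved for dport."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n) for n in ALLOWLIST.get(dport, []))


def audit(lines: List[str]) -> List[Finding]:
    """Flag every connection to an ICS port whose source is not approved."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue                     # unparseable record, skip it
        dport = int(m["dport"])
        if dport not in ALLOWLIST:
            continue                     # not an ICS service this policy covers
        if is_approved(m["src"], dport):
            continue
        addr = ipaddress.ip_address(m["src"])
        if not any(addr in net for net in INTERNAL):
            reason = "source outside internal address ranges"
        else:
            reason = "source not in allowlist for this service"
        findings.append(Finding(m["ts"], m["src"], m["dst"], dport, reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

The two reasons matter for triage: an internal source missing from the list is usually an office or contractor host that should never have had a route to the control segment, while a source outside the internal ranges means the ICS port is reachable from beyond the perimeter and the firewall rule itself needs attention, not just the allowlist.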
Dell also urges manufacturers to report and share information about SCADA attacks to help ensure the industrial
community as a whole is appropriately aware of emerging threats.
Mobile security
As mobility continues to take hold in the manufacturing space and the bring-your-own-device (BYOD) trend grows, it’s
worth noting another section of Dell’s threat report focused on sophisticated, new malware techniques targeting
smartphones. “Smartphone attacks have been a security concern since mobile devices began to reach widespread
adoption, but it wasn’t until 2014 that smartphone malware began to look and act like its desktop predecessors,”
Dell’s report notes.
Both Android and iOS malware took hold in 2014, and Dell expects malware to emerge this year targeting wearables,
televisions and other ancillary devices. “The pairing of these devices to laptops and smartphones will give hackers an
easy attack vector, and these devices will become much more enticing as the market grows in the coming months,”
the report details.
Common factors
Though Dell’s report details several key findings in a variety of industries and attack points, there were some key
common denominators. For example, several of the breaches throughout the year involved companies that
overlooked one or more basic threat vectors: outdated, unpatched software; under-restricted contractor access to
networks; under-secured network access for mobile or distributed users; and under-regulated Internet access for all
employees.
“Some of these threat vectors have posed security challenges for years, while others are emerging as a result of
today’s highly mobile, consumer-tech-empowered workforce,” the report says. “As always, cyber criminals remain
adept at finding new ways to exploit common blind spots and even use companies’ best security intentions against
them.”
The most effective approach manufacturers can take is a defense-in-depth program, Dell concluded, establishing
multiple layers of security and threat intelligence for preventing and responding to attacks on the network.
Security issues
SCADA systems that tie together decentralized facilities such as power, oil, gas pipelines, water distribution and
wastewater collection systems were designed to be open, robust, and easily operated and repaired, but not
necessarily secure. The move from proprietary technologies to more standardized and open solutions, together with
the increased number of connections between SCADA systems, office networks and the Internet, has made them more
vulnerable to types of network attacks that are relatively common in computer security. For example, the United States
Computer Emergency Readiness Team (US-CERT) released a vulnerability advisory describing how unauthenticated users
could download sensitive configuration information, including password hashes, from an Inductive Automation Ignition
system using a standard attack type leveraging access to the Tomcat embedded web server. Security researcher
Jerry Brown submitted a similar advisory regarding a buffer overflow vulnerability in a Wonderware InBatch client
ActiveX control. Both vendors made updates available prior to public vulnerability release. Mitigation
recommendations were standard patching practices and requiring VPN access for secure connectivity. Consequently,
the security of some SCADA-based systems has come into question as they are seen as potentially vulnerable to cyber
attacks.
In particular, security researchersare concernedabout:
The lack of concern about security and authentication in the design, deployment and operation of some existing
SCADA networks
The belief that SCADA systems have the benefit of security through obscurity through the use of specialized protocols
and proprietary interfaces
The belief that SCADA networks are secure because they are physically secured
The belief that SCADA networks are secure because they are disconnected from the Internet.
SCADA systemsare used to control and monitor physical processes,examplesof which are transmission of electricity,
transportation of gas and oil in pipelines, water distribution, traffic lights, and other systems used as the basis of
modern society. The security of these SCADA systems is important because compromise or destruction of these
systems would impact multiple areas of society far removed from the original compromise. For example, a blackout
caused by a compromised electrical SCADA system would cause financial losses to all the customers that received
electricity from that source. How security will affect legacy SCADA and new deployments remains to be seen.
There are many threat vectors to a modern SCADA system. One is the threat of unauthorized access to the control
software, whether it be human access or changes induced intentionally or accidentally by virus infections and other
software threats residing on the control host machine. Another is the threat of packet access to the network
segments hosting SCADA devices. In many cases, the control protocol lacks any form of cryptographic security,
allowing an attacker to control a SCADA device by sending commands over a network. In many cases SCADA users
have assumed that having a VPN offered sufficient protection, unaware that security can be trivially bypassed with
physical access to SCADA-related network jacks and switches. Industrial control vendors suggest approaching SCADA
security like Information Security with a defense in depth strategy that leverages common IT practices.
The reliable function of SCADA systems in our modern infrastructure may be crucial to public health and safety. As
such, attacks on these systems may directly or indirectly threaten public health and safety. Such an attack has already
occurred, carried out on Maroochy Shire Council's sewage control system in Queensland, Australia. Shortly after a
contractor installed a SCADA system in January 2000, system components began to function erratically. Pumps did not
run when needed and alarms were not reported. More critically, sewage flooded a nearby park and contaminated an
open surface-water drainage ditch and flowed 500 meters to a tidal canal. The SCADA system was directing sewage
valves to open when the design protocol should have kept them closed. Initially this was believed to be a system bug.
Monitoring of the system logs revealed the malfunctions were the result of cyber attacks. Investigators reported 46
separate instances of malicious outside interference before the culprit was identified. The attacks were made by a
disgruntled ex-employee of the company that had installed the SCADA system. The ex-employee was hoping to be
hired by the utility full-time to maintain the system.
In April 2008, the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack
issued a Critical Infrastructures Report which discussed the extreme vulnerability of SCADA systems to an
electromagnetic pulse (EMP) event. After testing and analysis, the Commission concluded: "SCADA systems are
vulnerable to EMP insult. The large numbers and widespread reliance on such systems by all of the Nation’s critical
infrastructures represent a systemic threat to their continued operation following an EMP event. Additionally, the
necessity to reboot, repair, or replace large numbers of geographically widely dispersed systems will considerably
impede the Nation’s recovery from such an assault."
Many vendors of SCADA and control products have begun to address the risks posed by unauthorized access by
developing lines of specialized industrial firewall and VPN solutions for TCP/IP-based SCADA networks as well as
external SCADA monitoring and recording equipment. The International Society of Automation (ISA) started
formalizing SCADA security requirements in 2007 with a working group, WG4. WG4 "deals specifically with unique
technical requirements, measurements, and other features required to evaluate and assure security resilience and
performance of industrial automation and control systems devices".
The increased interest in SCADA vulnerabilities has resulted in vulnerability researchers discovering vulnerabilities in
commercial SCADA software and more general offensive SCADA techniques presented to the general security
community. In electric and gas utility SCADA systems, the vulnerability of the large installed base of wired and
wireless serial communications links is addressed in some cases by applying bump-in-the-wire devices that employ
authentication and Advanced Encryption Standard encryption rather than replacing all existing nodes.
In June 2010, anti-virus security company VirusBlokAda reported the first detection of malware that attacks SCADA
systems (Siemens' WinCC/PCS 7 systems) running on Windows operating systems. The malware is called Stuxnet and
uses four zero-day attacks to install a rootkit which in turn logs into the SCADA's database and steals design and
control files. The malware is also capable of changing the control system and hiding those changes. The malware was
found on 14 systems, the majority of which were located in Iran.
In October 2013 National Geographic released a docudrama titled "American Blackout" which dealt with a large-scale
cyber attack on SCADA and the United States' electrical grid.
Common SCADA System Threats and Vulnerabilities
As any IT manager understands, particularly those managing SCADA and industrial control networks, keeping SCADA
systems safe from security threats isn’t just about peace of mind. These systems control critical components of industrial
automation networks. If there’s a problem with them, essential services – such as water and power – could shut down
for thousands or millions of people.
However, despite knowing this, there’s a frightening truth many of us are ignoring: attacks on SCADA systems are on the
rise, and it is possible that many infiltrated systems have gone undetected. Cyber criminals often “infect” systems and
silently monitor traffic, observe activity, and wait for months or even years before taking any action. This allows them to
strike when they can cause the most damage.
While we’d rather not have to face the fact that our critical infrastructures could very well be compromised, there is good
news. Understanding common SCADA system threats and vulnerabilities allows us to develop a clear, actionable
framework for overcoming these security issues.
Many if not most SCADA systems are currently vulnerable to cyber-attacks due to the following:
Lack of monitoring. Without active network monitoring, it is impossible to detect suspicious activity, identify
potential threats, and quickly react to cyber-attacks.
Slow updates. As SCADA systems become more advanced, they also become more vulnerable to new attacks.
Maintaining firmware and software updates may be inconvenient (without the proper systems in place), but they’re
necessary for maximum protection.
Lack of knowledge about devices. Connecting devices to a SCADA system allows for remote monitoring and
updates, but not all devices have equal reporting capabilities. Since most SCADA systems have been developed gradually
over time, it’s not uncommon to see technology that’s 5 years old paired with technology that’s 20 years old. This means
the knowledge about network-connected devices is often incomplete.
Not understanding traffic. Managers need to know what type of traffic is going through their networks. Only
then can they make informed decisions about how to respond to potential threats. With advanced data analysis,
managers can get a big-picture view of data gathered from traffic monitoring, and translate that into actionable
intelligence. For example, an infiltrated system might check in with a foreign server once every 30, 45, or 180 days.
Authentication holes. Authentication solutions are designed to keep the wrong people from accessing the SCADA
system. However, this can easily be defeated due to common unsafe practices such as poor passwords, username
sharing, and weak authentication.
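Two of the points above can be checked mechanically from connection logs: traffic leaving the approved-IP list, and an infiltrated host checking in with an outside server on a slow but regular schedule. The following is an added Python example, not part of the original report; the log format, the allowlisted ranges and the log lines are constructed for illustration.

```python
# Added example (not from the report): scan constructed outbound-connection logs
# from a control network for (a) destinations outside the approved-IP allowlist
# and (b) low-frequency periodic check-ins to the same external host.
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed allowlist: ranges the control network is permitted to reach.
APPROVED_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("192.168.50.0/24")]

# Constructed sample log lines: "<timestamp> <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2015-01-03T02:14:07 10.20.1.15 -> 10.20.0.2:502
2015-01-03T02:14:09 10.20.1.15 -> 203.0.113.77:443
2015-02-02T02:14:11 10.20.1.15 -> 203.0.113.77:443
2015-03-04T02:14:10 10.20.1.15 -> 203.0.113.77:443
2015-03-04T09:00:00 10.20.1.22 -> 192.168.50.10:20000
2015-04-03T02:14:12 10.20.1.15 -> 203.0.113.77:443
"""


def parse_log(text):
    """Parse the constructed log lines into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def is_approved(dst):
    """True when the destination falls inside one of the approved ranges."""
    return any(ip_address(dst) in net for net in APPROVED_NETWORKS)


def unapproved_destinations(events):
    """Every (src, dst) pair that leaves the allowlist, with a hit count."""
    hits = defaultdict(int)
    for _, src, dst, _ in events:
        if not is_approved(dst):
            hits[(src, dst)] += 1
    return dict(hits)


def periodic_beacons(events, min_hits=3, tolerance_days=3):
    """(src, dst) pairs outside the allowlist whose contact intervals are nearly
    constant. A check-in every 30 days is invisible day to day; the regularity of
    the interval is what gives it away. Returns the mean period in days."""
    times = defaultdict(list)
    for ts, src, dst, _ in events:
        if not is_approved(dst):
            times[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() / 86400 for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= tolerance_days:
            beacons[pair] = round(sum(gaps) / len(gaps), 1)
    return beacons


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("outside allowlist:", unapproved_destinations(evs))
    print("periodic check-ins (days):", periodic_beacons(evs))
```

Lengthening the tolerance or lowering min_hits trades false positives for the chance of catching the 45- or 180-day schedules the text mentions with fewer observations.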
Security countermeasures for SCADA
Physical security
Physical security is another aspect that must be properly managed. All plants that host SCADA systems and
networks must be assessed. SCADA systems are usually distributed over large distances in multiple locations
with different physical security measures. Their protection must be carefully evaluated. It’s important to
evaluate the overall infrastructure to identify weaknesses, evaluate defense measures to implement, and the
expected benefits. Best practices include the assessment of the physical security of remote environments that are
directly connected to a SCADA.
“Any location that has a connection to the SCADA network is a target, especially unmanned or unguarded
remote sites. Conduct a physical security survey and inventory access points at each facility that has a
connection to the SCADA system.”
Establish proper physical security through the adoption of defensive measures like guards and gates to protect
equipment from unauthorized access and sabotage. Every external connection to the perimeter of the facility has
to be assessed. It’s suggested to use security products for perimeter protection that meet NIST FIPS standards.
Physical restrictions that could be applied to improve security to prevent incidents are:
Restricted access to the site
Restricted number of technicians responsible for maintenance
No use of mobile support
Segregated control network, no connection to other networks
Each computer is locked in a restricted room or cabinet
Roles and responsibility – management
Management has a crucial role in security. Its primary task is to provide a strong commitment for the
implementation of an efficient cyber strategy. That includes the assignment of cyber security roles,
responsibilities, and authorities for personnel. Each employee needs to know their responsibilities to protect
information and assets of SCADAs. Key personnel need to be given sufficient authority to carry out their assigned
responsibilities. A detailed security policy must be in place that describes how management defines roles and
responsibilities. Each employee must be informed of all procedures adopted to keep architecture secure.
The first goal of management is to define a structured security program with mandated requirements to reach
expectations and provide personnel with formalized policies and procedures. Senior management must establish
expectations for cyber security performance and hold individuals accountable for their performance.
Compliance with current security standards is necessary to provide a harmonious approach to cyber security.
Policies and procedures need to assign specific security responsibilities to employees and give guidance on the
actions to be taken in response to incidents. The security policy must identify the critical systems within the
SCADA network and their functions, and classify the information they manage.
The security requirements must be identified within security policy to minimize cyber threats, including
menaces from insiders. Personnel training is one of the most important responsibilities for management.
Managers have to provide a strong commitment to organizing training courses.
Training also helps to minimize the likelihood that organizational personnel will inadvertently disclose sensitive
information regarding SCADA system design, operations, or security controls deployed.
Only the people involved explicitly need to have access to the above information. Personnel must be trained to
recognize social engineering attacks made by hackers to gather sensitive information about a computer or
computer network. Typically these attacks are a prelude to more invasive and dangerous offensives. The more
information revealed about internal configuration, the more vulnerable the network is. Keep secret data related
to a SCADA network, including manufacturers, key people, computer operating systems and physical
distributions of SCADA.
The responsibility of management is the definition of proper protection strategies, highlighting the risks related
to cyber attackers and the necessary defense systems, for each component. The rapid and continuous evolution
of cyber threats needs frequent revision of protection strategy to ensure it remains effective. Each risk must be
evaluated, analyzing the probability of occurrence of the incident and the related severity. It’s crucial that the
residual risk, once identified, is explicitly accepted by management.
Configuration management processes and assessment
Configuration management is a critical component for the security of the infrastructure, for both hardware and
software configurations. Each modification to the overall infrastructure could have a serious impact on its
security. Changes could introduce vulnerabilities that undermine security.
“Configuration management begins with well-tested and documented security baselines for your various
systems. Robust performance evaluation processes are needed to provide organizations with feedback on the
effectiveness of cyber security policy and technical implementation.”
The impact of any modification of the infrastructure must be correctly evaluated with assessment processes
conducted by both internal and external professionals. Routine vulnerability assessment and automated auditing
of the network and systems must be part of the configuration management process.
The NSA document titled “Securing Supervisory Control and Data Acquisition (SCADA) and Control Systems
(CS)” introduces the following suggestions for configuration management:
Map out and document the entire CS network, including CS and infrastructure device configurations
Prepare and configure new equipment off-line
Sanitize old equipment before disposal
Keep CS infrastructure security features current with device moves, additions, and decommissions
Enable auditing features and periodically examine the resulting logs for signs of unusual activity
Synchronize to a common time reference, so audit logs become more useful during incident response
Develop a Disaster Recovery Plan (DRP) for the CS, and if possible test it!
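The first, fourth and fifth suggestions (a documented inventory, keeping it current as devices move or are added, and noticing when the live network no longer matches it) can be checked with a small script. The following is an added Python example, not from the report or the NSA document; the device names, addresses, firmware versions, configuration text and dates are all constructed.

```python
# Added example (not from the report): compare a documented baseline of
# control-system devices against a discovery snapshot of what is actually on
# the network, surfacing undocumented devices, documented devices that have
# vanished, configuration/firmware drift, and devices not updated for too long.
import hashlib
from datetime import date


def config_hash(config_text):
    """Fingerprint an exported device configuration. The baseline stores the
    hash rather than the configuration itself, so it reveals no setpoints."""
    return hashlib.sha256(config_text.encode()).hexdigest()


# Constructed baseline: the documented inventory (address, approved firmware,
# fingerprint of the approved configuration, date of the last update).
BASELINE = {
    "plc-pump-01":  {"ip": "10.20.0.2",  "firmware": "4.2.1",
                     "config": config_hash("setpoint=40\nalarm_high=85\n"),
                     "last_update": "2014-11-20"},
    "rtu-valve-07": {"ip": "10.20.0.9",  "firmware": "2.0.5",
                     "config": config_hash("valve_mode=auto\n"),
                     "last_update": "2009-03-02"},
    "hmi-ctrl-01":  {"ip": "10.20.1.15", "firmware": "9.1.0",
                     "config": config_hash("screens=main,alarms\n"),
                     "last_update": "2015-01-10"},
}

# Constructed snapshot from a discovery run on the control network.
OBSERVED = {
    "plc-pump-01":  {"ip": "10.20.0.2",  "firmware": "4.2.1",
                     "config": config_hash("setpoint=40\nalarm_high=85\n")},
    "rtu-valve-07": {"ip": "10.20.0.9",  "firmware": "2.0.5",
                     "config": config_hash("valve_mode=manual\n")},  # changed
    "eng-laptop-x": {"ip": "10.20.0.44", "firmware": "n/a",
                     "config": config_hash("")},                     # undocumented
}
# hmi-ctrl-01 is absent from the snapshot: documented, but not found.


def compare_inventory(baseline, observed):
    """Report undocumented devices, documented devices that are gone, and
    (device, field) pairs whose live value differs from the baseline."""
    findings = {"unknown": sorted(set(observed) - set(baseline)),
                "missing": sorted(set(baseline) - set(observed)),
                "drift": []}
    for name in sorted(set(baseline) & set(observed)):
        for field in ("ip", "firmware", "config"):
            if baseline[name][field] != observed[name][field]:
                findings["drift"].append((name, field))
    return findings


def stale_devices(baseline, as_of_iso, max_age_days=365):
    """Devices whose last recorded update is older than max_age_days as of the
    given ISO date; returns (name, age_in_days) pairs."""
    as_of = date.fromisoformat(as_of_iso)
    stale = []
    for name, rec in sorted(baseline.items()):
        age = (as_of - date.fromisoformat(rec["last_update"])).days
        if age > max_age_days:
            stale.append((name, age))
    return stale


if __name__ == "__main__":
    print(compare_inventory(BASELINE, OBSERVED))
    print(stale_devices(BASELINE, "2015-06-01"))
```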
System backups and disaster recovery plans
Recovery is the ability to restore a compromised system to its operational status. Establishing a disaster
recovery plan is fundamental for rapid recovery from any incidents, such as cyber attacks.
System backups are an essential part of any plan and they allow rapid reconstruction of any network. Routinely
exercise disaster recovery plans to ensure that they work and that all employees know the procedure to follow.
Every change to the overall architecture has to trigger a review of the plan to apply the appropriate changes to
disaster recovery plans.
Recovery plans usually include:
Adoption of redundant hardware and fault tolerant systems
Fallback mechanisms
System backup procedure
The disaster recovery plan allows the organization to prepare for, respond to and recover from a disruptive event,
including a cyber attack. The following criteria should be considered in case of a hardware failure:
Determine and document the procedures for responding to a disaster that involves the SCADA center and its
services.
Acquire additional hardware for disaster recovery plan or locate current backup hardware to a different location.
Periodically test the disaster recovery plan.
Related to software components, it’s possible to follow the criteria below in case of malfunction:
Determine ways to recover from any type of loss including historical data, installation media, application files,
configuration files, documents, and software licenses.
Establish a strategy to keep the system up-to-date.
Evaluate the set of data and applications to restore to their previous state in the event of a disaster.
Create a centralized inventory of all software titles and licenses, and evaluate the possibility of replicating it in
different locations.
Perform regular system backups and send copies of backup files to storage array networks off-site.
Periodically test backup copies and the restore procedures operated by the personnel.
Conclusions
SCADA systems are increasing in complexity, due to the integration of different components, in many cases
produced by different manufacturers. It’s necessary to address the security level of each device and the overall
environment. The design of SCADAs must change completely and take care of all the security requirements.
That’s done by considering their attack surface and exposure to cyber threats that could harm the systems.
There must be a collective effort by all governments to produce continuous reports on the security status of
critical infrastructures and related SCADA systems. Overall security will come through global
collaboration and information sharing on the possible cyber threats and the vulnerabilities of every device that is
qualified in the market.
The security component must become part of the project of an industrial system. It must be considered a
specific requirement. The overall security of critical infrastructures must be audited during the entire lifecycle
of its components.
Recently the heads of the Federal Bureau of Investigation (FBI), Department of Homeland Security, and
National Counterterrorism Center have declared cyber attacks are the most likely form of terrorism against the
United States in the coming years.
“That’s where the bad guys will go. There are no safe neighborhoods. All of us are neighbors [online].” FBI
director James Comey said about cyberterrorism.
These words should make us think about the real importance of security for critical systems of our
infrastructure, including SCADAs.
Kunal Gupta,
Lucideus Student
www.lucideus.com