www.lucideus.com
2016
Introduction to SCADA system & Security
1. Introduction
It is impossible to keep every industrial activity under manual control and supervision. An
automated tool is needed that can control and supervise the process, collect and analyse data,
and generate reports. The SCADA system was introduced to meet all of these demands.
SCADA stands for supervisory control and data acquisition. It is a type of industrial control
system in which a computer system monitors and controls a physical process.
The term SCADA usually refers to centralized systems which monitor and control
entire sites, or complexes of systems spread out over large areas (anything from an
industrial plant to a nation). Most control actions are performed automatically by
RTUs or by PLCs. Host control functions are usually restricted to basic overriding or
supervisory-level intervention. For example, a PLC may control the flow of cooling
water through part of an industrial process, but the SCADA system may allow
operators to change the set points for the flow, and enable alarm conditions, such as
loss of flow and high temperature, to be displayed and recorded. The feedback
control loop passes through the RTU or PLC, while the SCADA system monitors
the overall performance of the loop.
SCADA's schematic overview
Data acquisition begins at the RTU or PLC level and includes meter readings and
equipment status reports that are communicated to SCADA as required. Data is then
compiled and formatted in such a way that a control room operator using the HMI
can make supervisory decisions to adjust or override normal RTU (PLC) controls.
Data may also be fed to a Historian, often built on a commodity Database
Management System, to allow trending and other analytical auditing.
SCADA systems typically implement a distributed database, commonly referred to
as a tag database, which contains data elements called tags or points. A point
represents a single input or output value monitored or controlled by the system.
Points can be either "hard" or "soft". A hard point represents an actual input or
output within the system, while a soft point results from logic and math operations
applied to other points. (Most implementations conceptually remove the distinction
by making every property a "soft" point expression, which may, in the simplest
case, equal a single hard point.) Points are normally stored as value-timestamp
pairs: a value, and the timestamp when it was recorded or calculated. A series of
value-timestamp pairs gives the history of that point. It is also common to store
additional metadata with tags, such as the path to a field device or PLC register,
design time comments, and alarm information.
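The tag database described above, as a runnable illustration. This is an added example written for this page, not code from the Lucideus paper or from any SCADA product; the tag names (CW_FLOW, CW_TEMP_IN, CW_TEMP_OUT, CW_DELTA_T), the PLC register paths and the alarm limits are invented for the demonstration.

```python
"""Toy SCADA tag database: hard points, soft points, value-timestamp history.

Added example for this page; it is not code from the Lucideus paper or from
any SCADA product. Tag names, register paths and alarm limits are invented.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

History = List[Tuple[float, float]]  # (value, timestamp) pairs, oldest first


@dataclass
class Point:
    """One tag. A hard point mirrors a field input or output; a soft point is
    computed from other points by `expr`. Both carry a history and metadata
    (device path, comment, alarm limits), as the text above describes."""
    name: str
    expr: Optional[Callable[["TagDatabase"], float]] = None  # None -> hard point
    metadata: Dict[str, object] = field(default_factory=dict)
    history: History = field(default_factory=list)

    @property
    def is_hard(self) -> bool:
        return self.expr is None

    def value(self) -> float:
        if not self.history:
            raise LookupError(f"{self.name} has no value yet")
        return self.history[-1][0]


class TagDatabase:
    def __init__(self) -> None:
        self.points: Dict[str, Point] = {}

    def add(self, point: Point) -> Point:
        self.points[point.name] = point
        return point

    def write_hard(self, name: str, value: float, ts: float) -> None:
        """Field update from an RTU/PLC. Only hard points accept raw writes;
        refusing writes to soft points keeps derived values honest."""
        p = self.points[name]
        if not p.is_hard:
            raise PermissionError(f"{name} is a soft point; it is computed, not written")
        p.history.append((value, ts))
        self._recompute(ts)

    def _recompute(self, ts: float) -> None:
        """Re-evaluate soft points after a field update. A soft point whose
        inputs have no value yet is skipped (LookupError) rather than guessed."""
        for p in self.points.values():
            if p.is_hard:
                continue
            try:
                p.history.append((p.expr(self), ts))
            except LookupError:
                pass

    def get(self, name: str) -> float:
        return self.points[name].value()

    def active_alarms(self) -> List[str]:
        """Names of points whose latest value exceeds the 'alarm_hi' limit
        stored in their metadata."""
        return [p.name for p in self.points.values()
                if p.history and "alarm_hi" in p.metadata
                and p.value() > p.metadata["alarm_hi"]]


def build_demo_db() -> TagDatabase:
    """Constructed data: cooling-water flow and temperatures read from PLC
    holding registers, plus a soft point for the temperature rise."""
    db = TagDatabase()
    db.add(Point("CW_FLOW", metadata={"path": "PLC1:HR40001", "units": "l/min"}))
    db.add(Point("CW_TEMP_IN", metadata={"path": "PLC1:HR40002", "units": "C"}))
    db.add(Point("CW_TEMP_OUT", metadata={"path": "PLC1:HR40003", "units": "C",
                                          "alarm_hi": 60.0}))
    db.add(Point("CW_DELTA_T",
                 expr=lambda d: d.get("CW_TEMP_OUT") - d.get("CW_TEMP_IN"),
                 metadata={"comment": "outlet minus inlet", "alarm_hi": 25.0}))
    return db


def run_demo() -> dict:
    db = build_demo_db()
    db.write_hard("CW_FLOW", 120.0, ts=1.0)
    db.write_hard("CW_TEMP_IN", 20.0, ts=2.0)
    db.write_hard("CW_TEMP_OUT", 50.0, ts=3.0)   # first update at which delta T exists
    db.write_hard("CW_TEMP_OUT", 48.0, ts=4.0)
    return {"delta_t": db.get("CW_DELTA_T"),
            "delta_t_history": db.points["CW_DELTA_T"].history,
            "alarms": db.active_alarms()}
```

write_hard refuses writes to soft points, which matters in practice: a derived value such as a temperature rise should only ever change because its inputs changed, so neither an HMI nor an attacker on the network can set it directly. Every update appends a (value, timestamp) pair, which is exactly the history a historian would later trend.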
Common system components
A SCADA system usually consists of the following subsystems:
Remote terminal units (RTUs) connect to sensors in the process and convert sensor signals
to digital data. They have telemetry hardware capable of sending digital data to the
supervisory system, as well as receiving digital commands from it. RTUs
often have embedded control capabilities such as ladder logic in order to accomplish Boolean
logic operations.
Programmable logic controllers (PLCs) connect to sensors in the process and convert
sensor signals to digital data. PLCs have more sophisticated embedded control capabilities
(typically one or more IEC 61131-3 programming languages) than RTUs. PLCs do not have
telemetry hardware, although this functionality is typically installed alongside them. PLCs are
sometimes used in place of RTUs as field devices because they are more economical,
versatile, flexible, and configurable.
A telemetry system is typically used to connect PLCs and RTUs with control centers, data
warehouses, and the enterprise. Examples of wired telemetry media used in SCADA systems
include leased telephone lines and WAN circuits. Examples of wireless telemetry media used
in SCADA systems include satellite (VSAT), licensed and unlicensed radio, cellular and
microwave.
A data acquisition server is a software service which uses industrial protocols to connect
software services, via telemetry, with field devices such as RTUs and PLCs. It allows clients to
access data from these field devices using standard protocols.
A Human–Machine Interface or HMI is the apparatus or device which presents processed
data to a human operator, and through which the operator monitors and interacts with
the process. The HMI is a client that requests data from a data acquisition server; in most
installations the HMI is also the operator's graphical user interface, collecting data from
external devices, creating reports, performing alarming, sending notifications, etc.
A historian is a software service which accumulates time-stamped data, Boolean events, and
Boolean alarms in a database which can be queried or used to populate graphic trends in the
HMI. The historian is a client that requests data from a data acquisition server.
A supervisory (computer) system gathers (acquires) data on the process and sends
commands (control) to the process.
1. Human–machine interface (HMI)
A human–machine interface (HMI) is the input-output device through which the
human operator controls the process, and which presents process data to the operator.
The HMI is usually linked to the SCADA system's databases and software programs to
provide trending, diagnostic data, and management information such as scheduled
maintenance procedures, logistic information, detailed schematics for a particular sensor
or machine, and expert-system troubleshooting guides.
Figure: SCADA components: human–machine interface (HMI), remote terminal units (RTU),
programmable logic controller (PLC), supervisory (computer) system, and communication
infrastructure.
The HMI system usually presents the information to the operating personnel graphically, in the
form of a mimic diagram. This means that the operator can see a schematic representation of
the plant being controlled. For example, a picture of a pump connected to a pipe can show the
operator that the pump is running and how much fluid it is pumping through the pipe at the
moment. The operator can then switch the pump off. The HMI software will show the flow
rate of the fluid in the pipe decrease in real time. Mimic diagrams may consist of line graphics
and schematic symbols to represent process elements, or may consist of digital photographs
of the process equipment overlain with animated symbols.
The HMI package for the SCADA system typically includes a drawing program that the
operators or system maintenance personnel use to change the way these points are
represented in the interface. These representations can be as simple as an on-screen traffic
light, which represents the state of an actual traffic light in the field, or as complex as a multi-
projector display representing the position of all of the elevators in a skyscraper or all of the
trains on a railway.
2. Remote terminal units (RTU)
A remote terminal unit (RTU) is a microprocessor-controlled electronic device that
interfaces objects in the physical world to a distributed control system or SCADA
(supervisory control and data acquisition) system by transmitting telemetry data to a
master system, and by using messages from the master supervisory system to
control connected objects. Another term that may be used for RTU is remote
telecontrol unit.
An RTU monitors the field digital and analog parameters and transmits data to the
Central Monitoring Station. It contains setup software to connect data input streams
to data output streams, define communication protocols, and troubleshoot
installation problems.
An RTU may consist of one complex circuit card consisting of various sections
needed to do a custom fitted function or may consist of many circuit cards including
CPU or processing with communications interface(s), and one or more of the
following: (AI) analog input, (DI) digital input, (DO/CO) digital or control (relay)
output, or (AO) analog output card(s).
3. Programmable logic controller (PLC)
A programmable logic controller (PLC) or programmable controller is a digital computer used
for automation of industrial processes, such as control of machinery on factory assembly lines.
Unlike general-purpose computers, the PLC is designed for multiple input and output
arrangements, extended temperature ranges, immunity to electrical noise, and resistance to
vibration and impact. Programs to control machine operation are typically stored in battery-
backed or non-volatile memory. A PLC is an example of a real-time system, since output results
must be produced in response to input conditions within a bounded time, otherwise unintended
operation will result.
Hence, a programmable logic controller is a specialized computer used to control machines and
processes. It therefore shares common terms with typical PCs, like central processing unit,
memory, software and communications. Unlike a personal computer, though, the PLC is
designed to survive in a rugged industrial environment and to be very flexible in how it
interfaces with inputs and outputs in the real world.
4. Supervisory station
The term supervisory station refers to the servers and software responsible for communicating
with the field equipment (RTUs, PLCs, sensors etc.), and then with the HMI software running on
workstations in the control room or elsewhere. In smaller SCADA systems the master station
may be composed of a single PC. In larger SCADA systems the master station may include
multiple servers, distributed software applications and disaster recovery sites. To increase the
integrity of the system the multiple servers will often be configured in a dual-redundant or
hot-standby formation, providing continuous control and monitoring in the event of a server
malfunction or breakdown.
5. Communication infrastructure and methods
SCADA systems have traditionally used combinations of radio and direct wired connections,
although SONET/SDH is also frequently used for large systems such as railways and power
stations. The remote management or monitoring function of a SCADA system is often referred
to as telemetry. Some users want SCADA data to travel over their pre-established corporate
networks or to share the network with other applications. The legacy of the early low-
bandwidth protocols remains, though.
SCADA protocols are designed to be very compact. Many are designed to send information
only when the master station polls the RTU. Typical legacy SCADA protocols include Modbus
RTU, RP-570, Profibus and Conitel. These protocols originated with individual vendors but
are widely adopted and used. Standard protocols are IEC 60870-5-101 or 104, IEC 61850 and
DNP3. These communication protocols are standardized and recognized by all major SCADA
vendors. Many of these protocols now contain extensions to operate over TCP/IP. In their
original form none of them authenticates the station that issues a command: an RTU or PLC
executes any well-formed request that reaches it, so the security of the link rests on keeping
untrusted hosts off the network (later additions such as DNP3 Secure Authentication and the
IEC 62351 profiles for IEC 60870-5 and IEC 61850 address this, but are rarely present on
legacy equipment). Although the use of conventional networking specifications, such as
TCP/IP, blurs the line between traditional and industrial networking, they each fulfill
fundamentally differing requirements.
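To make the "very compact" and poll-driven nature of these protocols concrete, here is Modbus RTU and Modbus/TCP framing in Python. This is an added example for this page, not code from the paper or from any vendor's protocol stack; the unit id, register addresses and set-point value are made up. The security point it shows is that neither framing carries any field that identifies or authenticates the master: a write-single-register request is four bytes of payload, and any host that can reach the serial line or TCP port 502 can issue it.

```python
"""Modbus RTU and Modbus/TCP framing, to show what a legacy SCADA protocol
carries on the wire. Added example for this page, not code from the paper or
from any vendor stack. Unit id, register addresses and values are made up.
"""
import struct
from typing import Tuple

# Public function codes used below (Modbus Application Protocol specification).
FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06


def modbus_crc(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def rtu_encode(unit: int, fc: int, pdu_data: bytes) -> bytes:
    """Serial frame: address | function | data | CRC (low byte first).
    Nothing in this layout identifies or authenticates the sender."""
    body = bytes([unit, fc]) + pdu_data
    return body + struct.pack("<H", modbus_crc(body))


def rtu_decode(frame: bytes) -> Tuple[int, int, bytes]:
    if len(frame) < 4:
        raise ValueError("frame too short")
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if modbus_crc(body) != crc:
        raise ValueError("CRC mismatch")  # integrity against noise, not attackers
    return body[0], body[1], body[2:]


def tcp_encode(transaction_id: int, unit: int, fc: int, pdu_data: bytes) -> bytes:
    """Modbus/TCP: MBAP header (transaction id, protocol id 0, length, unit id)
    followed by the PDU. The CRC is dropped; there is still no auth field."""
    pdu = bytes([fc]) + pdu_data
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit)
    return mbap + pdu


def tcp_decode(packet: bytes) -> Tuple[int, int, int, bytes]:
    tid, proto, length, unit = struct.unpack(">HHHB", packet[:7])
    if proto != 0 or length != len(packet) - 6:
        raise ValueError("bad MBAP header")
    return tid, unit, packet[7], packet[8:]


def read_holding_registers(start: int, count: int) -> bytes:
    return struct.pack(">HH", start, count)


def write_single_register(addr: int, value: int) -> bytes:
    """FC 0x06 payload: changing a set-point takes only these four bytes."""
    return struct.pack(">HH", addr, value)


def demo() -> dict:
    # Constructed traffic: poll ten holding registers from unit 1 over a serial
    # line, then write a set-point register on unit 1 over Modbus/TCP.
    poll = rtu_encode(1, FC_READ_HOLDING, read_holding_registers(0, 10))
    setpoint = tcp_encode(0x0001, 1, FC_WRITE_SINGLE,
                          write_single_register(0x0010, 750))
    return {"poll": poll.hex(), "setpoint": setpoint.hex(),
            "poll_decoded": rtu_decode(poll),
            "setpoint_decoded": tcp_decode(setpoint)}
```

The frame 01 03 00 00 00 0A C5 CD produced by demo() is the classic "read ten holding registers from unit 1" poll; the CRC protects against line noise, not against an attacker, who simply recomputes it. Modbus/TCP drops the CRC entirely and adds only a transaction id and a length in the MBAP header, which is why a single unfiltered route to port 502 is equivalent to write access to the process.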
The importance of security requirements in the design of SCADA systems.
Excerpt from the article published in PenTest AUDITING & STANDARDS 06/2012.
The article describes the main issues related to the use of SCADA systems in critical
infrastructures and provides a careful analysis of their relative level of security on a global
scale. It discusses the main vulnerabilities of critical systems exploitable by cyber attacks and
the possible solutions to implement to ensure their safety.
Over the last few years countries worldwide have discovered that their critical infrastructures
are too vulnerable to cyber attacks, thanks to the increased attention paid to cyber security
and to successful attacks on SCADA systems. Events such as the spread of the Stuxnet worm
have alerted the international security community to the risks of a cyber attack and its
potentially disastrous consequences; we have learned how powerful a cyber weapon can be
and how directly governments are involved in cyber warfare.
SCADA (supervisory control and data acquisition) is a class of industrial control system (ICS)
used to control and monitor industrial processes, and it is typically present in all those
potential targets of a cyber attack, such as critical infrastructures and utility facilities.
Because they are tied to industrial processes, we find this family of devices everywhere:
manufacturing, production, power generation, and very often in control of the activities of
critical systems such as water treatment, electrical power transmission and distribution,
and large communication systems.
These components are privileged targets for cyber attacks. Malware can physically damage an
industrial process, as happened to the uranium enrichment centrifuges at the Natanz site
during the offensive against Iran's nuclear program. Western countries have been the first to
explore the possibility of a cyber offensive using a cyber weapon such as malware; the
reported operation Olympic Games demonstrates the high attention the US government pays
to cyber operations and the strong commitment provided first by the Bush administration and
then by the Obama one.
The scenario is really alarming: an attack on the SCADA system of a sensitive facility could
materialize the nightmare of every government. Similar incidents can undermine the safety of
millions of individuals and compromise homeland security. Dozens, hundreds,
thousands of installations all over the world are potentially vulnerable to attack from
anywhere on the planet; the offensive option has moved into what has been called a new
dimension of warfare, cyberspace, but it could still lead to the loss of many human lives.
Our minds need not fly straight to a nuclear plant and a possible accident in its control
systems; we can think, for example, of the impact of an attack on the processes of a
chemical plant. The main problem with SCADA systems is that they are very numerous, each
industrial process has its own, and many of them are exposed on the Internet without proper
protection.
In such a structure it is possible to imagine several entry points for external
agents such as malware: the supervisory system is usually a computer running a
commercial OS whose known vulnerabilities can be exploited, and in the case of
state-sponsored attacks 0-day vulnerabilities as well. Incidents that have occurred in SCADA
systems have demonstrated that these systems can be infected in different
ways; we can imagine the introduction of malware through a USB stick or via a
network interface.
After the recent events many security firms have started designing specific
solutions to address the security problems of SCADA systems, but the major challenge
is for governments, which have to include the protection of these critical components
in their cyber strategies. Several audits executed by governments on their critical
infrastructures have illustrated a dangerous scenario, the lack of security
mechanisms in the many systems deployed all over the world; even more
alarming is the absence of a precise census of SCADA systems in many of the
principal industrialized countries.
Events such as the diffusion of the Stuxnet worm and the alleged incident at a water
facility in Illinois last year (which US authorities later concluded was not an intrusion
after all, a reminder of how hard attribution is in this field) have shown the world that
it is possible to conduct an attack on a foreign state remotely; this has increased
awareness of cyber threats and of the need to implement the right countermeasures to
mitigate the risks.
Defense mechanisms are virtually absent: SCADA components are often
under the governance of local authorities that lack adequately trained
personnel and operate with limited budgets. This means that this kind of
control device is installed everywhere without being qualified during the installation
phase. Many systems are deployed with factory settings, pre-set standard
configurations common to entire classes of devices. To this we add that even
those who maintain them do not go beyond the minimum on security, leaving the devices
accessible for remote diagnostics without the necessary precautions.
Fortunately, something has changed: precise guidelines now identify best practices to
follow in the management of SCADA systems, and operations groups monitor the
operation of facilities around the country.
The latest “INTERNET SECURITY THREAT REPORT” published by Symantec
reports that several weaknesses were detected in critical infrastructure systems
during 2011: the security firm saw a dramatic increase in the number of
publicly reported SCADA vulnerabilities, from 15 in 2010 to 129 in 2011. Since the
emergence of the Stuxnet worm in 2010, SCADA systems have attracted wider attention
from security researchers. However, 93 of the 129 newly published vulnerabilities were
the product of just one security researcher.
In December 2011 the Industrial Control Systems Cyber Emergency Response Team
(ICS-CERT) distributed a new alert to provide timely notification to critical
infrastructure owners and operators concerning threats or activity with a potential
impact on critical infrastructure computing networks.
ICS-CERT informed that some models of the Modicon Quantum PLC used in
industrial control systems contain multiple hidden accounts that use predetermined
passwords to grant remote access. Palatine, Illinois-based Schneider Electric, the
maker of the device, has produced fixes for some of the weaknesses and continues
to develop additional mitigations. ICS-CERT encourages researchers to coordinate
vulnerability details before public release.
In a SCADA system the programmable logic controllers (PLCs) are directly
connected to in-field sensors that provide data to control critical components (e.g.
centrifuges or turbines). Often the default passwords are hard-coded into the Ethernet
cards the systems use to funnel commands into the devices, allowing administrators
to log into the machinery remotely.
Independent security researcher Rubén Santamarta reported that the NOE 100
and NOE 771 modules contain at least 14 hard-coded passwords, some of which are
published in support manuals. Even in cases where the passcodes are obscured
using cryptographic hashes, they are trivial to recover thanks to documented
weaknesses in the password hashing of the underlying VxWorks operating system. As a
result, an attacker can exploit the weakness to log into the devices and gain privileged
access to their controls.
Hard-coded passwords are a common weakness built into many industrial control
systems, including some S7 series PLCs from Siemens. Because these systems
control the machinery connected to dams, gasoline refineries and water treatment
plants, unauthorized access is considered a national security threat, since it
could be used to sabotage their operation.
A search on Shodan, a search engine that indexes Internet-exposed servers and devices,
turns up what appear to be working links to several of the vulnerable Schneider
models. Santamarta said there is no fix for the devices other than to retire the faulty
Ethernet cards and replace them with better-designed ones. The ICS-CERT
advisory issued in December said the fixes from Schneider remove the telnet and
Windriver debug services. The advisory made no mention of changes to FTP services.
The scenario is very worrying and reveals the need for a radical change; fortunately,
the emergency has been perceived by most nations. ENISA (the European
Network and Information Security Agency) has produced a recommendation for Europe
and Member States on how to protect Industrial Control Systems. The document
describes the current state of ICS security and proposes
seven recommendations to improve it. The recommendations call for the creation of
national and pan-European ICS security strategies, the development of a good
practices guide on ICS security, fostering awareness and education as well as
research activities, and the establishment of a common test bed and of ICS computer
emergency response capabilities.
In June the Pacific Northwest National Laboratory (PNNL), a federal contractor to
the U.S. Department of Energy (DOE), in collaboration with McAfee, published
an interesting report entitled “Technology Security Assessment for Capabilities and
Applicability in Energy Sector Industrial Control Systems: McAfee Application
Control, Change Control, Integrity Control.”
The Case
Immediately after Stuxnet, governments and intelligence agencies all over the world requested
security assessments of their countries' critical infrastructure. Much of the focus was on
evaluating the effectiveness of the defensive measures adopted to protect SCADA and ICS
deployments from cyber attacks.
After Stuxnet, debate on the use of software and malicious applications in information warfare
has increased. Governments are investing to improve their cyber capabilities, working on both
the defensive and the offensive side.
Despite greater awareness of cyber threats, countries' critical infrastructures are still too
vulnerable. Many security experts are convinced that a serious incident caused by a cyber
attack is likely soon.
Just a few days ago Eugene Kaspersky, CEO of Kaspersky Lab, revealed that a staffer at an
unnamed Russian nuclear plant had informed him of an infection.
“The staffer said their nuclear plant network which was disconnected from the internet … was badly infected by
Stuxnet. So unfortunately these people who were responsible for offensive technologies, they recognize cyber
weapons as an opportunity.”
Stuxnet had infected the internal network of a Russian nuclear plant in exactly the same way it
compromised the control system of the Iranian enrichment facility at Natanz. That is happening
despite the threat being well known and various security solutions being able to neutralize it.
Stuxnet infected the network within a Russian nuclear plant isolated from the Internet. Attackers
probably used USB or other removable devices to spread the malware. Russian intelligence
agencies have already observed this infection mode being used to cross a physically separated
'air-gapped' network in the past. For example, Russian cosmonauts had carried a virus on
removable media to the International Space Station, infecting machines there, according to
Kaspersky.
“NASA has confirmed that laptops carried to the ISS in July were infected with a virus known as
Gammima.AG. The worm was first detected on Earth in August 2007 and lurks on infected machines waiting to
steal login names for popular online games. NASA said it was not the first time computer viruses had travelled
into space and it was investigating how the machines were infected.”
I mentioned the Stuxnet malware because it is considered a case study: the malicious agent is so
notorious, yet it is still able to compromise networks and control systems within critical
infrastructure. Let us try to figure out the effect of unknown cyber threats, developed by
governments as cyber weapons, for example. In this article I'll analyze the major security issues
related to SCADA systems, and the best practices to follow to protect them.
Figure: Russian nuclear plant
According to the latest “SANS SCADA and Process Control Security Survey” conducted by the
SANS Institute, awareness of cyber threats and perception of the risks related to a cyber
attack are high. Nearly 70% of respondents believe the threat to be high (53%) or severe
(16%). Recent reports from Computer Emergency Response Teams (CERTs), government
offices and private companies confirm an escalating risk of cybersecurity events, specifically
for the energy sector.
The survey indicates that the top threats to control systems are advanced zero-day malware
such as Stuxnet, cyber operations conducted by groups of hacktivists, and the hacking
campaigns of cyber terrorists and state-sponsored hackers.
Recently, US-CERT alerted to a continuing spear-phishing campaign that targeted the energy
sector to gain remote access to control systems. SCADA system protection must be approached
at different levels, defending the control systems and educating operational and maintenance
personnel.
“Training should include specific operational topics on spear-phishing, zero-day activities and
managing internal threats.”
A Look Back at past SCADA hacking in 2015
It should come as no surprise that Supervisory Control and Data Acquisition
(SCADA) and Industrial Control Systems (ICS) that control key functions in critical
infrastructure are especially at risk of cyber attack. If saboteurs manage to
compromise critical infrastructure services, a country’s economy and military
defenses can be severely hampered. In addition, since organizations that operate
critical infrastructure often own valuable intellectual property, this information can
be a target for foreign state actors trying to steal intellectual property to advance
their economies or to win competitive bids.
In the past year we have seen some disturbing news that highlights the growing
risk of SCADA attacks:
- December 2014, SCADA attack causes physical damage: in late 2014 an unnamed
German steel mill suffered extensive damage from a cyber attack. The attackers were
able to disrupt the control system and prevent a blast furnace from being shut
down, resulting in 'massive' damage.
In late December, the annual report of the German Federal Office for Information Security
(BSI) revealed a disturbing cyber attack on a steel mill that resulted in “massive damage” to
the foundry. This case is just one of the latest examples of Hollywood fears coming true
through the Internet of Things (IoT). Through the judicious use of online translation
engines, we have learned several key things about the attack, although specific details
about the company and the full extent of the damage are still unknown.
According to the report, the attacker used sophisticated social engineering and spear-phishing
tactics to gain initial access to the steel mill's office network. Individual industrial control
components were compromised, which prevented the blast furnace from being shut down. The
technical capabilities of the attacker were very advanced, demonstrating a familiarity not only
with conventional IT security, but also with the specific applied industrial control and
production processes.
Although not explicitly stated, we can infer the attacker was likely an insider, or worked with
an insider, or was familiar with the industry-standard protocols used in the operation of the mill.
Because of the jump from the office network to the industrial control system, we can also assume
the mill's office network had to be connected to the industrial control system. The more familiar
the attacker was with this specific company's systems, the easier that link would have been to
find and exploit.
SCADA Attacks Double in 2014
Dell Security’s annual threat report shows not only a significant surge in the number of attacks
on retail credit card systems, but industrial SCADA systems as well, which are much more
likely to go unreported.
For Dell to report an annual surge in point-of-sale (POS) attacks aimed at payment card infrastructures might not be
such a surprise to people who pay any attention to the news. We know that the retail industry was hit hard by
cybersecurity attacks in 2014: Target wasn't the only target, so to speak, though it got the year started, and was the
largest breach in the history of U.S. retail until Home Depot was hit even harder later in the year. There were also
significant attacks on Michaels, Staples, Goodwill and more.
But don't think that the attacks are just focused there. What Dell also found in its annual threat report was that
the number of attacks on SCADA systems doubled from 2013 to 2014. Obviously, that has significant bearing on
process industries, which use SCADA systems to control remote equipment and collect data on that equipment's
performance.
As industrial manufacturers face threats, other companies within the same space might not even know a SCADA
threat exists until they are targeted themselves. “Since companies are only required to report data breaches that
involve personal or payment information, SCADA attacks often go unreported,” said Patrick Sweeney, executive
director for Dell Security. “This lack of information sharing combined with an aging industrial machinery infrastructure
presents huge security challenges that will continue to grow in the coming months and years.”
Unlike the retail breaches, which are likely geared toward financial gain, attacks against SCADA systems tend to be
political in nature, targeting operational capabilities within power plants, factories and refineries.
Dell's annual threat report relies on research from its Global Response Intelligence Defense (GRID) network and
telemetry data from Dell SonicWall network traffic to identify emerging threats. For SCADA systems, buffer overflow
vulnerabilities continue to be the primary point of attack, according to the Dell SonicWall Research Team, accounting
for a quarter of the attacks.
The majority of the SCADA attacks targeted Finland, the UK and the U.S. One likely reason for that, however, is that
SCADA systems are more common in these regions and more likely to be connected to the Internet. In 2014, Dell saw
202,322 SCADA attacks in Finland, 69,656 in the UK and 51,258 in the U.S.
Along with the doubling of SCADA attacks from 2013 to 2014, a look at January numbers alone shows a staggering
rise, year over year. Worldwide SCADA attacks increased from 91,676 in January 2012 to 163,228 in January 2013, and
675,186 in January 2014.
“Everyone knows the threats are real and the consequences are dire, so we can no longer blame lack of awareness for
the attacks that succeed,” Sweeney said. “Hacks and attacks continue to occur, not because companies aren't taking
security measures, but because they aren't taking the right ones.”
Dell recommends a few general ways to protect against SCADA attacks. For one, make sure all software and systems
are up to date. “Too often with industrial companies, systems that are not used every day remain installed and
untouched as long as they are not actively causing problems,” Dell's report explains. “However, should an employee
one day connect that system to the Internet, it could become a threat vector for SCADA attacks.”
Make sure your network only allows connections with approved IPs, and follow operational best practices for limiting
exposure, such as restricting or disabling USB ports and Bluetooth.
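One way to act on the "approved IPs" recommendation at the protocol level, as an added example for this page rather than anything from Dell's report: a policy check run over connection-log lines for Modbus/TCP traffic to the PLC segment, distinguishing reads from state-changing function codes. The log format, the subnets (10.10.1.0/24 for SCADA servers and HMIs, 10.10.2.0/24 for PLCs), the approved HMI address 10.10.1.20 and the sample lines are all constructed; the function-code numbers are the public ones from the Modbus application protocol specification.

```python
"""Allow-list check for Modbus/TCP traffic reaching PLCs, run over sample
connection-log lines. Added example for this page; the log format, subnets,
addresses and sample lines are constructed, not taken from Dell's report or
from any product.
"""
import ipaddress
from typing import List, Tuple

IPNet = ipaddress.IPv4Network
OT_NET = IPNet("10.10.2.0/24")                    # PLC/RTU segment (assumed)
SCADA_NET = IPNet("10.10.1.0/24")                 # servers and HMIs (assumed)
WRITERS = {ipaddress.IPv4Address("10.10.1.20")}   # only the HMI may change state
MODBUS_PORT = 502
WRITE_FCS = {5, 6, 15, 16, 22, 23}   # coil/register writes, mask write, read/write
DIAG_FCS = {8, 43}                   # diagnostics / device identification


def parse_line(line: str) -> dict:
    """Parse 'key=value' fields after the timestamp (constructed log format)."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return {"src": ipaddress.IPv4Address(fields["src"]),
            "dst": ipaddress.IPv4Address(fields["dst"]),
            "dport": int(fields["dport"]),
            "fc": int(fields["fc"])}


def verdict(ev: dict) -> Tuple[str, str]:
    """Decide allow/deny/alert for one connection, most severe rule first."""
    if ev["dport"] != MODBUS_PORT or ev["dst"] not in OT_NET:
        return "ignore", "not Modbus traffic to the OT segment"
    if ev["src"] not in SCADA_NET and ev["src"] not in OT_NET:
        return "deny", "source outside approved networks"
    if ev["fc"] in WRITE_FCS and ev["src"] not in WRITERS:
        return "deny", "write function from non-approved host"
    if ev["fc"] in DIAG_FCS:
        return "alert", "diagnostic/identification request (recon indicator)"
    return "allow", "approved source and function"


def audit(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source, verdict, reason) for every log line."""
    return [(ev["src"].exploded, *verdict(ev)) for ev in map(parse_line, lines)]


# Constructed sample log: an HMI poll and set-point write, an engineering
# workstation writing, an Internet host polling, an unknown host fingerprinting
# the PLC, and unrelated web traffic.
SAMPLE_LOG = [
    "2015-03-02T10:15:01Z src=10.10.1.20 dst=10.10.2.5 dport=502 fc=3",
    "2015-03-02T10:15:02Z src=10.10.1.20 dst=10.10.2.5 dport=502 fc=6",
    "2015-03-02T10:15:03Z src=10.10.1.30 dst=10.10.2.5 dport=502 fc=16",
    "2015-03-02T10:15:04Z src=203.0.113.7 dst=10.10.2.5 dport=502 fc=3",
    "2015-03-02T10:15:05Z src=10.10.1.44 dst=10.10.2.5 dport=502 fc=43",
    "2015-03-02T10:15:06Z src=10.10.1.44 dst=10.10.2.5 dport=80 fc=0",
]
```

In practice this logic belongs in a firewall or industrial IDS between the office and control networks; the point is that an IP allow-list alone is not enough, since an engineering workstation that may legitimately read a PLC should still not be able to write set-points to it, and device-identification requests from an unexpected host are an early reconnaissance signal worth an alert even when the host is on the right subnet.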
Dell also urges manufacturers to report and share information about SCADA attacks to help ensure the industrial
community as a whole is appropriately aware of emerging threats.
Mobile security
As mobility continues to take hold in the manufacturing space and the bring-your-own-device (BYOD) trend grows, it's
worth noting another section of Dell's threat report focused on sophisticated new malware techniques targeting
smartphones. “Smartphone attacks have been a security concern since mobile devices began to reach widespread
adoption, but it wasn't until 2014 that smartphone malware began to look and act like its desktop predecessors,”
Dell's report notes.
Both Android and iOS malware took hold in 2014, and Dell expects malware to emerge this year targeting wearables,
televisions and other ancillary devices. “The pairing of these devices to laptops and smartphones will give hackers an
easy attack vector, and these devices will become much more enticing as the market grows in the coming months,”
the report details.
Common factors
Though Dell’s report details several key findings in a variety of industries and attack points, there were some key
common denominators. For example, several of the breaches throughout the year involved companies that
overlooked one or more basic threat vectors: outdated, unpatched software; under-restricted contractor access to
networks; under-secured network access for mobile or distributed users; and under-regulated Internet access for all
employees.
“Some of these threat vectors have posed security challenges for years, while others are emerging as a result of
today’s highly mobile, consumer-tech-empowered workforce,” the report says. “As always, cyber criminals remain
adept at finding new ways to exploit common blind spots and even use companies’ best security intentions against
them.”
The most effective approach manufacturers can take is a defense-in-depth program, Dell concluded, establishing
multiple layers of security and threat intelligence for preventing and responding to attacks on the network.
Security issues
SCADA systems that tie together decentralized facilities such as power, oil, gas pipelines, water distribution and
wastewater collection systems were designed to be open, robust, and easily operated and repaired, but not
necessarily secure. The move from proprietary technologies to more standardized and open solutions, together with
the increased number of connections between SCADA systems, office networks and the Internet, has made them more
vulnerable to types of network attacks that are relatively common in computer security. For example, the United States
Computer Emergency Readiness Team (US-CERT) released a vulnerability advisory about a flaw that allowed unauthenticated
users to download sensitive configuration information, including password hashes, on an Inductive Automation Ignition
system, using a standard attack type that leveraged access to the Tomcat embedded web server. Security researcher
Jerry Brown submitted a similar advisory regarding a buffer overflow vulnerability in a Wonderware InBatch client
ActiveX control. Both vendors made updates available prior to public vulnerability release. Mitigation
recommendations were standard patching practices and requiring VPN access for secure connectivity. Consequently,
the security of some SCADA-based systems has come into question as they are seen as potentially vulnerable to cyber
attacks.
In particular, security researchers are concerned about:
The lack of concern about security and authentication in the design, deployment and operation of some existing
SCADA networks
The belief that SCADA systems have the benefit of security through obscurity through the use of specialized protocols
and proprietary interfaces
The belief that SCADA networks are secure because they are physically secured
The belief that SCADA networks are secure because they are disconnected from the Internet.
SCADA systemsare used to control and monitor physical processes,examplesof which are transmission of electricity,
transportation of gas and oil in pipelines, water distribution, traffic lights, and other systems used as the basis of
modern society. The security of these SCADA systems is important because compromise or destruction of these
systems would impact multiple areas of society far removed from the original compromise. For example, a blackout
caused by a compromised electrical SCADA system would cause financial losses to all the customers that received
electricity from that source. How security will affect legacy SCADA and new deployments remains to be seen.
There are many threat vectors to a modern SCADA system. One is the threat of unauthorized access to the control
software, whether it be human access or changes induced intentionally or accidentally by virus infections and other
software threats residing on the control host machine. Another is the threat of packet access to the network
segments hosting SCADA devices. In many cases, the control protocol lacks any form of cryptographic security,
allowing an attacker to control a SCADA device by sending commands over a network. In many cases SCADA users
have assumed that having a VPN offered sufficient protection, unaware that security can be trivially bypassed with
physical access to SCADA-related network jacks and switches. Industrial control vendors suggest approaching SCADA
security like Information Security with a defense in depth strategy that leverages common IT practices.
The reliable function of SCADA systems in our modern infrastructure may be crucial to public health and safety. As
such, attacks on these systems may directly or indirectly threaten public health and safety. Such an attack has already
occurred, carried out on Maroochy Shire Council's sewage control system in Queensland, Australia. Shortly after a
contractor installed a SCADA system in January 2000, system components began to function erratically. Pumps did not
run when needed and alarms were not reported. More critically, sewage flooded a nearby park and contaminated an
open surface-water drainage ditch and flowed 500 meters to a tidal canal. The SCADA system was directing sewage
valves to open when the design protocol should have kept them closed. Initially this was believed to be a system bug.
Monitoring of the system logs revealed the malfunctions were the result of cyber attacks. Investigators reported 46
separate instances of malicious outside interference before the culprit was identified. The attacks were made by a
disgruntled ex-employee of the company that had installed the SCADA system. The ex-employee was hoping to be
hired by the utility full-time to maintain the system.
In April 2008, the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack
issued a Critical Infrastructures Report which discussed the extreme vulnerability of SCADA systems to an
electromagnetic pulse (EMP) event. After testing and analysis, the Commission concluded: "SCADA systems are
vulnerable to EMP insult. The large numbers and widespread reliance on such systems by all of the Nation’s critical
infrastructures represent a systemic threat to their continued operation following an EMP event. Additionally, the
necessity to reboot, repair, or replace large numbers of geographically widely dispersed systems will considerably
impede the Nation’s recovery from such an assault."
Many vendors of SCADA and control products have begun to address the risks posed by unauthorized access by
developing lines of specialized industrial firewall and VPN solutions for TCP/IP-based SCADA networks as well as
external SCADA monitoring and recording equipment. The International Society of Automation (ISA) started
formalizing SCADA security requirements in 2007 with a working group, WG4. WG4 "deals specifically with unique
technical requirements, measurements, and other features required to evaluate and assure security resilience and
performance of industrial automation and control systems devices".
The increased interest in SCADA vulnerabilities has resulted in vulnerability researchers discovering vulnerabilities in
commercial SCADA software and more general offensive SCADA techniques presented to the general security
community. In electric and gas utility SCADA systems, the vulnerability of the large installed base of wired and
wireless serial communications links is addressed in some cases by applying bump-in-the-wire devices that employ
authentication and Advanced Encryption Standard encryption rather than replacing all existing nodes.
In June 2010, anti-virus security company VirusBlokAda reported the first detection of malware that attacks SCADA
systems (Siemens' WinCC/PCS 7 systems) running on Windows operating systems. The malware is called Stuxnet and
uses four zero-day attacks to install a rootkit which in turn logs into the SCADA's database and steals design and
control files. The malware is also capable of changing the control system and hiding those changes. The malware was
found on 14 systems, the majority of which were located in Iran.
In October 2013 National Geographic released a docudrama titled "American Blackout" which dealt with a large-scale
cyber attack on SCADA and the United States' electrical grid.
Common SCADA System Threats and Vulnerabilities
As any IT manager understands, particularly those managing SCADA and industrial control networks, keeping SCADA
systems safe from security threats isn’t just about peace of mind. These systems control critical components of industrial
automation networks. If there’s a problem with them, essential services – such as water and power – could be shut down
for thousands or millions of people.
However, despite knowing this, there’s a frightening truth many of us are ignoring: attacks on SCADA systems are on the
rise, and it is possible that many infiltrated systems have gone undetected. Cyber criminals often “infect” systems and
silently monitor traffic, observe activity, and wait for months or even years before taking any action. This allows them to
strike when they can cause the most damage.
While we’d rather not have to face the fact that our critical infrastructures could very well be compromised, there is good
news. Understanding common SCADA system threats and vulnerabilities allows us to develop a clear, actionable
framework for overcoming these security issues.
Many if not most SCADA systems are currently vulnerable to cyber-attacks due to the following:
Lack of monitoring. Without active network monitoring, it is impossible to detect suspicious activity, identify
potential threats, and quickly react to cyber-attacks.
Slow updates. As SCADA systems become more advanced, they also become more vulnerable to new attacks. Maintaining
firmware and software updates may be inconvenient (without the proper systems in place), but they’re necessary for
maximum protection.
Lack of knowledge about devices. Connecting devices to a SCADA system allows for remote monitoring and
updates, but not all devices have equal reporting capabilities. Since most SCADA systems have been developed gradually
over time, it’s not uncommon to see technology that’s 5 years old paired with technology that’s 20 years old. This means
the knowledge about network-connected devices is often incomplete.
Not understanding traffic. Managers need to know what type of traffic is going through their networks. Only
then can they make informed decisions about how to respond to potential threats. With advanced data analysis,
managers can get a big-picture view of data gathered from traffic monitoring, and translate that into actionable
intelligence. For example, an infiltrated system might check in with a foreign server once every 30, 45, or 180 days.
Authentication holes. Authentication solutions are designed to keep the wrong people from accessing the SCADA
system. However, this can easily be defeated due to common unsafe practices such as poor passwords, username
sharing, and weak authentication.
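The “lack of monitoring” and “not understanding traffic” points above, worked as an added example that is not part of the original document or its sources: a review of a constructed flow log that flags destinations outside an approved address list (the Dell recommendation earlier) and host pairs that talk on a fixed long interval, the low-and-slow check-in pattern described. The approved networks, hosts and records are assumptions constructed for illustration.

```python
"""Added example (not from the original document or the reports it cites):
a traffic review over a constructed flow log. It reports destinations outside
the approved networks and (src, dst) pairs that communicate at a near-constant
long interval, the periodic check-in pattern a silent infiltration shows."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed approved ranges (assumption): control LAN and the vendor VPN pool
APPROVED_NETWORKS = [ip_network("10.10.0.0/16"), ip_network("192.0.2.0/24")]

# Constructed flow log (assumption): "timestamp src dst bytes", one per line.
# 10.10.1.7 is an HMI that talks to a historian (10.10.2.20) irregularly and
# to an outside host (203.0.113.9) exactly every 30 days.
SAMPLE_FLOWS = """\
2016-01-05T02:00:00 10.10.1.7 203.0.113.9 512
2016-01-05T08:00:00 10.10.1.7 10.10.2.20 40960
2016-01-05T09:30:00 10.10.1.7 10.10.2.20 38000
2016-01-09T08:00:00 10.10.1.7 10.10.2.20 41000
2016-01-09T12:00:00 10.10.1.7 10.10.2.20 39500
2016-01-20T14:15:00 10.10.3.4 198.51.100.20 2048
2016-02-04T02:00:00 10.10.1.7 203.0.113.9 530
2016-02-10T11:00:00 10.10.3.4 192.0.2.15 9000
2016-03-05T02:00:00 10.10.1.7 203.0.113.9 498
"""


def parse_flows(text):
    """Parse the log into (timestamp, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def is_approved(ip):
    """True when the address falls inside one of the approved networks."""
    addr = ip_address(ip)
    return any(addr in net for net in APPROVED_NETWORKS)


def unapproved_destinations(flows):
    """Sorted (src, dst) pairs whose destination is outside every approved network."""
    return sorted({(s, d) for _, s, d, _ in flows if not is_approved(d)})


def periodic_beacons(flows, min_hits=3, max_jitter_days=1.0):
    """Pairs seen at least min_hits times whose inter-contact gaps barely vary.

    Returns pair -> mean gap in days. Normal operational traffic (bursty,
    irregular) fails the jitter test; a fixed 30/45/180-day check-in passes."""
    by_pair = defaultdict(list)
    for ts, s, d, _ in flows:
        by_pair[(s, d)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() / 86400 for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter_days:
            beacons[pair] = round(mean(gaps), 1)
    return beacons


def review(text=SAMPLE_FLOWS):
    """Run both checks over a flow log and return the findings."""
    flows = parse_flows(text)
    return {"unapproved": unapproved_destinations(flows),
            "beacons": periodic_beacons(flows)}


if __name__ == "__main__":
    for name, finding in review().items():
        print(name, finding)
```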
Security countermeasures for SCADA
Physical security
Physical security is another aspect that must be properly managed. All plants that host SCADA systems and
networks must be assessed. SCADA systems are usually distributed over large distances in multiple locations
with different physical security measures. Their protection must be carefully evaluated. It’s important to
evaluate the overall infrastructure to identify weaknesses, evaluate defense measures to implement, and the
expected benefits. Best practices include the assessment of the physical security of remote environments that are
directly connected to a SCADA.
“Any location that has a connection to the SCADA network is a target, especially unmanned or unguarded
remote sites. Conduct a physical security survey and inventory access points at each facility that has a
connection to the SCADA system.”
Establish proper physical security through the adoption of defensive measures like guards and gates to protect
equipment from unauthorized access and sabotage. Every external connection to the perimeter of the facility has
to be assessed. It’s suggested to use security products for perimeter protection that meet NIST FIPS standards.
Physical restrictions that could be applied to improve security to prevent incidents are:
Restricted access to the site
Restricted number of technicians responsible for maintenance
No use of mobile support
Segregated control network, no connection to other networks
Each computer is locked in a restricted room or cabinet
Roles and responsibility – management
Management has a crucial role in security. Its primary task is to provide a strong commitment for the
implementation of an efficient cyber strategy. That includes the assignment of cyber security roles,
responsibilities, and authorities for personnel. Each employee needs to know their responsibilities to protect
information and assets of SCADAs. Key personnel need to be given sufficient authority to carry out their assigned
responsibilities. A detailed security policy must be in place that describes how management defines roles and
responsibilities. Each employee must be informed of all procedures adopted to keep architecture secure.
The first goal of management is to define a structured security program with mandated requirements to reach
expectations and provide personnel with formalized policies and procedures. Senior management must establish
expectations for cyber security performance and hold individuals accountable for their performance.
Compliance with current security standards is necessary to provide a harmonious approach to cyber security.
Employees must be given policies and procedures for their specific security responsibilities, with guidance on the
actions to be taken in response to incidents. The security policy must identify the critical systems
within the SCADA network and their functions, and classify the information they manage.
The security requirements must be identified within security policy to minimize cyber threats, including
menaces from insiders. Personnel training is one of the most important responsibilities for management.
Managers have to provide a strong commitment to organizing training courses.
Training also helps to minimize the likelihood that organizational personnel will inadvertently disclose sensitive
information regarding SCADA system design, operations, or security controls deployed.
Only the people involved explicitly need to have access to the above information. Personnel must be trained to
recognize social engineering attacks made by hackers to gather sensitive information about a computer or
computer network. Typically these attacks precede more invasive and dangerous offensives. The more
information revealed about the internal configuration, the more vulnerable the network is. Keep confidential the data
related to a SCADA network, including manufacturers, key people, computer operating systems and the physical
distribution of the SCADA system.
The responsibility of management is the definition of proper protection strategies, highlighting the risks related
to cyber attackers and the necessary defense systems, for each component. The rapid and continuous evolution
of cyber threats needs frequent revision of protection strategy to ensure it remains effective. Each risk must be
evaluated, analyzing the probability of occurrence for the incident and the related severity. It’s crucial that the
identification of residual risk is accepted by management.
Configuration management processes and assessment
Configuration management is a critical component for the security of the infrastructure, for both hardware and
software configurations. Each modification to the overall infrastructure could have a serious impact on its
security. Changes could introduce vulnerabilities that undermine security.
“Configuration management begins with well-tested and documented security baselines for your various
systems. Robust performance evaluation processes are needed to provide organizations with feedback on the
effectiveness of cyber security policy and technical implementation.”
The impact of any modification of the infrastructure must be correctly evaluated with assessment processes
conducted by both internal and external professionals. Routine vulnerability assessment and automated auditing
of the network and systems must be part of the configuration management process.
The NSA document titled “Securing Supervisory Control and Data Acquisition (SCADA) and Control Systems
(CS)” introduces the following suggestions for configuration management:
Map out and document the entire CS network, including CS and infrastructure device configurations
Prepare and configure new equipment off-line
Sanitize old equipment before disposal
Keep CS infrastructure security features current with device moves, additions, and decommissions
Enable auditing features and periodically examine the resulting logs for signs of unusual activity
Synchronize to a common time reference, so audit logs become more useful during incident response
Develop a Disaster Recovery Plan (DRP) for the CS, and if possible test it!
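The baseline, inventory and time-reference items in the list above, as an added example that is not code from the NSA document or any vendor: an audit that compares constructed device snapshots against a documented configuration baseline and reports changed settings, undocumented and missing devices, and clocks that have drifted from the reference used for audit logs. Device names, configuration keys, timestamps and the 5-second skew tolerance are constructed assumptions.

```python
"""Added example (not from the NSA document or the original page): a
configuration-management audit. Each device's documented config is hashed as
a baseline; a later snapshot is checked for drift, for devices that were
added or removed without updating the inventory, and for clock skew that
would make audit logs hard to correlate during incident response."""
import hashlib
from datetime import datetime

# Constructed documented baseline (assumption): device -> approved config text
BASELINE = {
    "plc-pump-01": "mode=run\nremote_write=off\nfirmware=2.4.1\n",
    "rtu-valve-07": "mode=run\nremote_write=off\nfirmware=1.9.0\n",
    "rtu-valve-08": "mode=run\nremote_write=off\nfirmware=1.9.0\n",
}

MAX_CLOCK_SKEW_S = 5.0  # tolerated offset from the common time reference (assumption)


def fingerprint(cfg):
    """SHA-256 of the normalized config text; record this with the baseline document."""
    return hashlib.sha256(cfg.encode("utf-8")).hexdigest()


def parse_kv(cfg):
    """Parse 'key=value' lines, ignoring blanks and '#' comments."""
    pairs = {}
    for line in cfg.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        pairs[key.strip()] = value.strip()
    return pairs


def changed_keys(baseline_cfg, current_cfg):
    """Map of key -> (baseline value, current value) for every differing key."""
    old, new = parse_kv(baseline_cfg), parse_kv(current_cfg)
    return {k: (old.get(k), new.get(k))
            for k in old.keys() | new.keys() if old.get(k) != new.get(k)}


def audit(snapshot, reference_time):
    """snapshot: device -> {"config": text, "clock": ISO timestamp read from the device}.

    Returns changed settings, devices absent from the baseline (unknown),
    baseline devices absent from the snapshot (missing) and clock skew in seconds."""
    report = {"changed": {}, "unknown": [], "missing": [], "clock_skew": {}}
    for dev, data in snapshot.items():
        if dev not in BASELINE:
            report["unknown"].append(dev)  # undocumented device on the CS network
            continue
        if fingerprint(data["config"]) != fingerprint(BASELINE[dev]):
            report["changed"][dev] = changed_keys(BASELINE[dev], data["config"])
        skew = abs((datetime.fromisoformat(data["clock"]) - reference_time).total_seconds())
        if skew > MAX_CLOCK_SKEW_S:
            report["clock_skew"][dev] = skew
    report["unknown"].sort()
    report["missing"] = sorted(set(BASELINE) - set(snapshot))
    return report


# Constructed snapshot (assumption): remote_write was switched on for the pump
# PLC, rtu-valve-08 has disappeared, an engineering HMI appeared undocumented,
# and rtu-valve-07's clock is two minutes behind the reference.
SAMPLE_SNAPSHOT = {
    "plc-pump-01": {"config": "mode=run\nremote_write=on\nfirmware=2.4.1\n",
                    "clock": "2016-03-01T10:00:01"},
    "rtu-valve-07": {"config": "mode=run\nremote_write=off\nfirmware=1.9.0\n",
                     "clock": "2016-03-01T09:58:00"},
    "hmi-eng-02": {"config": "mode=engineering\n", "clock": "2016-03-01T10:00:00"},
}
REFERENCE_TIME = datetime(2016, 3, 1, 10, 0, 0)


if __name__ == "__main__":
    for section, finding in audit(SAMPLE_SNAPSHOT, REFERENCE_TIME).items():
        print(section, finding)
```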
System backups and disaster recovery plans
Recovery is the ability to restore a compromised system to its operational status. Establishing a disaster
recovery plan is fundamental for rapid recovery from any incidents, such as cyber attacks.
System backups are an essential part of any plan and they allow rapid reconstruction of the network. Routinely
exercise disaster recovery plans to ensure that they work and that all employees know the procedure to follow.
Every change to the overall architecture has to trigger a review of the plan to apply the appropriate changes to
disaster recovery plans.
Recovery plans usually include:
Adoption of redundant hardware and fault tolerant systems
Fallback mechanisms
System backup procedure
The disaster recovery plan allows the organization to prepare for, respond to and recover from a disruptive event,
including a cyber attack. The following criteria should be considered in case of a hardware failure:
Determine and document the procedures for responding to a disaster that involves the SCADA center and its
services.
Acquire additional hardware for disaster recovery plan or locate current backup hardware to a different location.
Periodically test the disaster recovery plan.
Related to software components, it’s possible to follow the criteria below in case of malfunction:
Determine ways to recover from any type of loss including historical data, installation media, application files,
configuration files, documents, and software licenses.
Establish a strategy to keep the system up-to-date.
Evaluate the set of data and applications to restore to their previous state in the event of a disaster.
Create a centralized inventory of all software titles and licenses, and evaluate the possibility of replicating it in
different locations.
Perform regular system backups and send copies of backup files to storage area networks off-site.
Periodically test backup copies and the restore procedures operated by personnel.
Conclusions
SCADA systems are increasing in complexity, due to the integration of different components, in many cases
produced by different manufacturers. It’s necessary to address the security level of each device and the overall
environment. The design of SCADAs must change completely and take care of all the security requirements.
That’s done by considering their attack surface and exposure to cyber threats that could harm the systems.
There must be a collective effort by all governments to produce continuous reports on the security status of
critical infrastructures and related SCADA systems. The overall security will pass through a global
collaboration and information sharing on the possible cyber threats and the vulnerabilities of every device that is
qualified for the market.
The security component must become part of the project of an industrial system. It must be considered a
specific requirement. The overall security of critical infrastructures must be audited during the entire lifecycle
of its components.
Recently the heads of the Federal Bureau of Investigation (FBI), Department of Homeland Security, and
National Counterterrorism Center have declared cyber attacks are the most likely form of terrorism against the
United States in the coming years.
“That’s where the bad guys will go. There are no safe neighborhoods. All of us are neighbors [online].” FBI
director James Comey said about cyberterrorism.
These words should make us think about the real importance of security for critical systems of our
infrastructure, including SCADAs.
Kunal Gupta,
Lucideus Student
www.lucideus.com
27 www.lucideus.com

Más contenido relacionado

La actualidad más candente

Scada systems automating electrical distribution
Scada systems automating electrical distributionScada systems automating electrical distribution
Scada systems automating electrical distributionSHUBHAM SAINI
 
SCADA System ? Supervisory Control & Data Acquisition
SCADA System ? Supervisory Control & Data AcquisitionSCADA System ? Supervisory Control & Data Acquisition
SCADA System ? Supervisory Control & Data AcquisitionPower System Operation
 
Scada and power system automation
Scada and power system automationScada and power system automation
Scada and power system automationShubham Kapoor
 
123126804 scada
123126804 scada123126804 scada
123126804 scadathangbd
 
Supervisory Contro and Data Acquisition - SCADA
Supervisory Contro and Data Acquisition - SCADASupervisory Contro and Data Acquisition - SCADA
Supervisory Contro and Data Acquisition - SCADAAhmed Elsayed
 
SCADA (Supervisory Control & data Acquisation) PPT
SCADA (Supervisory Control & data Acquisation) PPTSCADA (Supervisory Control & data Acquisation) PPT
SCADA (Supervisory Control & data Acquisation) PPTDeepeshK4
 
Scada ppt
Scada pptScada ppt
Scada pptzudakki
 
PLC and SCADA summer training report- government engineering college ajmer
PLC and SCADA summer training report- government engineering college ajmerPLC and SCADA summer training report- government engineering college ajmer
PLC and SCADA summer training report- government engineering college ajmerNemichand sencha
 
Digital control systems
Digital control systemsDigital control systems
Digital control systemsavenkatram
 
Everything you should know about SCADA
Everything you should know about SCADAEverything you should know about SCADA
Everything you should know about SCADAChaiTik Yong
 
supervisory control and data acquisition system
supervisory control and data acquisition systemsupervisory control and data acquisition system
supervisory control and data acquisition systemselvakumar R
 

La actualidad más candente (20)

Scada systems automating electrical distribution
Scada systems automating electrical distributionScada systems automating electrical distribution
Scada systems automating electrical distribution
 
SCADA System ? Supervisory Control & Data Acquisition
SCADA System ? Supervisory Control & Data AcquisitionSCADA System ? Supervisory Control & Data Acquisition
SCADA System ? Supervisory Control & Data Acquisition
 
All about scada
All about scadaAll about scada
All about scada
 
Scada and power system automation
Scada and power system automationScada and power system automation
Scada and power system automation
 
Scada
ScadaScada
Scada
 
SCADA PPT.pdf
SCADA PPT.pdfSCADA PPT.pdf
SCADA PPT.pdf
 
123126804 scada
123126804 scada123126804 scada
123126804 scada
 
Scada System
Scada  SystemScada  System
Scada System
 
Supervisory Contro and Data Acquisition - SCADA
Supervisory Contro and Data Acquisition - SCADASupervisory Contro and Data Acquisition - SCADA
Supervisory Contro and Data Acquisition - SCADA
 
SCADA (Supervisory Control & data Acquisation) PPT
SCADA (Supervisory Control & data Acquisation) PPTSCADA (Supervisory Control & data Acquisation) PPT
SCADA (Supervisory Control & data Acquisation) PPT
 
SCADA
SCADASCADA
SCADA
 
Scada ppt
Scada  pptScada  ppt
Scada ppt
 
Scada ppt
Scada pptScada ppt
Scada ppt
 
PLC and SCADA summer training report- government engineering college ajmer
PLC and SCADA summer training report- government engineering college ajmerPLC and SCADA summer training report- government engineering college ajmer
PLC and SCADA summer training report- government engineering college ajmer
 
Scada & hmi
Scada & hmiScada & hmi
Scada & hmi
 
Digital control systems
Digital control systemsDigital control systems
Digital control systems
 
Everything you should know about SCADA
Everything you should know about SCADAEverything you should know about SCADA
Everything you should know about SCADA
 
plc scada
 plc scada plc scada
plc scada
 
supervisory control and data acquisition system
supervisory control and data acquisition systemsupervisory control and data acquisition system
supervisory control and data acquisition system
 
SCADA
SCADASCADA
SCADA
 

Destacado

OVERVIEW OF PLC AND SCADA
OVERVIEW OF PLC AND SCADAOVERVIEW OF PLC AND SCADA
OVERVIEW OF PLC AND SCADASandeep Sahu
 
System concept of scada
System concept of scadaSystem concept of scada
System concept of scadaStella Hermias
 
Basics of Automation, PLC and SCADA
Basics of Automation, PLC and SCADABasics of Automation, PLC and SCADA
Basics of Automation, PLC and SCADAIndira Kundu
 
Scada systems basics winnie mbau
Scada systems basics winnie mbauScada systems basics winnie mbau
Scada systems basics winnie mbauwinnie15
 
SCADA PPT-21.08.2016 (Revised)
SCADA PPT-21.08.2016 (Revised)SCADA PPT-21.08.2016 (Revised)
SCADA PPT-21.08.2016 (Revised)Virendra Bharadwaj
 
SCADA packages for Power Distribution Utilities
SCADA packages for Power Distribution UtilitiesSCADA packages for Power Distribution Utilities
SCADA packages for Power Distribution UtilitiesChanmeet Singh
 
automation slides,plc,scada,HMI
automation slides,plc,scada,HMIautomation slides,plc,scada,HMI
automation slides,plc,scada,HMIBOSCH
 

Destacado (11)

OVERVIEW OF PLC AND SCADA
OVERVIEW OF PLC AND SCADAOVERVIEW OF PLC AND SCADA
OVERVIEW OF PLC AND SCADA
 
System concept of scada
System concept of scadaSystem concept of scada
System concept of scada
 
Basics of Automation, PLC and SCADA
Basics of Automation, PLC and SCADABasics of Automation, PLC and SCADA
Basics of Automation, PLC and SCADA
 
Scada systems basics winnie mbau
Scada systems basics winnie mbauScada systems basics winnie mbau
Scada systems basics winnie mbau
 
SCADA PPT-21.08.2016 (Revised)
SCADA PPT-21.08.2016 (Revised)SCADA PPT-21.08.2016 (Revised)
SCADA PPT-21.08.2016 (Revised)
 
ongc project
ongc projectongc project
ongc project
 
ONGC final ppt
ONGC final pptONGC final ppt
ONGC final ppt
 
SCADA packages for Power Distribution Utilities
SCADA packages for Power Distribution UtilitiesSCADA packages for Power Distribution Utilities
SCADA packages for Power Distribution Utilities
 
automation slides,plc,scada,HMI
automation slides,plc,scada,HMIautomation slides,plc,scada,HMI
automation slides,plc,scada,HMI
 
PLC SCADA
PLC SCADAPLC SCADA
PLC SCADA
 
ppt on PLC
ppt on PLCppt on PLC
ppt on PLC
 

Similar a Introduction To SCADA

SCADA - Wikipedia, the free encyclopedia
SCADA - Wikipedia, the free encyclopediaSCADA - Wikipedia, the free encyclopedia
SCADA - Wikipedia, the free encyclopediaRaj Bakshi
 
Airtificial Intelligence in Power System
Airtificial Intelligence in Power SystemAirtificial Intelligence in Power System
Airtificial Intelligence in Power SystemPratik Doshi
 
SCADA only for the advance version of the module
SCADA only for the advance version of the moduleSCADA only for the advance version of the module
SCADA only for the advance version of the moduleAJITTHAKUR68
 
Scada system Final Hakeem luqman pak version.pptx
Scada system Final Hakeem luqman pak version.pptxScada system Final Hakeem luqman pak version.pptx
Scada system Final Hakeem luqman pak version.pptxFaisalSheraz4
 
SCADA Assignment.pptx
SCADA Assignment.pptxSCADA Assignment.pptx
SCADA Assignment.pptxssuser1831ba
 
SCAD system (overview)
SCAD system (overview)SCAD system (overview)
SCAD system (overview)Hassen Lazhar
 
scada system
scada system scada system
scada system surangagw
 
elements of scada.pptx
elements of scada.pptxelements of scada.pptx
elements of scada.pptxchetanharihar2
 
Paper id 37201531
Paper id 37201531Paper id 37201531
Paper id 37201531IJRAT
 
Scada presentation (group 10)
Scada presentation (group 10)Scada presentation (group 10)
Scada presentation (group 10)Ritvik Bhatia
 
How scada systems work
How scada systems workHow scada systems work
How scada systems workelprocus
 
SCADA ... Supervisory control and data acquisition
SCADA ... Supervisory control and data acquisitionSCADA ... Supervisory control and data acquisition
SCADA ... Supervisory control and data acquisitionManohar Tatwawadi
 

Similar a Introduction To SCADA (20)

03 scada.synopsis
03 scada.synopsis03 scada.synopsis
03 scada.synopsis
 
Fps scada
Fps scadaFps scada
Fps scada
 
SCADA Overview
SCADA OverviewSCADA Overview
SCADA Overview
 
SCADA - Wikipedia, the free encyclopedia
SCADA - Wikipedia, the free encyclopediaSCADA - Wikipedia, the free encyclopedia
SCADA - Wikipedia, the free encyclopedia
 
Airtificial Intelligence in Power System
Airtificial Intelligence in Power SystemAirtificial Intelligence in Power System
Airtificial Intelligence in Power System
 
SCADA only for the advance version of the module
SCADA only for the advance version of the moduleSCADA only for the advance version of the module
SCADA only for the advance version of the module
 
Scada system Final Hakeem luqman pak version.pptx
Scada system Final Hakeem luqman pak version.pptxScada system Final Hakeem luqman pak version.pptx
Scada system Final Hakeem luqman pak version.pptx
 
SCADA Assignment.pptx
SCADA Assignment.pptxSCADA Assignment.pptx
SCADA Assignment.pptx
 
Scada pdf
Scada pdfScada pdf
Scada pdf
 
SCAD system (overview)
SCAD system (overview)SCAD system (overview)
SCAD system (overview)
 
What is SCADA
What is SCADAWhat is SCADA
What is SCADA
 
Whatisaplc
WhatisaplcWhatisaplc
Whatisaplc
 
Dcs vs scada
Dcs vs scadaDcs vs scada
Dcs vs scada
 
scada system
scada system scada system
scada system
 
elements of scada.pptx
elements of scada.pptxelements of scada.pptx
elements of scada.pptx
 
Paper id 37201531
Paper id 37201531Paper id 37201531
Paper id 37201531
 
Scada
ScadaScada
Scada
 
Scada presentation (group 10)
Scada presentation (group 10)Scada presentation (group 10)
Scada presentation (group 10)
 
How scada systems work
How scada systems workHow scada systems work
How scada systems work
 
SCADA ... Supervisory control and data acquisition
SCADA ... Supervisory control and data acquisitionSCADA ... Supervisory control and data acquisition
SCADA ... Supervisory control and data acquisition
 

Introduction To SCADA

1. Introduction

It is impossible to keep manual control and supervision over all industrial activities. An automated tool is required that can control, supervise, collect data, analyse data and generate reports. The solution introduced to meet all these demands is the SCADA system.

SCADA stands for supervisory control and data acquisition. It is an industrial control system in which a computer system monitors and controls a process.

The term SCADA usually refers to centralized systems which monitor and control entire sites, or complexes of systems spread out over large areas (anything from an industrial plant to a nation). Most control actions are performed automatically by RTUs or by PLCs. Host control functions are usually restricted to basic overriding or supervisory level intervention. For example, a PLC may control the flow of cooling water through part of an industrial process, but the SCADA system may allow operators to change the set points for the flow, and enable alarm conditions, such as loss of flow and high temperature, to be displayed and recorded. The feedback control loop passes through the RTU or PLC, while the SCADA system monitors the overall performance of the loop.

Figure: SCADA's schematic overview

Data acquisition begins at the RTU or PLC level and includes meter readings and equipment status reports that are communicated to SCADA as required. Data is then compiled and formatted in such a way that a control room operator using the HMI can make supervisory decisions to adjust or override normal RTU (PLC) controls. Data may also be fed to a Historian, often built on a commodity Database Management System, to allow trending and other analytical auditing.

SCADA systems typically implement a distributed database, commonly referred to as a tag database, which contains data elements called tags or points. A point represents a single input or output value monitored or controlled by the system. Points can be either "hard" or "soft". A hard point represents an actual input or output within the system, while a soft point results from logic and math operations applied to other points. (Most implementations conceptually remove the distinction by making every property a "soft" point expression, which may, in the simplest case, equal a single hard point.) Points are normally stored as value-timestamp pairs: a value, and the timestamp when it was recorded or calculated. A series of value-timestamp pairs gives the history of that point. It is also common to store additional metadata with tags, such as the path to a field device or PLC register, design time comments, and alarm information.

Common system components

A SCADA system usually consists of the following subsystems:

Remote terminal units (RTUs) connect to sensors in the process and convert sensor signals to digital data. They have telemetry hardware capable of sending digital data to the supervisory system, as well as receiving digital commands from the supervisory system. RTUs often have embedded control capabilities such as ladder logic in order to accomplish boolean logic operations.

Programmable logic controllers (PLCs) connect to sensors in the process and convert sensor signals to digital data. PLCs have more sophisticated embedded control capabilities (typically one or more IEC 61131-3 programming languages) than RTUs. PLCs do not have telemetry hardware, although this functionality is typically installed alongside them. PLCs are sometimes used in place of RTUs as field devices because they are more economical, versatile, flexible, and configurable.

A telemetry system is typically used to connect PLCs and RTUs with control centers, data warehouses, and the enterprise. Examples of wired telemetry media used in SCADA systems include leased telephone lines and WAN circuits. Examples of wireless telemetry media used in SCADA systems include satellite (VSAT), licensed and unlicensed radio, cellular and microwave.

A data acquisition server is a software service which uses industrial protocols to connect software services, via telemetry, with field devices such as RTUs and PLCs. It allows clients to access data from these field devices using standard protocols.
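As an added illustration of the point model described above (example code, not from the Lucideus deck), the following Python sketch keeps hard points mirrored from PLC registers, soft points computed from other points, a value-timestamp history per point and alarm limits; the cooling-water tag names, register paths, readings and limits are constructed for the example.

```python
"""Tag database sketch: hard points, soft points, value-timestamp history, alarms.

Added example, not from the original deck. Register paths, tag names, readings
and alarm limits below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Point:
    name: str
    # Hard points carry the path to the field device / PLC register they mirror.
    register_path: Optional[str] = None
    # Soft points carry an expression evaluated against the rest of the database.
    expression: Optional[Callable[["TagDatabase"], float]] = None
    alarm_low: Optional[float] = None
    alarm_high: Optional[float] = None
    comment: str = ""
    # Every recorded or calculated value is kept as a (value, timestamp) pair.
    history: List[Tuple[float, float]] = field(default_factory=list)

    @property
    def is_hard(self) -> bool:
        return self.expression is None

    def current(self) -> Optional[float]:
        return self.history[-1][0] if self.history else None

    def in_alarm(self) -> bool:
        v = self.current()
        if v is None:
            return False
        return (self.alarm_low is not None and v < self.alarm_low) or \
               (self.alarm_high is not None and v > self.alarm_high)


class TagDatabase:
    def __init__(self) -> None:
        self.points: Dict[str, Point] = {}

    def add(self, point: Point) -> None:
        if point.name in self.points:
            raise ValueError(f"duplicate tag {point.name}")
        self.points[point.name] = point

    def value(self, name: str) -> float:
        v = self.points[name].current()
        if v is None:
            raise LookupError(f"tag {name} has no value yet")
        return v

    def recent(self, name: str, n: int) -> List[float]:
        """Last n recorded values of a point, oldest first."""
        return [v for v, _ in self.points[name].history[-n:]]

    def scan(self, readings: Dict[str, float], timestamp: float) -> None:
        """One acquisition cycle: store hard-point readings, then recompute soft points.

        Soft points are evaluated in insertion order, so a soft point may depend
        on any point that was added before it."""
        for name, value in readings.items():
            p = self.points[name]
            if not p.is_hard:
                raise ValueError(f"{name} is a soft point and cannot be written")
            p.history.append((value, timestamp))
        for p in self.points.values():
            if not p.is_hard:
                p.history.append((p.expression(self), timestamp))

    def active_alarms(self) -> List[str]:
        return [p.name for p in self.points.values() if p.in_alarm()]


def build_cooling_water_db() -> TagDatabase:
    """Cooling-water loop from the deck's example, with constructed limits."""
    db = TagDatabase()
    db.add(Point("cw_flow", register_path="PLC1:%MW100", alarm_low=50.0,
                 comment="cooling water flow, m3/h (constructed)"))
    db.add(Point("cw_temp", register_path="PLC1:%MW101", alarm_high=60.0,
                 comment="cooling water return temperature, degC (constructed)"))
    # Soft point: 3-scan moving average of flow, which smooths a single bad reading.
    db.add(Point("cw_flow_avg3", alarm_low=50.0,
                 expression=lambda d: sum(d.recent("cw_flow", 3)) / len(d.recent("cw_flow", 3))))
    return db


def simulate() -> TagDatabase:
    """Three scan cycles; the last one shows loss of flow and high temperature."""
    db = build_cooling_water_db()
    db.scan({"cw_flow": 120.0, "cw_temp": 45.0}, timestamp=0)
    db.scan({"cw_flow": 118.0, "cw_temp": 47.0}, timestamp=1)
    db.scan({"cw_flow": 20.0, "cw_temp": 61.0}, timestamp=2)
    return db


if __name__ == "__main__":
    db = simulate()
    for name, p in db.points.items():
        print(f"{name:14} {'hard' if p.is_hard else 'soft'} {p.history}")
    print("alarms:", db.active_alarms())
```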
A Human-Machine Interface or HMI is the apparatus or device which presents processed data to a human operator, and through this the human operator monitors and interacts with the process. The HMI is a client that requests data from a data acquisition server, or, in most installations, the HMI is the graphical user interface for the operator: it collects all data from external devices, creates reports, performs alarming, sends notifications, etc.

A historian is a software service which accumulates time-stamped data, boolean events, and boolean alarms in a database which can be queried or used to populate graphic trends in the HMI. The historian is a client that requests data from a data acquisition server.[5]

A supervisory (computer) system gathers (acquires) data on the process and sends commands (control) to the SCADA system.

SCADA components:
- Human Machine Interface (HMI)
- Remote Terminal Units (RTU)
- Programmable Logic Controller (PLC)
- Supervisory (computer) system
- Communication infrastructure

1. Human machine interface (HMI)

A human-machine interface (HMI) is the input-output device through which the human operator controls the process, and which presents process data to a human operator. The HMI is usually linked to the SCADA system's databases and software programs to provide trending, diagnostic data, and management information such as scheduled maintenance procedures, logistic information, detailed schematics for a particular sensor or machine, and expert-system troubleshooting guides.
The HMI system usually presents the information to the operating personnel graphically, in the form of a mimic diagram. This means that the operator can see a schematic representation of the plant being controlled. For example, a picture of a pump connected to a pipe can show the operator that the pump is running and how much fluid it is pumping through the pipe at the moment. The operator can then switch the pump off. The HMI software will show the flow rate of the fluid in the pipe decrease in real time. Mimic diagrams may consist of line graphics and schematic symbols to represent process elements, or may consist of digital photographs of the process equipment overlain with animated symbols.

The HMI package for the SCADA system typically includes a drawing program that the operators or system maintenance personnel use to change the way these points are represented in the interface. These representations can be as simple as an on-screen traffic light, which represents the state of an actual traffic light in the field, or as complex as a multi-projector display representing the position of all of the elevators in a skyscraper or all of the trains on a railway.

2. Remote terminal units (RTU)

A remote terminal unit (RTU) is a microprocessor-controlled electronic device that interfaces objects in the physical world to a distributed control system or SCADA (supervisory control and data acquisition) system by transmitting telemetry data to a master system, and by using messages from the master supervisory system to control connected objects. Another term that may be used for RTU is remote telecontrol unit. An RTU monitors the field digital and analog parameters and transmits data to the Central Monitoring Station. It contains setup software to connect data input streams to data output streams, define communication protocols, and troubleshoot installation problems. An RTU may consist of one complex circuit card consisting of various sections needed to do a custom fitted function, or may consist of many circuit cards including CPU or processing with communications interface(s), and one or more of the following: (AI) analog input, (DI) digital input, (DO/CO) digital or control (relay) output, or (AO) analog output card(s).

3. Programmable logic controller (PLC)

A programmable logic controller (PLC) or programmable controller is a digital computer used for automation of industrial processes, such as control of machinery on factory assembly lines. Unlike general-purpose computers, the PLC is designed for multiple input and output arrangements, extended temperature ranges, immunity to electrical noise, and resistance to vibration and impact. Programs to control machine operation are typically stored in battery-backed or non-volatile memory. A PLC is an example of a real-time system, since output results must be produced in response to input conditions within a bounded time; otherwise unintended operation will result.

Hence, a programmable logic controller is a specialized computer used to control machines and processes. It therefore shares common terms with typical PCs like central processing unit, memory, software and communications. Unlike a personal computer, though, the PLC is designed to survive in a rugged industrial atmosphere and to be very flexible in how it interfaces with inputs and outputs to the real world.
4. Supervisory station

The term supervisory station refers to the servers and software responsible for communicating with the field equipment (RTUs, PLCs, sensors etc.), and then to the HMI software running on workstations in the control room, or elsewhere. In smaller SCADA systems, the master station may be composed of a single PC. In larger SCADA systems, the master station may include multiple servers, distributed software applications, and disaster recovery sites. To increase the integrity of the system, the multiple servers will often be configured in a dual-redundant or hot-standby formation, providing continuous control and monitoring in the event of a server malfunction or breakdown.

5. Communication infrastructure and methods

SCADA systems have traditionally used combinations of radio and direct wired connections, although SONET/SDH is also frequently used for large systems such as railways and power stations. The remote management or monitoring function of a SCADA system is often referred to as telemetry. Some users want SCADA data to travel over their pre-established corporate networks or to share the network with other applications. The legacy of the early low-bandwidth protocols remains, though. SCADA protocols are designed to be very compact. Many are designed to send information only when the master station polls the RTU. Typical legacy SCADA protocols include Modbus RTU, RP-570, Profibus and Conitel. These communication protocols are all SCADA-vendor specific but are widely adopted and used. Standard protocols are IEC 60870-5-101 or 104, IEC 61850 and DNP3. These communication protocols are standardized and recognized by all major SCADA vendors. Many of these protocols now contain extensions to operate over TCP/IP. Although the use of conventional networking specifications, such as TCP/IP, blurs the line between traditional and industrial networking, they each fulfill fundamentally differing requirements.
The importance of security requirements in the design of SCADA systems

Excerpt from the article published in the last edition of PenTest AUDITING & STANDARDS 06 2012

The article exposes the main issues related to the use of SCADA systems in critical infrastructures, providing a careful analysis of the relative level of security on a global scale. It discusses the main vulnerabilities of critical systems exploitable by cyber attacks and the possible solutions to implement to ensure their safety.

Over the last years countries worldwide have discovered that their critical infrastructures are too vulnerable to cyber attacks, due to the increasing attention to cyber security matters and to successful attacks on SCADA systems. Events such as the spread of the Stuxnet virus have alerted the international security community to the risks related to cyber attacks and their disastrous consequences; we have learned how powerful a cyber weapon is and what the real involvement of governments in cyber warfare is.

SCADA (supervisory control and data acquisition) is an industrial control system (ICS) used for the control and monitoring of industrial processes; it is typically present in all those potential targets of a cyber attack such as critical infrastructures or utility facilities. Being related to industrial processes, we find this family of devices everywhere: manufacturing, production, power generation, and many times they are implemented to control the activities of critical systems such as water treatment, electrical power transmission and distribution, and large communication systems. These components are privileged targets for cyber attacks; with a virus it is possible to destroy the processes inside a nuclear plant, as happened at the Natanz nuclear site during the offensive against Iran and its nuclear program.
Western countries have been the first to explore the possibility of a cyber offensive using a cyber weapon such as malware; Operation Olympic Games demonstrates the high attention of the US government to cyber operations and the strong commitment provided first by the Bush administration and afterwards by the Obama one. The scenario is really alarming: an attack on the SCADA system of a sensitive structure could materialize the nightmare of every government, and similar incidents can undermine the safety of millions of individuals and compromise homeland security. Dozens, hundreds, thousands of installations all over the world are potentially vulnerable to attack from anywhere on the planet; the offensive option has moved into what is defined as the fourth dimension, cyberspace, but it could also lead to the loss of many human lives. Our minds need not necessarily fly to a nuclear plant, thinking of a possible accident in its control systems; we can think, for example, of the impact of an attack on the processes in a chemical plant.

The main problem of SCADA systems is that they are large in number, each industrial process has its own, and many of them are exposed on the internet without proper protection. In such a structure it is possible to imagine several entry points for external agents such as malware: the supervisory system is usually a computer based on a commercial OS for which it is possible to exploit known vulnerabilities and, in the case of state-sponsored attacks, also 0-day vulnerabilities. Incidents that have occurred in SCADA systems have demonstrated that these systems can be infected in different ways; we can imagine the inoculation of a virus through a USB stick or via a network interface.

After the recent events many security firms have started the design of specific solutions to address the security problems of SCADA systems, but the major challenge is for governments, which have to include the protection of these critical components in their cyber strategies. Several audits executed by governments on their critical infrastructures have illustrated a dangerous scenario: the lack of security mechanisms for the many systems located all over the world, but what is really alarming is the absence of a precise census of the SCADA systems in many of the principal industrialized countries. Events such as the diffusion of the Stuxnet virus and the alleged incident at the water facility in Illinois that occurred last year have shown the world that it is possible to conduct terrorist attacks on a foreign state remotely; this has increased the awareness of cyber threats and the necessity to implement the right countermeasures to mitigate the risks.

Defense mechanisms are virtually absent: SCADA system components are often under the governance of local authorities who do not have adequately trained personnel and who operate with limited budgets. This means that this kind of control device is installed everywhere without being qualified in the installation phase. There are many systems deployed with factory settings, pre-set standard configurations common to entire classes of devices. To this we add that even those who maintain them do not excel in security, making the devices accessible for remote diagnostics without the necessary attention. Fortunately, something has changed: precise guidelines identify best practices to follow in the management of SCADA systems, and operations groups monitor the operation of facilities around the country.

The last "INTERNET SECURITY THREAT REPORT" published by Symantec reports that during 2011 several weaknesses were detected in Critical Infrastructure Systems; the security firm has seen a dramatic increase in the number of publicly-reported SCADA vulnerabilities, from 15 in 2010 to 129 in 2011. Since the emergence of the Stuxnet worm in 2010, SCADA systems have attracted wider attention from security researchers. However, 93 of the 129 newly published vulnerabilities were the product of just one security researcher.

In December the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) distributed a new alert to provide timely notification to critical infrastructure owners and operators concerning threats or activity with a potential impact on critical infrastructure computing networks. ICS-CERT informed that some models of the Modicon Quantum PLC used in industrial control systems contain multiple hidden accounts that use predetermined passwords to grant remote access. Palatine, Illinois-based Schneider Electric, the maker of the device, has produced fixes for some of the weaknesses and continues to develop additional mitigations. ICS-CERT encourages researchers to coordinate vulnerability details before public release.

In a SCADA system the programmable logic controllers (PLCs) are directly connected to in-field sensors that provide data to control critical components (e.g. centrifuges or turbines). Often the default passwords are hard-coded into the Ethernet cards the systems use to funnel commands into the devices, allowing administrators to remotely log into the machinery. The independent security researcher Rubén Santamarta reported that the NOE 100 and NOE 771 modules contain at least 14 hard-coded passwords, some of which are published in support manuals. Even in cases where the passcodes are obscured using cryptographic hashes, they are trivial to recover thanks to documented weaknesses in the underlying VxWorks operating system. As a result, an attacker can exploit the weakness to log into devices and gain privileged access to their controls. Hard-coded passwords are a common weakness built into many industrial control systems, including some S7 series PLCs from Siemens. Because the systems control the machinery connected to dams, gasoline refineries, and water treatment plants, unauthorized access is considered a national security threat because it could be used to sabotage their operation.

Doing a search on the server search engine known as Shodan, it is possible to discover what appear to be working links to several of the vulnerable Schneider models. Santamarta said there is no fix for the devices other than to retire the faulty Ethernet cards and replace them with better-designed ones. The ICS-CERT advisory issued in December said the fixes from Schneider remove the telnet and Windriver services. The advisory made no mention of changes to FTP services.

The scenario is very worrying and reveals the need for a radical change; fortunately, the emergency has been perceived by most nations. ENISA (the European Network and Information Security Agency) has produced a recommendation for Europe and Member States on how to protect Industrial Control Systems. The document describes the current scenario of Industrial Control System security and proposes seven recommendations to improve it. The recommendations call for the creation of national and pan-European ICS security strategies, the development of a Good Practices Guide on ICS security, fostering awareness and education as well as research activities, and the establishment of a common test bed and ICS computer emergency response capabilities.

In June the Pacific Northwest National Laboratory (PNNL), a federal contractor to the U.S. Department of Energy (DOE), in collaboration with McAfee published an interesting report entitled "Technology Security Assessment for Capabilities and Applicability in Energy Sector Industrial Control Systems: McAfee Application Control, Change Control, Integrity Control."
The Case

Immediately after the Stuxnet virus, governments and intelligence agencies all over the world requested assessments of the security of the critical infrastructure of their countries. Much of the focus was on evaluating the efficiency offered by the defensive measures adopted to protect SCADAs and ICSes from cyber attacks. After Stuxnet, debate on the use of software and malicious applications in information warfare has increased. Governments are investing to improve cyber capabilities, working on both the defensive and the offensive side. Despite greater awareness of cyber threats, the critical infrastructures of countries are still too vulnerable. Many security experts are convinced that an imminent incident caused by a cyber attack is likely soon.

Just a few days ago, Eugene Kaspersky, CEO of Kaspersky Security, revealed that a staffer at an unnamed Russian nuclear plant informed him of an infection. "The staffer said their nuclear plant network which was disconnected from the internet ... was badly infected by Stuxnet. So unfortunately these people who were responsible for offensive technologies, they recognize cyber weapons as an opportunity."

Stuxnet had infected the internal network of a Russian nuclear plant, in exactly the same way it compromised the control system in the Iranian nuclear facilities at Natanz. That is happening despite the cyber threat being well known and various security solutions being able to neutralize it. Stuxnet infected the network within a Russian nuclear plant isolated from the Internet. The attackers probably used USB or mobile devices to spread the malware. Russian intelligence agencies have in the past already observed this infection mode used to cross a physically separated ('air-gapped') network. For example, Russian astronauts had carried a virus on removable media to the International Space Station, infecting machines there, according to Kaspersky.
"NASA has confirmed that laptops carried to the ISS in July were infected with a virus known as Gammima.AG. The worm was first detected on Earth in August 2007 and lurks on infected machines waiting to steal login names for popular online games. NASA said it was not the first time computer viruses had travelled into space and it was investigating how the machines were infected."

I mentioned the Stuxnet malware because it is considered a case study. The malicious agent is so notorious, yet it is still able to compromise networks and control systems within critical infrastructure. Let us try to figure out the effect of unknown cyber threats, developed by governments as cyber weapons, for example. In this article, I will analyze the major security issues related to SCADA systems, and the best practices to follow to protect them.
Figure: Russian Nuclear Plant

According to the last "SANS SCADA and Process Control Security Survey" conducted by the SANS Institute, the awareness of cyber threats and the perception of the risks related to cyber attacks are high. Nearly 70% of respondents believe the threat to be high (53%) to severe (16%). Recent reports from Computer Emergency Response Teams (CERT), government offices, and private companies confirm an escalating risk of cybersecurity events, specifically for the energy sector. The survey indicates that the top threats for control systems are advanced zero-day malware such as Stuxnet, cyber operations conducted by groups of hacktivists, and hacking campaigns of cyber terrorists and state-sponsored hackers. Recently, US-CERT alerted to the continuous spear-phishing campaign that targeted the energy sector to gain remote access to control systems. SCADA system protection must be approached at different levels, defending control systems and educating operational and maintenance personnel. "Training should include specific operational topics on spear-phishing, zero-day activities and managing internal threats."
A Look Back at past SCADA hacking in 2015

It should come as no surprise that Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) that control key functions in critical infrastructure are especially at risk of cyber attack. If saboteurs manage to compromise critical infrastructure services, a country's economy and military defenses can be severely hampered. In addition, since organizations that operate critical infrastructure often own valuable intellectual property, this information can be a target for foreign state actors trying to steal intellectual property to advance their economies or to win competitive bids. In the past year we have seen some disturbing news that highlights the growing risk of SCADA attacks:

December 2014 - SCADA attack causes physical damage: In late 2014, an unnamed German steel mill suffered extensive damage from a cyber attack. The attackers were able to disrupt the control system and prevent a blast furnace from being shut down, resulting in 'massive' damage.

In late December, the annual German Federal Office for Information Security report revealed a disturbing cyberattack on a steel mill that resulted in "massive damage" to the foundry. This case is just one of the latest examples of Hollywood fears coming true through the Internet of Things (IoT). Through the judicious use of online translation engines, we have learned several key things about the attack, although specific details about the company and the full extent of the damage are still unknown.
According to the report, the attacker used sophisticated social engineering and spear-phishing tactics to gain initial access to the steel mill's office network. Individual industrial control components were compromised, which prevented the blast furnace from being shut down. The technical capabilities of the attacker were very advanced, demonstrating a familiarity not only with conventional IT security, but also with the specific applied industrial control and production processes. Although not explicitly stated, we can infer the attacker was likely an insider, or worked with an insider, or was familiar with the industry-standard protocols used in the operation of the mill. Because of the jump from office network to industrial control system, we can also assume the mill's office network had to be connected to the industrial control system. The more familiar the attacker was with this specific company's systems, the easier that link would have been to find and exploit.

SCADA Attacks Double in 2014

Dell Security's annual threat report shows not only a significant surge in the number of attacks on retail credit card systems, but on industrial SCADA systems as well, which are much more likely to go unreported.
For Dell to report an annual surge in point-of-sale (POS) attacks aimed at payment card infrastructures might not be such a surprise to people who pay any attention to the news. We know that the retail industry was hit hard by cybersecurity attacks in 2014: Target wasn't the only target, so to speak, though it got the year started, and was the largest breach in the history of U.S. retail until Home Depot was hit even harder later in the year. There were also significant attacks on Michaels, Staples, Goodwill and more. But don't be thinking that the attacks are just focused there. What Dell also found in its annual threat report was that the number of attacks on SCADA systems doubled from 2013 to 2014. Obviously, that has significant bearing on process industries, which use SCADA systems to control remote equipment and collect data on that equipment's performance.

As industrial manufacturers face threats, other companies within the same space might not even know a SCADA threat exists until they are targeted themselves. "Since companies are only required to report data breaches that involve personal or payment information, SCADA attacks often go unreported," said Patrick Sweeney, executive director for Dell Security. "This lack of information sharing combined with an aging industrial machinery infrastructure presents huge security challenges that will continue to grow in the coming months and years."
Unlike the retail breaches, which are likely geared toward financial gain, attacks against SCADA systems tend to be political in nature, targeting operational capabilities within power plants, factories and refineries. Dell's annual threat report relies on research from its Global Response Intelligence Defense (GRID) network and telemetry data from Dell SonicWall network traffic to identify emerging threats. For SCADA systems, buffer overflow vulnerabilities continue to be the primary point of attack, according to the Dell SonicWall Research Team, accounting for a quarter of the attacks.

The majority of the SCADA attacks targeted Finland, the UK and the U.S. One likely reason for that, however, is that SCADA systems are more common in these regions and more likely to be connected to the Internet. In 2014, Dell saw 202,322 SCADA attacks in Finland, 69,656 in the UK, and 51,258 in the U.S. Along with the doubling of SCADA attacks from 2013 to 2014, a look at January numbers alone shows a staggering rise, year over year. Worldwide SCADA attacks increased from 91,676 in January 2012 to 163,228 in January 2013, and 675,186 in January 2014.

"Everyone knows the threats are real and the consequences are dire, so we can no longer blame lack of awareness for the attacks that succeed," Sweeney said. "Hacks and attacks continue to occur, not because companies aren't taking security measures, but because they aren't taking the right ones."

Dell recommends a few general ways to protect against SCADA attacks.
For one, make sure all software and systems are up to date. "Too often with industrial companies, systems that are not used every day remain installed and untouched as long as they are not actively causing problems," Dell's report explains. "However, should an employee one day connect that system to the Internet, it could become a threat vector for SCADA attacks." Make sure your network only allows connections with approved IPs, and follow operational best practices for limiting exposure, such as restricting or disabling USB ports and Bluetooth.

Dell also urges manufacturers to report and share information about SCADA attacks to help ensure the industrial community as a whole is appropriately aware of emerging threats.

Mobile security

As mobility continues to take hold in the manufacturing space and the bring-your-own-device (BYOD) trend grows, it's worth noting another section of Dell's threat report focused on sophisticated new malware techniques targeting smartphones. "Smartphone attacks have been a security concern since mobile devices began to reach widespread adoption, but it wasn't until 2014 that smartphone malware began to look and act like its desktop predecessors," Dell's report notes. Both Android and iOS malware took hold in 2014, and Dell expects malware to emerge this year targeting wearables, televisions and other ancillary devices. "The pairing of these devices to laptops and smartphones will give hackers an easy attack vector, and these devices will become much more enticing as the market grows in the coming months," the report details.

Common factors

Though Dell's report details several key findings in a variety of industries and attack points, there were some key common denominators. For example, several of the breaches throughout the year involved companies that overlooked one or more basic threat vectors: outdated, unpatched software; under-restricted contractor access to networks; under-secured network access for mobile or distributed users; and under-regulated Internet access for all employees. "Some of these threat vectors have posed security challenges for years, while others are emerging as a result of today's highly mobile, consumer-tech-empowered workforce," the report says. "As always, cyber criminals remain adept at finding new ways to exploit common blind spots and even use companies' best security intentions against them." The most effective approach manufacturers can take is a defense-in-depth program, Dell concluded, establishing multiple layers of security and threat intelligence for preventing and responding to attacks on the network.

Security issues

SCADA systems that tie together decentralized facilities such as power, oil, gas pipelines, water distribution and wastewater collection systems were designed to be open, robust, and easily operated and repaired, but not necessarily secure. The move from proprietary technologies to more standardized and open solutions, together with the increased number of connections between SCADA systems, office networks and the Internet, has made them more vulnerable to types of network attacks that are relatively common in computer security.
For example,UnitedStates ComputerEmergency ReadinessTeam(US-CERT) releaseda vulnerabilityadvisorythat allowedunauthenticatedusers to download sensitive configurationinformationincludingpasswordhasheson an Inductive Automation Ignition systemutilizinga standard attack type leveragingaccessto the Tomcat EmbeddedWebserver.Securityresearcher Jerry Brown submitteda similaradvisory regarding a bufferoverflowvulnerability ina Wonderware inbatchclient activexcontrol. Both vendorsmade updatesavailable prior to publicvulnerabilityrelease.Mitigation recommendationswere standard patching practices and requiringVPN access for secure connectivity.Consequently, the securityof some SCADA-basedsystemshas come into questionas they are seenas potentiallyvulnerable tocyber attacks. In particular, security researchersare concernedabout: The lack of concern about security and authenticationin the design,deploymentandoperationof some existing SCADA networks The beliefthatSCADA systems have the benefitofsecuritythrough obscuritythrough the use ofspecializedprotocols and proprietary interfaces The beliefthatSCADA networks are secure because they are physicallysecured
  • 21. 20 www.lucideus.com The beliefthatSCADA networks are secure because they are disconnectedfromthe Internet. SCADA systemsare used to control and monitor physical processes,examplesof which are transmission of electricity, transportation of gas and oil in pipelines, water distribution, traffic lights, and other systems used as the basis of modern society. The security of these SCADA systems is important because compromise or destruction of these systems would impact multiple areas of society far removed from the original compromise. For example, a blackout caused by a compromised electrical SCADA system would cause financial losses to all the customers that received electricity from that source. How security will affect legacy SCADA and new deployments remains to be seen. There are many threat vectors to a modern SCADA system. One is the threat of unauthorized access to the control software, whether it be human access or changes induced intentionally or accidentally by virus infections and other software threats residing on the control host machine. Another is the threat of packet access to the network segments hosting SCADA devices. In many cases, the control protocol lacks any form of cryptographic security, allowing an attacker to control a SCADA device by sending commands over a network. In many cases SCADA users have assumed that having a VPN offered sufficient protection, unaware that security can be trivially bypassed with physical access to SCADA-related network jacks and switches. Industrial control vendors suggest approaching SCADA security like Information Security with a defense in depth strategy that leverages common IT practices. The reliable function of SCADA systems in our modern infrastructure may be crucial to public health and safety. As such, attacks on these systems may directly or indirectly threaten public health and safety. 
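The paragraph above names packet access to the network segments hosting SCADA devices as a threat vector; the report's earlier advice is to allow only approved IPs, and its later discussion of traffic describes infiltrated systems that check in with a foreign server once every 30, 45 or 180 days. The Python script below is an added example, not code from the whitepaper or from any vendor: it reviews a flow log from a control segment and reports both unapproved hosts and long-interval periodic check-ins. The segment, the approved addresses and the log records (timestamp, source, destination) are all constructed for this example.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed: the control segment and the hosts approved to speak on it
# (HMI, historian, two RTUs and an engineering workstation).
CONTROL_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
APPROVED = {ipaddress.ip_address(a) for a in
            ("10.20.0.5", "10.20.0.6", "10.20.0.10", "10.20.0.11", "10.20.0.50")}

# Constructed flow log, one record per line: "<ISO timestamp> <src> <dst>".
# 10.20.0.99 is an unregistered host; 10.20.0.11 checks in with an outside
# address every 15 days with a few seconds of jitter.
SAMPLE_LOG = """\
2016-01-01T00:00:00 10.20.0.50 10.20.0.10
2016-01-01T00:00:05 10.20.0.50 10.20.0.11
2016-01-15T03:10:00 10.20.0.11 203.0.113.9
2016-01-30T03:10:07 10.20.0.11 203.0.113.9
2016-02-20T14:22:10 10.20.0.99 10.20.0.10
2016-02-20T14:22:11 10.20.0.99 10.20.0.11
2016-02-14T03:09:55 10.20.0.11 203.0.113.9
2016-02-29T03:10:02 10.20.0.11 203.0.113.9
"""

def parse_log(text):
    """Parse records into (datetime, src, dst) tuples; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            flows.append((datetime.fromisoformat(ts),
                          ipaddress.ip_address(src), ipaddress.ip_address(dst)))
    return flows

def unapproved_flows(flows):
    """Flows in which a control-segment address is not on the approved list."""
    return [(ts.isoformat(), str(src), str(dst)) for ts, src, dst in flows
            if any(h in CONTROL_SEGMENT and h not in APPROVED for h in (src, dst))]

def periodic_beacons(flows, min_hits=3, max_jitter=0.05):
    """Control-segment hosts reaching an outside address at a steady interval.

    A (src, dst) pair is reported when it has at least min_hits flows and the
    gaps between them vary by no more than max_jitter (pstdev / mean).
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        if src in CONTROL_SEGMENT and dst not in CONTROL_SEGMENT:
            by_pair[(str(src), str(dst))].append(ts)
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons.append({"src": src, "dst": dst, "hits": len(stamps),
                            "interval_days": round(mean / 86400, 2)})
    return beacons

def review(text):
    """Run both checks over a log and return the findings by category."""
    flows = parse_log(text)
    return {"unapproved": unapproved_flows(flows), "beacons": periodic_beacons(flows)}

if __name__ == "__main__":
    for section, findings in review(SAMPLE_LOG).items():
        print(section, *findings, sep="\n   ")
```

On the constructed log the script reports the two flows from the unregistered host 10.20.0.99 and a single beacon from 10.20.0.11 to 203.0.113.9 with a 15-day interval; on a real segment the same periodicity check is what separates a scheduled vendor update from a low-and-slow check-in.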
Such an attack has already occurred, carried out on the Maroochy Shire Council's sewage control system in Queensland, Australia. Shortly after a contractor installed a SCADA system in January 2000, system components began to function erratically. Pumps did not run when needed and alarms were not reported. More critically, sewage flooded a nearby park, contaminated an open surface-water drainage ditch and flowed 500 meters to a tidal canal. The SCADA system was directing sewage valves to open when the design protocol should have kept them closed. Initially this was believed to be a system bug. Monitoring of the system logs revealed the malfunctions were the result of cyber attacks. Investigators reported 46 separate instances of malicious outside interference before the culprit was identified. The attacks were made by a disgruntled ex-employee of the company that had installed the SCADA system. The ex-employee was hoping to be hired by the utility full-time to maintain the system.

In April 2008, the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack issued a Critical Infrastructures Report which discussed the extreme vulnerability of SCADA systems to an electromagnetic pulse (EMP) event. After testing and analysis, the Commission concluded: "SCADA systems are vulnerable to EMP insult. The large numbers and widespread reliance on such systems by all of the Nation's critical infrastructures represent a systemic threat to their continued operation following an EMP event. Additionally, the necessity to reboot, repair, or replace large numbers of geographically widely dispersed systems will considerably impede the Nation's recovery from such an assault."

Many vendors of SCADA and control products have begun to address the risks posed by unauthorized access by developing lines of specialized industrial firewall and VPN solutions for TCP/IP-based SCADA networks, as well as external SCADA monitoring and recording equipment. The International Society of Automation (ISA) started formalizing SCADA security requirements in 2007 with a working group, WG4. WG4 "deals specifically with unique technical requirements, measurements, and other features required to evaluate and assure security resilience and performance of industrial automation and control systems devices".

The increased interest in SCADA vulnerabilities has resulted in vulnerability researchers discovering vulnerabilities in commercial SCADA software and more general offensive SCADA techniques presented to the general security community. In electric and gas utility SCADA systems, the vulnerability of the large installed base of wired and wireless serial communications links is addressed in some cases by applying bump-in-the-wire devices that employ authentication and Advanced Encryption Standard encryption rather than replacing all existing nodes.

In June 2010, the anti-virus security company VirusBlokAda reported the first detection of malware that attacks SCADA systems (Siemens' WinCC/PCS 7 systems) running on Windows operating systems. The malware is called Stuxnet and uses four zero-day attacks to install a rootkit which in turn logs into the SCADA's database and steals design and control files. The malware is also capable of changing the control system and hiding those changes. The malware was found on 14 systems, the majority of which were located in Iran. In October 2013 National Geographic released a docudrama titled "American Blackout" which dealt with a large-scale cyber attack on SCADA and the United States' electrical grid.

Common SCADA System Threats and Vulnerabilities

As any IT manager understands, particularly those managing SCADA and industrial control networks, keeping SCADA systems safe from security threats isn't just about peace of mind. These systems control critical components of industrial automation networks. If there's a problem with them, essential services – such as water and power – could shut down for thousands or millions of people.
However, despite knowing this, there's a frightening truth many of us are ignoring: attacks on SCADA systems are on the rise, and it is possible that many infiltrated systems have gone undetected. Cyber criminals often "infect" systems and silently monitor traffic, observe activity, and wait for months or even years before taking any action. This allows them to strike when they can cause the most damage. While we'd rather not have to face the fact that our critical infrastructures could very well be compromised, there is good news. Understanding common SCADA system threats and vulnerabilities allows us to develop a clear, actionable framework for overcoming these security issues.

Many if not most SCADA systems are currently vulnerable to cyber-attacks due to the following:

- Lack of monitoring. Without active network monitoring, it is impossible to detect suspicious activity, identify potential threats, and quickly react to cyber-attacks.
- Slow updates. As SCADA systems become more advanced, they also become more vulnerable to new attacks. Maintaining firmware and software updates may be inconvenient (without the proper systems in place), but they're necessary for maximum protection.
- Lack of knowledge about devices. Connecting devices to a SCADA system allows for remote monitoring and updates, but not all devices have equal reporting capabilities. Since most SCADA systems have been developed gradually over time, it's not uncommon to see technology that's 5 years old paired with technology that's 20 years old. This means the knowledge about network-connected devices is often incomplete.
- Not understanding traffic. Managers need to know what type of traffic is going through their networks. Only then can they make informed decisions about how to respond to potential threats. With advanced data analysis, managers can get a big-picture view of data gathered from traffic monitoring, and translate that into actionable intelligence. For example, an infiltrated system might check in with a foreign server once every 30, 45, or 180 days.
- Authentication holes. Authentication solutions are designed to keep the wrong people from accessing the SCADA system. However, this can easily be defeated due to common unsafe practices such as poor passwords, username sharing, and weak authentication.

Security countermeasures for SCADA

Physical security

Physical security is another aspect that must be properly managed. All plants that host SCADA systems and networks must be assessed. SCADA systems are usually distributed over large distances in multiple locations with different physical security measures. Their protection must be carefully evaluated. It's important to evaluate the overall infrastructure to identify weaknesses, the defense measures to implement, and the expected benefits. Best practices include the assessment of the physical security of remote environments that are directly connected to a SCADA. "Any location that has a connection to the SCADA network is a target, especially unmanned or unguarded remote sites. Conduct a physical security survey and inventory access points at each facility that has a connection to the SCADA system." Establish proper physical security through the adoption of defensive measures like guards and gates to protect equipment from unauthorized access and sabotage. Every external connection to the perimeter of the facility has to be assessed. It's suggested to use security products for perimeter protection that meet NIST FIPS standards. Physical restrictions that could be applied to improve security and prevent incidents are:

- restricted access to the site;
- a restricted number of technicians responsible for maintenance;
- no use of mobile support;
- a segregated control network, with no connection to other networks;
- each computer locked in a restricted room or cabinet.

Roles and responsibility – management

Management has a crucial role in security. Its primary task is to provide a strong commitment to the implementation of an efficient cyber strategy. That includes the assignment of cyber security roles, responsibilities, and authorities for personnel. Each employee needs to know their responsibilities to protect the information and assets of SCADAs. Key personnel need to be given sufficient authority to carry out their assigned responsibilities. A detailed security policy must be in place that describes how management defines roles and responsibilities. Each employee must be informed of all procedures adopted to keep the architecture secure. The first goal of management is to define a structured security program with mandated requirements to reach expectations and provide personnel with formalized policies and procedures. Senior management must establish expectations for cyber security performance and hold individuals accountable for their performance. Compliance with current security standards is necessary to provide a harmonious approach to cyber security. Policies and procedures need to be assigned to employees regarding specific security responsibilities, together with guidance regarding actions to be taken in response to incidents. The security policy must identify the critical systems within the SCADA network and their functions, and classify the information they manage. The security requirements must be identified within the security policy to minimize cyber threats, including menaces from insiders.

Personnel training is one of the most important responsibilities for management. Managers have to provide a strong commitment to organizing training courses. Training also helps to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls deployed. Only the people explicitly involved need to have access to the above information. Personnel must be trained to recognize social engineering attacks made by hackers to gather sensitive information about a computer or computer network. Typically these attacks are a prelude to more invasive and dangerous offensives. The more information revealed about internal configuration, the more vulnerable the network is. Keep data related to a SCADA network secret, including manufacturers, key people, computer operating systems and the physical distribution of SCADA components. The responsibility of management is the definition of proper protection strategies, highlighting the risks related to cyber attackers and the necessary defense systems, for each component. The rapid and continuous evolution of cyber threats requires frequent revision of the protection strategy to ensure it remains effective. Each risk must be evaluated, analyzing the probability of occurrence for the incident and the related severity. It's crucial that the identified residual risk is accepted by management.

Configuration management processes and assessment
Configuration management is a critical component for the security of the infrastructure, for both hardware and software configurations. Each modification to the overall infrastructure could have a serious impact on its security. Changes could introduce vulnerabilities that undermine security. "Configuration management begins with well-tested and documented security baselines for your various systems. Robust performance evaluation processes are needed to provide organizations with feedback on the effectiveness of cyber security policy and technical implementation." The impact of any modification of the infrastructure must be correctly evaluated with assessment processes conducted by both internal and external professionals. Routine vulnerability assessment and automated auditing of the network and systems must be part of the configuration management process. The NSA document titled "Securing Supervisory Control and Data Acquisition (SCADA) and Control Systems (CS)" introduces the following suggestions for configuration management:

- Map out and document the entire CS network, including CS and infrastructure device configurations.
- Prepare and configure new equipment off-line.
- Sanitize old equipment before disposal.
- Keep CS infrastructure security features current with device moves, additions, and decommissions.
- Enable auditing features and periodically examine the resulting logs for signs of unusual activity.
- Synchronize to a common time reference, so audit logs become more useful during incident response.
- Develop a Disaster Recovery Plan (DRP) for the CS, and if possible test it!

System backups and disaster recovery plans

Recovery is the ability to restore a compromised system to its operational status. Establishing a disaster recovery plan is fundamental for rapid recovery from any incident, such as a cyber attack. System backups are an essential part of any plan and they allow rapid reconstruction of systems and the network. Routinely exercise disaster recovery plans to ensure that they work and that all employees know the procedure to follow. Every change to the overall architecture has to trigger a review of the plan so that the appropriate changes are applied to disaster recovery plans. Recovery plans usually include:

- adoption of redundant hardware and fault-tolerant systems;
- fallback mechanisms;
- a system backup procedure.

The disaster recovery plan allows the corporation to prepare for, respond to and recover from a disruptive event, including a cyber attack. The following criteria should be considered in case of a hardware failure:

- Determine and document the procedures for responding to a disaster that involves the SCADA center and its services.
- Acquire additional hardware for the disaster recovery plan, or locate current backup hardware at a different location.
- Periodically test the disaster recovery plan.

For software components, it's possible to follow the criteria below in case of malfunction:

- Determine ways to recover from any type of loss, including historical data, installation media, application files, configuration files, documents, and software licenses.
- Establish a strategy to keep the system up to date.
- Evaluate the set of data and applications to restore to their previous state in the event of a disaster.
- Create a centralized inventory of all software titles and licenses, and evaluate the possibility of replicating it in different locations.
- Perform regular system backups and send copies of backup files to off-site storage networks.
- Periodically test backup copies and the restore procedures operated by the personnel.

Conclusions

SCADA systems are increasing in complexity, due to the integration of different components, in many cases produced by different manufacturers. It's necessary to address the security level of each device and the overall environment. The design of SCADAs must totally change and has to take care of all the security requirements. That's done by considering their attack surface and exposure to cyber threats that could harm the systems. There must be a collective effort by all governments to produce continuous reports on the security status of critical infrastructures and related SCADA systems. The overall security will pass through global collaboration and information sharing on the possible cyber threats and the vulnerabilities of every device that is qualified in the market. The security component must become part of the design of an industrial system. It must be considered a specific requirement. The overall security of critical infrastructures must be audited during the entire lifecycle of their components.
Recently the heads of the Federal Bureau of Investigation (FBI), Department of Homeland Security, and National Counterterrorism Center have declared cyber attacks to be the most likely form of terrorism against the United States in the coming years. "That's where the bad guys will go. There are no safe neighborhoods. All of us are neighbors [online]," FBI director James Comey said about cyberterrorism. These words should make us think about the real importance of security for the critical systems of our infrastructure, including SCADAs.

Kunal Gupta, Lucideus Student
www.lucideus.com