What if I told you that a worrying percentage of industry control systems (ICS) are vulnerable to cyber-attack? Most people stare back blankly at me when I discuss the security risks that relate to ICS and SCADA (supervisory control and data acquisition) and it's not because they don’t understand it, most of them simply haven’t heard of it.
ICS and SCADA systems use niche technology that isn’t prevalent across many sectors and it seems to have been left behind when we were devising cunning plans to protect our digital assets.
Consider for a second some of the places you will find ICS and SCADA in use. Power plants, oil and gas refineries or even transport control systems and you will realise the potential danger that presents itself if they are not resilient to cyber-attacks.
This danger prompted the Centre for the Protection of National Infrastructure (CPNI) to highlight the threat to UK industry and to release a series of SCADA security related guidelines that are designed to provide industry with advice on how to secure their SCADA systems.
What is SCADA?
SCADA technology is used to provide process automation, control and monitoring over another system where using human control is neither practical nor efficient. It allows a complex system to be controlled from a central computer that can process data, which is sent back from remote sensors, make control decisions using programmable logic and then send instructions to remote controllers. It is scalable, efficient and the computer automation removes a lot of the human error that would normally be found in this type of environment.
For example, imagine a water filtration facility that controls the flow of water from one area to another based on it being determined as clean. SCADA technology could be used here to provide monitoring of the water by using sensors to measure the levels of chemicals in the water.
That data could then be used to calculate when the water is ready to be moved to the next area of the facility. Once the water has been classified as clean the SCADA system could remotely control the opening and closing of the water flow valves to move the water to the next step of the filtration process. Even as we walk through a basic example of a SCADA system the potential dangers become clear.
Like most computer systems, SCADA comes in a variety of different architectures. These systems can vary greatly in complexity depending on the scale or age of them. However, when initially trying to understand how a SCADA system operates it can be broken down into four main components.
At the heart of a SCADA system we will find the supervisory computer system. As you can imagine from the name, this is the decision-making component of the system that listens to and controls the various remote devices.
The HMI (human machine interface) takes the data in the SCADA system and presents it to the operator in a manner that they can understand. When you see a group of engineers in a plant staring at a large screen showing animations and flashing lights there is a good chance it’s a SCADA HMI they are looking at.
The RTU (remote terminal units) may reside locally or remotely to the supervisor and is responsible for collecting sensor data, formatting it and transmitting it back to the supervisor. An RTU can also receive commands from the supervisor to pass to any controller equipment it is managing.
PLCs (programmable logic controller) are devices that can be programmed to control other devices based on the information they receive. For example, a PLC may receive an input telling it that the motor is spinning at 1000rpm.
The PLC could be programmed to keep the motor speed at 1100rpm. The input data will be computed and it would then output an instruction to the motor increasing the speed to 1100RPM. PLCs allow a great deal of flexibility to be achieved as the logic controlling the device can be programmed in specifically to suit the system.
When the Stuxnet virus wreaked havoc in the Iranian nuclear facility in Natanz it did so by compromising the SCADA system. The virus installed malware into the PLCs that controlled the rotational speed of the centrifuges used for uranium enrichment.
It altered the rotational speed of the centrifuge dramatically so that it caused damage and eventually malfunctioned catastrophically. In addition to the offensive effect, Stuxnet ensured the attack was covert by installing a rootkit that masked the rotational speed changes so that the operating values appeared normal. This delayed the Iranian efforts at diagnosing the cause of the centrifuge issues for some time and increased the attack impact by allowing it to continue.
The four components above work together to provide large-scale process control and automation. The supervisor will receive data from the RTUs, process it against the software logic and then issue instructions to RTUs and PLCs. The HMI provides an interface for operators to see a visual representation of the current state of the SCADA system.
Of course, there are other elements to a SCADA system, but the four above explain how the system operates at a basic level. There are various different connectivity methods available for SCADA systems and the benefits of computer networks systems have been realised in recent years, it is the enhanced level of management access through networking that has greatly increased the threats they are exposed to.
Historically, SCADA systems would have been physically segregated on air-gapped networks, but commercial drivers have introduced networked components and remote access. This enables operational support to be delivered from a central location to help improve response time and reduce operational cost, but it also increases the attack surface for threat actors.
A consequence of providing more methods of access to SCADA systems is that they are now accessible from the internet or via trusted third parties. For many SCADA sites this level of connectivity has grown inorganically and has been implemented by people who haven't appreciated the risks presented when networking sensitive or critical systems.
The modern cyber threat facing digital assets on the internet is far greater than the level of defences built into older SCADA components and as such the professional hacker can easily circumvent them. When older components were initially designed the threat from hackers hadn't been full realised and even if they had, they probably wouldn't have been classed as a threat due to the physical segregation at the time.
Furthermore, new components have exhibited software security vulnerabilities in the past, so the problem isn’t limited to older components but instead promotes better security design with layered controls.
A large number of SCADA implementations are in place to manage critical infrastructure and many installations are still running the original hardware and software versions.
When dealing with critical infrastructure and environments where downtime is difficult to justify there is little motivation to periodically shut down systems so that hardware and software upgrades can be performed when they are already serviceable. This has placed SCADA in a very precarious position as equipment that is vulnerable to security exploitation is now accessible to those who may want to access it for malicious purposes.
Due to the typical environments you will find SCADA systems deployed in, the impact of a SCADA system being compromised can be far reaching to society and the magnitude of risk has not gone unnoticed. In addition to CPNI’s efforts, The National Institute of Standards and Technology issued an excellent document Guide to Industrial Control Systems (ICS) Security to help those who manage critical infrastructure achieve high levels of security in the unique environments they work in.
Following best practice in general for information security will go a long way towards strengthening the security posture and achieving assurance. The standard security controls you see in any organisation that takes information security seriously can be highly effective at protecting your SCADA systems when selected as part of your overarching security strategy.
‘Understanding the principles of ICS and SCADA is essential for us to address the threats to our digital world. Although nothing new, ICS and SCADA become a higher priority every day as more of our essential infrastructure becomes interconnected." Andy Settle, Chief Cyber Security Consultant, Thales
SCADA security is a clear and present danger but fixing these issues is not an insurmountable task. Commitment from senior management is required to ensure that the proper course of action can be undertaken and I expect governance for critical infrastructure, isn’t too far away.
IT security will need to work closely with the professionals who are responsible for maintaining SCADA systems to build trust and demonstrate that security controls can be implemented effectively, without being disruptive or intrusive. Some companies are already tackling these challenges, but we need to raise awareness so that others who aren’t as well informed can start to address their systems.