Building a secure Industrial Control System (ICS) is one of the major concerns of any infrastructure facility, be it a substation, pipeline, water or transportation system, utility, refinery, chemical plant, or other manufacturing operation.
The move of ICS from proprietary technologies to standardized, open solutions, together with the growing number of connections between SCADA systems, office networks and the Internet, has made them more vulnerable to attack. Consequently, the security of some SCADA-based systems has come into question, as they are seen as potentially vulnerable to cyber attacks.
Some of these vulnerabilities arise from common facts, like:
- The lack of concern about security and authentication in the design, deployment and operation of some existing SCADA networks;
- The belief that SCADA systems benefit from security through obscurity because they use specialized protocols and proprietary interfaces;
- The belief that SCADA networks are safe because they are physically secured;
- The belief that SCADA networks are safe because they are disconnected from the Internet.
Major risk elements to SCADA systems can be summarized as follows:
- Connections to additional, possibly vulnerable networks;
- Using standard hardware platforms with known vulnerabilities;
- Using standard software with known vulnerabilities;
- Other vulnerable remote connections;
- Real-time, deterministic requirements that conflict with information security controls (such as encryption or deep packet inspection) that might introduce delays.
SCADA Attack Routes
In order to become a reality, a threat must have a means to access the SCADA system. Because SCADA systems are now typically connected to the Internet, corporate networks, and the public switched telephone network, there are a variety of paths into the SCADA control network; satellite and wireless communication systems add further paths. Some typical SCADA attack routes are listed here:
- Internet connections
- Business or enterprise network connections
- Connections to other networks that contain vulnerabilities
- Compromised virtual private networks (VPNs)
- Back-door connections through dial-up modems
- Unsafe wireless connections discovered by war-driving laptop users
- Malformed IP packets, in which header fields (version, length, checksum) conflict with the actual packet data
- IP fragmentation attacks, in which a deliberately small first fragment pushes part of the TCP header (ports, flags) into a second fragment, so a filter that inspects only the first fragment cannot see them
- Vulnerabilities in the Simple Network Management Protocol (SNMP), which is used to gather network information and provide notification of network events (default or well-known community strings are a common example)
- Open computer ports, such as UDP or TCP ports, that are unprotected or left open unnecessarily
- Weak authentication in protocols and SCADA elements
- Maintenance hooks or trap doors, which are means to circumvent security controls during SCADA system development, testing, and maintenance
- E-mail transactions on control network
- Buffer overflow attacks on SCADA control servers, which are accessed by PLCs and SCADA human machine interfaces
- Leased, private telephone lines
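As an added illustration of the two packet-level routes above (malformed headers and tiny-fragment attacks), and not code from the original article, here is a Python checker that parses a raw IPv4 header and flags the inconsistencies a SCADA-side filter should reject: a total length that disagrees with the bytes received, a bad header checksum, a first fragment too small to carry the TCP header, and a later fragment that overlaps it (the RFC 1858 cases). The `build_ipv4` helper, the addresses 10.0.0.5 and 10.0.0.20 and the sample packets are constructed for the example.

```python
import struct

IPV4_HEADER_MIN = 20   # bytes, header with no options
TCP_HEADER_MIN = 20    # bytes, needed to see ports and flags
PROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header (checksum field already zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def inspect_ipv4(packet: bytes) -> list:
    """Return findings for one raw IPv4 packet; an empty list means it looks consistent."""
    findings = []
    if len(packet) < IPV4_HEADER_MIN:
        return ["truncated: shorter than minimum IPv4 header"]
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl,
     proto, csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        findings.append(f"version field is {version}, not 4")
    if ihl < IPV4_HEADER_MIN or ihl > len(packet):
        findings.append(f"IHL of {ihl} bytes is impossible for a {len(packet)}-byte packet")
        return findings                      # later offsets would be meaningless
    # Header/data conflict: the length the header claims vs. what actually arrived
    if total_len != len(packet):
        findings.append(f"total length field {total_len} != actual {len(packet)} bytes")
    hdr = bytearray(packet[:ihl])
    hdr[10:12] = b"\x00\x00"                 # zero the checksum field before recomputing
    if ipv4_checksum(bytes(hdr)) != csum:
        findings.append("header checksum mismatch")
    more_frags = bool(flags_frag & 0x2000)
    frag_off = (flags_frag & 0x1FFF) * 8     # offset is carried in 8-byte units
    payload_len = len(packet) - ihl
    # RFC 1858 tiny fragment: first fragment too small to carry the whole TCP header,
    # so ports/flags spill into the next fragment and a first-fragment-only filter misses them
    if proto == PROTO_TCP and more_frags and frag_off == 0 and payload_len < TCP_HEADER_MIN:
        findings.append(f"tiny first fragment: {payload_len} bytes of TCP header")
    # RFC 1858 overlapping fragment: a later fragment that would overwrite the TCP header
    if proto == PROTO_TCP and 0 < frag_off < TCP_HEADER_MIN:
        findings.append(f"fragment offset {frag_off} overlaps the TCP header")
    return findings


def build_ipv4(payload: bytes, proto: int = PROTO_TCP, more_frags: bool = False,
               frag_off: int = 0, total_len=None, good_checksum: bool = True) -> bytes:
    """Construct a minimal IPv4 packet (no options) between two assumed hosts, 10.0.0.5 -> 10.0.0.20."""
    total = 20 + len(payload) if total_len is None else total_len
    flags_frag = (0x2000 if more_frags else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, flags_frag, 64, proto, 0,
                      bytes([10, 0, 0, 5]), bytes([10, 0, 0, 20]))
    if good_checksum:
        hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


# Constructed samples (not captured traffic); payloads are placeholder TCP bytes
GOOD = build_ipv4(b"\x00" * 20)
TINY_FRAG = build_ipv4(b"\x00" * 8, more_frags=True)
BAD_LENGTH = build_ipv4(b"\x00" * 20, total_len=100)
OVERLAP = build_ipv4(b"\x00" * 20, frag_off=8)

if __name__ == "__main__":
    for name, pkt in [("good", GOOD), ("tiny", TINY_FRAG), ("bad-length", BAD_LENGTH), ("overlap", OVERLAP)]:
        print(name, inspect_ipv4(pkt) or "ok")
```

A real filter would apply these checks to every fragment and reassemble before looking at the TCP or application layer; the point here is that each inconsistency is cheap to detect from the header alone.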
Typical Attacker Privilege Goals
If an attacker succeeds in penetrating a SCADA system, the next step is to gain some level of control of its components. The degree of control acquired depends on the protections associated with each component, its visibility to the attacker, and the attacker's capabilities and intentions. Examples of what an attacker might accomplish through a malicious attack on a SCADA system are listed here:
- Obtain access to the SCADA system
- Obtain access to SCADA master control station
- Compromise the RTU or local PLCs
- Compromise the SCADA master control station
- Obtain SCADA system passwords from master control station
- Obtain access to RTUs or local PLCs
- Spoof RTU and send incorrect data to master control station
- Spoof master control station and send incorrect data to RTU
- Shut down the master control station
- Shut down local control RTUs
- Disrupt communications between SCADA master control station and RTUs
- Modify RTU control program
Proactive Cyber Security
Ensuring cyber security in control systems may at first seem a daunting task, as it requires a commitment from the entire organization. Upper management needs to recognize the numerous benefits of a secure SCADA system, which include system uptime, reliability and availability. Implementing good cyber security is smart business because a secure system is a trusted system, and customer retention and loyalty are built on trust. Vendors, system integrators, IT and control engineers all share this responsibility.
There are many resources available now to help operators of critical infrastructure SCADA systems enhance their security. For example, the ISA99 standard (Industrial Automation and Control Systems Security, since continued as ISA/IEC 62443) establishes best practices, technical reports and related information that define procedures for implementing and assessing electronically secure systems. Compliance with it can improve manufacturing and control system electronic security, help identify and address vulnerabilities, and reduce the risk of compromised confidential information and system degradation.
Government regulations also exist and continue to evolve with the goal of securing critical infrastructure industries. The most prominent is the Critical Infrastructure Protection (CIP) standard of the North American Electric Reliability Corporation (NERC), a non-profit body. Known as NERC-CIP, it has its roots in the Electricity Modernization Act, part of the US Energy Policy Act of 2005, which made compliance with NERC reliability standards mandatory and enforceable; under it, power plants and electric utility facilities had to develop new cyber security systems and procedures in accordance with a three-year implementation plan. There are eight CIP standards, covering everything from security management controls and critical cyber assets to incident reporting and recovery plans, and each defines a series of specific requirements. The standards are:
• CIP-002-1: Critical Cyber Asset Identification
• CIP-003-1: Security Management Controls
• CIP-004-1: Personnel and Training
• CIP-005-1: Electronic Security Perimeter
• CIP-006-1: Physical Security of Critical Cyber Assets
• CIP-007-1: Systems Security Management
• CIP-008-1: Incident Reporting and Response Planning
• CIP-009-1: Recovery Plans for Critical Cyber Assets
Elipse E3/Power Actions/Configurations for NERC Compliance
Several features can be enabled or configured in Elipse E3/Elipse Power to improve system security. The basic procedures are:
- Enable Elipse E3/Power Domain user control with Windows Active Directory;
- E3 and Elipse Power are 21 CFR Part 11 compliant; all features described in that rule (user authentication, audit trails, electronic signatures) are required and should be enabled and configured. See the article below.
- Enable REC (Remote Elipse Call, the native TCP/IP protocol) communication compression;
- Enable project cryptography (password protection of the project file);
- Enable tracing options;
- Working alongside Elipse Plant Manager (EPM), data can be stored compressed and encrypted inside Microsoft SQL Server, preventing stored values from being replaced or tampered with;
- Integrate with other tools to provide automatic backup and disaster recovery;
- Choose a tested/certified anti-virus and application-control solution for the system environment.
| Requirement | NERC-CIP Standard | Elipse Solution |
|---|---|---|
| User authentication and permissions | | Integration with Microsoft Active Directory. If AD integration is disabled, the E3 Domain offers internal control and assignment of permissions (screens, alarms, server actions) and user administration features. |
| Electronic Security Perimeter | CIP-005 | Integration with intrusion detection/prevention systems (IDS/IPS), e.g. Snort; configurable port data paths. |
| Logging of Access and Usage | CIP-003 | Built-in tracking and event monitoring; audit trail database; user-defined log entries for specific actions or omissions. |
| Access revocation | | User rights revocable by an administrator or through Microsoft Active Directory. |
| Security Software Management | CIP-007 | Project cryptography; integration with software management solutions such as McAfee Application Control / ePolicy Orchestrator. |
| Alerts and Notifications | CIP-005 | Log and trace of any kind of access and action; notifications via SMS, e-mail, SNMP, Web Services and other protocol messages. |
| Recovery Plans | CIP-009 | Auto-backup and integration with version control such as Subversion (SVN); server redundancy (hot standby); RAID disks. |
Other steps in Implementing System Security
- Isolate the SCADA network using encryption, strong authentication, segmented network topologies, biometrics, and by disconnecting the network from unnecessary external connections.
- Conduct vulnerability analyses on the network and its nodes.
- Perform a risk assessment on the network and each connection point to the enterprise network.
- Develop and implement an incident response and remediation plan.
- Remove or disable all unnecessary services.
- Apply firewalls that are compatible with the requirements of SCADA systems. Ordinary IT firewalls are not aware of SCADA protocols such as Foundation Fieldbus and Modbus and cannot filter on the content of those protocols (for example, permitting Modbus reads from the HMI while blocking writes from any other host); industrial firewalls with deep packet inspection for these protocols can.
Local control units at the facility under control are usually more vulnerable than the central control facility. Firewalls at field locations can use access control lists for some protection, but the units remain exposed to most common types of attack.
Many of today's SCADA systems use the organization's enterprise wide area network to exchange data between the field sites and the central control location, and the enterprise network is usually connected to the Internet. If a filtering firewall is not properly implemented between the SCADA system and the enterprise network, both the central control servers and the PLCs and RTUs at the remote sites are susceptible to attacks such as spoofing, malware, and denial of service.
- Install and operate intrusion detection systems.
- Provide for backup of critical software and data.
- Apply configuration management to SCADA and network software and hardware.
- Incorporate patch management to SCADA and network software and hardware.
- Conduct security audits.
- Implement an enterprise-wide security awareness program, including handouts, slogans, login banners, briefings, and training classes.
- Develop and test business continuity and disaster recovery plans.
Intrusion Detection Systems (IDS)
An intrusion detection system (IDS) is a device or software application that monitors network or system activity for malicious actions or policy violations and reports them to a management station. IDS come in several "flavors" and approach the goal of detecting suspicious traffic in different ways. A network-based IDS (NIDS) inspects traffic on a network segment and can see attacks whether they originate outside the network or inside it (from authorized users); a host-based IDS (HIDS) monitors activity on an individual host. Some systems may attempt to stop an intrusion, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. Organizations also use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization.
Snort is an open source network intrusion detection and prevention system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts (see www.snort.org). Snort also ships Modbus and DNP3 preprocessors, so rules can match on Modbus function codes rather than only on raw bytes.
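The following Python example is added here and is not Elipse's or Snort's code. It illustrates, on one small Modbus/TCP parser, both the protocol-aware filtering that the "Other steps" section says ordinary firewalls cannot do for Modbus and the passive alerting an IDS would perform on the same traffic: it decodes the MBAP header and function code, enforces a hypothetical allow-list of which hosts may read or write to which PLC unit, refuses diagnostic and device-identification requests (restart and reconnaissance), and treats a response from a host that is not a known PLC as the "spoof RTU" route listed earlier. The IP addresses, the policy, the `build_frame` helper and the sample frames are assumptions constructed for the example.

```python
import struct

# Public Modbus function codes (Modbus Application Protocol Specification V1.1b)
READ_CODES = {1, 2, 3, 4}              # read coils / discrete inputs / holding regs / input regs
WRITE_CODES = {5, 6, 15, 16, 23}       # write single/multiple coils or registers, read-write regs
DIAGNOSTIC_CODES = {8, 43}             # diagnostics (incl. restart comms), encapsulated interface (device ID)

# Hypothetical plant policy: which client may send which function codes (assumed addresses)
POLICY = {
    "10.0.0.5": READ_CODES,                  # operator HMI: read only
    "10.0.0.9": READ_CODES | WRITE_CODES,    # engineering workstation: may also write
}
# Hypothetical PLCs and the Modbus unit ids each one serves
PLC_UNITS = {"10.0.1.20": {1}, "10.0.1.21": {1, 2}}


def parse_mbap(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and function code; raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack("!HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (0)")
    if length != len(frame) - 6:             # length field counts unit id + PDU
        raise ValueError(f"MBAP length {length} disagrees with frame ({len(frame) - 6})")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def inspect_request(src: str, dst: str, frame: bytes):
    """Firewall decision for one client->PLC frame: returns ('allow'|'deny', alerts)."""
    try:
        req = parse_mbap(frame)
    except ValueError as e:
        return "deny", [f"malformed Modbus/TCP from {src}: {e}"]
    fc, unit = req["fc"], req["unit"]
    if dst not in PLC_UNITS or unit not in PLC_UNITS[dst]:
        return "deny", [f"{src} addressed unknown unit {unit} at {dst}"]
    if fc in DIAGNOSTIC_CODES:
        return "deny", [f"{src} sent diagnostic/identification function {fc} to {dst} (recon or restart)"]
    if fc not in POLICY.get(src, set()):
        kind = "write" if fc in WRITE_CODES else "function"
        return "deny", [f"{src} not authorised for {kind} code {fc} to {dst} unit {unit}"]
    return "allow", []


def inspect_response(src: str, frame: bytes) -> list:
    """IDS check on a PLC->client frame (passive, alert only)."""
    try:
        rsp = parse_mbap(frame)
    except ValueError as e:
        return [f"malformed Modbus/TCP response from {src}: {e}"]
    alerts = []
    if src not in PLC_UNITS:
        alerts.append(f"Modbus response from {src}, which is not a known PLC (spoofed RTU?)")
    if rsp["fc"] & 0x80:                     # exception responses can reveal failed writes or probing
        alerts.append(f"exception code {rsp['data'][:1].hex()} from {src} for function {rsp['fc'] & 0x7F}")
    return alerts


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Helper to construct a Modbus/TCP frame for the samples below."""
    pdu = bytes([fc]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic (not a capture): (src, dst, frame)
SAMPLE_REQUESTS = [
    ("10.0.0.5", "10.0.1.20", build_frame(1, 1, 3, struct.pack("!HH", 0, 10))),       # HMI reads 10 registers
    ("10.0.0.5", "10.0.1.20", build_frame(2, 1, 6, struct.pack("!HH", 5, 1))),        # HMI tries to write
    ("10.0.0.9", "10.0.1.20", build_frame(3, 1, 16, struct.pack("!HHB", 0, 1, 2) + b"\x00\x01")),  # engineering write
    ("10.0.0.77", "10.0.1.21", build_frame(4, 1, 43, b"\x0e\x01\x00")),              # rogue host reads device ID
    ("10.0.0.77", "10.0.1.21", b"\x00\x05\x00\x01\x00\x10\x01\x03"),                 # protocol id 1: malformed
]


def filter_requests(requests) -> list:
    """Run the policy over a list of (src, dst, frame) and return the decisions in order."""
    return [inspect_request(src, dst, frame)[0] for src, dst, frame in requests]


if __name__ == "__main__":
    for (src, dst, frame), verdict in zip(SAMPLE_REQUESTS, filter_requests(SAMPLE_REQUESTS)):
        print(f"{src} -> {dst}: {verdict}", inspect_request(src, dst, frame)[1])
    print(inspect_response("10.0.0.77", build_frame(1, 1, 3, b"\x02\x00\x00")))
```

The same parser serves both roles: inline, the verdicts drop traffic that an address-and-port ACL would have let through (the HMI's write in the second sample uses the same TCP port as its reads); out of band, the alerts are what a NIDS such as Snort would raise for the rogue host's device-identification probe and for a reply arriving from an address that is not a PLC.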