Security in SCADA systems

March 14th, 2014, Published in Articles: EngineerIT

 

by Hans van de Groenendaal, features editor, EngineerIT

Supervisory control and data acquisition (SCADA) security is being taken more seriously, but is it still fragile? Is action required to beef up security on SCADA systems? What are the concerns? We put these and a number of other questions to a panel of industry leaders in the automation field.

There appears to be a view in some sectors of the automaton industry that the security of SCADA systems is not robust enough to meet the current security requirements. Do you share this view?

Frits Kok, Adroit Technologies; Robert Wright, RJ Connect; Avin Ramjeeth, Schneider Electric and David Bean, IDX.

Frits Kok, Adroit Technologies; Robert Wright, RJ Connect; Avin Ramjeeth, Schneider Electric and David Bean, IDX.

Frits Kok, chief technology officer, Adroit Technologies believes that most modern SCADA systems offer high-level and low-level security features in order to provide fine-grained control over transport/network security, data security and user interface security. “Invariably with increased security comes increased inconvenience either for the end user, or for the system integrator during project implementation, hence most SCADA implementations either ignore the security configuration, or only implement it as an afterthought.”

Robert Wright, MD, RJ Connect agrees that security of SCADA systems leaves a lot to be desired. “Many SCADA systems deployed in industrial applications have descended from a legacy installation where they have been installed on previous generations of communication systems, i.e. RS-232 and 485s. These communication systems use protocols known as Modbus. They were isolated networks and dedicated to their applications and, typically, do not share communication connectivity to the commercial IT network. With the uptake of industrial Ethernet and the convergence of technology within the IT and the industrial automation networks, SCADA systems have been migrated onto Ethernet with connectivity to the company’s IT infrastructure. This poses unique security challenges and cyber threats to SCADA systems.

Deon van Aardt, Wonderware, Doros Hadjizenonos, Check Point, Scott Orton, Triple 4 and Selvan Murugan, Royal HaskoningDHV.

Deon van Aardt, Wonderware, Doros Hadjizenonos, Check Point, Scott Orton, Triple 4 and Selvan Murugan, Royal HaskoningDHV.

Avin Ramjeeth, SCADA and telemetry product manger, Schneider Electric disagrees. He says that SCADA systems are at a level capable of meeting current security requirements. “SCADA architectures lend themselves to multilevel security handling. There are audit trails available to analyse security breaches, and to secure vulnerabilities. There is support for various secure protocols as well as protection of SCADA servers utilising demilitarised zones.”

David Bean, managing member, IDX: “While both the technology and formal business processes exist to provide a high degree of security the reality is that the security encountered varies from nil to very secure. The ISA99 (and more recently IEC 62443 series) provide a continuously evolving framework to address electronic security for manufacturing and control systems. Physical security of facilities is not part of this scope but obviously goes hand in hand with the above framework. Those responsible for the availability and safety of operation are well advised to revisit security on a regular basis as the methods of cyber-attack are never static.”

Deon van Aardt, technology director, Wonderware said that he cannot speak for SCADA vendors but he can comment that the Wonderware SCADA software was designed in close collaboration with Microsoft. The system design utilises robust modern security practices such as the “Secure by design” and “Secure by default” philosophies. This close collaboration ensures that no security gaps exist between the operating system and the SCADA systems and also allows development teams to identify possible risks and address them not only from the Wonderware application’s perspective but also on the lower level operating system.”

Doros Hadjizenonos, sales manager, Check Point South Africa makes the point that SCADA and industrial control system (IDC) networks and devices were designed to provide manageability and control with maximum reliability. “Often they do not feature mechanisms to avoid unauthorised access or to cope with the evolving security threats originating from external or internal networks that have become so common in the IT world. SCADA controllers are essentially small computers. They use standard computer elements such as operating systems (often embedded Windows or Unix), software applications, accounts and logins, communication protocols, etc. As a result, the familiar challenges associated with vulnerabilities and exploits apply to ICS and SCADA systems, with the additional challenge of such systems operating in environments that can be physically difficult to reach or that can never be brought offline.”

Scott Orton, sales director, Triple 4: coming from a mining perspective said, “I have found that more often than not, the IT team who are responsible for security don’t have the necessary control over the SCADA systems to assist with the security of the environment, these systems are often in a silo environment to the engineering department. This presents a risk in terms of security, because it is more difficult to maintain security standards.”

Selvan Murugan, associate, Royal HaskoningDHV shares the point of view that security with SCADA system is vulnerable. “Some of the well-known and documented incidents reveal that SCADA systems are inherently insecure and that attacks have definitely increased since the large scale commercialisation of SCADA technology:

  • November 2012, a security researcher claims that he found 23 vulnerabilities in industrial control software from several vendors after a different security company last week showcased vulnerabilities in applications from some of the same manufacturers, but chose not to report them, published in Networkasia.net
  • October 2013, US researchers find 25 security vulnerabilities in SCADA systems. These US researchers have identified 25 zero-day vulnerabilities in industrial control SCADA software from 20 suppliers that are used to control critical infrastructure systems, published in ComputerWeekly.com
  • May 2013, Arabian Oil and Gas reports that cyber security in the region is under review due to various attacks on oil and gas systems.

The rapid rise of network security appliances, which are external to the SCADA system further leads me to believe that these software systems are, themselves, insecure and require external measures to prevent attacks.”

SCADA networks were initially designed to maximise functionality, with little attention paid to security. As a result performance, reliability, flexibility and safety of distributed SCADA systems are robust, while the security of these systems is often weak. This makes some SCADA networks potentially vulnerable to disruption of service, process redirection, or manipulation of operational data. What is your experience? Do you believe that the industry has done enough to prevent systems being compromised?

Most of the panellist agree that more can be done to secure SCADA systems, the views vary from definitely not to not enough. The most comprehensive comment came from Selvan Murugan: “Most SCADA software platforms have been designed to be installed on COTS Microsoft operating software systems and the required connectivity options i.e. networks that are required to support communications were selected with this in mind. As a result, OLE, COM and DCOM technologies became widely supported. These were designed to provide a common bridge for Windows based software applications and process control hardware.

”These technologies were developed by Microsoft for the Microsoft Windows operating system and defined a standard set of objects, interfaces and methods for use in process control and manufacturing automation applications to facilitate interoperability and maximise functionality. The most common technology is OPC. The use of these ‘open’ technologies has made SCADA networks vulnerable and exploitable by anyone who has access to the networks and who understand these technologies.

“My experience in the field is that SCADA networks and systems are unprotected and common causes for this are: inadequate use of passwords and role authentication; uncontrolled and unmanaged remote access; free access to systems via USB, CD drives etc.; inadequate network access mechanisms; inadequate policies and procedures for cyber-security and patch management; and no hardening of SCADA hardware such as workstations and servers. The SCADA industry has definitely not done enough to prevent systems being compromised.”

To ensure the highest degree of security of SCADA systems it is recommended by many international experts that the SCADA network is isolated from other networks. Any connection to another network introduces security risks, particularly if the connection creates a pathway from or to the internet. In your view, given today’s sophistication of internet security, is this still an issue?

Frits Kok: “Although an Air Gap is a solution for a totally isolated, physically separate and protected environment, it is not always possible neither desirable from a production point of view. A SCADA environment should follow a similar security methodology to those that financial institutions employ. Even though these financial institutions make sensitive information available to the right user, it also employs various security policies to prevent prying eyes from accessing that same information. Consider online banking as an example of such a system. Even though online banking allows bank users to transact conveniently from anywhere, it also opens up various opportunities for abuse. The more important the information, the more money and time need to be spent in an ongoing basis to ensure that the environment is protected. Unfortunately this leads to an important quandary in terms of investment vs. return for a SCADA and its associated security policies – a big reason why this is still an afterthought in many projects today.”

Many of the panellist share the same view as Frits Kok. Prehaps the most significant point in the discussion was made by Selvan Murugan “Yes, this is still an issue. It is common knowledge that the “air-gap” principle used for many years has many short comings that, in fact, can be used to exploit systems e.g. software patching and virus updates would require to be done manually, using portable storage media.”

If isolation of the SCADA network is a primary goal to provide needed protection, can strategies such as the utilisation of so-called “demilitarised zones” and data warehousing facilitate the secure transfer of data from the SCADA network to business networks?

Robert Wright says: “Recognising the unique security challenges facing ICS networks, the American National Standards Institute (ANSI) and the International Society of Automation (ISA) have promulgated the ANSI/ISA-99 (IEC 62443) standards, which describe best practices for ICS security. Central to the ANSI/ISA-99 standard is the “zone and conduit” security model, which is implemented with a “defence-in-depth” strategy. In the ANSI/ISA-99 model, ICS devices are segmented into independent “zones” composed of interconnected devices that work closely together to achieve a specific function. While communications within a zone are less restricted, different zones are required to communicate with each other through a single point called a “conduit,” which is usually protected by a secure router or firewall. The conduits are robustly protected to only allow the specific data that is needed to coordinate the functions of the different zones. Any communications that are irrelevant to the function of a certain zone, such as http traffic to a Modbus TCP zone, will be blocked by the secure router.”

SCADA control servers built on commercial or open-source operating systems can be exposed to attack through default network services. How can this be prevented?

Frits Kok: “Firewalls and intelligent IDS and IPS specifically aimed at SCADA protocols and computing is required in order to better protect the SCADA network, compared to standard firewall offerings aimed at IT networks in general.”

Robert Wright: “Li Peng of Moxa writes in his White Paper entitled Protecting Industrial Control Systems with Gigabit Cybersecurity: The most critical part of an ISA-99 security model is the “conduit,” which is protected by a secure router and must handle a number of responsibilities: High network performance – as the point of contact between two network zones, the secure routers must have the level of network performance needed to filter and deliver all of the traffic in a timely enough manner so that network availability is not affected; deep packet inspection – as the security guardian between adjacent zones, the secure routers must be able to accurately inspect the content of the packets of industrial protocols for abnormalities and security threats; deployment complexity – the high-density deployment of secure routers needed for well-protected ICS networks requires more effort to maintain both Ethernet switches (for the network infrastructure) and secure routers (for the firewall).”

Avin Ramjeeth: ”We promote a “defence in depth” approach to protect customers from cyber security threats. This approach underpins responsibility at end-user (customer/ system integrator) and product vendor level. At the end-user level it is recommended that customer systems implement plans which cover the following areas: security plan: Focuses on creation and application of security policies and procedures. The policies and procedures must provide a mechanism to monitor the network, assess vulnerabilities, mitigate and avoid risks and define how to recover from disaster; network separation – the industrial automation and control system (IACS) must be fully separated from internal and external networks by creating a buffer de-militarised zone (DMZ) between the IACS network and rest of the world using switches. All in-bound traffic into IACS should be blocked except through the DMZ firewall. Non-critical servers (e.g. historian, web servers, anti-virus servers, authentication servers, wireless access points) should be primarily hosted in the DMZ; perimeter protection – industrial automation and control systems (IACS) must be protected by unauthorised access by using firewalls, authentication, authorisation, VPN, network intrusion detection systems and anti-virus software. All these mechanisms must also handle remote access to IACS; network segmentation – customers must use switches and virtual local area networks (VLANS) to divide the network into sub-networks. This enables containment of a potential security breach to the segment affected; device hardening – customer must configure PCs, switches, I/OS and instruments for increased security which encompasses serious password management, user profile definition and deactivation of unused services and interfaces; monitoring and update – customers must ensure permanent surveillance of network communications and all operator activities. They need to implement a risk based patch management mechanism to ensure that software and firmware updates are adequately applied based on the risk; security assessments – customers must perform security assessments to identify gaps within their IT & ICS network infrastructure which should include a physical assessment, server and network assessment, web application assessment, wireless assessment, SCADA assessment etc; product vendor level – we have implemented a security strategy that encompasses security at the product level, training of employees on security, infrastructure to communicate security issues to customers and well-defined processes to deal with security issues when they occur. We also regularly conduct external penetration testing on our products to proactively identify security issues.”

David Bean: “Sufficient to say, there are numerous guidelines and techniques to follow but I recommend an adherence to the ISA99 framework relative to the risk/cost of the monitored process.”

Deon van Aardt: “These kinds of threats exist because operating system providers attempt to make their products as usable and standardised as possible to maximise their market share. Ease-of-use can conflict directly with security and for this reason we have formed a close relationship with Microsoft. This collaboration has resulted in Microsoft gaining a very good understanding of the risks involved when SCADA security is compromised. It also resulted in us incorporating hardening techniques for the Microsoft operating systems to discourage the abuse of default network services, as well as default system services. It is important to “secure by design” – meaning that the design of the software should always be mindful of security. The other principle of “secure by default” means that: Where the market has demanded options that may result in weaker security, the option is disabled by default and has to be consciously enabled by the client.”

Doros Hadjizenonos: “In the last 20 years, the IT world has gained significant experience in protecting computer networks – dealing with the growing problem of operating system and application software vulnerabilities, by developing practices and processes that enable them to function in a secured manner. Re-using the know-how and technologies developed over the years can save significant time and money, but this can only be done when understanding the differences between SCADA and IT environments, and while using specialised security practices and technologies as part of the solution. Security solutions working in SCADA environments must be able to: perform protocol validation and anomaly detection i.e. identification and prevention of traffic that does not comply with protocol standards and that can create device malfunction; provide identification and enforcement of allowed commands, queries and responses within the protocol based on allow/block rules; provide prevention of transmission of payloads that are not known or can potentially exploit a specific vulnerability; provide prevention of excessive rates of communication that can create denial of service; log traffic details such as source, destination, users, time, protocol methods, queries and responses, login attempts, etc., used for forensic and trend analysis; ensure connectivity and minimal latency at all times including any hardware and software failures; be managed and updated from remote locations without the need to physically access them; be updated without any interruption/downtime to the SCADA network traffic.”

Selvan Murugan: “SCADA servers built on commercial or COTS operating systems are often exposed to attack through default network services. A through security risk assessment will generally recommend the removal of all unused network and application services in order to enhance the integrity of the system. This is particularly important when SCADA networks are interconnected with other networks. Default network services should be disabled as far as possible and the most common of these are email services and internet access services.”

Are systems safeguarded against the use of memory sticks?

Frits Kok: “Security needs to become part of the culture of an organisation. Once it becomes a given aspect of consideration, resistance to the security requirements will be less. Examples of trying to balance the requirements of production and a security policy is to isolate (Air Gap isolated) a specific PC for checking memory sticks. This PC is consistently updated with the latest patches and antivirus signatures. This PC is then used to scan a memory stick (or to copy files from it to another, formatted memory stick) – before the files are transferred to the SCADA network for example and it is part of the security policy to “sterilise” a memory stick before use in the SCADA network.”

Robert Wright: “I do not think that systems are safeguarded against the use of memory sticks. USB memory sticks are widely used by people and are commonly found working on computers carrying more than one in their possession. Computers have an increased number of USB interfaces and today it is commonplace to have four USB ports available. Many, if not all, of these ports are not secured in any way. This creates a risk for infection of computers and network security.”

Brian Contos, CISSP, VP and chief information security officer within Blue Coat’s Advanced Threat Protection Group says in his blog “Availability does trump everything else across critical infrastructure and it should. This is followed closely by integrity, but confidentially is a distant third. Default passwords are the excuse. I’ve heard that if something happens and anyone needs to access the system at any time, he or she can’t be hunting for the right password.” Availability is critical, but with these highly complex and connected systems, poor security can have an equally devastating impact on operational uptime. Are we in South Africa taking security of SCADA systems seriously enough to the prevent electricity and water supply systems from any compromise?

Robert Wright: “The conventional way of deploying cybersecurity on an ICS network is to add secure routers or firewall equipment that act as secure conduits, which is in addition to the existing network hardware such as layer 2 switches. Protecting one factory site requires only one or two high performance secure routers, whereas protecting network zones could require tens of secure routers. However, cybersecurity best practice dictates that security must be implemented at the device cell level, which could involve hundreds of secure routers or firewalls to be deployed at field sites. As you can easily surmise, installing and managing such a device structure would require both a high cost and herculean effort.”

Avin Ramjeeth: “The SCADA packages available in the South African market place have the necessary security tools required to provide adequate level of protection. It is up to the end-users to hold their service integrators accountable, by insisting that they employ best security practices during the design, implementation and maintenance of their systems, thus ensuring the effective utilisation of the features available from these tools.”

David Bean: “Probably not! That said, I am more concerned with the continuing exodus of very experienced plant operators/maintenance staff from these environments and the potential inability of those left behind to cope with an ‘incident’, whether or not the root cause was some cyber-attack. All the more reason to be able to harness remote monitoring and remote expert support.”

Deon van Aardt: “We certainly are taking it extremely seriously. We also constantly communicate this to our customers. To this end we have part of our wonderware developer network dedicated to security. On this page we publish new cyber security updates on a daily basis to make sure customers are aware of new threats and how to avoid them. The site also contains best practises and how-to guides to help customers plan, develop and deploy secure systems that are of the highest standard. But with all the best intentions disaster can still occur. One needs to be ready for this with well-defined change management and disaster recovery systems in place. Ideally it should work automatically in the background without having to remind users to make backups of the system. Recovery should be an easy and seamless process to minimise downtime.”

Selvan Murugan: “I totally agree that focus on the availability of systems that monitor and control critical infrastructure is paramount but that an equal focus needs to be placed on the security design of these systems. We, in South Africa are definitely not taking the security of SCADA systems seriously enough. From personal experience within municipalities, I can point out the following common issues that I encounter on a daily basis: uncontrolled access to SCADA workstations and server; unmanaged remote access, contractors are given passwords and access to the SCADA network for fault-finding purposes; uncontrolled access to network media e.g. switches, firewalls etc; no software patch management procedures; a single firewall being deployed with no management processes to determine whether this strategy is, in fact, working e.g. interrogation of access logs etc; unsecured SCADA wireless networks; unsecured wireless radio telemetry networks that connect plant systems to remote systems.

“In addition to this, the SA Centre for Information Security CEO, Beza Belayneh, says South Africa is not doing well in global comparisons in terms of the number of victims and the amount of money lost. “Different surveys find SA is between third-and sixth-worst in cybercrime,” he says. The 2013 Norton Report has found that South Africa has the third-highest number of cybercrime victims, after Russia and China.”

Thank you to our panellists for the forthright way in which they have shared their views. SCADA security in South Africa is far from ideal and could cause major disruption if not more closely monitored and continually adapted to ensure that systems are in place, so as to be one step ahead of cyber criminals.

Your views and comments on the opinions expressed in this virtual panel discussion are welcome.

Send your comments to hans.vandegroenendaal@ee.co.za

Subscribe to our leading email newsletters

FREE-OF-CHARGE

CLICK for other EE Publishers information products