Protecting industrial control systems and SCADA networks

March 14th, 2014, Published in Articles: EngineerIT

 

Cyber attacks on critical infrastructures are now a reality. Power generation facilities, metropolitan traffic control systems, water treatment systems and factories have become targets of attackers and have been hit with an array of network breach, data theft and denial of service activity. Service uptime, data integrity, compliance and even public safety require that organisations implement steps to deal with these security concerns. It is time to take action.

Probably the most well-known critical infrastructure attack is was Stuxnet – a sabotage of the operation of an Iranian nuclear facility that targeted Siemens programmable logic controllers (PLCs) used in the facility for process automation and control. Stuxnet exploited several previously undisclosed vulnerabilities in Microsoft Windows. It was initially propagated via intentionally infected USB memory devices, which were inserted into Windows PCs that were connected to the PLC network, with subsequent infection of the PLCs.

Fig. 1: 198 incidents reported and investigated by US ICS-CERT in 2012.

Fig. 1: 198 incidents reported and investigated by US ICS-CERT in 2012.

Industrial control systems from leading vendors are vulnerable and exploits are now freely available on the iternet. The vulnerabilities vary from basic issues like systems without passwords or with hard-coded passwords to configuration issues and software bugs. Once an attacker is able to run software that has access to a controller the likelihood of a successful attack is very high.

In the last 20 years, the IT world has gained significance experience in protecting computer networks. Reusing some of the know-how and technologies developed over the years can save significant time and money, but it can only be done when understanding the difference between ICS/SCADA and IT environments.

The White Paper by Checkpoint Software technologies presents a summary description of the threats to critical infrastructure and suggests guidelines for mitigating this risk using a multi-layered security strategy. The full paper is available for download (see end of article).

Industry, manufacturing and critical infrastructure facilities (electricity, oil, gas, water, waste, etc.) rely heavily on electrical, mechanical, hydraulic and other types of equipment. These equipment are controlled and monitored by dedicated computer systems and are connected to management systems – together they form networks that leverage supervisory control and data acquisition (SCADA) and industrial control system (ICS) solutions. The benefits provided by ICS and SCADA systems make them equally capable of damaging infrastructure operations and processes.

Most SCADA/ICS networks have some level of perimeter defence, including network segmentation and firewall technologies. Bypassing such perimeter defences from the outside is typically relatively difficult, and so attackers are always looking for alternative ways to get inside – for instance, through a gate that is left open, or by triggering some operations from inside the organisation that opens up a communication channel to the outside.

Once inside, the attackers might leverage information that they have about the network, or else conduct reconnaissance to learn the environment. Or, they might just try well-known access methods to see if they work due to weak or incomplete network security policies. Very frequently, weaknesses in specific vendor implementations of a protocol or typical system/security configuration mistakes are taken advantage of.

A common belief is that ICS and SCADA networks are physically separated from corporate IT networks. This might be accurate physically, in the sense that some companies operate distinct LANs or airgap their control and corporate networks from one another.

In the last 20 years, the IT world has gained significant experience in protecting computer networks – dealing with the growing problem of operating system and application software vulnerabilities by developing practices and processes that enable them to function in a secured manner. Reusing the know-how and technologies developed over the years can save significant time and money, but this can only be done when understanding the differences between SCADA and IT environments and while using specialised security practices and technologies as part of the solution.

SCADA networks make use of specific and sometimes proprietary protocols. Many of these protocols have known shortcoming that make them susceptible to attack.

MODBUS is an application-layer communication protocol. It provides client/server communication between devices connected on different types of buses or networks. MODBUS is mainly used for supervision and control of automation equipment. The protocol provides no security against unauthorised commands or interception of data. An attacker with IP connectivity and a MODBUS client simulator (available from the internet and potentially embedded in malware) can create various types of attacks.

Understanding your environment

We can protect what we know. The problem is that many legacy environments include devices, communication links, software versions, accounts and users, which were added over time, and for which there are incomplete records. Step one in securing any network is making sure there is an up-to-date mapping and list of its components

Initial analysis

Based on the mapping conducted, it is possible to start with an initial analysis of security risks. This process assesses what would be the severity, probability and business impact of an attack – that is, how severely a successful attack would affect the environment, how easy it would be for the attacker to launch an attack and what would be the business consequences of the attack.

A security strategy

To achieve the level of protection needed for industrial and critical networks, security needs to grow from a collection of disparate technologies and practices to an effective business process. Check Point recommends organisations to look at three dimensions when deploying a security strategy and solution:

  • Policies: Security starts with a widely understood and well-defined policy
  • People: Users of computer systems are a critical part of the security process. It is often users who make mistakes that result in malware infections and information leakage. Organisations should pay much attention to the involvement of users in the security process. Employees need to be informed and educated on the security policy and their expected behaviour when surfing the Internet or sharing sensitive data. At the same time, security should be as seamless and transparent as possible and should not change the way users work.
  • Enforcement: Deployment of security technology solutions such as security gateways and endpoint software is critical for automated analysis of traffic, prevention of attacks and regulation of work procedure.

Management

Managing a large network consisting of hundreds or thousands of devices is a complex task. Remote, centra management of security policies and effective situational visibility are keys to effectively securing the infrastructure.

As security of organisations is comprised of many layers, it is important to have a single view of all security incidents in one place. Standardising and unifying security solutions can allow use of expertise already present in the organisation and provide a better overall view of the security posture across ICS security devices, IT systems security devices and endpoint computers.

  • Visibility into the entire information security environment with centralised monitoring and reporting capability of network and security
  • Actionable information with drill down capabilities to actual forensic data such as device logs and packet captures
  • Reduction of administration overhead by allowing centralised management, monitoring and universal updateability of all security enforcement points
  • Consistent and updated security policies across the network and promotes regulatory compliance by more easily enforcing and auditing corporate security policy.

Security updates

In a constantly changing threat environment, defences must evolve with or ahead of threats. The ability of security products to deal with the latest vulnerabilities and exploits is as good as the ability of the vendor to conduct comprehensive security research and provide frequent security updates.

Securing ICS and SCADA networks is critical for ensuring manufacturing capability, service continuity and public safety. It is a complex task that can be achieved by employing planning, common sense, understanding of business requirements and people aspects – as well as employing the right technologies.

The White Paper includes many examples of how threats can be avoided. It provides details of the kind of analyses companies should do and how to implement preventative measures. It is well worth a read, see contact details below.

Contact Doros Hadjizenonos, Check Point South Africa,  doros@checkpoint.com

Related Articles

  • SATNAC to probe changing requirements of the telecom sector
  • South Africa is tracking another moon landing
  • Phoenix Contact bids farewell to GM Peter Mauff
  • South African engineering excellence celebrated
  • New bidirectional power supply launched