Industrial Security: Securing SCADA/ICS
What is a SCADA/ICS?
Supervisory Control and Data Acquisition (SCADA) Industrial Control systems (ICS) are commonly used in industrial operations to control and monitor large systems. They help improve the overall efficiency of operations, distribute data for smarter decisions, and communicate system issues to help reduce downtime. SCADA systems are commonly used across a wide range of industries because they can be easily adapted and modified for many functions. Industries which commonly use SCADA/ICS include:
- Energy/Power Plants
- Water and waste water treatment facilities
- Food & beverage processing/packaging
- Manufacturing facilities
- Oil and gas refineries & pipelines
- Transportation (airports, ships, subways)
In the past, industrial facilities commonly relied on a "strong shell, weak core" security model to protect their networks. This idea was implemented through an air gapped network, meaning that the SCADA/ICS network was both physically and logically separated from the internet. This security model stopped external threats in the past, but with now it's not so effective. Many industries that use SCADA/ICS have a need for 24/7 monitoring and, in some cases, the need for near instantaneous response times. The most budget friendly means to achieve this is by implementing remote monitoring. By connecting SCADA/ICS to a wide area network, the system can remotely communicate with human controllers to alert them when something is wrong and allows human controllers to respond promptly by remotely accessing the systems to update configurations to resolve alerts. Unfortunately, having the ability to monitor systems remotely requires external access by some means (i.e. internet, telephone, or radio) thus removing the air gap and "strong shell" of security. While such connectivity to the system is convenient for the operators, providing a remote entry point into the network also creates a vector through which attackers can attempt to gain entry into the system.
Many industries that are using SCADA/ICS still believe in the idea that if they haven't been hacked yet it probably won't happen. They work on the idea of security through obscurity, the belief that the system is secure so long as nobody outside of its implementation group knows anything about its internal mechanisms. All of the equipment these industries use is proprietary so, theoretically, no hacker would have enough knowledge of the system to successfully attack it. But just because the specifications for equipment protocols are kept secret, doesn’t make the protocols themselves secure. In fact, limiting the amount of eyes and feedback on a protocol can actually reduce the overall security that can be provided to that protocol. By limiting the number of people allowed to evaluate a protocol, constructive feedback is also limited. Fewer eyes may be better for keeping secrets, but that means there will also be fewer eyes to help identify vulnerabilities in the protocol.
In addition, devices that communicate using these protocols are often extremely sensitive, meaning they are designed to communicate using only that protocol. Therefore, if something/someone were to try to communicate with a device using the wrong protocol, the device would become unresponsive. This sensitivity makes a denial of service attack a very easy and very effective way to cripple a system.
Common Oversights in SCADA/ICS Set-up
In most cases we have seen, companies set up their SCADA/ICS networks out of the box and once its up and running they forget about it. As long as it works, why change it? The reality is that just because something works doesn't mean it works in a secure way. Maintaining a secure network isn't always simple, but it's undeniably important.
When systems are setup "out of the box" they are often initially set up using the default credentials. If these credentials aren't changed, an attacker could easily use such an oversight to break into the system. Product information such as default credentials are commonly available online, so an attacker could simply search the web for the default passwords and use them to gain access.
We more often than not see controller servers or workstations being put online and then never being patched again. There are controllers still in production that are running Windows XP and which have never seen a patch over their entire existence. This means that every vulnerability or exploit that has been discovered for these un-patched systems is still present on the system. Patching your system is equally important to all the hardware on the network, controllers, plc, switches, routers, etc.
Another common oversight is setting up communication without encryption. Unencrypted communications can allow for anyone on the network to intercept, monitor and record all the network traffic between devices. Attackers could potentially exploit this vulnerability by communicating with the main server through a compromised device.
Setting up proper network infrastructure, authentication, authorization, and communication encryption would prevent most insider threats from gaining access to areas of the network they are not allowed or eavesdropping on network communications. In most cases we have seen, companies inherently trust their employees, so they believe there is no need to invest in implementing internal security measures like these. But setting up proper network infrastructure, authentication, authorization, and communication encryption can also help prevent a hacker from gaining control of an entire system by limiting the level of network access each connected device has.
SCADA/ICS allow our crucial utility, manufacturing, and production facilities to operate, but the simplicity of these systems make them vulnerable to those with malicious intent. Before SCADA/ICS were connected to networks and made remotely accessible, industries relied on air gapped networks for security and put little investment into internal security. Such hasty implementation of new technological advances has led to security shortfalls. We are dependent on SCADA/ICS to continue operating our industrial infrastructure, but the risks to these systems are greater than ever. This is just one issue that has stemmed from a lack of understanding about the importance of network security. Software must be continuously checked for vulnerabilities, patched, and improved upon in order to maintain security. Not updating and improving your security over time can be almost as bad as not having any at all. When you set up your network, make sure you do it right and make sure you take the time to maintain your systems.