Securing SCADA field systems — Part 1

Ovarro
By Kevin L Finnan*
Wednesday, 22 October, 2008


The most famous attack on a SCADA system took place in Australia in 2001. As reported by news.com.au and other sources, Vitek Boden, a disgruntled former employee of the contractor who installed a computer system for the Maroochy Shire Council, near Brisbane, later hacked into the system.

According to a court statement, Boden “applied for a job with the council but was rejected and later hacked into the council’s sewage control computers, using radio transmissions to alter pump station operations.

“Up to one million litres of raw sewage flowed into the grounds of the Hyatt Regency Resort at Coolum and nearby Pacific Paradise, where it ended up in a storm water drain.” The court statement went on to describe the large amount of environmental damage those attacks caused.

Could this sort of attack happen to your system?

Standards development

Significant recent developments in SCADA security include the release of two key standards, ANSI/ISA-99 Part I and NERC CIP.

Entitled ‘Terminology, Concepts and Models’, Part I of ANSI/ISA-99-00-01-2007 ‘Security for Industrial Automation and Control Systems’ lays a solid groundwork for upcoming standards on establishing and operating a security program and technical security requirements. Approved on 29 October 2007, it introduces significant ‘common ground’ in definitions of security-related concepts, assets, risks, threats and vulnerabilities.

The NERC (North American Electric Reliability Council) CIP (Critical Infrastructure Protection) cyber security standards CIP-002-1 through CIP-009-1 (formerly known as the 1300 standards) have been approved as of 17 January 2008. CIP-002-1 through CIP-009-1 include numerous provisions that require compliance.

Among numerous concepts in ANSI/ISA-99 Part I, one of the most important is the Reference Architecture, which includes a security zone model. The model recognises the reality that various portions of a control system or SCADA system, whether logical or physical, vary in terms of risks and vulnerabilities, and therefore security requirements. It is noted that there is a distinct advantage in aligning security zones with physical areas or zones — for example, aligning a control centre with a control security zone.

ANSI/ISA-99 Part I defines zone characteristics — each zone has a set of characteristics and security requirements that are its attributes. They take the form of:

  • Security policies
  • Asset inventory
  • Access requirements and controls
  • Threats and vulnerabilities
  • Consequences of a security breach
  • Authorised technology
  • Change management process.

For a SCADA system, ANSI/ISA-99 Part I defines various logical zones, including the ‘Enterprise Zone’, which is generally considered the IT system, and the ‘SCADA Zone’, which includes the subsystems we normally associate with a SCADA system:

  • Control centre zone or primary and backup control centre zones
  • Serial or IP network
  • Control zones, which are the remote sites normally associated with RTU installations.

ANSI/ISA-99 Part I includes two versions, one of which encloses the entire SCADA system in a single security zone. The other is the ‘separate zones’ model.

In the separate zones model, control centre zones and control zones are defined with differing characteristics. The control zones are the locations which are usually remote from the control centres and include the RTU equipment. It is conceivable that one control zone can have very different characteristics from another. For example, one location could be classified as more vulnerable or have higher risks than another.

NERC CIP-005-1 requires an electronic security perimeter for what are termed ‘critical cyber assets’. While it is not explicitly stated in CIP-005-1, the electronic security perimeter concept does apply to ANSI/ISA security zones and there is general consistency between the two standards in definitions of assets and other terms. CIP-006-1 provides physical security requirements and, again, is not inconsistent with ANSI/ISA-99 Part I.


Figure 1: A simplified representation of the security zones for SCADA systems.

The focus in this article will be on the control zones and their interfaces to the wide area network. Remote sites provide numerous characteristics which differ significantly from those associated with the enterprise zone or control centre zones. Since the latter two have been explored much more thoroughly, there is more to offer if we focus on control zones. In addition, the wide area network in SCADA systems presents a very interesting set of characteristics, as it is typically outside of any of the operator’s security zones.

Securing the RTU devices at remote sites

In SCADA systems, the control zones are normally in remote areas, away from control centre zones. This presents a number of unique characteristics, which are notably different from control centres as well as plant processes. We will consider both the cyber and physical threats and offer measures in terms of monitoring for intrusions as well as prevention.

The term ‘RTU’ will be used for the electronic monitoring and control device at these locations. Please keep in mind that the device could actually be a PAC or PLC.

Addressing RTU cyber threats — prevention

In many systems, it is simply too easy to gain access via an RTU local serial port or, even worse, a dial-up, radio or other network link that makes the RTU accessible from practically anywhere in the world.

How important is this aspect compared to the rest of the SCADA system? In the attack in Australia, Vitek Boden targeted the remote stations by using a radio to access serial ports and was able to operate pumps.

RTU ports can basically fall into one of two groups: local and remote. Local ports are wired directly to nearby equipment such as analysers, flowmeters, pressure transmitters, a PC or other HMI device. Wireless interfaces are becoming more popular for local links, eg, wireless HART between an RTU and pressure transmitter and Bluetooth between a laptop PC and the RTU.

If the RTU is not in a physically secure zone, a major risk is that anyone can plug into — or wirelessly access — the local port that is intended for configuration, taking readings and other local operations via a PC.

Unfortunately, it is too easy to say that it is mandatory for the RTU to be physically secure and be done with it. Today’s trend toward wireless communications, even for ‘local’ functions, reintroduces the risk of intrusion because the radio range can extend beyond the physically secure zone. A wireless local link is as much a major risk as a remote port, which is defined as one with a modem, radio or other physical connection to a wide area network. Since much of a SCADA wide area network is located, both physically and logically, outside of any of the operator’s secure zones, this is a major cause for concern.

Authentication has emerged as the cyber security provision-of-choice when it comes to remote port access. In some cases, protocol standards are being amended to adopt authentication. The DNP Users Group Steering Committee has recently ratified a security extension that mandates the authentication of master devices through the use of one-way cryptographic hash functions employing a shared key in order to access critical DNP functions. These critical functions include write, select, operate, direct operate, cold restart, warm restart, initialise application, start application, stop application, enable unsolicited responses, disable unsolicited responses, record current time and activate configuration.
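The challenge-and-reply idea behind this kind of master authentication can be sketched as follows. This is an added example, not code from the DNP Users Group specification or from any vendor: the Rtu class, the message layout and the choice of HMAC-SHA256 as the keyed one-way hash are assumptions made for illustration, and only the list of critical functions comes from the text above.

```python
import hashlib
import hmac
import os

# Critical functions named in the article; any other request (e.g. "read") is not challenged.
CRITICAL = {
    "write", "select", "operate", "direct operate", "cold restart", "warm restart",
    "initialise application", "start application", "stop application",
    "enable unsolicited responses", "disable unsolicited responses",
    "record current time", "activate configuration",
}

def mac(key: bytes, challenge: bytes, function: str, payload: bytes) -> bytes:
    """Keyed one-way hash binding the reply to one challenge and one exact request."""
    msg = challenge + len(function).to_bytes(1, "big") + function.encode() + payload
    return hmac.new(key, msg, hashlib.sha256).digest()

class Rtu:
    """Hypothetical RTU-side gatekeeper (illustration only, not the DNP3 wire format)."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None  # (challenge, function, payload) awaiting a reply

    def request(self, function: str, payload: bytes = b""):
        """Return ('executed', None) for non-critical requests, else ('challenge', nonce)."""
        if function not in CRITICAL:
            return "executed", None
        nonce = os.urandom(16)  # fresh per request, so a recorded reply cannot be reused
        self._pending = (nonce, function, payload)
        return "challenge", nonce

    def reply(self, tag: bytes) -> str:
        """Execute the pending request only if the master proves knowledge of the key."""
        if self._pending is None:
            return "rejected"
        nonce, function, payload = self._pending
        self._pending = None  # single use, whether or not the tag verifies
        expected = mac(self._key, nonce, function, payload)
        return "executed" if hmac.compare_digest(tag, expected) else "rejected"
```

Because the tag covers the RTU's fresh challenge as well as the request, a reply captured on the wide area network fails when it is presented against a later challenge.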

Authentication ensures that messages arriving at the RTU come from the control centre or other legitimate assets in the SCADA system. Since the SCADA wide area network can be located mostly outside of any security zones, it is subject to eavesdropping.

A number of years ago, Bill Rush of the Gas Technology Institute (GTI) proposed SCADA message encryption to address this risk. As Rush pointed out, if someone can eavesdrop and learn to recognise messages, the party can likely also practise ‘spoofing’, that is, inject commands that can operate process equipment or corrupt proprietary information.

This is the thrust behind the SCADA encryption standardisation effort, which was originally proposed as American Gas Association (AGA) Report No 12. Since then, the technical standards community has favoured authentication over encryption primarily because it is much less resource-intensive and can more reasonably be retrofitted in existing systems.


Figure 2: While the SCADA protocol handles all operations messaging, SNMP is used for device status and security monitoring.

In any event, encryption standardisation efforts continue and encryption is finding its way into new installations. Some data communication devices, such as radios, offer it as an option. Many IP-based systems use encryption and, for those users replacing direct-wire local links with wireless, it is also a feature of Bluetooth.

Addressing RTU cyber threats — monitoring and detection

At a minimum, the RTU must be able to log all activity on local or modem ports and report it to operators on the SCADA network. NERC CIP-005-1 requires 24/7 logging at all access points to the electronic security perimeter.

The Simple Network Management Protocol (SNMP) is emerging as a vehicle for security monitoring in SCADA networks. Traditionally used by IT to monitor components such as routers, servers and switches, SNMP is now being employed to monitor remote sites. For example, such control zone parameters as main power status, battery voltage, cabinet temperature, and door switch status can be reported via SNMP.

Similarly, SNMP can report activity on RTU serial ports. That information can be used for intrusion detection. SNMP operates over TCP/IP links and can function concurrently with other SCADA protocols. While DNP3 or IEC60870-5 protocols are used to transfer process or operational information between the SCADA server and the RTUs, SNMP is used over the same physical network in a background mode, transferring ‘shadow data’ that is used for system health monitoring and security.
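How such ‘shadow data’ can feed intrusion detection is shown in the added example below, which is not taken from any product mentioned in this article. The site names, poll records and visit schedule are constructed, and the two rules (a local port session or an open cabinet door outside an approved site visit) are assumptions chosen to match the door switch and serial port parameters described above.

```python
from datetime import datetime

# Constructed samples of SNMP-polled status: (site, time, door_open, local_port_active).
POLLS = [
    ("PS-07", "2008-10-22T02:10", False, False),
    ("PS-07", "2008-10-22T02:15", False, True),
    ("PS-07", "2008-10-22T02:20", False, True),
    ("PS-12", "2008-10-22T09:30", True, True),
    ("PS-12", "2008-10-22T17:45", True, False),
]
# Constructed schedule of approved site visits: site -> list of (start, end).
VISITS = {"PS-12": [("2008-10-22T09:00", "2008-10-22T11:00")]}

def _ts(stamp):
    return datetime.fromisoformat(stamp)

def in_visit(site, when, visits):
    """True if 'when' falls inside an approved visit window for the site."""
    return any(_ts(a) <= when <= _ts(b) for a, b in visits.get(site, []))

def detect(polls, visits):
    """Return (site, time, reason) alerts, raised once per change of state."""
    alerts = []
    previous = {}  # last (door_open, port_active) seen per site
    for site, stamp, door_open, port_active in sorted(polls, key=lambda p: (p[0], p[1])):
        approved = in_visit(site, _ts(stamp), visits)
        state = (door_open, port_active)
        if state != previous.get(site):
            if port_active and not approved:
                reason = "local port session outside an approved visit"
                if not door_open:
                    # Nobody opened the cabinet, so the session did not come
                    # from a technician plugged in at the RTU.
                    reason += " with cabinet door closed (possible wireless access)"
                alerts.append((site, stamp, reason))
            elif door_open and not approved:
                alerts.append((site, stamp, "cabinet door open outside an approved visit"))
        previous[site] = state
    return alerts

if __name__ == "__main__":
    for alert in detect(POLLS, VISITS):
        print(*alert, sep=" | ")
```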

In Part 2

This article has introduced the standards efforts in relation to best practices in securing SCADA systems and introduced some key practices in protecting remote control systems. In Part 2, we will discuss physical protection of remote RTU systems and highlight best practices for dealing with system failure.

  


Figure 3: Semaphore RTU products such as the G30 are Industrial Defender Enabled, as they support Industrial Defender’s monitoring and reporting via SNMP.

*Kevin L Finnan is vice-president, marketing for CSE-Semaphore.

CSE-Semaphore
www.cse-semaphore.com

 
