Trends in security incidents in the SCADA and process industries: a summary — Part 2

By Glenn Johnson*
Saturday, 20 October, 2007


In Part 1 of this article we discussed the findings from the Industrial Security Industry Database, which indicated a significant rise in cyber attacks on SCADA, manufacturing and processing systems.

The research from the British Columbia Institute of Technology (BCIT) showed that incidents from sources external to the organisation had increased from 26% for the period 1982-2001, to 60% between 2002 and 2006. Of the external attacks, 78% were caused by viruses, worms or trojans, 9% were system penetrations and a further 9% were deliberate sabotage attempts (see Figure 1).

Watching the back door

When I worked in the IT security industry, there was a saying about firewalls that there was no point putting a heavy steel security door on the front door of your house if the back door had only a fly screen. Many people in the SCADA and control systems world still hold the belief that control systems are secure because they are simply never connected to the internet. But if this is the case, how are all these viruses getting to the plant floor and infecting SCADA systems?

To answer this question, the study team at BCIT decided to look more closely at the category of events in the ISID reporting a remote point of entry. The data set was reduced to the 47 ‘remote’ incidents that occurred between 2002 and 2006.

  


Figure 1: The percent total of each external incident type category, 2002 to 2006

Figure 2 graphs the frequency distribution of each of the nine remote point-of-entry categories: Internet, Corporate WAN, Corporate Business LAN, Wireless System, Trusted Third Party, Virtual Private Network (VPN) Connection, Public Telecommunications Network and Dial-Up Modem.

The results clearly show that while the business network (either LAN or WAN) was a major source, it was certainly not the only source. Secondary pathways were all significant contributors.

 


Figure 2: Remote points of entry charted as a percentage from 2002 to 2006 (47 records)

 

The large number and variety of pathways common in automation systems is corroborated by a recent ARC Advisory Group survey, Manufacturing Security Status and Strategies (Bob Mick, October 2005). In the survey, control engineers were asked about the types of connections that their automation networks had to the outside world. The summary results were as follows:

  • 47.5% company intranet/business network
  • 42.5% internet directly
  • 35% direct dial-up
  • 20% wireless modems
  • 17.5% no connection
  • 8.0% other connections.

The fact that the percentages in the ARC study do not add up to 100% indicates many automation networks had multiple connections. Most facilities have not just one pathway, but rather multiple pathways into their control system. For example, according to the BCIT researchers, one survey at a site in 2004 uncovered 17 different pathways, while site management believed there was only one control system to business network link.

There are many pathways other than the corporate network which can allow access to a SCADA/control system. These include:

  • Modems — Both leased-line and dial-up modems have been in use for decades to allow the remote support of control systems and are still widespread. Unfortunately, many of these modem/device pairs have been shown to have either no password or trivial passwords.
  • Wireless — Traditionally, SCADA networks over large physical areas utilised licensed-band radio systems to allow remote nodes to communicate with a centralised management host. More recently, the large-scale deployment of wireless ethernet (IEEE 802.11) has created countless opportunities for intrusion and information theft.
  • Third-party connections — Generally used for remote support by control systems vendors or product transfer by raw materials suppliers, these connections interconnect the control system to an outside network that may not follow the same security policies.
  • Virtual private networks — Often deployed as part of a third-party connection. Since the traffic is encrypted, it is commonly believed to be secure, but they are only as secure as the computer or network at the other end of the VPN.
  • Mobile devices — Mobile devices such as laptops, PDAs and flash drives are often used in a variety of environments, each with different security policies and practices. This allows the spill-over of security issues from one system to the other.
  • Internet — While commonly denied, both the ARC study and a number of the incidents in the ISID show that control systems do get connected directly to the internet.

Figure 3 illustrates a few of the locations of possible pathways into organisations that employ segregated process control/SCADA networks, and all of them have been points of entry for at least one ISID incident. For example, database records show that the SQL Slammer worm had at least four different infiltration paths in the control systems it impacted:

  1. A nuclear power plant process computer via a contractor’s T1 line
  2. A power SCADA system via a VPN
  3. A petroleum control system via a laptop
  4. A paper machine HMI via a dial-up modem.

The bottom line is that security designs that assume all traffic into the control system will flow through a single choke point may be making a dangerous assumption.


Figure 3: Typical entry points in control network structure.

Improving the security of industrial control systems

So, organisations that operate SCADA and control systems have good reason to be concerned about cyber security. Not only have the number of incidents increased dramatically in the past five years, but the seriousness and cost of these events appears to be increasing as well. Even if there is no direct impact on production or revenue, there is cost associated with expenditure of employee time, the cost of upgrading or changing equipment, and the risk to corporate reputation.

The high frequency of virus and worm incidents suggests that security methods that are in place in many control systems are insufficient to mitigate virus-related risk. For example, a perimeter firewall protecting the business network offers little protection against internally released viruses from laptops that get connected to the control network.

The ISID analysis points to two areas where the security of the typical SCADA/PCN system could be improved significantly. First, the large number of incidents involving well known and easily addressed threat vectors indicate that many of the security issues need to be addressed through better policy, practices and education programs rather than through pure technology-based solutions. For example, the researchers say that incidents involving the Slammer worm continue to be submitted to the ISID, almost five years after the patch for this vulnerability was initially released, indicating that flaws in security policy and employee/contractor awareness are the root cause in nearly all these cases.

Second, the existence of the numerous secondary pathways into the SCADA and control system point to the need for comprehensive, in-depth defence strategies.

The need for comprehensive security programs

It is this human part of the equation that is critical to the success of any security program, not the technology. As the introduction to the ISO/IEC 17799:2005 (AS/NZS 7799) standard notes:

“Experience has shown that the following factors are critical to the successful implementation of information security within an organisation:

  1. Security policy, objectives and activities that reflect business objectives
  2. An approach and framework to implementing, maintaining, monitoring, and improving information security that is consistent with the organisational culture
  3. Visible support and commitment from management
  4. A good understanding of the security requirements, risk assessment and risk management
  5. Effective marketing of information security to all managers, employees and other parties to achieve awareness
  6. Provision to fund information security management activities
  7. Distribution of guidance on information security policy and standards to all managers, employees and other parties
  8. Providing appropriate awareness, training and education
  9. Establishing an effective information security incident management process
  10. Implementation of a measurement system that is used to evaluate performance in information security management and feedback suggestions for improvement.”

It is critical that process and manufacturing control system owners and operators start by developing a comprehensive control system security management program that covers all aspects of industrial control system security, including electronic and physical security.

There are a number of excellent sources that provide guidance on how to create a control system security management system. The AS/NZS7799 and AS/NZS27001 standards specify a possible process from the IT perspective, while ‘ISA-99.00.02-Part 2: Establishing an Industrial Automation and Control System Security Program’ defines the key requirements from a process control perspective. In addition to these formal standards there have been many interpretive guides written that help translate the language of standards into everyday terminology.

The need for defence in depth

Modern security practice mandates that effective security requires a ‘defence in depth’ strategy, where critical systems are protected by layers of security. Depending on a single corporate firewall for control system security violates that strategy by creating a single point of security failure. In addition, the security needs of the business network are different from those of the control network — a single firewall cannot be all things to all departments. A good control system security strategy needs to offer layers of protection, starting with a dedicated control system firewall and progressing to specific protection for key devices and systems on the plant floor or SCADA system.

The primary control system firewall defines the security perimeter for the control system and acts as the choke point for all traffic between the outside world and the control system. Proper design and deployment of this firewall is critical. Similarly, using routers or switches with access control lists (ACL) is generally not acceptable.

Multifunction firewalls that combine firewall services, antivirus services, VPN services and intrusion detection services are also recommended. Combining the firewall function and VPN function in one appliance addresses the issue of being unable to check the content of VPN traffic because the firewall can be given the ability to decrypt (and if necessary re-encrypt) the VPN traffic. Similarly, the challenges of deploying A/V in the control network can be partially addressed by multifunction firewalls.

Once the electronic perimeter of the control system is secured, it is necessary to build the secondary layers of defence on the control system itself. This can be achieved using two primary techniques. For those control components (such as HMIs and data historians) that are based on traditional IT operating systems such as Windows and Linux, this can take advantage of proven IT security strategies. For those devices like PLCs, RTUs and DCS controllers, the use of distributed security appliances is recommended.

Layered protection for control devices

In many cases, the most critical devices in a control system are based on operating systems and architectures that do not allow the addition of security features such as A/V software or permit regular patching. Furthermore, the majority of control devices in use today offer no authentication, integrity or confidentiality mechanisms, and can be completely controlled by any individual that can ‘ping’ the device. Thus, the most critical devices on the plant floor are also the most vulnerable.

A rapidly evolving security solution is the use of low-cost security appliances deployed directly in front of each control device (or group of devices) that needs protection. These appliances provide protection directly at the critical edge device, similar to the way personal firewalls, antivirus software or intrusion detection systems provide local protection for desktop computers and servers. The result is a true ‘defence in depth’ strategy, so that even if a hacker or virus manages to get through the main corporate firewall, they will still be faced with an army of SCADA-focused security devices that need to be breached before any damage can be done.

*Glenn Johnson is the Editor of What’s New in Process Technology and has previously worked as an IT security consultant.

This article is based on, and is a summary of, a white paper titled Security Incidents and Trends in the SCADA and Process Industries — A statistical review of the Industrial Security Incident Database (ISID), prepared by Eric Byres, David Leversage and Nate Kube, for Symantec Corporation, 2007.

 

Related Articles

Anticipating maintenance problems with predictive analytics

By utilising predictive analytics, process manufacturers can predict failures, enhance...

Air-gapped networks give a false sense of security

So-called 'air-gapped' OT networks can still fall victim to cyber attacks, so what is the...

Maximising automation flexibility: the ISV-driven approach

Vendor lock-in has long been a significant barrier to innovation in the industrial sector, making...


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd