Does scada have a fatal flaw?

Vulnerabilities in Scada systems make them an ideal target for cyber criminals and hacktivists, and those attacks could trigger serious real-world calamities

Tags: Codenomicon (www.codenomicon.com/)General ElectricHoneywell International Incorporatedhelp AG (www.helpag.com/)
  • E-Mail
Does scada have a fatal flaw? Scada systems are more secure than they were, according to Feroz Qureshi of Honeywell.
By  Georgina Enzer Published  May 2, 2014

Scada systems have an inherent and easily exploitable vulnerability left over from when the systems were analogue, according to industry experts. This vulnerability is in the underlying protocol being utilised in Scada systems.

Scada (supervisory control and data acquisition) systems are computer-controlled industrial installations that monitor and control industrial processes that exist in the physical world, including for oil & gas production, manufacturing, utilities and many other industries.

“When we went from the old signal types, analogue or terminals, to asynchronous communication between those devices, the manufacturers didn’t reinvent how those programmable logic controllers were being communicated; they just took those messaging protocols that they had in the past and put them into IP,” said Nicolai Solling, director of technology services at security advisory firm help AG Middle East.

“That means that one of the basic issues with Scada communication is that there is no kind of syndication of those messages, so if you have malware that comes into such an infrastructure [that] has the ability to manipulate those messages there is no way that the systems will know that this is happening. That means that in the actual start up protocols and in the communication, the way that things talk to each other, it is very vulnerable,” he adds.

Mohamed Karime, Oil and Gas Sales Leader, GE Intelligent Platforms, MEA added: “It is recommended that Industrial networks and Enterprise networks are not directly connected. Where data must be transferred from one to the other, a suitable device may be employed, such as a firewall/router or gateway device (this function may be performed by a Proficy Historian Server). Internally to the Industrial network, additional firewalls may be used to separate and protect Industrial sub-networks.”

According to Mike Ahmadi, CISSP, global director of Business Development at security and robustness testing solutions company Codenomicon, older systems and even newer systems have no authentication, which means that malware and man-in-the-middle attacks can intercept and modify the PLC messages.

The effect of such a cyber attack is essentially unlimited, according to Codenomicon. It could shut down safety and monitoring systems, for example, and cause ruptures, fires, leaks and breakdowns.

For example, a cyber attack on a Scada system running an intelligent oil rig or IP-enabled oil rig could manipulate how the drill operates (the speed and drilling pressure) and make it operate outside of safe parameters, causing massive drill-bit failure and potentially an environmentally catastrophic oil spill.

“It is difficult to envisage to what extent a well-targeted cyber-attack can impact real time operations,” said Feroz Qureshi, business development manager, Middle East, at process automation experts Honeywell Process Solutions.

“Thanks to the publicity that attacks like Stuxnet have gained, hackers and criminals have started discovering that Scada/ICSS products could be attractive targets. The ability to modify control parameters could, in a cyber-attack, create havoc, with implications seen anywhere between loss of data to compromising operations of a refinery as an example. The positive news is that this would be possible only if malware gets in. Developing malware for such highly targeted attacks and planning them requires in-depth knowledge about the Scada/ICSS systems and very specific skill sets,”

Karime points out that while Scada systems can be attacked remotely, most recent incidents appear to be caused by manual interference by insiders.

“Control systems must be designed in a way that prevents any unauthorised interaction with any ‘super’ user. For example, USB ports shall be disabled or hidden so that a casual user cannot inject a virus in the system through it. Keyboard shortcuts must be inhibited so that unauthorised users cannot exit the application and access the Operating System. Electronic signature approval for critical set point changes can also be implemented as an option, etc.

Scada in general is assumed to be more vulnerable by virtue of the openness and flexibility required by Scada to integrate with a range of systems. This is changing now with more security measures taken both by end users and vendors, according to Honeywell.

“Scada systems have come a long way today. With the growing awareness about cyber security within the end user community after recent incidents the process automation industry has taken this up and improved the overall network security for Scada systems,” said Qureshi.

According to Honeywell, Scada solutions being implemented on the market are getting smarter and the gap between the security and network standards followed between a DCS and Scada are closing down. End users today demand Scada solutions with the same flexibility but greater reliability and better security, similar to a DCS solution. A good example of this technology crossover from DCS to Scada is the use of controller-level protocol firewalls for Scada solutions and introduction of IPsec (Internet protocol security), which ensures each IP packet of a communication session is encrypted and authenticated, according to Honeywell.

“Such implementations and new solutions ensure that you could still use the robust and proven Scada protocols, but now create a secure encrypted shell around the data while passing over on an open communication network,” said Qureshi.

Other solutions include concepts like blacklisting (use of antivirus), whitelisting, system management, system hardening, keeping systems regularly updated and following a zone-and-conduit strategy as additional measures. But these practices may just not be enough to protect against determined, focused attacks on vulnerabilities.

“If you can first identify Scada vulnerabilities, you can protect somewhat at the perimeter and potentially other mitigations. These are band aids at best, however,” said Ahmadi.

There are a number of different ways that the industry is trying to address the vulnerabilities in Scada systems, including adding encryption on top of PLC communication, but ultimately it will have to be a case of neutral authentication between the device that is sending the messages and the device that processes those messages. However, experts have said that there is still a long way to go before these systems become fully secured and the legacy Scada infrastructure will be extremely expensive to replace and update.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code