A large share of the business of many companies and organizations worldwide depends on production processes controlled and monitored by specialized applications generally known as Industrial Control Systems (ICS), among which SCADA (Supervisory Control and Data Acquisition) is one of the most widely used.
SCADA systems comprise devices that gather real-time data from production equipment, determine whether the values are within acceptable ranges, and take corrective measures as necessary to maintain process stability and control.
Their basic architecture usually consists of one or several central servers and workstations that communicate with sensors and valves, programmable logic controllers (PLCs), remote terminal units (RTUs), and human-machine interfaces (HMIs), as well as other control and monitoring components.
These solutions are generally used in large-scale infrastructures such as transport systems (subway, trains, ports, and airports), automotive, chemical, oil and gas industries, thermal, hydroelectric, nuclear power generation, electricity, water, gas distribution and control systems, etc.
SCADA systems made a huge impact on advancing industrial automation by allowing operators not only to control the performance of all devices in real time, but also to set alarms and warnings to correct potential deviations. Ensuring their reliable operation is therefore a critical task in many industries: the entire production cycle depends on the correct functioning of a few applications which, if they fail or misbehave, can cause major material losses, endanger employees, and result in environmental disasters, sometimes jeopardizing whole countries and neighboring regions.
Early SCADA systems were created before the Internet appeared, as isolated systems not connected to any network. Traditionally they have no security controls such as firewalls, encryption mechanisms, or antivirus software: their design focuses entirely on functionality and reliability, while security is limited to the purely physical aspect of restricting access to their isolated and controlled environments.
In order to make the development and improvement of new systems more affordable and efficient, SCADA systems are becoming increasingly reliant on standard technologies such as Microsoft Windows, TCP/IP, web browsers, and wireless networking. This increases their connectivity with other systems, making it possible to centralize control of multiple plants, integrate process control data into administrative systems, and enhance performance.
While this advancement provides clear benefits, increased connectivity exposes the systems to new threats they are not prepared for (malware, hacking, etc.). Network connectivity increases the risk of cyber threats, since many standard security measures typically applied to these technologies have not been adapted to the SCADA environment, so the available security options may not be enough to make the environment safe.
Attacks in a SCADA environment can result from negligence or human error, industrial espionage, inadequate production practices, poor security awareness, or component connectivity.
The main goal is to protect control networks against unauthorized access from both inside and outside the enterprise. Some of the common vulnerabilities of SCADA systems include:
- Permissions, privileges, and access control: Improper user permissions or access privileges. Users should be granted access strictly on an as-needed basis.
- Credential and account management: Weak passwords, or inadequate policies that do not require regular password changes or do not limit the number of login attempts, allowing malicious users to perform brute-force attacks.
- Security configuration and maintenance of system components: Inadequate or non-existent patch and update management.
- Poor network design: Lack of network segmentation, quarantine zones, or functional DMZs (demilitarized zones); inadequate protective elements such as firewalls.
- Audit and monitoring of events: Lack of network usage analysis; inadequate monitoring of vulnerable areas.
Attacks on SCADA Systems
Recent years have seen a noticeable increase in cyberattacks on critical industrial infrastructure, most of which have been carried out by exploiting vulnerabilities in industrial protocols. Unfortunately, the potential vulnerabilities exploitable by unauthorized users or malware were recognized late, and this unpreparedness has led to a rise in cyberattacks against SCADA systems on a global scale:
- Siberian gas pipeline explosion (1982): This incident was one of the first attacks on an industrial control system. The hackers infected the SCADA system that controlled the Siberian gas pipeline with a Trojan. This resulted in an explosion equivalent to 3 kilotons of TNT.
- Bellingham gasoline pipeline explosion (1999): The SCADA system used by a US company was unable to correctly execute its control and monitoring functions as a result of performing database development while the system was being used to operate the pipeline. The damage caused a toxic gas leak, a gasoline spill, and an explosion, killing 3 people, contaminating a river, and creating heavy smoke that extended to an altitude of 10 km.
- Night Dragon (2009): During that year, five global oil and energy companies were hit by a series of attacks that used a combination of social engineering, Trojans, and exploits for known Windows vulnerabilities. The main goals of the attacks, dubbed Night Dragon, were espionage and acquiring sensitive information to sell later.
- Stuxnet (2010): Targeting the Natanz nuclear plant in Iran, Stuxnet is believed to be the first malware to attack the critical infrastructure of a foreign state. It was a very sophisticated program that combined features of a computer worm (which replicates by itself), a virus (which requires human action), and a Trojan (which allows attackers to gain remote access to the infected system). It was also extremely difficult to detect because of zero-day exploits. This malware targeted specific SCADA configurations of devices connected to a Siemens S7-300 PLC. It is presumed that someone within the controlled perimeter infected the system with a USB drive. It hit the Zippe-type centrifuges of the Iranian uranium enrichment facility. By changing the rotation speed of the facility’s motors that operated in a certain range, it caused sudden acceleration and deceleration, damaging the machinery and increasing the failure rate.
- Duqu (2011): This malware is very similar to Stuxnet in its internal structure, functionality, and mode of operation. However, Duqu spreads using a Microsoft Word document sent by email that contains several exploits for zero-day vulnerabilities in Windows. Its main goal was to steal information from the SCADA systems of a number of Middle East companies. One of Duqu’s features is the ability to steal credentials and digital keys (certificates) to install more complex modules so that the malware can remain undetected and continue to spread via the network and removable media such as USB flash drives.
- Flame (2010): Very advanced information-gathering malware targeting oil and gas companies in the Middle East and Europe. Flame spreads via USB flash drives. Its capabilities include activation of webcams and microphones, geolocation of photographs, and self-propagation via the local network and USB.
- BlackEnergy and CrashOverride (2015): Highly sophisticated malware targeting electrical grids in Eastern Europe and North America. Rigged Microsoft Office documents, usually Excel spreadsheets with macros, sent as email attachments are used to spread them. They are similar in that both cause a denial of service in the infected power facility by attacking specific protocols of the SCADA infrastructure, and both have the ability to erase the evidence of their activity to avoid detection.
- Triton or HatMan (2017): Targeting Eastern European companies, this malware also used USB drives as the main route of infection. The main goal was to change the behavior of certain safety protection devices in order to interrupt the production process or, in case of a failure, cause more severe damage to the physical infrastructure.
SCADA systems play a crucial role in Industry 4.0, where automation and connectivity have become an essential part, and their security is fundamental for the entire process. This security can be achieved by:
- Physically separating the company’s IT network from the OT network that supports SCADA operations and control processes.
- Creating a DMZ (Demilitarized Zone) to isolate the SCADA system in protected segments separate from the rest of the network, without direct connections or potential backdoors for other threats.
- Monitoring both input and output connections from/to the network where the SCADA systems operate.
- Using firewalls designed for industrial environments with deep packet inspection (DPI) to segment traffic and configure access rules that understand common industrial protocols.
- Using a combination of intrusion detection/prevention systems (IDS/IPS) and antivirus with heuristic scanning for malware and zero-day attacks.
- Encrypting transmitted data by using VPNs (virtual private networks) to make sure the information cannot be intercepted or tampered with.
- Installing the latest security patches for business applications or operating systems.
- Hardening the operating systems used by deleting default accounts and closing services and ports that are not in use, eliminating software, firmware, and hardware backdoors in the system, as well as services that use covert (hidden) channels.
- Properly configuring user permissions and authentication, using strong passwords in combination with smart access cards or biometric sensors.
- Implementing tools for identity and access management (IAM) and data loss prevention (DLP).
- Restricting access to the SCADA system technical information, configuration, and maintenance.
- Using failover and fallback mechanisms.
- Using tools to assess the impact of a loss or disconnection of one or several system components.
- Effective and unambiguous disaster recovery planning.
- Using reliable backup and restore methods.
- Implementing security incident response procedures (review, lessons learned) and applying adequate preventive measures to avoid future incidents.
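The protocol-aware filtering described above (DPI rules that understand industrial protocols, combined with monitoring of connections into the SCADA network) can be illustrated with an added example that is not part of the original article: a small Modbus/TCP filter that decodes each request and allows only read-type function codes from anywhere, while write-type function codes are permitted solely from an assumed operator (HMI) subnet. Modbus is assumed here as the industrial protocol, and the subnet, frames and policy are all constructed for illustration.

```python
"""Modbus/TCP protocol-aware allow/deny filter (added example, constructed data)."""
import struct
from ipaddress import ip_address, ip_network

# Function codes that only read process data (coils, inputs, registers).
READ_FUNCS = {0x01, 0x02, 0x03, 0x04}
# Function codes that change process state; allowed only from the HMI subnet.
WRITE_FUNCS = {0x05, 0x06, 0x0F, 0x10}

# Constructed assumption: operator/HMI stations live in this subnet.
HMI_SUBNET = ip_network("10.10.20.0/24")


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the 7-byte MBAP header and the PDU function code; fail on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    # MBAP length counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction_id": tid, "unit_id": unit,
            "function": frame[7], "data": frame[8:]}


def decide(src_ip: str, frame: bytes) -> str:
    """Return 'allow' or 'deny' for one Modbus/TCP request from src_ip."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError:
        return "deny"  # malformed traffic: fail closed and let the IDS log it
    fc = req["function"]
    if fc in READ_FUNCS:
        return "allow"
    if fc in WRITE_FUNCS and ip_address(src_ip) in HMI_SUBNET:
        return "allow"
    # Writes from outside the HMI subnet, diagnostics (0x08), and unknown codes.
    return "deny"


if __name__ == "__main__":
    # Constructed sample: read holding registers (0x03) vs write single register (0x06).
    read_req = bytes.fromhex("00010000000601030000000A")
    write_req = bytes.fromhex("000200000006010600100001")
    for src in ("10.10.20.5", "192.168.1.50"):
        print(src, "read:", decide(src, read_req), "write:", decide(src, write_req))
```

Only reads are universally allowed; a write request from the corporate subnet is dropped even though it is a perfectly well-formed Modbus frame, which is exactly what a generic port-based firewall rule cannot distinguish.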
Industry 4.0 heralded a paradigm shift, and an essential prerequisite for its success is to ensure security of the entire production process, including SCADA systems.