In recent times highly publicised cyber attacks such as the Stuxnet worm have driven home the serious risks involved in connecting Industrial Control Systems (ICS) to computer networks [1]. In the past there was often little reason to have systems responsible for monitoring and controlling industrial equipment and critical infrastructure connected to wider corporate or public networks [2], [3]. Today, however, the privatisation of previously regulated services, such as power and water, and market forces have put pressure on businesses to streamline industrial processes, requiring access to real-time production information [4].
The most secure scenario for any system is a physical air gap between industrial networks and outside networks [1], however in the business-driven world the resulting loss of real-time data is often damaging to productivity, and consequently economically infeasible. This document serves as a review of current literature to assist companies facing the predicament of securing ICS vulnerabilities commensurate to the severity of threats faced, without inhibiting business.
Equipment
In the power generation industry, the heart of an industrial control system is its Supervisory Control and Data Acquisition (SCADA) system. This system enables technicians and engineers to control and monitor processes by collating field data from sensors and instruments across several facilities [5]. Instrumentation, Programmable Logic Controllers (PLC’s), and Remote Terminal Units (RTU’s) located in plants and substations are often connected via LAN, WAN or internet to allow centralised management of electricity production and transmission [4]. Isolated locations containing meters, sensors, and other small hardware devices are often connected via packet-based radio, or other wireless networks such as cellular, Wi-Fi, or satellite based technologies [4].
Threats
A threat to any computer system can be defined as the potential for an action to “alter, disrupt, deceive, degrade and destroy computer systems or networks or the information and/or programs resident in or transiting these systems or networks.”[2]. A threat may be realised by exploiting a system vulnerability through an attack:
This attack can be either;
- Targeted –Intentional targeted attacks on industrial facilities have the potential to be most damaging, however occur least frequently [2]. It is the internal knowledge of systems that makes this threat so dangerous as attackers, most often disgruntled employees, know exactly what to hit to cause maximum damage.
- Untargeted – these include random “public” attacks as a result of worms or viruses (such as Zotob, Sobig, and Slammer) [2], and opportunistic attacks such as those carried out by ‘script-kiddies’ [6] or initiated through war-dialling or port-scanning [4].
Security measures are established to protect one or more of the following key characteristics of a system: Availability, Confidentiality, and Integrity [4], [7], [3]. Unlike conventional IT systems, industrial systems often place a higher priority on the availability and integrity of data, with less concern given to confidentiality [7], [3]. From extensive literature review conducted the most current and pressing threats to a SCADA driven power generation ICS are discussed below;
Knowledgeable Insider
The assumption here is that the knowledgeable insider, such as a disgruntled or former employee, has an intimate knowledge of the SCADA network and hardware. Accounting for 33% of all SCADA attacks (2012 survey), this attacker often bypasses all perimeter controls, such as firewalls and traffic analysis, as they have the unique capacity to initiate the attack from within the physical network [6]. The most prominent form of attack is described below:
Man-in-the-Middle/Communications Hijacking – This type of attack involves the intentional injection of commands or signals into the communication network. An operator might then cause the undesirable event to occur despite believing they are following normal procedures [2], [3], [6]. An insider “may cause the greatest damages if he succeeds in tampering, inserting, or suppression of control messages to the substation primary equipment.” [4].
Remote Intrusion
An attack of this nature can be defined as a targeted criminal attack resulting in unauthorised access to main controls or packet access to hardware under SCADA control [4]. Recent data suggests that this major threat stems from “attempts to link SCADA systems to the Internet without any type of protection … [due to the misconception] … that a SCADA system is still considered an isolated and standalone network” [8]. Current literature describes the two most common remote intrusion threats as:
Intrusion via WAN/Corporate Network - Possibility of an intrusion event resulting from linking an Internet connected management system to an industrial control system [9]. The cause for concern is that many of these connections have been set up without a full understanding and audit of corresponding security risks [10]. Today this connection is most commonly deployed over TCP/IP based protocols such as FTP, as opposed to custom protocols, which previously offered some degree of “security through obscurity” [4], [10]. Recent survey data (June, 2011) reported that the majority of businesses assumed their SCADA systems were not connected to their corporate network, despite an audit revealing the opposite to be true [8], [10]. Intrusions through corporate networks carry a lower potential for damage, with most attacks occurring as a result of public worms/viruses, comprising 28% of all security incidences [11].
Intrusion via Remote Access Facilities – Possibility of system intrusion via utilities deployed for remote access and support. The prominence of this threat is due to an approximated 65% of industrial facilities allow remote access to their control systems [11]. Compromised utilities can include dial-in modems used by third-party technicians or vendor staff for support purposes [4], [9]. Figures collated from 2001 to 2011 depict that approximately 35% security incidences were initiated through remote access facilities [11].
Vulnerabilities
This section details industrial control system vulnerabilities that may be exploited to action one of the most common threats discussed above. System vulnerability may arise due to a logical design flaw, implementation flaw, or a fundamental system weakness such as weak passwords or cryptography [4]. Many attack vectors identified in current literature stem from poor general IT controls, including unpatched software, lack of anti-virus/firewalls, and limited staff training.
Knowledgeable Insider Vulnerabilities
Regarding general IT controls, recent surveys have revealed that many SCADA systems use system-wide logins such as ‘administrator’ or ‘console’ rather than individual technician logins [6], permitting an insider a degree of deniability. An insider may perform a communications attack by exploiting one of the identified technical vulnerabilities:
- ModBUS, a devicelevel SCADA protocol, has no inbuilt authentication and lacks integrity checking. The combination of the two weaknesses leaves communication highly susceptible to man-in-the-middle attacks [6].
- TCPbased protocols between HMI and RTU communicate in cleartext, allowing an insider (having direct LAN access) to intercept and retrieve passwords or modify machine instructions [7]
These vulnerabilities are most often exploited through an Address Resolution Protocol attack [4], [7]. A man-in-the-middle or spoofing attack may be conducted by flooding the target and host machines with “route through me” ARP messages, causing traffic to be redirected through the attacker’s machine.
Remote Intrusion Vulnerabilities
An attacker may carry out an attack on an ICS through the WAN or corporate network by exploiting one of the following system vulnerabilities:
- Power generation substations are connected to the SCADA control centre via a WAN gateway. Communication is conducted using an insecure protocol called ICCP. The lack of authentication or encryption allows an attacker to insert delayed, replayed, or rogue ICCP commands into the network [4], [6], [10].
- The transition from obscure network protocols such as OPC [4] to standardised protocols combined with interconnectivity between corporate and control networks has allowed attackers targeting front end business systems access to critical infrastructure. A worm or virus exploiting a generic weakness or exposed business system now has full access to the industrial systems.
An attacker may also attack via compromised remote access facilities such as specific network ports or PSTN connections. Because remote access technology is used by maintenance and engineering staff, “Dial-up often uses remote control software that gives the remote user powerful (administrative or root) access to the target system” [2]. SCADA systems are also vulnerable to port-scanning, [2] notes that in conventional IT systems, a device may lock itself out from external connections by a rapidly probing host, however in an ICS this behaviour would cause a physical disruption. Dial-in connections are often used in the power generation industry to control remote transformers and substations. Any PSTN-based dial-in connection is extremely susceptible to ‘war-dialling’. After successfully obtaining the phone number, an attacker could perform a DoS attack on a substation through continuous dialling, blocking all control messages to the device [4]. Dial-in equipment is also used to raise/lower circuit breaker settings in substations; an attacker exploiting this system can cause significant real world physical damage [2].
Recommended Mitigation Controls
Many of the discussed vulnerabilities are due to weaknesses in general IT controls. The first step to securing the SCADA system is to tighten access controls by employing a tougher password policy, individualising user logins, and limiting the number of login attempts per user [6]. Network and phone line connections should be audited to build an up-to-date network map and allow the definition of a security perimeter [3]. In addressing the more specific vulnerabilities the following priority recommendations are made:
To reduce the threat of communications hijacking, [4] suggests disabling network management protocols that allow hardware to dynamically learn their routing network, such as DHCP, DNS, and ARP, and instead manually assigning IP’s and defining routes. SCADA protocols should be wrapped in cryptographic protocols [5] – this must be performed either in hardware or at the data-link layer to limit introduced latency for time critical devices [10], communication between systems without hard deadlines could be wrapped with SSL/TLS at the application layer [5]. Redundant communication, sequence numbers, and regular heart-beat messages may protect against suppressed or delayed control messages [4]. Article [6] suggests all ModBUS communication should be replaced with the more secure DNP3 protocol.
The threat of remote intrusion over WAN or corporate network can be reduced by many general IT controls, as well as employing a defence-in-depth strategy through the deployment of firewalls between corporate and industrial control system networks [4], [10]. All ICCP WAN-based communication can be conducted over the more secure DNP3 protocol [6]. Inter-facility communication should be conducted over tunnelled VPN, protected by IPSec/SSL [10]. Intrusion via dial-in facilities is far more difficult to address. Call-back and identification schemes may offer some protection by determining whether the number is authorised, however this is vulnerable to phone number spoofing [4]. Article [10] recommends ensuring default passwords have been replaced with secure passwords, disconnecting modems where possible, and monitoring use in real-time.
Conclusion
The securing of industrial control systems is a dynamic process. The constant evolution of new threats and vulnerabilities requires the periodic reassessment of access controls and protocol vulnerability. Above all one must recognise that no system is ever truly secure.
References
[1] S. Cunningham, "Cyber Security for Industrial Control Systems", Power Engineering, [online], 115, (11), pp. 142-142,144,146, 2011. Available: http://search.proquest.com.ezproxy.library.uq.edu.au/docview/910071964
[2] R. Tsang, “Cyberthreats, Vulnerabilities and Attacks on SCADA Networks”, thesis, [online], School of Public Policy, University of California, Berkley, United States of America, 2009. Available: http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf
[3] V. M. Igure, S. A. Laughter, R. D. Williams, “Security issues in SCADA networks”, Computers & Security, [online], 25, (7), pp. 498-506, 2006. Available: http://www.sciencedirect.com.ezproxy.library.uq.edu.au/science/article/pii/S0167404806000514
[4] D. Dzung, M. Naedele, T.P. Von Hoff, M. Crevatin, "Security for Industrial Communication Systems," Proceedings of the IEEE , [online], 93, (6), pp.1152-1177, 2005. Available: http://ieeexplore.ieee.org.ezproxy.library.uq.edu.au/xpls/abs_all.jsp?arnumber=1435744&tag=1
[5] S. C. Patel, P. Sanyal, “Securing SCADA systems", Information Management & Computer Security, [online], 16, (4), pp. 398–414, 2008. Available: http://www.emeraldinsight.com.ezproxy.library.uq.edu.au/journals.htm?articleid=1747891&show=abstract
[6] A. Nicholson, S. Webber, S. Dyer, T. Patel, H. Janicke, “SCADA security in the light of Cyber-Warfare”, Computers & Security, [online], 31, (4), pp. 418-436, 2012. Available: http://dx.doi.org.ezproxy.library.uq.edu.au/10.1016/j.cose.2012.02.009
[7] DHS CSSP, “Common Cybersecurity Vulnerabilities in Industrial Control Systems”, [online], May 2011. Available: http://www.us-cert.gov/control_systems/pdf/DHS_Common_Cybersecurity_Vulnerabilities_ICS_2010.pdf
[8] C. Alcaraz, J. Lopez, J. Zhou, R. Roman, “Secure SCADA framework for the protection of energy control systems”, Concurrency and Computation: Practice and Experience, [online], 23, (12), pp. 1431–1442, 2011. Available: http://onlinelibrary.wiley.com.ezproxy.library.uq.edu.au/doi/10.1002/cpe.1679/abstract
[9] D. H. Ryu, H. J. Kim, K. Um, “Reducing security vulnerabilities for critical infrastructure”, Journal of Loss Prevention in the Process Industries, [online], 22, (6), pp. 1020-1024, 2009. Available: http://www.sciencedirect.com.ezproxy.library.uq.edu.au/science/article/pii/S0950423009001247
[10] K. Stouffer, J. Falco, K. Scarfone, “Guide to Industrial Control Systems (ICS) Security, [online], NIST SP 800-82, Final Public Draft Sept. 29, 2008. Available: http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
[11] R. Marshall, "Is your control system vulnerable to an attack?", Chemical Engineering, [online], 119, (5), pp. 5-5, 2012. Available: http://search.proquest.com.ezproxy.library.uq.edu.au/docview/1019986748