Securing an integrated SCADA system

Schneider Electric
By Scott Wooldridge*
Thursday, 15 May, 2008


Perhaps the greatest danger to utility companies is the lack of awareness of the need for greater security. Many public and private companies controlling vital public utilities like gas, power and water never thought they would be the target of cyber attacks and now must implement measures to improve network security. While many utility companies perform regular risk assessments of their SCADA systems, too many do not. They have become dependent on their tightly integrated digital information systems without fully understanding the potential impact of a cyber attack.

SCADA systems were traditionally ‘walled off’ from other systems, operating independently from the network. Prior to the awareness of possible attacks, this seemed to provide all the protection the SCADA system needed. They were largely proprietary systems with such limited access and esoteric coding that very few people would have the ability to access them to launch an attack. Over time, however, they became integrated into the larger company network as a means to leverage their valuable data and increase plant efficiency. Therefore, the reality is their security is now often only as strong as the security of the network.

Protecting your SCADA network

The first step towards securing SCADA systems is creating a written security policy, an essential component in protecting the corporate network. Failure to have a policy in place exposes the company to attacks, revenue loss and legal action. A security policy should also be a living document, not a static policy created once and shelved. The management team needs to draw very clear and understandable objectives, goals, rules and formal procedures to define the overall position and architecture of the plan.

Key personnel such as senior management, IT department, human resources and the legal department all should be included in the plan. It should also cover the following key components:

  • Roles and responsibilities of those affected by the policy;
  • Actions, activities and processes that are allowed and those that are not allowed;
  • Consequences of non-compliance.

Threat/risk assessment and vulnerability assessment

A key aspect of preparing a written security policy is to perform a threat/risk assessment (TRA) prior to embarking on the written policy. A TRA is designed to identify both the potential threats to different aspects of the SCADA-related IT infrastructure and the risks that these threats entail. This would typically be presented in a hierarchical manner, which in turn sets the priority to address security concerns and the level of related funding associated with each area of vulnerability.

For example, within a typical SCADA environment, key items and the related hierarchy could be as follows:

  • Operational availability of operator stations;
  • Accuracy of real-time data;
  • Protection of system configuration data;
  • Interconnection to business networks;
  • Availability of historical data;
  • Availability of casual user stations.

A TRA also acts as a mechanism to identify holes or flaws in the understanding of how a system is architected and where threats against the system may originate.

Once the TRA has been completed and the security policy developed, a vulnerability assessment, in the form of a physical audit of all the computer and networking equipment, associated software and network routings, needs to be performed. A clear and accurate network diagram should be used to present a detailed depiction of the infrastructure following the audit.

After defining the hierarchy and auditing the different system components, the following areas of vulnerability need to be addressed — as they relate to each component — as part of the assessment process.

Further security measures

Network design — keep it simple

Simple networks are at less risk than more complex, interconnected networks. Keep the network simple and, more importantly, well documented from the beginning.

A key factor in ensuring a secure network is the number of contact points. These should be limited as far as possible. While firewalls have secured access from the internet, many existing control systems have modems installed to allow remote users access to the system for debugging. These modems are often connected directly to controllers in the substations. The access point, if required, should be through a single point that is password protected and where user action logging can be achieved.

Firewalls

A firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from outside users. A firewall, working closely with a router, examines each network packet to determine whether to forward it toward its destination. A firewall also includes or works with a proxy server that makes network requests on behalf of workstation users. A firewall is often installed in a specially designated computer separate from the rest of the network, so that no incoming request can get directly at private network resources.

Most companies utilise a secured firewall between the corporate network and the internet. As the single point of traffic into and out of a corporate network, a firewall can be effectively monitored and secured. Implementing an additional firewall between the corporate and SCADA network is highly recommended.

Virtual private network

One of the main security issues facing more complex networks today is remote access. A virtual private network (VPN) is a secured way of connecting to remote SCADA networks. With a VPN, all data paths are secret to a certain extent, yet open to a limited group of persons, such as employees of a supplier company. A VPN is a network constructed by using public networks such as the internet to connect nodes. These systems use encryption and other security measures to ensure only authorised users access the network and data cannot be intercepted. Typically, a VPN server will be installed either as part of the firewall or as a separate machine to which external users will authenticate before gaining access to the SCADA networks.

IP Security

IP Security (IPsec) is a set of protocols developed by the Internet Engineering Task Force (IETF) to support the secure exchange of packets at the IP layer. IPsec has been deployed widely to implement VPNs.

IPsec can be deployed within a network to provide computer-level authentication, as well as data encryption. It can be used to create a VPN connection between the two remote networks using the highly secured Layer Two Tunnelling Protocol with Internet Protocol security (L2TP/IPsec).

IPsec supports two encryption modes: Transport and Tunnel. The Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPsec-compliant device decrypts each packet. For IPsec to work, the sending and receiving devices must share a public key.

It is important during the selection process of network hardware, such as routers, switches and gateways, to consider the inclusion of support for IPsec security as part of the devices to enable the support of secure VPN connections.

Demilitarised zones

Demilitarised zones (DMZ) are a buffer between a trusted network (SCADA network) and the corporate network or internet, separated through additional firewalls and routers, which provide an extra layer of security against cyber attacks. Utilising DMZ buffers is becoming an increasingly common method to segregate business applications from the SCADA network and is a highly recommended additional security measure.
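
One way to check a firewall rule set against the segmentation described above, as an added example that is not part of the original article. The zone address ranges, rule names and rule tuples are constructed assumptions; the check flags any allow rule that lets the corporate network or the internet exchange traffic with the SCADA range directly instead of terminating in the DMZ.

```python
import ipaddress

# Constructed zone layout (assumption): take the real ranges from the audit diagram.
ZONES = {
    "scada": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "corporate": ipaddress.ip_network("10.30.0.0/16"),
}


def zones_touched(cidr):
    """Return the set of zone names a rule's address range can reach."""
    net = ipaddress.ip_network(cidr)
    touched = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    # A range not fully inside one known zone also covers outside addresses.
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        touched.add("internet")
    return touched


def bypass_rules(rules):
    """Flag allow rules that join SCADA to a non-DMZ zone in either direction."""
    findings = []
    for name, action, src, dst in rules:
        if action != "allow":
            continue
        src_z, dst_z = zones_touched(src), zones_touched(dst)
        # Check both directions: SCADA should only ever talk to the DMZ.
        for a, b in ((src_z, dst_z), (dst_z, src_z)):
            untrusted = a - {"scada", "dmz"}
            if untrusted and "scada" in b:
                findings.append((name, sorted(untrusted)))
                break
    return findings


# Constructed sample rule set: (name, action, source CIDR, destination CIDR).
SAMPLE_RULES = [
    ("hist-replica", "allow", "10.10.5.20/32", "10.20.0.10/32"),  # SCADA -> DMZ
    ("reports", "allow", "10.30.0.0/16", "10.20.0.10/32"),        # corporate -> DMZ
    ("eng-laptop", "allow", "10.30.4.7/32", "10.10.0.0/16"),      # corporate -> SCADA
    ("vendor-any", "allow", "0.0.0.0/0", "10.10.1.5/32"),         # anywhere -> SCADA
    ("default", "deny", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for rule, zones in bypass_rules(SAMPLE_RULES):
        print(f"{rule}: direct path to SCADA from {', '.join(zones)}")
```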

Network and operating environment security

Authentication and authorisation

Authentication is the software process of identifying a user who is authorised to access the SCADA system. Authorisation is the process of defining access permissions on the SCADA system and allowing users with permissions to access respective areas of the system. Authentication and authorisation are the mechanisms for single point of control for identifying and allowing only authorised users to access the SCADA system, thereby ensuring a high level of control over the system’s security.

To provide effective authentication the system must require each user to enter a unique user name and password. A shared user name implies a lack of responsibility for the protection of the password and the actions completed by that user. In addition, it is highly recommended that password ageing be implemented. Password ageing ensures that operators change their passwords over a controlled time period, such as every week or every month.

To provide authorisation, the system must be able to control access to every component of the control system. The system must not provide a ‘back door’ with which to bypass the levels of authentication specified in the application.
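
An audit of the two authentication points above (unique user names and password ageing), as an added example that is not part of the original article. The 30-day period, account names, workstation names and record layout are constructed assumptions; a user name that is logged in on two workstations at the same time is treated as a sign of a shared account.

```python
from datetime import date, datetime as dt

MAX_PASSWORD_AGE_DAYS = 30  # assumption: the ageing period is set by site policy


def overdue_passwords(last_changed, today):
    """Return user names whose password is older than the ageing period."""
    return sorted(user for user, changed in last_changed.items()
                  if (today - changed).days > MAX_PASSWORD_AGE_DAYS)


def shared_accounts(sessions):
    """Return user names that were logged in on two workstations at once."""
    by_user = {}
    for user, station, login, logout in sessions:
        by_user.setdefault(user, []).append((login, logout, station))
    shared = set()
    for user, spans in by_user.items():
        spans.sort()  # by login time
        # Track the session that ends last; a later login that starts before
        # it ends, from another workstation, overlaps it.
        latest_end, latest_station = spans[0][1], spans[0][2]
        for login, logout, station in spans[1:]:
            if login < latest_end and station != latest_station:
                shared.add(user)
            if logout > latest_end:
                latest_end, latest_station = logout, station
    return sorted(shared)


# Constructed sample data: password change dates and operator sessions.
LAST_CHANGED = {
    "jsmith": date(2008, 5, 1),
    "mlee": date(2008, 2, 11),
    "operator": date(2007, 1, 3),
}
SESSIONS = [  # (user name, workstation, login, logout)
    ("jsmith", "ops-1", dt(2008, 5, 14, 6, 0), dt(2008, 5, 14, 14, 0)),
    ("mlee", "ops-2", dt(2008, 5, 14, 14, 0), dt(2008, 5, 14, 22, 0)),
    ("operator", "ops-1", dt(2008, 5, 14, 14, 5), dt(2008, 5, 14, 22, 0)),
    ("operator", "ops-3", dt(2008, 5, 14, 15, 30), dt(2008, 5, 14, 16, 0)),
    ("jsmith", "ops-2", dt(2008, 5, 14, 22, 0), dt(2008, 5, 15, 6, 0)),
]
```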

Secured data storage and communication

Critical data pertaining to a SCADA system must be securely protected and communicated. It is recommended that critical data like a password be stored using an encryption algorithm. Similarly, remote login processes should use VPNs or encryption to communicate the user name and password over the network. Critical data like user name and password must be protected in a secured data repository and access rights monitored and managed using secured mechanisms like Windows authentication and role-based security.

Intrusion detection

Firewalls and other simple boundary devices currently available lack some degree of intelligence when it comes to observing, recognising and identifying attack signatures that may be present in the traffic they monitor and the log files they collect. This deficiency explains why intrusion detection systems (IDS) are becoming increasingly important in helping to maintain network security.

In a nutshell, an IDS is a specialised tool that knows how to read and interpret the contents of log files from routers, firewalls, servers and other network devices. Furthermore, an IDS often stores a database of known attack signatures and can compare patterns of activity, traffic or behaviour it identifies in the logs it is monitoring against those signatures so it can recognise when a close match between a signature and current or recent behaviour occurs.

There are various types of IDS monitoring approaches:

  • Network-based IDS — A network-based IDS can monitor an entire, large network with only a few well-situated nodes or devices and impose little overhead on a network.
  • Host-based IDS — A host-based IDS can analyse activities on the host it monitors at a high level of detail. It can often determine which processes and/or users are involved in malicious activities.
  • Application-based IDS — An application-based IDS concentrates on events occurring within some specific application. They often detect attacks through analysis of application log files and can usually identify many types of attack or suspicious activity.

In practice, most commercial environments use some combination of network-, host- and/or application-based IDS to observe what’s happening on the network, while also monitoring key hosts and applications more closely.
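
The signature matching described above, reduced to a small log scanner as an added example that is not part of the original article or of any IDS product. The log format, signature names, thresholds and the 10.10.x.x SCADA range are constructed assumptions; each signature fires when one source produces enough matching log lines inside a time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed signature database (assumption): id, pattern, hits needed, window.
SIGNATURES = [
    ("repeated-login-failure",
     re.compile(r"login failed user=\S+ src=(?P<src>\S+)"), 3, timedelta(minutes=1)),
    ("blocked-probe-of-scada",
     re.compile(r"DENY src=(?P<src>\S+) dst=10\.10\.\S+"), 2, timedelta(minutes=5)),
]


def scan(lines):
    """Return (time, signature id, source) for each signature that fires."""
    recent = defaultdict(deque)  # (signature id, source) -> recent hit times
    alerts = []
    for line in lines:
        stamp, _, message = line.partition(" ")
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # skip lines without a parsable timestamp
        for sig_id, pattern, needed, window in SIGNATURES:
            match = pattern.search(message)
            if not match:
                continue
            hits = recent[(sig_id, match["src"])]
            hits.append(when)
            while when - hits[0] > window:
                hits.popleft()  # forget hits that fell out of the window
            if len(hits) >= needed:
                alerts.append((stamp, sig_id, match["src"]))
                hits.clear()  # one alert per burst, not one per line
    return alerts


# Constructed sample log lines from a firewall and a SCADA server.
SAMPLE_LOG = [
    "2008-05-15T10:00:01 scada-srv1 login failed user=operator1 src=10.30.4.7",
    "2008-05-15T10:00:09 fw1 DENY src=10.30.9.9 dst=10.10.1.5 dport=23",
    "2008-05-15T10:00:20 scada-srv1 login failed user=operator2 src=10.30.4.7",
    "2008-05-15T10:00:41 scada-srv1 login failed user=admin src=10.30.4.7",
    "2008-05-15T10:02:30 scada-srv1 login failed user=operator1 src=10.10.2.2",
    "garbled line without timestamp",
    "2008-05-15T10:03:00 fw1 DENY src=10.30.9.9 dst=10.10.1.6 dport=80",
    "2008-05-15T10:20:00 fw1 DENY src=10.30.9.9 dst=10.10.1.5 dport=23",
]
```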

Regulating physical access to the SCADA network

Physical access to your network should be closely monitored:

  1. Use built-in Microsoft Windows features such as NTFS to require user authentication when perusing network shares.
  2. Do not allow anyone that does not belong to your organisation to connect to your network ethernet or have physical access to your IT server room.
  3. Monitor your network regularly for activity that may be suspicious and note the IP addresses when running sniffing software or hardware on the network. If you find a foreign IP address, trace the route to the IP address. Once you locate where this foreign IP address originates from you can take action.

Special considerations for wireless networks

The two most common ways of gaining unauthorised access to a wireless network are by using an unauthorised wireless client, such as a laptop or PDA, or by creating a clone of a wireless access point. If no measures have been taken to secure the wireless network then either of these methods can provide full access to the wireless network.

Many commercial wireless networks are available; these range in price, complexity and level of security provided. When implementing a wireless network, a couple of standard security measures can be taken to minimise the chance of an attacker gaining access to it.

  • Approved clients — The access points in the wireless network contain a configurable list of all MAC addresses of the clients that are authorised to gain access to the wireless network. A client not listed in an access point will not gain access to the wireless network.
  • Service set ID (SSID) — This is an identification string that can be configured on all clients and access points in your wireless network. Any client or access point participating on the wireless network must have the same SSID configured. The SSID is, however, transmitted as a readable text string over the network, so it should not be broadcast by the access point.
  • Wi-Fi protected access (WPA/WPA2) — All clients and access points should use WPA, or preferably WPA2, encryption for communication. This method uses the RC4 stream cipher with a 128-bit key and a 48-bit initialisation vector, and the Temporal Key Integrity Protocol (TKIP) dynamically changes the keys as the system is used. Previous technologies, such as Wired Equivalent Privacy (WEP), are easily cracked with well known key recovery techniques, and are not recommended.
  • VPNs — VPNs (described earlier) can be used over wireless networks for an additional layer of security.

 

*Scott Wooldridge holds an MBA in addition to degrees in electrical engineering and mechanical engineering. He has over 15 years’ experience providing production improvement engineering, IT, project management and consultancy services to a variety of industrial, process, food and mining customers, including Rio Tinto, BHP Billiton, ALCOA, PG&E, Mitsubishi, Caterpillar and GM. Wooldridge now serves as Citect America’s vice-president of sales and previously acted as the vice-president of Citect’s Professional Services organisation, leading a team of engineering and IT personnel providing services throughout North and Latin America.

Citect Pty Ltd
www.citect.com
