Securing SCADA in the cloud
Cloud-based solutions for SCADA applications offer significant benefits in terms of efficiency, scalability, speed and cost certainty. For many industrial operators, however, the benefits are left unexplored due to fears over the risks of cybersecurity.
The benefit of SCADA in the cloud is the potential for much greater flexibility, scalability and certainty. It promises the ability to massively reduce capital expenditure, provide predictable costs, accelerate implementation and quickly accommodate changes when adding or altering assets. As a more efficient model of deployment, it significantly reduces barriers to entry across many industries.
With cloud-based SCADA, organisations don’t have to set up a control centre or backup centre — they can leverage the cloud infrastructure from their service provider. Eight to 10 months for a SCADA project can be reduced to a few weeks. There is no need to buy servers, and organisations can start with fewer assets, being able to add them and delete them when needed. Software versions are always kept current.
Security issues are key to the design
SCADA in the cloud can offer a reliable and a secure solution. On-site resources and expertise can be supplemented by remote support, continual monitoring and automatic updates provided by the service provider. In many ways the design of communications is similar to topics considered in earlier SCADA systems; however, now it is more important to have a solid cybersecure design.
The issue of cybersecurity is, of course, key in such systems, especially at a time of growing threats to industrial control systems. The move to digitisation in industrial control systems has plainly increased the cyber risks. Manually operated equipment has one upside: it can’t be hacked. As control functions are automated, the range of potential targets for an attack increases. Increasing connectivity, with more and more devices and systems networked in the Industrial Internet of Things (IIoT), has brought many benefits, but it has also brought cybersecurity concerns.
It is not just the ‘attack surface’ or number of the vulnerabilities that has grown, but also the potential consequences of a cybersecurity breach. Increased regulatory expectations mean that businesses risk serious reputational damage and costs (in terms of regulatory penalties) even without a successful breach. Those that are successful, meanwhile, have demonstrated that the risks are far from theoretical:
- The Sandworm hackers caused blackouts for more than half a million people in the Ukraine in 2016 — after targeting the US.
- The Shamoon virus crippled tens of thousands of computers at Middle Eastern energy companies in 2012, and resurfaced four years later.
- The WannaCry ransomware spread across the globe last year, and affected more than a third of the UK’s NHS trusts — and not just hospital computer systems, but medical equipment such as MRI scanners and blood testing devices as well.
These are just some of the most high-profile examples. More widely, more than half of industrial facilities have experienced some form of cybersecurity incident, according to a Honeywell survey last year, and three-quarters expect an attack on their industrial control system, according to Kaspersky Lab.
A pressing concern
Both the number and range of attacks is growing as the threat evolves. Among the most worrying developments is the specific targeting of safety systems. In December 2017, hackers invaded the safety system of a critical infrastructure facility — described as a “watershed” moment in industrial cybersecurity. However, it actually followed an attack on the safety systems at a Middle Eastern petroleum company.
In addressing these risks, businesses are hampered by a number of factors. The first is general skills shortages as a result of a rapidly retiring workforce, and specifically a lack of cyber skills. Petroplan’s Talent Insight Index 2017 found more than one in five in the oil, gas and energy sectors saying industry lacked the right talent for growth, and more than a third said they needed greater IT skills as the reliance on digitisation and big data grew.
Within businesses, meanwhile, operational silos persist — between sites, between businesses within groups and, perhaps most significantly, between IT and operational technology (OT) staff — despite the technological convergence.
The result is that ownership of and responsibility for these risks is unclear. This is particularly significant since the traditional approaches of IT and OT are very different. Specifically, availability in the operational space is a greater priority, being essential in many cases to safety. Security solutions for IT and OT therefore differ substantially, and appropriately so. Even so, there is still a significant lack of clarity over what is appropriate. With little in the way of consistent cybersecurity standards, we don’t yet have agreement on what ‘good’ looks like.
A challenge, not a deal-breaker
There are, in fact, two key dangers in terms of cybersecurity when it comes to SCADA in the cloud.
The first is that they are ignored or inadequately addressed. Unsecured connections through satellite or radio communication provide hackers with an opportunity to target the remote site and hack into the cloud or SCADA system. Every unsecured valve site, for example, becomes a significant source of vulnerability.
The second danger, however, is that the risks are overstated to the extent that businesses are put off from cloud deployment. That would mean they miss out on the efficiency benefits SCADA in the cloud can bring, which would have a potentially bigger cumulative impact on the industry over the long term than any of the cyber attacks we’ve actually seen.
That’s clear when you look at attack vectors — how breaches occur and how malware or hackers actually get in. In some cases, it’s the result of unsecured points of connectivity to the ICS environment, with multiple equipment and system vendors given access. Elsewhere, it’s the result of either external or business network security being compromised. Often, however, it’s employees and contractors bringing in the threat, whether by falling victim to phishing or spear phishing attacks or through their laptops, phones, smart watches, IoT devices or removable media. The last remains a pernicious and pervasive source of vulnerability.
An issue of access
It is worth reminding ourselves that SCADA is used to monitor and sometimes control geographically distributed assets. Many of the SCADA systems being designed today are focused on collecting performance and diagnostics data for analytics to achieve an always up-to-date visualisation of the company’s performance metrics while giving a much smaller group of people the ability to see leading indicators of future problems and take action now to avoid shutdowns later.
The first level of cybersecurity is simply to limit write access (control), through the application’s configuration, to those who need control functionality and only with appropriate authentication. Whether the system is on the customer’s site or within a data centre, this simple role-based criterion should be used to significantly improve cybersecurity. This is strengthened by the use of multifactor authentication, where the most common approach is to send a one-time-use code to the user’s phone (by text or a dedicated app) as a second factor. This nearly eliminates the use of someone else’s password to gain access. Security is important when looking at SCADA in the cloud, but it is far from being an insurmountable challenge. Most of these concerns are an issue regardless of where the software is running.
The central problem to overcome for securing off-site SCADA solutions is the lack of centralisation. Businesses are left trying to secure multiple access points used by remote employees, contractors, customers and the vendors of control systems and third-party equipment and software (where they are given remote connectivity for the purposes of upgrades, patching, monitoring or support).
The numbers of these access points and the lack of central oversight and control lead to a variety of problems:
- Only partial data is available on assets and events.
- There is no proper hardening.
- There is no proper monitoring, nor governance.
- There is no proper planning and accountability around cybersecurity.
Businesses are left to simply trust that each of those making and managing the connection through these access points is doing so in a secure way. That’s an unwise assumption.
This problem is only going to become more pronounced as the number of connected IIoT devices grows.
A proposed solution
SCADA is by definition data acquisition from dispersed assets. It makes sense to centralise your processing and data storage in the centre of the assets (from a communications time standpoint) to minimise delays and communications costs. If you’re monitoring assets within a single facility, you’ll get your best performance at the Ethernet switch shared by most or all of the devices.
If you have many sites with great distances between them, you’ll want to take a closer look at where the network centre is located. In most cases, you’ll find communications are using IP technologies with very fast connections to large data centres. Today’s data centres are the communications hubs of our society and already provide the physical security, IT services and cybersecurity required by today’s internet applications.
A centralised approach
The key to SCADA in the cloud is security in the cloud — centralising security through a cloud-based security centre and communication server.
This security centre can handle the authentication of connections, ensuring these are valid before allowing access to the communication server. All communications from these sites pass through a secure tunnel using Transport Layer Security (TLS) encryption, and a single firewall rule can be enforced for all remote connections. This provides a distributed architecture with secure tunnels from operations to remote sites.
Traffic from the plants or sites is all channelled through the secure tunnel, while the communication server is protected by a firewall. If it is necessary to push down a patch or update, however, the secure connection can also be used to give access to technicians remotely.
This centralised approach to security provides operations with the ability to define, automate and monitor security policies across the SCADA environment, providing increased visibility, reliability and compliance. The business can centrally define plant-wide policies, confidently deploy them and automate their execution and monitoring. It ensures security of all remote field assets from a single operations centre.
Any serious application needing real security will start there, but then add additional layers of security, commonly referred to as defence-in-depth methodology (Figure 1). These layers are meant to slow down attacks to give intrusion detection software time to identify the threat and trace it back to its source.
From the edge to the centre
The next step is to secure communications between edge devices and the data centre. This all starts with the edge device, which is usually an RTU, PLC or, in some cases, a computer. Ideally, you start with an edge device certified to ISA Secure Level 2, which generally includes secure boot, authentication and data encryption. Compliance with the standard is overseen by the ISASecure program, run by the industry consortium ISA Security Compliance Institute (ISCI). Easy-to-use control software using programming languages like IEC 61131- can be used to sift through all the data and determine what’s important enough to send to ‘HQ’. One simple example is that you may be reading all the diagnostics data for all your local devices but only send data for devices that are outside of normal operational parameters.
Reliability can be enhanced using local data storage, so nothing gets lost if your communications link is lost. This is extremely important when using cellular, radio or satellite communications.
Secure communications can be accomplished with VPN technology and today’s more secure protocols like DNP3, IEC 61850 and OPC UA, which is the latest and appears to offer the most security and functionality of the group. AMQP and MQTT are transport-focused technologies and can be added to these protocols to go from point-to-point communications to a publish-subscription (pub-sub) model, where one stream of data can be made available to multiple users.
Most solutions today will use point-to-point communications to load all the data into a large database where it can be organised and provide highly efficient historical trends or views of data originating from multiple locations. This centralised approach would then have data mirroring and automated backup processes to secure the data — usually across multiple sites with disaster recovery functionality.
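The edge-side filtering and local buffering described above, as an added illustration (not code from the article or any vendor): the edge device keeps all diagnostics locally, forwards only readings outside their normal band, and queues records while the uplink is down so nothing is lost on a flaky cellular or satellite link. The tag names, operating bands and the `send` callback are assumptions.

```python
import collections
import json
import time

# Assumed normal operating bands per diagnostic tag (constructed values):
# tag -> (low, high). Anything outside the band is worth sending to HQ.
NORMAL_BANDS = {
    "pressure_kpa": (350.0, 700.0),
    "temp_c": (-10.0, 60.0),
    "battery_v": (11.8, 14.4),
}

def abnormal_readings(readings):
    """Return only the readings outside NORMAL_BANDS ({} if all are normal)."""
    out = {}
    for tag, value in readings.items():
        low, high = NORMAL_BANDS.get(tag, (float("-inf"), float("inf")))
        if not (low <= value <= high):
            out[tag] = value
    return out

class EdgeUplink:
    """Store-and-forward queue: buffers records locally while the link is down."""
    def __init__(self, send, max_buffer=1000):
        self._send = send                  # callable(json_str) -> True on success
        self._buffer = collections.deque(maxlen=max_buffer)  # oldest dropped if full
        self.sent = 0

    def report(self, device_id, readings, ts=None):
        """Filter at the edge; queue and attempt delivery only if something is abnormal."""
        abnormal = abnormal_readings(readings)
        if not abnormal:
            return False                   # normal device: nothing leaves the site
        self._buffer.append({"device": device_id,
                             "ts": ts if ts is not None else time.time(),
                             "abnormal": abnormal})
        self.flush()
        return True

    def flush(self):
        """Drain the buffer in order; stop at the first failed send. Returns backlog size."""
        while self._buffer:
            if not self._send(json.dumps(self._buffer[0])):
                return len(self._buffer)   # link still down, keep the record
            self._buffer.popleft()
            self.sent += 1
        return 0
```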
Securely disseminating actionable information
Once you get your data into the cloud, you want applications that turn the raw data into something you can use to improve your business. This typically means the flexibility and power to graphically bring your attention to abnormal trends or events.
Security is not only about keeping external threats out of your business, it is about making sure the information can be trusted while empowering the authorised users to improve company performance. The next step therefore is to secure the more valuable information flowing between the data centre and those end users who may be driving between sites, managing operations of multiple sites from a remote operations centre, working from their office or even from home using their phone or tablet to assess the current situation. This is typically done with encrypted tunnels or VPN connectivity.
As mentioned earlier, control or write functionality can be limited to specific users who have been trained to understand what their actions on the keyboard can do at a site thousands of miles away. It’s a great productivity tool to greatly reduce travel to distant sites. It enables collaboration with expert users to fully understand unusual situations. The system protects us from ourselves by requiring user authentication. A user name and password may be enough for low-level, read-only access but multifactor authentication may be required for write control of remote sites or sensitive financial data.
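The role-based write restriction and one-time-code second factor described here and in the earlier "An issue of access" section, as an added example (not code from the article or any SCADA product): read access is granted on role alone, while a write (control) action additionally requires a fresh time-based one-time code, and a code already accepted in its time window is refused so it cannot be replayed. Role names, the user table and the TOTP secret are constructed assumptions; the code generation follows RFC 4226/6238.

```python
import hashlib
import hmac
import struct
import time

def totp_code(secret, counter, digits=6):
    """HOTP/TOTP value (RFC 4226 truncation over HMAC-SHA1) for a time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, value % (10 ** digits))

class ScadaAccessPolicy:
    """Read is role-gated; write (control) also needs a fresh one-time code."""
    ROLE_PERMS = {"viewer": {"read"}, "operator": {"read", "write"}}  # assumed roles

    def __init__(self, users, step=30):
        self._users = users        # user -> {"role": str, "totp_secret": bytes}
        self._step = step          # TOTP time step in seconds
        self._used = {}            # user -> last accepted counter (replay guard)

    def authorise(self, user, action, otp=None, now=None):
        rec = self._users.get(user)
        if rec is None or action not in self.ROLE_PERMS.get(rec["role"], set()):
            return False           # unknown user, or role lacks the permission
        if action == "read":
            return True            # password-level login is enough for read-only
        counter = int((now if now is not None else time.time()) // self._step)
        expected = totp_code(rec["totp_secret"], counter)
        if otp is None or not hmac.compare_digest(str(otp), expected):
            return False           # missing or wrong second factor
        if self._used.get(user, -1) >= counter:
            return False           # one-time use: this window's code already spent
        self._used[user] = counter
        return True
```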
Combined with a top-down security management platform the architecture described above can be used to deliver robust ICS security following the NIST Cybersecurity Framework. This voluntary framework defines industry standards and best practices to help organisations manage cybersecurity risks. Combining centralised control with the security management platform gives businesses the ability to consistently meet these standards across sites (Table 1).
Existing manual security processes such as patching do not scale well; SCADA in the cloud can centralise and automate these, while bringing consistency, visibility and control to cybersecurity across the enterprise.
SCADA in the cloud offers significant benefits, but concerns over security could stop these from being realised. They shouldn’t. With a suitable architecture and security, businesses can enjoy the benefits of cloud deployment while not just maintaining their security, but actually enhancing it.