As utilities become more interconnected, and increasingly reliant on remote communications capabilities including automated metering, their aging supervisory control and data acquisition (SCADA) systems become even more attractive to hackers as entry points for mischief, theft, and even warfare. In a June 2011 report, the National Institute of Standards and Technology said, “Widely available, low-cost Internet Protocol (IP) devices are now replacing proprietary solutions, which increases the possibility of cyber security vulnerabilities and incidents.”

SCADA networks are not designed to be part of utility information technology (IT) systems, although the two are increasingly intertwined, particularly as utilities turn to the Internet for distribution automation functions (Figure 1). Notes a recent report by Pike Research for McAfee Inc., “SCADA networks are just different. Compared to enterprise IT networks, they have different security objectives, most of the endpoint actors are machines rather than people, their incidents can have immediate physical consequences, and they are more likely to be targeted by hostile actions such as terrorists.”

1. Typical SCADA topology. Source: Pike Research

An article in the June issue of our sister publication POWER makes a crucial point about the growing interconnection of industrial control systems (ICSs) and IT systems: “Unfortunately, the distinctions between IT systems and ICSs are not recognized by regulators and politicians, and the consequences of this are grave. The smart grid initiative is already providing real case histories of what happens when those without an understanding of the operational domain try to set the rules for systems they do not understand.”

SCADA systems have often been targets for past attacks, according to the National Institute of Standards and Technology. In its June 2011 report, NIST highlighted three real cases where disruptions to SCADA systems caused widespread problems:

  • In March 1997, a teenager using a dial-up modem got into the telephone switch network and took out phone service at the local airport control center, airport security and fire protection, and the runway lights.

  • In the Spring of 2000, a man rejected for a job at an Australian sewer plant hacked into the sewage plant’s computer system. Said the NIST report, “He altered electronic data for particular sewerage pumping stations and caused malfunctions in their operations, ultimately releasing about 264,000 gallons of raw sewage into nearby rivers and parks.”

  • An unnamed natural gas company hired an IT firm to test its corporate computer information system. “The consulting organization carelessly ventured into a part of the network that was directly connected to the SCADA system. The penetration test locked up the SCADA system and the utility was not able to send gas through its pipelines for four hours. The outcome was the loss of service to its customer base for those four hours.”

In June, a front-page article in the Washington Post described the Shodan web site, which runs a search engine that indexes Internet-reachable devices by the service banners they return, including SCADA devices. Developed by young computer programmer and entrepreneur John Matherly, the web site says it can find “webcams, routers, power plants, iPhones, wind turbines, refrigerators, VoIP phones.” Shodan says it will “find devices based on city, country, latitude/longitude, hostname, operating system and IP.” The site displays press accounts touting Shodan as “the Google for hackers” and that it “pinpoints shoddy industrial controls.”

The newspaper article said, “Control computers were built to run behind the safety of brick walls. But such security is rapidly eroded by links to the Internet. Recently, an unknown hacker broke into a water plant south of Houston using a default password he found in a user manual. A Shodan user found and accessed the cyclotron at the Lawrence Berkeley National Laboratory. Yet another user found thousands of unsecured Cisco routers, the computer systems that direct data on the networks.”

The Post writer concluded, “The rise of Shodan illuminates the rapid convergence of the real world and cyberspace, and the degree to which machines that millions of people depend on every day are becoming vulnerable to intrusion and digital sabotage. It also shows that the online world is more interconnected and complex than anyone fully understands, leaving us more exposed than we previously imagined.”

Researchers studying industrial control systems are uncovering a growing number of vulnerabilities and back doors in the systems. Italian researcher Luigi Auriemma has recently disclosed dozens of SCADA vulnerabilities. Commenting on Auriemma’s work to CNET, control-system security consultant Dale Peterson said newer systems are more robust, but “there is a ton of legacy stuff out there with this problem and a large number of vendors still have not seen the light.”

What can be done to protect the SCADA systems on which electric systems depend? The Pike Research report offers a list of actions SCADA owners can take to protect themselves and their systems:

  • “First, do no harm.” Follow the medical advice, the report advises. Avoid the common practice in enterprise network security of scanning the entire network every day for vulnerabilities. Some ping every device as often as once per second to ensure that it is still on line. “These same activities can prove extremely disruptive to control network functions such as monitoring and managing an energy transmission grid.” Instead, passive approaches, which listen to traffic the control network already generates rather than adding probes of their own, are better.

  • Limit SCADA traffic to “expected message types.” The analysts advise, “Any traffic that does not belong on the control network— i.e., it cannot be associated to a device on the network—should be logged for further investigation but otherwise ignored.”

  • Isolate SCADA networks from enterprise networks. This keeps SCADA networks quarantined from the public Internet—“the source of many cyber-attacks”—and lowers the risks of outside attack. Consider “demilitarized zones” and one-way connections, such as data diodes, originally deployed in nuclear plants.

  • Maintain the traditional SCADA management culture of resistance to change. “There is no reason for SCADA managers to relax their conservative approach. Rather, stronger change management is required to better ensure that SCADA network changes or new devices and software can be safely and reliably deployed.”

  • Don’t restrict monitoring to IT data. “Effective monitoring and security of control networks requires visibility not just to infrastructure components, but also to the control components that are being managed…. This suggests that general-purpose security products from the enterprise world will need some added intelligence to function effectively in control networks.”

  • Don’t let large data volumes fall behind the pace of new events on the network. “In control networks,” says Pike Research, “speed is of the essence. Control networks truly execute in real time, and seconds lost in collecting and correlating data can be the difference between a near miss and a disaster.” This means that correlation tools must be able to identify non-IT events, including human-machine interface issues, and must be very fast.

  • Keep it simple. “Cyber security product costs can be like icebergs,” says the report: the “vast bulk of the operating costs, like the vast bulk of an iceberg, are hidden below the surface.” One major cost is staffing, and the greater the complexity, the more staff required. A “total cost of ownership” approach is best.

  • It’s quality of data that counts, not quantity. It’s important to minimize false positives in threat detection, as in medicine. And prevention is better than detection. The report emphasizes that “the right event correlations can detect the possibility of an incident before it occurs. Knowing that credentials for a control console have been used when that person does not appear to be in the control room can trigger immediate response.”
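As an added example, not code from the Pike Research report or from this article, the following Python sketches two of the recommendations above in working form: a passive monitor that checks observed Modbus/TCP requests against an allowlist of expected function codes per device and only logs what does not belong, never blocking or probing, and the login-versus-badge correlation the last item describes. The device addresses, the allowlist, the log formats and the 12-hour badge window are all assumptions; the captured frames and log lines are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Tuple

# 1. Expected Modbus/TCP function codes per PLC (constructed): the HMI only
#    reads coils (0x01) and holding registers (0x03); writes never belong here.
EXPECTED: Dict[str, FrozenSet[int]] = {
    "10.1.1.10": frozenset({0x01, 0x03}),
    "10.1.1.11": frozenset({0x03}),
}


@dataclass(frozen=True)
class ModbusRequest:
    dst: str
    transaction_id: int
    unit_id: int
    function: int


def parse_modbus_tcp(dst: str, frame: bytes) -> ModbusRequest:
    """Parse the MBAP header (transaction id, protocol id, length, unit id)
    and the PDU function code of one observed request; malformed frames raise
    ValueError so they are logged rather than silently skipped."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length = (int.from_bytes(frame[i:i + 2], "big") for i in (0, 2, 4))
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(dst, tid, frame[6], frame[7])


def check_traffic(observed: List[Tuple[str, bytes]]) -> List[str]:
    """One log line per request that does not belong; nothing is blocked or probed."""
    findings = []
    for dst, frame in observed:
        try:
            req = parse_modbus_tcp(dst, frame)
        except ValueError as exc:
            findings.append(f"unparseable frame to {dst}: {exc}")
            continue
        allowed = EXPECTED.get(req.dst)
        if allowed is None:
            findings.append(f"traffic to unknown device {req.dst} (function 0x{req.function:02x})")
        elif req.function not in allowed:
            findings.append(f"unexpected function 0x{req.function:02x} to {req.dst} unit {req.unit_id}")
    return findings


# 2. Correlate HMI console logins with badge-reader records: a login with no
#    control-room badge-in by that user in the preceding window is an alert.
BADGE_WINDOW = timedelta(hours=12)  # assumed shift length


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def correlate_logins(badge_log: List[str], login_log: List[str]) -> List[str]:
    """badge_log lines: ts,user,door,event  --  login_log lines: ts,user,host"""
    entries: Dict[str, List[datetime]] = {}
    for line in badge_log:
        ts, user, door, event = line.split(",")
        if door == "control-room" and event == "entry":
            entries.setdefault(user, []).append(_ts(ts))
    alerts = []
    for line in login_log:
        ts, user, host = line.split(",")
        t = _ts(ts)
        if not any(t - BADGE_WINDOW <= b <= t for b in entries.get(user, [])):
            alerts.append(f"{ts} console login by {user} on {host} with no control-room badge-in within 12h")
    return alerts


# Constructed sample input: one normal poll, one write to a read-only unit,
# one request to an unlisted address, one frame with a bad MBAP length field.
SAMPLE_TRAFFIC = [
    ("10.1.1.10", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    ("10.1.1.11", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"),
    ("10.1.1.99", b"\x00\x03\x00\x00\x00\x06\x01\x03\x00\x00\x00\x01"),
    ("10.1.1.10", b"\x00\x04\x00\x00\x00\x09\x01\x03\x00\x00\x00\x01"),
]
BADGE_LOG = [
    "2011-06-14T06:55:00,jsmith,control-room,entry",
    "2011-06-14T07:02:00,mlee,parking-gate,entry",
]
LOGIN_LOG = [
    "2011-06-14T07:00:00,jsmith,hmi-01",  # badged in five minutes earlier
    "2011-06-14T07:10:00,mlee,hmi-01",    # badged only at the parking gate
    "2011-06-14T22:30:00,jsmith,hmi-02",  # last badge-in was 15.5 hours ago
]

if __name__ == "__main__":
    for line in check_traffic(SAMPLE_TRAFFIC) + correlate_logins(BADGE_LOG, LOGIN_LOG):
        print(line)
```

Run as written, the monitor reports the write to 10.1.1.11, the request to the unlisted 10.1.1.99, and the malformed frame, then the two console logins without a matching badge-in; the normal poll and the properly badged login produce nothing, which is the point of allowlisting expected traffic rather than hunting for known-bad signatures.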

What’s in the future for the security of SCADA systems? Newer equipment has more robust security built in, and many users of industrial control technology are moving away from dedicated hardware and software, particularly for distribution automation and smart grid applications. A recent article on the Gigaom web site said that “SCADA is under assault,” as “utilities have turned their attention to distribution automation…solutions that sit outside the substation.” But the same article added that SCADA “will continue to be used in the utility industry for a long time, especially as legacy systems used in power substations provide useful communications and control power equipment.” And the move toward wireless IP-based control systems will add another layer of cybersecurity complexity.

—Kennedy Maize is MANAGING POWER’s executive editor