SCADA System Security Challenges and Recommendations


Introduction and Background

SCADA system security vulnerabilities have been well publicised in the post-Stuxnet era, yet many security professionals still underestimate the challenges involved in protecting SCADA systems, challenges that stem from the nature of the systems themselves. This article provides a background to SCADA systems, describes some of the challenges they face because of their need for constant availability, and offers recommendations for protecting SCADA systems going forward.

Supervisory control and data acquisition (SCADA) networks consist of critical systems and software implemented to carry out essential services within national, and sometimes global, critical infrastructure. SCADA systems have been in use for decades and are considered the backbone of a country's infrastructure, controlling physical processes and keeping parameters such as pressure, flow and voltage within defined limits. Compromise of these systems could lead to catastrophic consequences, including loss of life.

In short, SCADA systems monitor and control the parameters of production processes within the critical national infrastructure. Originally, these systems were isolated, stand-alone, heavy-duty machines intended to monitor a small amount of data and keep a process within set bounds. They were designed with life cycles measured in decades. Because no significant threat existed at the time, it was accepted that SCADA systems would not need security updates: cyber attacks against this type of environment were unheard of.

As the use of SCADA systems changed, so did the threat to them. As mentioned, SCADA systems originally sat in an isolated environment, accessible only to authorised staff with a need to be there. Access was only possible in person, and the systems were located in a heavily secured environment with proportionate physical boundary controls to prevent unauthorised access.

As the requirements placed on these systems matured, systems that were inherently insecure were connected to large corporate networks and, worse, to the Internet. Why would a critical yet insecure system be connected to the Internet and exposed to the world's cyber criminals? The reasons are diverse, ranging from a need for remote administration to a simple misunderstanding of the dangers. Either way, we are left with a situation where a huge number of insecure, critical SCADA systems are connected to the world, and vulnerable.

So, with an understanding of how vulnerable SCADA systems are, how can we improve SCADA system security? What actions can be taken to prevent compromise of these systems? This article tackles both the challenges and the recommendations.

Current landscape and Vulnerabilities

Following the discovery of Stuxnet, a sophisticated worm that physically damaged industrial equipment by manipulating the PLCs controlling it, governments have started to become aware of how vulnerable these systems are and of the consequences an attack may have. The event, while damaging to the state involved, raised public awareness of the dangers facing SCADA systems and forced governments to act. Since then, numerous audits of SCADA system vulnerabilities have taken place, resulting in a more proactive approach to securing the critical national infrastructure.

So, with an understanding of the current landscape, we can look at the common vulnerabilities of SCADA systems. These include both technical and non-technical weaknesses, some of which are exploited regularly by cyber criminals.

SCADA System Security Challenge #1: Default Credentials

SCADA systems are often configured by staff who have the right intentions but no security training, and who are employed primarily to keep SCADA equipment running rather than to secure it. As a result, SCADA systems are often set up out of the box with little thought given to security. Control devices are installed wherever they are required, sometimes in physically insecure locations. Factory default settings are frequently left in place on these devices, and because vendors publish those defaults in their manuals, anyone can look them up.

The use of default credentials on control devices, for example, renders authentication meaningless: an attacker can simply log in using default credentials published on the Internet. Once authenticated, an attacker can actively change the settings of the SCADA system, with potentially dangerous consequences.

SCADA System Security Recommendation #1: Configure devices with best practice guidance

Fortunately, security experts have recognised these vulnerabilities in recent years and have published guidance for engineers to follow when configuring systems, NIST SP 800-82 (Guide to Industrial Control Systems Security) being a widely used example. These guidelines set out best practice for the management of SCADA systems, including configuration hardening, credential management and monitoring.

SCADA System Security Challenge #2: Hard coded passwords for remote administration

SCADA systems contain a number of different components, some of which have security weaknesses. The first of these are programmable logic controllers (PLCs). PLCs connect directly to the sensors and actuators in a SCADA network and provide the data used to control critical components. Default credentials are often hard coded into the Ethernet communication modules these PLCs use; the modules relay commands to the device and allow administrators to perform remote administration. That functionality brings additional risk, and a hard-coded default password is a gold mine for any attacker wishing to disrupt the system.

A number of PLCs ship with hard-coded default passwords as standard, including models in the Siemens S7 series. Such PLCs, widely used in national energy and gas plants, can be manipulated and controlled remotely by an attacker who knows the password. Once unauthorised access is gained, an attacker can perform a multitude of actions intended to cause damage or to disrupt the availability of these systems.

SCADA System Security Recommendation #2: Utilise security guidance

Following the publicity around SCADA vulnerabilities, national bodies have published good practice guidance for SCADA systems, covering protection from both a technical and a non-technical perspective. Organisations that operate SCADA systems should use this guidance to lock down their systems, change every default password, and educate engineers on the dangers of leaving default credentials on SCADA components such as PLCs. Where a password is genuinely hard coded and cannot be changed, the affected service should be disabled or, failing that, restricted at the network level to the engineering hosts that need it.
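As an added illustration of Recommendations #1 and #2, the following Python script audits a device inventory for default, weak or hard-coded credentials and for cleartext management services. This is example code written for this article, not code from the original page or from any vendor or standard. The device records, vendor and model names and the default-credential table are all constructed for the example and make no claim about real products; a real audit would take the inventory from the asset register and the defaults from vendor documentation or a maintained default-credential list.

```python
"""Audit a SCADA/ICS device inventory for default and weak credentials.

Added example for this article, not code from the original page or any
vendor. Every device, vendor name and default credential below is
constructed for illustration and is not a claim about a real product.
"""
from dataclasses import dataclass

# Constructed per-model factory defaults, keyed by (vendor, model).
KNOWN_DEFAULTS = {
    ("ExamplePLC", "EP-300"): {("admin", "admin"), ("operator", "operator")},
    ("ExampleRTU", "ER-10"): {("root", "password")},
    ("ExampleHMI", "EH-1"): {("admin", "")},
}

# Generic defaults that turn up on devices from many vendors.
GENERIC_DEFAULTS = {
    ("admin", "admin"), ("admin", "password"), ("admin", ""),
    ("root", "root"), ("guest", "guest"),
}

# Management protocols that carry credentials in cleartext.
CLEARTEXT_SERVICES = {"telnet", "ftp", "http"}


@dataclass
class Device:
    name: str
    vendor: str
    model: str
    ip: str
    services: list                    # management services listening on the device
    accounts: list                    # (username, password) pairs configured on it
    fixed_credentials: bool = False   # password is hard coded in firmware


@dataclass
class Finding:
    device: str
    severity: str
    detail: str


def is_default(device, username, password):
    """True if the account still uses a factory or generic default."""
    creds = (username, password)
    if creds in KNOWN_DEFAULTS.get((device.vendor, device.model), set()):
        return True
    return creds in GENERIC_DEFAULTS


def is_weak(username, password):
    """Cheap policy check: too short or equal to the username."""
    return len(password) < 8 or password.lower() == username.lower()


def audit_device(device):
    """Findings for one device: credential problems first, then exposed services."""
    findings = []
    for username, password in device.accounts:
        if is_default(device, username, password):
            what = "hard-coded" if device.fixed_credentials else "default"
            findings.append(Finding(device.name, "critical",
                                    f"{what} credential for {username!r} still in use"))
        elif is_weak(username, password):
            findings.append(Finding(device.name, "high",
                                    f"weak password for {username!r}"))
    for service in device.services:
        if service in CLEARTEXT_SERVICES:
            findings.append(Finding(device.name, "medium",
                                    f"cleartext management service {service!r} enabled"))
    return findings


def audit_inventory(devices):
    return [f for device in devices for f in audit_device(device)]


# Constructed inventory for the example.
INVENTORY = [
    Device("plc-01", "ExamplePLC", "EP-300", "10.10.1.11",
           ["s7comm", "http"], [("admin", "admin")]),
    Device("rtu-07", "ExampleRTU", "ER-10", "10.10.1.27",
           ["telnet"], [("root", "Pl4nt-R7u-2024!")]),
    Device("hmi-02", "ExampleHMI", "EH-1", "10.10.2.5",
           ["https"], [("operator", "operator")]),
    Device("cp-03", "ExamplePLC", "EP-300", "10.10.1.12",
           ["ftp"], [("operator", "operator")], fixed_credentials=True),
]


def severity_counts(devices=INVENTORY):
    """Summary of findings by severity, useful for a management report."""
    counts = {}
    for f in audit_inventory(devices):
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_inventory(INVENTORY):
        print(f"[{f.severity.upper():8}] {f.device}: {f.detail}")
```

The check is deliberately offline: it reads the configured accounts from the inventory rather than attempting logins, so it can be run against an export from the asset register without touching live controllers. A device whose credential is flagged as hard-coded cannot be fixed by a password change and needs the service disabled or firewalled instead.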

SCADA System Security Challenge #3: Manual processes

Following the Stuxnet outbreak and the press coverage that inevitably followed, governments have backed SCADA security work heavily. The central focus of this work is often technical controls: how can we separate SCADA systems from the corporate LAN and the wider Internet? How can we prevent default configurations and default passwords? Yet many of the vulnerabilities lie not in the technology but in the processes an organisation follows.

Take Stuxnet, which infected an air-gapped network. How did it get there? An engineer plugged removable media, a USB stick, into a machine, and the worm spread from there. It then replicated across the network, reached the engineering systems used to program the PLCs, and quietly altered the controller logic to damage equipment while reporting normal readings to operators. Although this was a highly sophisticated piece of malware, the underlying weakness it exploited was ordinary, and it is the one SCADA systems are most exposed to: human error.

So the infamous air gap is not the golden ticket some security professionals take it to be, and if you hear "that couldn't happen here, our SCADA network is isolated by an air gap", alarm bells should ring. A network is never truly air gapped unless every possible input to it is tightly controlled. Removable media such as USB sticks is the prime example, and one that has repeatedly defeated the so-called air gap. One well-known case is the International Space Station: in 2008 NASA confirmed that laptops carried up to the station were infected with the W32.Gammima.AG worm, which Kaspersky later noted had been carried aboard on removable media by a Russian cosmonaut. Whatever boundary controls the ground network had in the way of firewalls, malware scanning and anti-virus, the malicious code was simply carried past them by a legitimate user and executed on the target machines, spreading to other laptops on board before it was detected and cleaned up.

SCADA System Security Recommendation #3: Lock down processes as well as systems, use of DMZ’s

It is always tempting to focus security controls entirely on the technical side. If attackers are finding you on the Internet via tools such as Shodan and successfully attacking you remotely, then severing the tie with the Internet makes you safe, right? Wrong. Threats are both internal and external, and both deserve the same respect. In fact, as the figure below shows, attacks from internal sources were rated the most concerning threat by SCADA system owners in a recent survey published by SANS.

The Top Threat Vectors, as published by SANS Institute Survey

With this in mind, organisations need to understand the processes they have in place and how an attacker might exploit them. For example, are USB ports locked down on operational systems? If not, who has access to them? Is there a removable media policy, and does it require media to be scanned for malware before it is connected to any networked machine? System owners should be asking themselves all of these questions to reduce the risk of removable media compromising their SCADA networks.

For organisations that need to transfer data from the business network into the operational SCADA network, a "demilitarized zone" (DMZ) between the two gives a controlled place to do it: removable media is scanned at the boundary of the operational network, malicious code is identified there, and only checked files pass through. The same zone can host a historian or file server so that the business side reads process data without ever touching the control network directly. This enables data to move between networks of differing sensitivity without joining them.
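As an added example of the check a scanning station in the DMZ would apply, the Python script below models a removable-media transfer gate: files on the media are released to the operational side only if their extension is on an allow-list, they are under a size limit, their content is not an executable hiding behind a data extension, and their hash is not on a denylist. This is example code written for this article, not code from the original page or any product, and it is a policy gate rather than a substitute for an anti-malware engine. The sample files on the "USB stick" and the known-bad hash are constructed inside the script for the demonstration.

```python
"""Removable-media transfer gate for a SCADA DMZ.

Added example for this article, not code from the original page or from any
product. It models the policy check a scanning station in the DMZ applies to
files arriving on removable media before they are released to the
operational network. All sample files and the 'known bad' hash are
constructed here for the demonstration.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

ALLOWED_EXTENSIONS = {".csv", ".txt", ".json"}   # data formats operations actually needs
MAX_FILE_BYTES = 5 * 1024 * 1024
# Magic bytes of executable formats that must never cross the boundary,
# whatever the file extension says.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")
# Constructed denylist; in practice this comes from the AV engine or IOC feed.
BLOCKED_SHA256 = {hashlib.sha256(b"malicious payload for demo\n").hexdigest()}


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inspect_file(path: Path):
    """Return (allowed, reason) for one file on the media."""
    if path.suffix.lower() not in ALLOWED_EXTENSIONS:
        return False, "extension not on the allow-list"
    if path.stat().st_size > MAX_FILE_BYTES:
        return False, "exceeds size limit"
    with path.open("rb") as fh:
        head = fh.read(4)
    if head.startswith(EXECUTABLE_MAGIC):
        return False, "executable content behind a data extension"
    if sha256_of(path) in BLOCKED_SHA256:
        return False, "matches known-bad hash"
    return True, "ok"


def gate_transfer(media_root: Path, release_dir: Path):
    """Copy only files that pass inspection; report everything else."""
    report = {"allowed": [], "blocked": {}}
    for path in sorted(p for p in media_root.rglob("*") if p.is_file()):
        rel = path.relative_to(media_root).as_posix()
        allowed, reason = inspect_file(path)
        if allowed:
            target = release_dir / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)
            report["allowed"].append(rel)
        else:
            report["blocked"][rel] = reason
    return report


def build_sample_media(root: Path):
    """Constructed contents of a USB stick handed in at the DMZ."""
    (root / "trend_export.csv").write_bytes(b"tag,value\nFT101,12.4\n")
    (root / "notes.txt").write_bytes(b"shift handover notes\n")
    (root / "firmware_update.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    (root / "readme.txt").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # renamed binary
    (root / "ioc_sample.csv").write_bytes(b"malicious payload for demo\n")


def run_demo():
    """Stage the constructed media in a temp dir and run it through the gate."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp) / "media"
        release = Path(tmp) / "release"
        media.mkdir()
        release.mkdir()
        build_sample_media(media)
        return gate_transfer(media, release)


if __name__ == "__main__":
    result = run_demo()
    for name in result["allowed"]:
        print("released:", name)
    for name, why in result["blocked"].items():
        print("blocked: ", name, "-", why)
```

The order of the checks matters: the cheap extension and size tests run first, the magic-byte test catches a binary renamed to `.txt` that the extension test would have let through, and the hash lookup runs last because it is the only check that has to read the whole file.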

These three are just a few examples of the common types of SCADA system vulnerabilities seen today. To understand how vulnerable their systems are, organisations must first understand their network in great detail and then take a risk-managed approach to securing the infrastructure.

SCADA system security

To understand the threats SCADA systems are prone to, it helps to understand the typical architecture of a SCADA network. The figure below shows a typical architecture for a SCADA network:

The best approach for an organisation is to obtain a high-level network diagram such as this, showing the SCADA network from a logical perspective, and then consider how an attacker could target and compromise each part of it. Realistically an attacker could target any of the components above to compromise a controlled process: by exploiting a vulnerability in one of the systems running a commercial operating system, for instance, the attacker may gain control of a subsystem and alter values on an operational machine. Alternatively, as mentioned above, an attacker with physical access can plug a USB stick straight into an operational machine, bypassing every boundary control and allowing malicious code to traverse the network easily.
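The altering of values on an operational machine described above is visible on the wire, and an added example of the monitoring the guidance calls for is below: a small Python detector that parses control-protocol frames and alerts on write commands from any host other than the engineering workstation. The article names no protocol, so Modbus/TCP is assumed here because its frame format is simple and public; the packets, host addresses and the authorised-writer list are constructed for the example. This is example code written for this article, not code from the original page or any product.

```python
"""Detect write commands to PLCs from hosts that should not issue them.

Added example for this article, not code from the original page. The article
does not name a protocol; Modbus/TCP is assumed here because its frame
format is simple and public. The packets and host addresses are constructed.
"""
import struct

# Modbus function codes that change state on the device.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}

# Only the engineering workstation is expected to write to controllers.
AUTHORISED_WRITERS = {"10.10.2.20"}


def parse_modbus_tcp(payload: bytes):
    """Parse the MBAP header and the start of the PDU; None if malformed."""
    if len(payload) < 8:
        return None
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0 or length != len(payload) - 6:
        return None                      # not Modbus, or truncated/padded frame
    function_code = payload[7]
    pdu = payload[8:]
    address = struct.unpack(">H", pdu[:2])[0] if len(pdu) >= 2 else None
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": function_code,
        "address": address,
    }


def detect_unauthorised_writes(packets, authorised=AUTHORISED_WRITERS):
    """packets: iterable of (src_ip, dst_ip, payload). Returns alert dicts."""
    alerts = []
    for src, dst, payload in packets:
        frame = parse_modbus_tcp(payload)
        if frame is None:
            alerts.append({"src": src, "dst": dst, "reason": "malformed Modbus/TCP frame"})
            continue
        fc = frame["function_code"]
        if fc in WRITE_FUNCTIONS and src not in authorised:
            alerts.append({
                "src": src, "dst": dst,
                "reason": f"{WRITE_FUNCTIONS[fc]} (fc {fc}) to unit {frame['unit_id']} "
                          f"register {frame['address']} from unauthorised host",
            })
    return alerts


# Constructed capture: (source, destination, Modbus/TCP payload).
SAMPLE_CAPTURE = [
    # HMI polling holding registers: a read, fine from anywhere on the SCADA LAN.
    ("10.10.2.5", "10.10.1.11", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # Engineering workstation writing a setpoint: authorised.
    ("10.10.2.20", "10.10.1.11", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x64"),
    # Unknown host on the SCADA LAN writing the same setpoint to zero.
    ("10.10.3.77", "10.10.1.11", b"\x00\x03\x00\x00\x00\x06\x01\x06\x00\x10\x00\x00"),
    # Corporate-side host writing two registers at once.
    ("192.168.50.9", "10.10.1.11",
     b"\x00\x04\x00\x00\x00\x0b\x01\x10\x00\x10\x00\x02\x04\x00\x01\x00\x02"),
    # Truncated frame.
    ("10.10.3.77", "10.10.1.11", b"\x00\x05\x00\x00"),
]


if __name__ == "__main__":
    for alert in detect_unauthorised_writes(SAMPLE_CAPTURE):
        print(f"ALERT {alert['src']} -> {alert['dst']}: {alert['reason']}")
```

Reads are left alone because HMIs poll constantly and alerting on them would drown the signal; the detector keys on the function code, which is the only reliable indicator of intent in a protocol with no authentication of its own. Malformed frames are reported as well, since a controller's Modbus stack receiving junk is itself worth knowing about.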

SCADA system risk assessments and treatment

The most effective method of securing SCADA systems is to identify risks using a consistent risk assessment methodology and to apply controls proportionately. This enables an organisation to identify the threats likely to target its systems and to apply controls that prevent those threats exploiting the vulnerabilities the systems may have.

The organisation should first establish which threat actors may want to attack its systems, what capabilities they have and what resources they may have at their disposal. Once the organisation understands how sophisticated its attackers are, it can apply proportionate controls to stop them succeeding. This process is outlined below.

Many organisations may first wish to identify possible attack paths by enumerating every connection point, end point, partner and individual with access to the systems. This should be an exhaustive list of the types of connection, the individuals with access, the end points used to perform actions, the physical and logical areas, the types of communication and the controls currently in place to defend each of them. With this in hand, an organisation can understand the risks it faces and apply controls appropriately, both technical and non-technical.
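Once the connections and their controls are listed, attack paths can be enumerated mechanically rather than by eye. The Python script below is an added example of that step, written for this article and not taken from the original page or any tool: it models the network as a directed graph whose links carry the control enforced on them (or none), finds every simple path from each entry point to the critical asset, and ranks the paths by how few controls an attacker must defeat. The network, entry points and controls are constructed for the example; an organisation would populate them from its own network diagram and connection inventory.

```python
"""Enumerate and rank attack paths through a SCADA network model.

Added example for this article, not code from the original page. The
network, its entry points and the controls on each link are constructed for
illustration; an organisation would populate them from its own network
diagram and connection inventory.
"""

# Directed links: source -> {destination: control on that link, or None}.
# None means traffic or media crosses with no enforced control.
NETWORK = {
    "Internet": {
        "Corporate LAN": "perimeter firewall",
        "Vendor VPN": "VPN with MFA",
    },
    "Corporate LAN": {
        "DMZ historian": "firewall",
        "Engineering workstation": None,      # flat routing, no segmentation
    },
    "Vendor VPN": {"Engineering workstation": None},
    "Removable media": {"Engineering workstation": None},
    "DMZ historian": {"SCADA LAN": "firewall"},
    "SCADA LAN": {"PLC": None},
    "Engineering workstation": {"PLC": None},
    "PLC": {},
}

ENTRY_POINTS = ["Internet", "Removable media"]
CRITICAL_ASSET = "PLC"


def find_paths(network, start, target):
    """All simple paths from start to target (depth-first, no revisits)."""
    paths = []

    def walk(node, visited, path):
        if node == target:
            paths.append(path)
            return
        for nxt in network.get(node, {}):
            if nxt not in visited:
                walk(nxt, visited | {nxt}, path + [nxt])

    walk(start, {start}, [start])
    return paths


def controls_on(network, path):
    """The enforced controls an attacker must defeat along this path."""
    return [network[a][b] for a, b in zip(path, path[1:]) if network[a][b]]


def rank_attack_paths(network=NETWORK, entries=ENTRY_POINTS, target=CRITICAL_ASSET):
    """Paths ordered weakest first: fewest controls, then fewest hops."""
    ranked = []
    for entry in entries:
        for path in find_paths(network, entry, target):
            ranked.append({"path": path, "controls": controls_on(network, path)})
    ranked.sort(key=lambda r: (len(r["controls"]), len(r["path"])))
    return ranked


def uncontrolled_paths(network=NETWORK, entries=ENTRY_POINTS, target=CRITICAL_ASSET):
    """Paths that reach the asset without crossing a single control."""
    return [r["path"] for r in rank_attack_paths(network, entries, target)
            if not r["controls"]]


if __name__ == "__main__":
    for r in rank_attack_paths():
        print(f"{len(r['controls'])} control(s): " + " -> ".join(r["path"]),
              "| controls:", ", ".join(r["controls"]) or "none")
```

In this constructed model the ranking makes the article's point numerically: the removable-media path reaches the PLC across no control at all, and the flat link from the corporate LAN to the engineering workstation reduces the well-defended historian route to a single firewall. Adding a control to a link in `NETWORK` and re-running shows which change buys the most.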

See SCADA System Security Recommendations to read more on SCADA recommendations.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.
