SECURITY LEADERSHIP



Running head: SCADA Systems: Vulnerable to Attacks?

SCADA Systems: Vulnerable to Attacks?

Erika Voss

MSA 520 – Administration of Information Security

Abstract

SCADA systems were long treated as a low security concern in the workplace because they controlled plant functions such as heating and cooling that few people regarded as targets. As companies looked to save money and automate, these simple systems grew into networked plant-control environments, including wireless links, that with enough time would be, and were, attacked. Operators were stunned and at first could not figure out how hackers were getting into their environment. In 2011 an attack on a government agency exposed this vulnerability: what had been the agency’s central control hub was now “hacked.”

SCADA Systems: Vulnerable to Attacks?

When you look at what SCADA systems are, you have to stop and think about the actual components involved, what they are meant to do, and what their functionality is. SCADA stands for Supervisory Control And Data Acquisition. In layman’s terms, it is a computer system used for industrial control. A good example is the heating and air-conditioning plant of a large facility, whose controllers make the equipment “run.”

SCADA systems are subject to vulnerabilities and threats and are increasingly under attack, to the point that in 2003 the SANS Institute organized a summit specifically on SCADA security (SANS 2003). The goal of the summit was to help practitioners identify the attacks and threats, find ways to protect the data held by these systems, and pool mitigation efforts that could be shared across security platforms, so that both the security and the integrity of a system under attack are preserved.

When you look at the most common vulnerabilities of SCADA systems, keep in mind that a SCADA system is in many ways no different from a typical computer system: the way you protect its data and keep attackers out follows the same principles. Below are some of the most common vulnerabilities that have been identified against SCADA systems, taken from Patel (2008).

Vulnerabilities

• Standard operating systems (Windows/Unix) leave the device open to well-known security vulnerabilities. Most PCS (process control system) hosts are not patched, or cannot be patched because patching would violate the vendor’s service contract. Additionally, these systems are rarely hardened from a security perspective, as it is feared the additional controls will impact the SCADA application; this leads to serious exposures and risks.

• PCS networks lack overall segmentation. If firewalls are used, they are typically not well configured and only provide protection between the corporate network and the control center. Once the perimeter of the PCS network is breached, then the network is wide open. This also exposes the systems to standard worms, viruses and other malware.

• PCS systems lack antivirus protection. Many system vendors will not support antivirus applications. Plus, these systems usually do not access the Internet, making it difficult to download the daily signature updates that antivirus technology depends on.

• Most IP-based communications within the PCS network rely on unencrypted communications. This exposes the communications to eavesdropping and session hijacking.

• Most PCS systems have limited-to-no logging enabled. Logging is left off out of concern for system reliability; but if a security incident were to occur, it would most likely go completely unnoticed.

• Many organizations still rely heavily on physical security measures. Even with the attention now paid to IT security, it is still rare to find security policies implemented in the organization, and many organizations have done little or no security awareness training with users, who collectively are one of the weakest links in a security program.
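Two of the bullets above, unencrypted IP communication and missing logging, can be made concrete with a small network monitor. The following is an added example, not code from this paper or from Patel (2008): it decodes Modbus/TCP request frames (the paper names no particular protocol; Modbus/TCP is assumed here as a representative unencrypted PCS protocol) and raises an alert when a write request arrives from a host that is not on an allow-list. Because the traffic is plaintext, the same decoder that lets a defender log setpoint writes also lets an eavesdropper read them. The addresses, allow-lists and frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Modbus/TCP function codes. The write functions change process state, so a
# monitor on an unencrypted, unauthenticated control network watches for them.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int
    address: int   # starting coil/register address
    word2: int     # quantity for reads and multi-writes, value for single writes


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the first two PDU words of a request.

    MBAP: transaction id (2), protocol id (2, must be 0), length (2, number of
    bytes that follow the length field), unit id (1). The PDU begins with the
    function code, followed here by a start address and a second 16-bit word.
    """
    if len(payload) < 12:
        raise ValueError("frame too short for MBAP header, function code and two words")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function = payload[7]
    address, word2 = struct.unpack(">HH", payload[8:12])
    return ModbusRequest(src, dst, tid, unit, function, address, word2)


def inspect_frames(frames, allowed_hosts, allowed_writers) -> List[str]:
    """Apply two allow-list rules to plaintext frames and return alert lines."""
    alerts = []
    for src, dst, payload in frames:
        try:
            req = parse_modbus_tcp(src, dst, payload)
        except ValueError as err:
            alerts.append(f"MALFORMED {src}->{dst}: {err}")
            continue
        name = FUNCTION_NAMES.get(req.function, "unknown function")
        if src not in allowed_hosts:
            alerts.append(f"UNKNOWN-HOST {src}->{dst} fc={req.function} ({name})")
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(
                f"UNAUTHORIZED-WRITE {src}->{dst} unit={req.unit_id} fc={req.function} "
                f"({name}) addr={req.address} value={req.word2:#06x}"
            )
    return alerts


# Constructed frames (not a real capture): an HMI polling the PLC, an engineering
# workstation writing a setpoint, and an unknown host forcing a coil on.
SAMPLE_FRAMES: List[Tuple[str, str, bytes]] = [
    ("10.0.1.10", "10.0.2.5", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),  # read 10 holding regs
    ("10.0.1.20", "10.0.2.5", bytes.fromhex("0002 0000 0006 01 06 0010 03e8")),  # write reg 16 = 1000
    ("10.0.1.77", "10.0.2.5", bytes.fromhex("0003 0000 0006 01 05 0001 ff00")),  # force coil 1 ON
]
ALLOWED_HOSTS = {"10.0.1.10", "10.0.1.20"}   # hypothetical HMI and engineering station
ALLOWED_WRITERS = {"10.0.1.20"}               # only the engineering station may write


def run_sample() -> List[str]:
    return inspect_frames(SAMPLE_FRAMES, ALLOWED_HOSTS, ALLOWED_WRITERS)


if __name__ == "__main__":
    for src, dst, payload in SAMPLE_FRAMES:
        req = parse_modbus_tcp(src, dst, payload)
        print(f"{src} -> {dst}: {FUNCTION_NAMES[req.function]} addr={req.address} word2={req.word2}")
    for line in run_sample():
        print(line)
```

Running it prints every request in clear, including the setpoint value 1000 written to register 16, and then two alerts for the unknown host at 10.0.1.77. The allow-list rules are only possible because the monitor sits inside the PCS segment; on a network with no segmentation the same frames would be visible, and forgeable, from the corporate side.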

Given the list above, it is no longer easy to eliminate these kinds of vulnerabilities from systems such as SCADA. But when you design your security program and decide which vulnerabilities, the “low-hanging fruit,” to go after in your network environment, you will see that protecting the SCADA system is just as critical and important as protecting any other computer system that could be attacked.

Threats

Threats to SCADA systems fall into two main categories: directed threats like industrial sabotage and coordinated terrorist attacks, and indirect threats like operational errors and viruses. The impacts of both types of threat remain serious. Potential outcomes include:

• Serious disruption to national critical infrastructure

• Loss of system availability

• Process interruption

• Equipment damage

• Asset misconfiguration

• Loss of data and confidentiality

• Personal injury

• Penalties resulting from regulatory violations

• Loss of customer and public trust

The referenced article categorizes the types of threats that would wreak havoc on a computer environment whose SCADA system came under attack (IBM 2010). We often forget that it is not the size of a system, large or small, that matters; it is the data it holds that must be properly protected.

For example, we learned in our class that it is good to set up permissions in your environment governing who can actually reach the data, and we also learned about the Confidentiality, Integrity, and Availability (CIA) triad and why it is an essential component of any security program, policy, procedure and guideline. Security policies should govern even how your firewalls are configured to monitor network traffic, and they should also require that a sniffer placed on the network to see “who” is looking at your environment is itself detected. Below is an example of how traffic reaching a SCADA system is authenticated, and how it is encrypted and then decrypted (Knapp 2011).

Figure 1: SCADA Authentication Sample

What this example shows is how information enters the SCADA environment, why you want to protect it, and where it travels through your environment before the system either reads the message and accepts the information or the incoming user, or, if it cannot read (that is, authenticate) the message, denies the packet and refuses the user access.
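Since Figure 1 itself is not reproduced here, the following added example (not code from this paper or from Knapp 2011) shows the accept/deny decision in working Python. An HMI sends a setpoint to a PLC over a channel that encrypts the message, prefixes a sequence number and appends an HMAC-SHA256 tag; the receiver decrypts only after the tag verifies and the sequence number is fresh, and otherwise denies the frame. The key, message and host roles are assumed for the example, and the counter-mode keystream built from HMAC is a standard-library stand-in for a vetted authenticated cipher such as AES-GCM, which a real deployment should use instead.

```python
import hashlib
import hmac
import struct
from typing import Optional

SEQ_LEN = 4    # 32-bit big-endian sequence number
TAG_LEN = 32   # HMAC-SHA256 tag


def _keystream(k_enc: bytes, seq: int, n: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as a PRF over (seq, block).

    Kept on the standard library so the example runs anywhere; production code
    should use an AEAD from a crypto library rather than this construction.
    """
    out = bytearray()
    block = 0
    while len(out) < n:
        out += hmac.new(k_enc, struct.pack(">IQ", seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:n])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


class SecureChannel:
    """One direction of an authenticated, encrypted, replay-protected link.

    Frame layout: seq (4) || ciphertext || tag (32), tag computed over
    seq || ciphertext (encrypt-then-MAC). Separate encryption and MAC keys
    are derived from one shared master key.
    """

    def __init__(self, master_key: bytes):
        self.k_enc = hmac.new(master_key, b"scada-example-enc", hashlib.sha256).digest()
        self.k_mac = hmac.new(master_key, b"scada-example-mac", hashlib.sha256).digest()
        self.send_seq = 0
        self.last_recv_seq = -1

    def seal(self, plaintext: bytes) -> bytes:
        seq = self.send_seq
        self.send_seq += 1
        header = struct.pack(">I", seq)
        ciphertext = _xor(plaintext, _keystream(self.k_enc, seq, len(plaintext)))
        tag = hmac.new(self.k_mac, header + ciphertext, hashlib.sha256).digest()
        return header + ciphertext + tag

    def open(self, frame: bytes) -> Optional[bytes]:
        """Return the plaintext, or None when the frame must be denied."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None
        header, ciphertext, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.k_mac, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # forged, tampered or wrong key
            return None
        seq = struct.unpack(">I", header)[0]
        if seq <= self.last_recv_seq:                # replayed or reordered frame
            return None
        self.last_recv_seq = seq
        return _xor(ciphertext, _keystream(self.k_enc, seq, len(ciphertext)))


def demo() -> dict:
    """Walk one setpoint write through the accept and deny cases."""
    key = hashlib.sha256(b"constructed demo key, not a real secret").digest()
    hmi, plc = SecureChannel(key), SecureChannel(key)   # HMI sends, PLC receives
    setpoint = b"WRITE holding_register[16]=1000"        # hypothetical message
    frame = hmi.seal(setpoint)

    tampered = bytearray(frame)
    tampered[SEQ_LEN + 5] ^= 0x01                        # flip one ciphertext bit
    rogue = SecureChannel(b"attacker-guessed-key")       # attacker without the key

    return {
        "ciphertext_hides_plaintext": setpoint not in frame,
        "genuine_accepted": plc.open(frame) == setpoint,
        "tampered_denied": plc.open(bytes(tampered)) is None,
        "replay_denied": plc.open(frame) is None,
        "wrong_key_denied": plc.open(rogue.seal(setpoint)) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'ok' if result else 'FAILED'}")
```

The order of checks in `open` is the point of the figure: the tag is verified before anything else is trusted, the comparison is constant-time, and a frame that fails is dropped without being decrypted, so a tampered, replayed or foreign packet never reaches the controller logic.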

One of the things I have found most striking about SCADA systems is the following commentary from PC World (Bradley 2011). The article references one of the biggest attacks on industrial environments, one that is not only still studied today but still shapes the defenses of our nations, since no worm has ever received as much publicity as “Stuxnet.”

“Our critical infrastructure is an attractive target for enemy nations, terrorist groups, or even run-of-the-mill cyber criminals, and many security experts believe that it is not remotely protected against cyber-attacks. The SCADA systems that manage and control much of the critical infrastructure for the United States were not designed with security in mind, and are not engineered for an Internet-connected world.

SCADA systems are uniquely enticing because a successful attack could cripple a nation. The Stuxnet worm that targeted nuclear power capabilities in Iran contained a rootkit that could hijack the control and behavior of PLC (programmable logic controller) devices used for plant operations.

SCADA systems are a prime target, and a weak link in protecting the critical infrastructure. In a Wall Street Journal article Richard Clarke, former White House advisor on cyber security, warns that there is evidence that China has been actively probing and hacking the United States power grid. Clarke points out, "The only point to penetrating the grid's controls is to counter American military superiority by threatening to damage the underpinning of the U.S. economy. Chinese military strategists have written about how in this way a nation like China could gain an equal footing with the militarily superior United States."

Dr. Avishai, CTO of AlgoSec, recently discussed some of the challenges facing SCADA systems. Avishai notes, "In the old days, we worked with an ‘isolated network' assumption. The network operated with very simple communication protocols and over serial lines."

Avishai explains that SCADA networks were not designed with security in mind and cannot differentiate between legitimate requests and malicious responses. SCADA systems were traditionally on isolated networks that would require an attacker to first gain physical access to the target facility.

"Hacking SCADA systems no longer requires physical access, just a network connection, a way to route packets to the logic controller and a way to bypass the traffic filters, which are all activities that hackers understand," proclaims Avishai.

Randy Abrams, director of technical education at ESET, agrees that SCADA systems have their weaknesses, but feels that the humans behind the networks, and social engineering attacks are the real weak point.

There are two very significant human factors that come into play according to Abrams. The first follows the points made by Dr. Avishai--the false assumption that SCADA systems are somehow protected because they're not connected to the Internet. The false belief in security by obscurity leaves these systems exposed to risk.

"The other human factor is social engineering," says Abrams. "We have seen countless spear-phishing attacks that have resulted in compromise of military and private industry systems. The recent disclosure of a spear-phishing attack against high ranking US and South Korean officials, as well as journalists and dissidents that resulted in people divulging the passwords to their Gmail accounts demonstrates how incredibly little people understand about the nature of phishing attacks and social engineering in general."

The critical infrastructure is called that for a reason--it is the infrastructure that is essential for our society and economy to function. Combine the security flaws inherent in the SCADA systems themselves with the weaknesses in human nature and vulnerability to social engineering attacks, and you have a potential recipe for disaster.” (Bradley, 2011 PC World)

The Stuxnet worm is one of the more notorious examples, and it changed not only how we do business but also how and why we must fix our business practices so as to protect our data, environments and networks as a whole, and mitigate attacks against them.

Going forward, SCADA systems, like any computer system, will always be under attack: where there is a will and the time, there is someone smarter, faster, younger and quicker who wants to see whether they can “hack” into a system, what they can find, and what damage they can do to the network without getting caught. SCADA systems are and will continue to be vulnerable until the weaknesses identified earlier in this paper are addressed. What is crucial to understand is that a SCADA system can no longer be treated as just another computer left out on the open network that no one wants, or thinks they need, to protect. By protecting our SCADA systems we are closing one more door, one more entry point, into our network.

If you compare attacks on SCADA systems with attacks on mobile phones and smartphones today, SCADA is not as “hot” a topic as smartphone protection. More and more research is going into why we now need to protect our phones, which only reinforces the point: if an environment or network gives access to something we do not want people to have, someone will find a way and a means to attack it.

When thinking about and preparing to write your security program, it is important to understand your environment and why it must be protected. Your security program should lay out a clear methodology for categorizing risk and for how you will mitigate the risk to SCADA systems. Below is an example of how I would categorize risk, assign an assessment and value to a SCADA environment, and then determine whether the outcome is critical to the company I work for.

The purpose of a risk assessment is to qualify threats, evaluate the overall risk to SCADA systems, determine the mitigating controls, and then establish the list of tasks that must be completed to reduce the overall risk to an acceptable level.

The final output of the risk assessment will be:

o Qualified Risks

o Risk Ranking

o Identification of areas of vulnerability

o Action priorities, determined by risk level

Once risks needing mitigation are identified, management should:

o Recommend controls to mitigate risks as needed

o Qualify resources required for implementing the selected planned controls

o Identify team(s) and persons who will be responsible for implementing the new or enhanced security controls

o Define start date and projected end date for implementing the new or enhanced controls

o Qualify maintenance requirement for the new or enhanced controls after implementation

Relative weight is an overall ranking of the risk that takes many factors into consideration. It is not a prioritization of the work to be done, because some risks are very high yet have no mitigating control that can prevent them (for example denial of service: we can put tools and monitoring equipment in place, but we cannot predict it, we cannot prevent it, and it will always have some kind of impact). The following risk levels identify the level of risk as applied to the threat. It is up to the owner to determine whether mitigating controls can be put in place to reduce the risk further. In all cases, if no action can be taken to mitigate a threat or risk, this should be documented and acknowledged by management.

|Risk Level |Risk Description and Necessary Actions |
|Top |If an observation or risk is evaluated as a top risk, this represents a high potential that the risk can occur. If corrective measures can be put in place to reduce this risk they should be implemented in a timely fashion. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible. |
|Middle |If an observation is rated as a middle risk, this means the risk may be realized, but that mitigating controls will limit the overall exposure or impact to our Agency. If further corrective actions can be put in place to reduce the exposure, a plan should be developed to incorporate these actions within a reasonable period of time. |
|Bottom |If an observation is described as a bottom risk, this means the risk has a low potential, but mitigating controls are strong, exposure to the company is low and the probability of the risk being realized is minimal. The owner should determine whether further corrective actions are still required or decide to accept the risk. |
|Negligible/Non-Significant | |
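The method above can be turned into a small risk register. The following example is added here and is not part of the paper or its cited sources: it assumes numeric scales (likelihood 1 to 5, impact 1 to 5, and a control strength from 0.0 to 1.0 for how much existing mitigating controls reduce exposure), computes a relative weight, maps it onto the Top/Middle/Bottom/Negligible levels of the table, produces the four outputs listed earlier, and keeps an unmitigable risk such as denial of service out of the action list while flagging it for management acknowledgement, as the text requires. The thresholds and the sample risks are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import List

# Assumed scales; the paper defines the levels only qualitatively.
# relative weight = likelihood (1..5) * impact (1..5) * (1 - control_strength (0..1))
LEVELS = [
    (12.0, "Top"),
    (6.0, "Middle"),
    (2.0, "Bottom"),
    (0.0, "Negligible/Non-Significant"),
]


@dataclass
class Risk:
    name: str
    vulnerability_area: str
    likelihood: int
    impact: int
    control_strength: float
    mitigable: bool = True        # False: no control can prevent it (e.g. DoS)
    relative_weight: float = field(init=False)
    level: str = field(init=False)
    needs_acknowledgement: bool = field(init=False)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5
                and 0.0 <= self.control_strength <= 1.0):
            raise ValueError(f"{self.name}: rating out of range")
        self.relative_weight = self.likelihood * self.impact * (1.0 - self.control_strength)
        self.level = next(name for floor, name in LEVELS if self.relative_weight >= floor)
        # Unmitigable risks must be documented and acknowledged by management.
        self.needs_acknowledgement = not self.mitigable


def assess(risks: List[Risk]) -> dict:
    """Produce the assessment outputs: qualified risks, ranking, areas, priorities."""
    ranked = sorted(risks, key=lambda r: r.relative_weight, reverse=True)
    return {
        "qualified_risks": [r.name for r in risks],
        "risk_ranking": [(r.name, round(r.relative_weight, 1), r.level) for r in ranked],
        "vulnerability_areas": sorted({r.vulnerability_area for r in risks}),
        # Work is prioritized only where a control can actually be applied.
        "action_priority": [r.name for r in ranked
                            if r.mitigable and r.level in ("Top", "Middle")],
        "acknowledge_with_management": [r.name for r in ranked if r.needs_acknowledgement],
    }


# Constructed sample register drawn from the vulnerability list earlier in the paper.
SAMPLE_RISKS = [
    Risk("Unpatched Windows HMI", "Standard operating systems", 5, 4, 0.2),
    Risk("Unencrypted Modbus setpoint writes", "Unencrypted communications", 4, 4, 0.0),
    Risk("Denial of service against control network", "Availability", 3, 5, 0.3, mitigable=False),
    Risk("No logging on PCS hosts", "Logging", 4, 3, 0.6),
    Risk("Physical intrusion into control room", "Physical security", 1, 5, 0.9),
]


if __name__ == "__main__":
    for key, value in assess(SAMPLE_RISKS).items():
        print(f"{key}:")
        for item in value:
            print(f"  {item}")
```

The ranking and the action list deliberately differ: the denial-of-service entry ranks in the middle by weight but is excluded from the action priorities and instead appears under management acknowledgement, which is the distinction the text draws between relative weight and prioritization of work.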
