Remote - Spring 2015 - (Page 8)

Feature Article

Protecting Critical Infrastructure - Understanding the Threat to SCADA Networks

Oded Gonda, VP of Network Security Products
Check Point

Cyber-attacks on critical infrastructures are on the increase and are becoming a growing concern for organizations and governments across the globe. Power generation facilities, metropolitan traffic control systems, water treatment systems and factories have become targets of attackers, and have been hit recently with an array of network breaches, data thefts and denial-of-service activities.

Vulnerabilities in these systems can vary from basic issues, such as systems without passwords or with default-only passwords, to configuration issues and software bugs. But once an attacker is able to run software that has access to a controller, the likelihood of a successful attack is very high.

Critical Infrastructure Under Attack

This isn't wild scaremongering. In 2014 alone, the Department of Homeland Security announced it would investigate the possibility that the Havex Trojan had targeted industrial control systems, compromising over 1,000 energy companies across Europe and North America. In 2012, German power utility 50 Hertz was hit by a cyber-attack that took its internet communications systems offline, in the first confirmed digital assault against a European grid operator. The well-known Stuxnet attack of 2010 saw an Iranian nuclear centrifuge facility attacked using nothing more than a targeted computer virus.

What's more, attacks can be mounted by disgruntled individuals and are not the sole domain of organised gangs. In 2001 an Australian man was sent to prison after he was found guilty of hacking into a computerised waste management system, causing millions of liters of raw sewage to spill out into local parks and rivers.
Attacks such as these on critical infrastructure severely impact service uptime, data integrity, compliance and even public safety, and require that organizations implement steps to deal with these security concerns. This can only be done by understanding the difference between ICS/SCADA and traditional IT environments, along with reusing some of the know-how and technologies developed over the past 20 years to protect computer networks.

Understanding SCADA

Critical infrastructure facilities (electricity, oil, gas, water and waste) rely heavily on electrical, mechanical, hydraulic and other types of equipment. This equipment is controlled and monitored by dedicated computer systems known as controllers and sensors. These systems are connected to management systems, together forming networks that leverage SCADA (Supervisory Control and Data Acquisition) and ICS (Industrial Control System) solutions.

Both ICS and SCADA enable efficient collection and analysis of data and help automate control of equipment such as pumps, valves and relays. The benefits that these systems provide have contributed to their wide adoption. Their ruggedness and stability enable critical infrastructure-related facilities to use ICS and SCADA solutions for long periods of time.

SCADA/ICS networks and devices were designed to provide manageability and control with maximum reliability. Often they do not feature mechanisms to avoid unauthorized access or to cope with the evolving security threats originating from external or internal networks that have become so common in the IT world.

While their implementation is often proprietary, SCADA controllers are essentially small computers. They use standard computer elements such as operating systems (often embedded Windows or Unix), software applications, accounts and logins, communication protocols, etc. Moreover, some of the management environments use standard computing environments such as Windows and Unix workstations.
As a result, the challenges associated with vulnerabilities and exploits apply to ICS and SCADA systems, with the additional challenge of such systems operating in environments that can be physically difficult to reach or that can never be brought offline.

SCADA Vulnerabilities

It is a common belief that ICS and SCADA networks are physically separated from corporate IT networks. This might be accurate physically, in the sense that some companies operate distinct LANs or air-gap their control and corporate networks from one another. In other cases, companies use the same LANs and WANs, but encrypt their ICS and SCADA traffic across a shared infrastructure. More frequently, however, networks require some level of interconnectivity in order to obtain operational input from and/or export data to external third-party systems.

SCADA network devices have specific characteristics, which can be very different from those of regular IT systems:

* They are often installed in locations that are difficult to access physically (e.g. on towers, on an oil rig, on industrial machinery) and are environmentally more challenged than regular IT systems (e.g. outdoors, extreme temperatures, vibrations) or require special input voltages and mounting options
* They often use proprietary operating systems that have not been subjected to security hardening
* Their software cannot be updated or patched frequently, due to access limitations, concerns over downtime or the need to re-certify
* They use proprietary or special protocols

These differences in environment create problems such as lack of authentication and encryption, and weak password storage that would allow attackers to gain access to the systems.
Whilst most SCADA/ICS networks have some level of perimeter defence, including network segmentation and firewall technologies, attackers are always looking for alternative ways to get inside - for instance, through a gate that is left open, or by triggering some operation from inside the organization that opens up a communication channel to the outside. Typical tactics include:

* Using a remote access port used by a vendor for maintenance
* Hacking a legitimate channel between IT systems and ICS/SCADA systems
* Convincing an internal user to click on a URL link in an email from a workstation that is connected both to the ICS/SCADA network and to the Internet
* Infecting laptops and/or removable media while outside the ICS/SCADA network, later infecting internal systems when they're connected to the network for data collection, controller/sensor software updates.
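
Two of the entry paths listed above can be looked for from the defender's side: workstations connected to both the ICS/SCADA network and another network, and sessions that enter the control network from sources nobody approved. The following Python example is added here and is not part of the original article; the subnet, the allowlist, the host names and the flow records are all constructed assumptions.

```python
import ipaddress

# Assumed (hypothetical) addressing plan: the control network and the sources
# explicitly approved to talk to it, e.g. a jump host in the IT network.
ICS_NET = ipaddress.ip_network("10.50.0.0/16")
APPROVED_SOURCES = {ipaddress.ip_address("10.10.5.20")}

# Constructed sample inventory: host name -> interface addresses.
INVENTORY = {
    "hmi-01":      ["10.50.1.10"],
    "eng-ws-03":   ["10.50.1.44", "192.168.7.15"],   # second NIC on office LAN
    "historian":   ["10.50.2.5"],
    "office-pc-9": ["192.168.7.80"],
}

# Constructed sample flow records: (source, destination, destination port).
FLOWS = [
    ("10.10.5.20", "10.50.1.10", 443),     # approved jump host
    ("203.0.113.9", "10.50.3.2", 5900),    # external source reaching a controller
    ("10.50.1.10", "10.50.3.2", 502),      # traffic that stays inside the ICS zone
    ("192.168.7.80", "10.50.2.5", 1433),   # office PC reaching the historian
]

def in_ics(addr):
    """True if the address belongs to the assumed control network."""
    return ipaddress.ip_address(addr) in ICS_NET

def dual_homed_hosts(inventory):
    """Hosts with one interface inside the ICS zone and another outside it."""
    return sorted(
        name for name, addrs in inventory.items()
        if any(in_ics(a) for a in addrs) and any(not in_ics(a) for a in addrs)
    )

def unapproved_inbound(flows):
    """Flows that cross into the ICS zone from a source not on the allowlist."""
    return [
        (src, dst, port) for src, dst, port in flows
        if in_ics(dst) and not in_ics(src)
        and ipaddress.ip_address(src) not in APPROVED_SOURCES
    ]

if __name__ == "__main__":
    print("Dual-homed hosts:", dual_homed_hosts(INVENTORY))
    for src, dst, port in unapproved_inbound(FLOWS):
        print(f"Unapproved path into ICS zone: {src} -> {dst}:{port}")
```
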
