SCADA security has become a burning issue in the light of recent cyber attacks.
SCADA and other industrial control systems were considered relatively safe environments until recently. They were installed in air-gapped networks without direct internet access. Nevertheless, the first attack on a SCADA network was carried out in 1982 on Siberian pipelines. Today, the devices running SCADA systems are connected to other IT systems and can be just as vulnerable as any other internet-connected device.
However, there is a vast difference between devices that run a SCADA system and devices with “regular” systems. SCADA controls critical infrastructure, either in manufacturing companies or at the national level: power plants, supply chains, production of essential goods, etc. Even a brief failure of such a system can have critical consequences for an entire community or even society. Therefore, it is crucial that the cyber security of SCADA systems is as controlled and managed as possible.
Why is SCADA vulnerable?
Notwithstanding the above, industrial control systems are probably among the most secured information systems. They are implemented as a separate network protected by a firewall and other security devices. Why can they still be the target of an attack?
You can think of an industrial control system network as just like any other network that connects to the internet, much like your company’s IT network is connected to your supplier’s IT network. The difference is that the SCADA network is a dead end, which is its advantage.
Risk factors in the SCADA network are the system components (PLC, RTU, MTU), which often run on older operating systems for which no upgrades or security updates are available. If attackers bypass the firewall or other security devices on the perimeter, they can reach the system’s core and abuse it: shut the system down, change how it works, steal data, etc.
Cloud has made things different …
The core of modern industrial control systems is IoT, which brings SCADA to the cloud. Such deployments raise cyber security issues already at installation. They pose security policy issues and information leakage risks, and they make tracking potential attackers much more difficult. Furthermore, installing from the cloud can potentially leave more backdoors open than installing “on-premise”. These are all challenges that managers or security officers need to discuss and address before deciding on a cloud solution.
It is the backdoor challenge that is especially problematic when combining traditional and cloud SCADA systems. Why? As mentioned above, SCADA runs on old systems that no longer receive security patches. This is not a problem as long as the system stays closed in its own “territory”, isolated from the internet. However, the moment we connect it to cloud technology, it becomes highly vulnerable and exposed to the same attack vectors as the perimeter of the organization’s information system.
Considering all the above, proper handling of SCADA security should be, and probably is, high on the priority list of every operator.
Security management of SCADA systems
As Yadav and Paul state in the article Architecture and security of SCADA systems *, SCADA appears in many vital industries, such as agriculture, the chemical industry, transport, civil engineering, healthcare, the research sector, and, of course, the energy sector. The latter includes everything from hydroelectric and nuclear power plants to distribution. Any interruption in these industries affects the life of an entire country or even a region, so such interruptions need to be carefully planned.
The system’s security integrity and smooth operation are crucial for several reasons, such as preventing the company’s financial losses and environmental disasters and protecting our lives.
The security of the SCADA system should be managed at two levels: in the production environment and in the test environment. In the production environment, we continuously check where an attack could occur and what interruption of operation it would cause (vulnerability monitoring) and how the attack could be carried out (the possible attack vectors), while at the same time protecting the system with IPS/IDS solutions.
We perform actual system testing in a parallel test environment. A digital twin can prove an efficient solution for managing security in a production environment. Digital twins of SCADA systems already exist to monitor and improve the performance of identically configured environments. Architecturally identical systems are connected to the digital twin and send their performance reports to it. Based on the collected data, the digital twin can predict complications or deviations from regular operation and pass that information to the systems where the problem has not yet occurred. This provides excellent support to operators, who can prepare the configuration in advance and avoid disruptions.
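The deviation detection described above, as an added example that is not part of the original article or of any particular digital-twin product: the twin’s reports for a tag are used to learn a normal operating profile (mean and standard deviation), and readings from the production system are flagged when they fall outside that profile. The tag name, the threshold and all telemetry values are constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed baseline telemetry reported by an identically configured twin.
# Tag name and values are hypothetical; they are not taken from the article.
TWIN_BASELINE = {
    "pump1_pressure_bar": [4.9, 5.0, 5.1, 5.0, 4.95, 5.05, 5.0, 4.98, 5.02, 5.0],
}

# Constructed readings from the production system being monitored.
PRODUCTION_READINGS = {
    "pump1_pressure_bar": [5.0, 5.02, 4.97, 6.4, 6.6, 5.01],
}


def baseline_profile(samples):
    """Learn a tag's normal operating range from the twin: (mean, population std dev)."""
    return mean(samples), pstdev(samples)


def detect_deviations(baseline, readings, threshold=3.0):
    """Compare production readings against the twin's profile for every tag.

    Returns one alert dict per deviating reading (tag, sample index, value, z-score),
    plus an alert for any tag the twin has no profile for, so that unexpected
    tags are not silently ignored. The threshold is expressed in standard deviations.
    """
    alerts = []
    for tag, samples in readings.items():
        if tag not in baseline:
            alerts.append({"tag": tag, "reason": "no twin profile"})
            continue
        mu, sigma = baseline_profile(baseline[tag])
        for i, value in enumerate(samples):
            if sigma == 0:
                # A perfectly flat baseline: any change at all is a deviation.
                deviates = value != mu
                z = float("inf") if deviates else 0.0
            else:
                z = abs(value - mu) / sigma
                deviates = z > threshold
            if deviates:
                alerts.append(
                    {"tag": tag, "index": i, "value": value, "z": round(z, 2), "reason": "deviation"}
                )
    return alerts


if __name__ == "__main__":
    for alert in detect_deviations(TWIN_BASELINE, PRODUCTION_READINGS):
        print(alert)
```

Run as-is, the block reports the two readings at 6.4 and 6.6 bar, which lie far outside the twin’s learned range around 5.0 bar; in practice the profile would be refreshed continuously from the twin’s reports, and the alerts would feed the operator’s monitoring rather than being printed.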
Testing with SCADA testbeds
The “twin system” can also be used for penetration testing. Many organizations with SCADA systems already use test or development environments in which they pre-test changes to be implemented in the production environment. Penetration tests are also usually performed in a test environment to prevent service outages.
Testing SCADA systems requires specific expertise and knowledge of the system architecture. All possible attack vectors must be identified according to the security devices installed and the devices in the control system itself. The penetration test must be prepared according to the specifics of the system, industry standards, directives, and recommendations.
A further peculiarity of testing industrial control systems is that the tests are usually performed in a demo environment. Production environments must function as smoothly as possible; any disruption, let alone an intrusion, can have severe consequences for the supply chain of essential goods or even be life-threatening. Testing of the production environment is therefore usually carried out as white-box testing, in which pentesters review the configuration of the network and the associated security devices and identify potentially hazardous areas and security holes.
Actual penetration testing is performed in a test environment that resembles the production environment as closely as possible. The penetration test findings can then be implemented in the production environment with all required precautions, taking the risks of such changes into account. If possible, perform these changes and reconfigurations while the system is stopped.
Improving SCADA security
The goal of the penetration test is not only to determine the current state, but to improve it. A high-quality, professionally prepared report contains recommendations for mitigating vulnerabilities and enhancing the security of the SCADA system. The ethical hacker’s hope is that all the recommendations are acted upon and that a validation pentest is conducted. When all is said and done, the new configuration is ready for transfer to the production environment.
* Yadav, G., and Paul, K. (2021): Architecture and security of SCADA systems. International Journal of Critical Infrastructure Protection 34.