While most commercial and government organizations have a corporate network to handle administrative, sales, and other back- or front-office data, a growing number of organizations also have implemented one or more supervisory control and data acquisition (SCADA) systems. These systems incorporate software and hardware elements that allow industrial organizations, utility companies, and power generators to monitor and control industrial processes and devices, including sensors, valves, pumps, and motors. Today's SCADA systems also allow organizations to harvest data from these devices, and then to analyze and make adjustments to their operational infrastructure to improve efficiency, make smarter decisions, and quickly address system issues to help mitigate downtime.
A typical SCADA architecture consists of programmable logic controllers (PLCs) or remote terminal units (RTUs), which are small computers used to communicate with manufacturing equipment, human-machine interfaces (HMIs), sensors, and other end devices, and then route the information from those objects to computers equipped with SCADA software. The SCADA software collects, processes, distributes, and displays this data, helping operators and other employees analyze the data and make important decisions.
Because SCADA systems are designed to connect and control a huge amount of industrial equipment, malevolent actors see significant value in infiltrating or controlling these systems and the operational technology (OT) networks through which they send and receive data. Data collected and compiled by X-Force Red, an autonomous team of hackers within IBM Security that is hired to uncover security vulnerabilities, showed that the number of vulnerabilities exposing industrial control systems increased 83% from 2011 to 2018. Moreover, over the past decade, there have been a number of real-world examples of attackers targeting SCADA systems:
- In 2010, malware created by the intelligence forces of the U.S. and Israel, known as Stuxnet, was used to destroy centrifuges used in the enrichment of uranium at a facility in Iran, thereby delaying the development of that country's nuclear weapons.
- In 2015, BlackEnergy, a Trojan Horse virus (which sits undetected until the attacker decides to activate it), was adapted by Russian hackers to infiltrate several Ukrainian power companies, with the malware used to gather intelligence about the power companies' systems, and to steal login credentials from employees.
- In 2016, malware known as CrashOverride or Industroyer was deployed by Russian cybercriminals to attack a part of Ukraine's electrical grid. CrashOverride replicated the communication languages, or protocols, that different elements of an electrical grid use to talk to one another, which allowed the hackers to strike at an electrical transmission substation in Kiev, resulting in a short blackout of part of that city.
- In the summer of 2017, hackers deployed malware known as Triton, which was named for the Triconex safety controller model that it targeted, against a petrochemical plant in Saudi Arabia. The malware allowed the hackers to take over the plant's safety systems remotely, though a flaw in the code allowed the plant to respond before any damage occurred.
These attacks, along with numerous others, highlight the vulnerability of SCADA systems and industrial networks.
In 2018, the International Society of Automation (ISA) helped to develop a series of industrial cybersecurity standards designated ISA/IEC 62443, which were designed to protect the industrial automation and control systems (IACS) and networks that operate OT machinery and associated devices within critical infrastructure. The ISA/IEC 62443 standards also serve as key components of the U.S. Framework for Improving Critical Infrastructure Cybersecurity (released in April 2018), a how-to guide developed through the National Institute of Standards and Technology (NIST) in support of U.S. cyber defenses.
NIST also released Internal Report 8219, "Securing Manufacturing Industrial Control Systems: Behavioral Anomaly Detection," last year. The report notes that NIST is trying to add anomaly and malicious user detection to OT networks, and documents the use of behavioral anomaly detection (BAD) systems in two demonstration environments, including one that mimics a process control system resembling those used by chemical manufacturing industries.
Industrial operators would be wise to follow NIST's recommendations, as SCADA systems that have been compromised could be hijacked by hostile actors, with potentially serious outcomes. For example, organizations can have their operations halted until a ransom payment is made, or physical systems or processes can be sabotaged, resulting in significant damage. Perhaps the most dangerous scenario is that bad actors, likely cyber teams from or working on behalf of foreign governments, could plant malware that lies dormant in a power plant, electrical distribution grid, or municipal water supply plant, so it may be used as a point of leverage at a future date.
"What we are seeing in the field is that there's an increase, not just of cyberattacks, but what we call cyberattack readiness, or red button capability," says Barak Perelman, CEO of Indegy, a New York City-based industrial cybersecurity firm that improves operational safety and reliability for industrial control networks. Perelman highlights a U.S. Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) account of a Russian cyber campaign to infiltrate critical infrastructure in the U.S., which occurred within the last two years.
"'Why didn't I see anything blow up?'" Perelman says. "And the answer is that the Russians are not stupid; what they probably are after is to have a grip around critical segments of the critical infrastructures, and then when they need it most, as part of an act of war, or as part of leveraging negotiations with the U.S. next time, then they will [push the red button]."
With so much at stake, it may be difficult to believe that industrial control systems are so vulnerable to attack. However, most industrial control systems were developed before use of the Internet had become commonplace, so they were intentionally designed to be simple, and to work in a closed system that was "air-gapped," or unconnected to the outside world. Further, many SCADA systems and industrial networks were built using devices that were designed and manufactured without even basic security protocols or features.
As industrial companies and utilities have sought to connect their infrastructure to their corporate systems, or to enable greater interoperability or communication capabilities between devices, hackers have taken notice.
"When we take a look at some of the devices that are being used to program logic controllers or other types of data systems that are being controlled with various thin protocols, whether it's Modbus, DNP3, HART-IP, they're very thin protocols," explains Don Arnold, a security engineer with L Squared LLC, a Greenwood Village, CO-based information security consulting firm. Arnold says these devices do not have any security protocols built into them, making them easy targets for criminals. "Therefore, any kind of SCADA or industrial control system that is sending packets inbound and outbound without some sort of a protective security environment is at risk."
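As an added example (not code from the article, from NIST, or from any of the vendors quoted), the following Python script shows what a minimal behavioral anomaly detector looks like for Modbus/TCP, one of the thin, unauthenticated protocols Arnold describes and the kind of traffic the BAD approach in NIST IR 8219 monitors. It learns which (source host, unit, function code) combinations occur during a learning window and alerts on anything outside that set, ranking writes to controller state above reads. The host addresses, frames and baseline are constructed for the demonstration; the frame layout follows the public Modbus/TCP specification (7-byte MBAP header, then function code and data).

```python
"""Behavioral baseline for Modbus/TCP requests (added example, not from the article)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Public Modbus function codes (from the Modbus application protocol specification)
FUNCTION_NAMES: Dict[int, str] = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils",
    16: "Write Multiple Registers", 43: "Read Device Identification",
}
# Function codes that change controller state; a surprise here matters most
WRITE_CODES: Set[int] = {5, 6, 15, 16, 22, 23}


@dataclass(frozen=True)
class ModbusRequest:
    src: str                   # source IP of the request (constructed in the demo)
    unit_id: int               # MBAP unit identifier (target device)
    function: int              # Modbus function code
    start_addr: Optional[int]  # first coil/register addressed, when the PDU has one


def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and leading PDU fields of one Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto_id}")
    # MBAP length counts the unit id plus the PDU, i.e. everything after byte 6
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size")
    function = frame[7]
    start_addr = None
    if function in (1, 2, 3, 4, 5, 6, 15, 16) and len(frame) >= 10:
        start_addr = struct.unpack(">H", frame[8:10])[0]
    return ModbusRequest(src, unit_id, function, start_addr)


def build_frame(tid: int, unit_id: int, function: int, payload: bytes) -> bytes:
    """Build a Modbus/TCP request frame; used here only to construct sample traffic."""
    pdu = bytes([function]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


class BehavioralBaseline:
    """Allow-list of (src, unit, function) tuples seen during a learning window."""

    def __init__(self) -> None:
        self.allowed: Set[Tuple[str, int, int]] = set()

    def learn(self, req: ModbusRequest) -> None:
        self.allowed.add((req.src, req.unit_id, req.function))

    def check(self, req: ModbusRequest) -> Optional[str]:
        """Return an alert string if the request falls outside the baseline, else None."""
        if (req.src, req.unit_id, req.function) in self.allowed:
            return None
        severity = "HIGH" if req.function in WRITE_CODES else "LOW"
        name = FUNCTION_NAMES.get(req.function, "unknown")
        return (f"{severity}: fc={req.function} ({name}) from {req.src} "
                f"to unit {req.unit_id} addr={req.start_addr} not in baseline")


def run_demo() -> List[str]:
    """Learn from constructed 'normal' traffic, then scan constructed test traffic."""
    hmi, eng, stranger = "10.0.0.10", "10.0.0.20", "10.0.0.99"  # constructed hosts
    learning = [
        (hmi, build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),   # HMI polls 10 registers
        (hmi, build_frame(2, 1, 1, struct.pack(">HH", 0, 8))),    # HMI reads 8 coils
        (eng, build_frame(3, 1, 43, bytes([0x0E, 0x01, 0x00]))),  # workstation reads device id
    ]
    baseline = BehavioralBaseline()
    for src, frame in learning:
        baseline.learn(parse_modbus_tcp(src, frame))

    test_traffic = [
        (hmi, build_frame(4, 1, 3, struct.pack(">HH", 0, 10))),       # normal poll
        (stranger, build_frame(5, 1, 6, struct.pack(">HH", 40, 0))),  # unknown host writes a register
        (hmi, build_frame(6, 1, 5, struct.pack(">HH", 3, 0xFF00))),   # HMI writes a coil it never wrote
        (eng, build_frame(7, 1, 43, bytes([0x0E, 0x01, 0x00]))),      # normal device-id read
    ]
    alerts: List[str] = []
    for src, frame in test_traffic:
        alert = baseline.check(parse_modbus_tcp(src, frame))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The point of the example is that nothing in the protocol itself distinguishes the HMI's write from the stranger's: both frames are well-formed and the controller would accept either. Only the learned baseline tells them apart, which is why the write from the unknown host and the HMI's first-ever coil write both raise HIGH alerts while the routine polls pass. In a real deployment the learning window must be long enough to cover maintenance activity, or every legitimate engineering write becomes an alert.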
The lack of modern security protocols and tools, however, does not address perhaps the biggest security risk to industrial control systems: the propensity of humans to ignore common sense and inadvertently expose the network to malware through their own behavior.
"There have always been other ways to get malware to the network, the most notorious example being when malware is brought in by USB drives," says Phil Neray, vice president of Industrial Cybersecurity and Marketing at CyberX, a Waltham, MA-based Industrial Internet of Things (IIoT) and Industrial Control System (ICS) cybersecurity platform provider. In this scenario, attackers may scatter or distribute USB thumb drives outside the facility, in the hope that an employee of the industrial plant or utility will pick one up and plug the drive into a computer within the facility, allowing malware to be automatically uploaded onto the network. This technique was used in the U.S./Israeli Stuxnet cyberattack on Iran's nuclear facilities in 2010, and likely in other instances of industrial sabotage.
"Social engineering is starting to become much more popular today, because the technical security has increased," Arnold says. "Attackers are starting to go towards the weakest link, and that's people. The majority of attacks occur from inside the network, whether they are socially engineered, or if somebody [clicks on] an email and they launch something into the network. The end user is still the absolute weakest link in the network."
For industrial or utility companies, there are several protective measures that should be taken to harden or protect SCADA systems from those with malicious intent, but the process should begin with a sober risk assessment.
"The first thing I would do is sit down and say, 'where's the keys to the kingdom and what's the value of the keys to the kingdom'," Arnold says. "What's the most important asset that you have to protect, and then design a security system around that."
Joe Morgan, business development manager for critical infrastructure for Sweden-based Axis Communications, provides a concrete list of steps that should be taken by industrial and utility organizations, including using certificate control on each IP device, and cloaking IP addresses within a network so potential hackers will not have an IP trail to follow in their attempts to take over control operations, extract data from the network, or present a false narrative that invokes an unneeded response and propagates a dangerous chain of events.
Further, Morgan says video surveillance or thermal cameras can be linked to analytics software to help distinguish between cyber threats and other abnormal, but still important, operational situations, such as a blown gasket on a pressure line in a manufacturing plant. The cameras and the analytics engines can be used to verify whether a SCADA alarm is tipping personnel off to an actual issue, or to a false alarm caused by a breach.
The greatest challenge, of course, is that deploying new or augmented security controls is expensive, and many organizations simply will not see the return on investment or value of taking proactive security steps.
"Somebody will get in," says Mike Trojecky, vice president of IoT and Analytics for U.K.-based IT solutions company Logicalis. "It's about identifying when it happens and being able to respond to it and basically remediate as quickly as possible. But the cost to implement the security, in a lot of cases, is greater than the immediate cost to recover from an attack. [Organizations] don't look at the long-term, corporate espionage piece, but instead will think, 'Well it's going to cost me $1 million to do [implement security], but I was attacked and compromised, and it only cost me $250,000.'"
©2019 ACM 0001-0782/19/10