One of the less well-known aspects of information technology - yet arguably one of the most critical to modern businesses - is the SCADA (Supervisory Control And Data Acquisition) platform, the computer control system at the heart of many industrial automation and control systems.
First developed in the 1960s and coming into their own with the arrival of the first PCs in the 1980s, SCADA-driven systems are typically found in industrial systems such as energy power plants, electricity supply grids, chemical plants and many other industrial systems that require a high degree of computerized control - but also require 100% systems availability.
This is Mission Critical with a capital M and C. Many businesses claim their IT processes are mission critical, but SCADA control systems are often critical to national infrastructures.
If the national electrical grid goes down, for example, it can cost the industry many tens of millions of pounds per hour and, in the case of hospitals, air traffic control systems and the like, can actually place people’s lives in jeopardy.
Protecting SCADA systems - which typically tend to be embedded operating system-driven environments - is a tricky task in these hacker and malware-infested times.
This is because many SCADA systems were developed in the early days of computing, before viruses had hit the headlines and well before the days of the mainstream internet, cyberterrorism and internal employee electronic threats we now face.
In the US, many SCADA-driven systems have been furnished with dial-up remote access / supervisory modem connections, meaning that - with authentication and encryption added to the usual ID / password mix - they are well secured against any form of hacker attack.
Nevertheless, experts are still worried about vulnerabilities in SCADA systems. In its 2009 Cyber Threats and Trends report, Verisign’s iDefense subsidiary singled out SCADA systems as likely targets for attack in the coming year.
This is not surprising, because as any reader of Infosecurity knows, protecting an IP-connected system - especially a Mission Critical one - is no easy task.
It’s a Specialized World
“The IT security system protecting a SCADA-driven system has to be 100% proof against both modern and old security threats”
Mike Smart, Secure Computing
The good news is that several vendors - including Byres Security, Check Point, Industrial Defender, Innominate, N-Dimension Solutions and Secure Computing - have developed a range of specialized industrial firewall and VPN solutions for IP-based SCADA networks.
In addition, the ISA Security Compliance Institute (ISCI) is working to formalize SCADA security testing next year, meaning that the industry will soon have a set of common benchmarks against which it can measure its IT protection systems.
In the interim, the industry has evolved a number of private testing companies such as the Achilles certification program from Wurldtech Security Technologies and ‘Music’ certification from Mu Dynamics.
The eventual gameplan is that a set of standards defined by ISA SP99 WG4 (Working Group 4) will supersede these initial industry consortia efforts, but probably not before the start of the next decade.
Mike Smart, senior product marketing manager with Secure Computing, says that, despite SCADA being a highly specialized area of IT security, it’s a relatively easy task to customize existing high-availability firewall technology to protect the IT resource.
Smart’s company, which is in the process of being acquired by McAfee, has built three signature file types for SCADA-specific protocols into its secure firewall offering - formerly known as Sidewinder.
As a result, says Smart, Secure Computing is now able to offer its firewall technology to the energy, water, oil / gas, and chemical companies, allowing them control over their critical network components.
Even though Secure Computing’s SCADA offerings are based on the firm’s firewall technology, Smart admits it’s a long way from an off-the-shelf product.
“It’s a highly customized technology,” he says, adding that the problem facing IT managers tasked with protecting SCADA-based systems is that they tend to be based on an embedded operating system, meaning the operating system cannot be patched or updated as with a conventional computer system.
“This makes them vulnerable to a number of well known hacker and malware toolkits, so the IT security system protecting a SCADA-driven system has to be 100% proof against both modern and old security threats,” he says.
It’s very easy, he continues, to be sensationalist about the issue of SCADA security, but it’s more a question of creating an IT security system that ensures ultra-high levels of protection and 100% availability of the system it protects.
It’s against this backdrop that Secure Computing has developed three sets of signatures (flavors) for its firewall technology:
- SCADA:ICCP: The Inter-Control Centre Communications Protocol (ICCP or IEC 60870-6/TASE.2) is now being specified by utility firms to support WAN-based exchanges of data between utility control centres, utilities, power pools, regional control centres, and non-utility generators.
- SCADA:MODBUS: Modbus is a serial communications protocol for use with SCADA-based programmable logic controllers, which Secure Computing says has become the most common method of connecting industrial electronic devices.
- SCADA:DNP3.0: DNP3.0 (Distributed Network Protocol) is a set of communication protocols used between components in process automation systems. Mainly used in electricity and water supply grids, the technology was developed to allow communications between various types of data acquisition and control equipment.
National Security
Over at network security vendor Check Point, Dorit Dor, the firm’s vice president of products, says that it is important to understand that SCADA is mainly used for automated environments where there are not many people involved.
“The problem then becomes one of securing the occasional times when you want to access that system remotely. The question is - how do you open the system up to remote access without compromising the security,” she says.
Dor argues that protecting SCADA-based systems is an essential aspect of national security. Every company, she says, claims that their email and internet access is essential, but when you talk about protecting a SCADA-based environment, you are usually talking about protecting national infrastructure systems.
Check Point’s approach, she tells Infosecurity, is to look at the issue from two very specific angles.
“The first is, what commands are going to traverse the gateway? Once you know this, you can begin to protect those command streams,” she continues, adding that the second approach is to protect a single device that is remotely accessible across the internet.
“Here you’re talking about using VPNs, encryption and authentication to ensure total and utter security,” she explains.
Just to make life interesting, most of the SCADA-based systems in use in the US involve legacy (i.e. old) IT systems, although around 10% of these systems each year, she says, are being replaced with more modern - and therefore IP-based - connections.
“When I talk to customers about SCADA security, I don’t talk about protecting a single system, I tend to talk about protecting the entire system, which can sometimes be a national network. For that you have to take an industrial security approach with total security and 100% service uptime,” she says.
The Global Perspective
“Many of the SCADA systems installed in industrial systems, including the critical energy distribution systems, were constructed between 15 and 20 years ago, when the threat was more physical than electronic.”
Todd Nicholson, Industrial Defender
In the US, Industrial Defender is one of the major players in the SCADA protection industry and, says Todd Nicholson, chief marketing officer with the Massachusetts-based cyberrisk specialist, has a number of utility and government customers around the world.
“Many of the SCADA systems installed in industrial systems, including the critical energy distribution systems, were constructed between 15 and 20 years ago, when the threat was more physical than electronic,” he says. As a result, he explains, many of the control systems are ‘air-gapped’ against the outside world, meaning that they never originally had any form of communications contact with the outside world.
Today, however, many of these older systems are starting to be connected to the internet, leap-frogging beyond a dial-up modem connection and this is where the security risk issue enters the frame, Nicholson explains.
“It’s worth remembering that research has shown that, despite the well-publicized hacker and terrorist threat against IT systems, 70% of attacks tend to be internal to the organization concerned. This is especially true with SCADA-based systems, as malicious employees and rogue laptops can pose just as much a threat to a system as an external hacker,” he explains.
On top of this, says Nicholson, even with a totally secure (from the outside world) IP-connected SCADA system, employees can still make mistakes.
“We’ve come across situations where an intern is updating the anti-virus signatures file on a main IT system and somehow manages to get into the SCADA security side of things. That can really mess things up and lower the security until the problem is discovered,” he says.
Because of these issues, Nicholson argues in favor of carefully customized and installed IT security systems for SCADA-based networks and notes that, even where a non-embedded operating system is involved, securing a SCADA platform can still be a headache.
Industrial Defender’s approach, he says, is to cover three main areas of security with SCADA: defend the electronic security perimeter, protect the network, and protect the host environment.
Interestingly, despite the fact that many SCADA-based systems involve the use of legacy kit, Nicholson says they are still internally networked, typically using 10 Mbps technology.
The problem with this older networked technology, he notes, is that it tends to be a lot more delicate than modern networking systems, which means it can be knocked offline very easily, even due to something as simple as the wrong configuration files being loaded.
“The bottom line is that you simply cannot tinker with such systems as you would with a modern network,” he says.
Before an organization migrates to an IP connection for their SCADA-based system, Nicholson points out that it is important to understand the crucial difference between an enterprise system and a SCADA control system, even if both systems are interconnected.
“The reality is that SCADA-based systems are now being hooked up to the internet, either directly or indirectly, and because of this, organizations need real-time analysis of the IP traffic. They need to be secure and they also need to comply with relevant legislation,” he says.
A Marriage of Technologies
One of the most recent trends in the SCADA security industry is where two vendors pool their resources to develop an offering.
Canada’s Byres Security, a veteran SCADA security player, has linked with MTL Instruments, a UK-based company specialising in intrinsic safety explosion and surge protection technology, to develop an IP-friendly SCADA security system.
Launched in October of 2008, the Tofino Modbus TCP Enforcer Loadable Security Module (LSM) acts as a filter and analysis system for SCADA IP connection systems and, says Dermot Coady, MTL’s marketing director, is relatively unique in the marketplace.
The IP analysis system, say the two firms, is unique in performing deep level packet inspection on IP traffic flowing into and out of an IP-connected SCADA-based platform.
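Command-level filtering of the kind described above (knowing which commands traverse the gateway, and inspecting Modbus TCP traffic rather than filtering only by port) is illustrated below. This is an added example, not code from the article or from any vendor named in it; the policy table, the addresses and the function names are hypothetical, and only the frame layout and function codes come from the public Modbus specification.

```python
import struct

# Standard Modbus function codes (public Modbus specification).
READ_ONLY = {0x01, 0x02, 0x03, 0x04}   # read coils / discrete inputs / registers
WRITES = {0x05, 0x06, 0x0F, 0x10}      # write coils / registers

# Hypothetical site policy: which source hosts may issue which function codes.
POLICY = {
    "10.0.5.10": READ_ONLY | WRITES,   # constructed address: engineering workstation
    "10.0.5.20": READ_ONLY,            # constructed address: historian, read-only
}

def check_frame(src_ip, frame):
    """Return (allowed, reason) for one Modbus/TCP request frame."""
    if len(frame) < 8:
        return False, "truncated: MBAP header plus function code needs 8 bytes"
    # MBAP header: transaction id, protocol id, length, unit id (big-endian).
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return False, "protocol id is not 0 (not Modbus)"
    # The length field counts the unit id plus the PDU; a PDU is at most 253 bytes.
    if length != len(frame) - 6 or not 2 <= length <= 254:
        return False, "length field does not match frame size"
    func = frame[7]
    # Default deny: hosts missing from the policy get an empty allowlist.
    if func not in POLICY.get(src_ip, set()):
        return False, f"function 0x{func:02X} not permitted for {src_ip}"
    return True, f"function 0x{func:02X} permitted"

def build_frame(tid, unit, pdu):
    """Build a constructed test frame: MBAP header followed by the PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic.
READ_REGS = build_frame(1, 1, bytes([0x03, 0x00, 0x00, 0x00, 0x02]))  # read 2 registers
WRITE_REG = build_frame(2, 1, bytes([0x06, 0x00, 0x01, 0x00, 0xFF]))  # write 1 register
BAD_LEN = READ_REGS[:4] + b"\x00\x40" + READ_REGS[6:]                 # length field lies

if __name__ == "__main__":
    for src, f in [("10.0.5.20", READ_REGS), ("10.0.5.20", WRITE_REG),
                   ("10.0.5.10", WRITE_REG), ("10.0.5.99", READ_REGS),
                   ("10.0.5.10", BAD_LEN)]:
        print(src, check_frame(src, f))
```

The read-only host is refused the write request even though it arrives on the same port as its permitted reads, which is the distinction a port-based firewall rule cannot make.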
According to Coady, awareness of the need for SCADA IT security systems is quite high in North America, compared to across the Atlantic.
“Most IT managers understand the need to protect an enterprise resource against internet-borne threats, but there seems to be a lack of awareness of the need for IT security among those organizations that use SCADA technology,” he observes. Unlike the Europeans, US organizations have unified responsibility for SCADA-based systems rather than fragmenting it between different departments in an organization.
The good news, Coady told Infosecurity, is that the SCADA industry is starting to develop standards and there is now a movement towards establishing the ISA 99 standard by the International Society of Automation (http://www.isa.org).
The standard seeks to provide a current assessment of security tools and technologies that apply to the manufacturing and control systems environment.
It is, says Coady, about the closest thing the SCADA industry has to a set of corporate guidelines on IT security and covers what needs to be protected against in terms of both expected threats and known vulnerabilities.
And, unlike the industry-specific rules on IT security for the energy and other utility markets in the US, it is a global standard.
All of which, he concludes, helps to persuade IT managers involved with SCADA control systems of the need to install high levels of security on their platforms.