Operational technology security and the IoT

One aspect not discussed in our recent post on security issues and the Internet of Things (IoT) is the increasing trend of connecting operational technology systems to the internet. This leads us to the vitally important issue of operational technology security.

Operational Technology (OT) refers to hardware and software that monitors and controls physical devices, processes and events in the enterprise. OT is a recent term coined to distinguish these systems from traditional IT systems. OT includes industrial control systems such as SCADA systems.

Supervisory control and data acquisition (SCADA) systems are designed to remotely monitor and control industrial processes such as manufacturing, oil and gas, and utilities. They are often used for critical national infrastructure such as power generation and distribution, water supply and rail. SCADA systems are generally large scale and involve multiple geographic sites.

Operational technology security

Security has always been an issue for SCADA systems. Much reliance has often been placed on physical security, the difficulty of interacting with obscure SCADA protocols, and their isolation from other networks. SCADA systems were typically designed for reliability, not security.

In 2010 the Stuxnet malware, which specifically targeted Siemens SCADA systems, showed that physical isolation ("air gapping") is not an insurmountable barrier. Stuxnet damaged the centrifuges used in Iran's uranium enrichment program, and is suspected to have been a state-sponsored operation by the USA and Israel.

In recent years, SCADA systems have moved from proprietary network protocols to more open standards such as TCP/IP and standard software architectures. There has also been a drive to increased integration, where the number of sophisticated devices connected to monitoring networks is rising rapidly. For example, in the electricity industry the smart grid involves connecting telemetered devices known as smart meters, introducing new security vulnerabilities.

Internet security

SCADA systems are also increasingly being connected to the Internet. This is primarily for convenience of access, but this trend has ominous security implications.

Project SHINE ran from 2008 until 2014 with the aim of determining how many industrial control systems are directly exposed to the Internet. It used the SHODAN search tool to search specifically for SCADA systems. By the conclusion of the project, over 1,000,000 control systems had been discovered, and thousands more were being connected to the Internet daily. Many of these systems were accessible via a default web interface with administrative privileges!

There is clearly a significant and growing threat from cyber-attacks against these control systems, with potentially disastrous results. Awareness is growing, illustrated by Obama's Executive Order: Improving Critical Infrastructure Cybersecurity. But attacks are rapidly increasing. According to Dell's 2015 report, attacks on SCADA systems doubled from 2013 to 2014, reaching 675,186 attacks just in January 2014!

Ukrainian cyber-attack

In December 2015 a sophisticated cyber-attack against Ukrainian power distribution companies caused outages for over 200,000 customers. This was a malicious, highly organised attack that deliberately wiped systems and corrupted devices in an attempt to make restoration as difficult as possible.

It seems only a matter of time before a serious breach causes widespread damage or even casualties. How can cyber-attacks on SCADA systems be mitigated?

Prevention

Careful systems design is the starting point for good security. If designs are reviewed by security experts before being implemented, many security issues can be avoided or minimised. Of course, some SCADA systems have been running for many years and can't be redesigned, but even in these cases it is worthwhile documenting the existing design thoroughly and having it reviewed.

An important point is to keep SCADA software and systems up to date, even when they are not connected to the Internet. One day the system may be connected, and if the latest security patches are not installed, it will be vulnerable. This has to be a high-priority task, as SCADA systems are often left alone (sometimes for years) provided they are reliably performing their tasks.

Of course, the most basic step in prevention is isolation from any untrusted networks, especially the Internet. In general any form of remote access should be as limited as possible. Sometimes this is not possible because of business requirements, but the decision to permit access should take into account the increased security risks.

Rigorous firewall restrictions are critical. The only permitted connections should be from approved IP addresses, and only encrypted connections should be allowed. This prevents passwords from being passed to the system in clear text.

Two-factor authentication should be used so that stolen passwords are of little value without the accompanying second authentication method. This might involve a device that generates a token, or texting a code to a cell phone. Two-factor authentication might have prevented the Ukrainian cyber-attacks.
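The firewall and two-factor controls above can be expressed as a single access policy and checked against a gateway's connection log, which is a useful way to verify that the rules actually hold rather than assuming they do. The following is an added example, not code from the original post or from any vendor it mentions: it audits constructed log lines against three rules (approved source addresses only, encrypted protocols only, a second factor on every login). The log format, the protocol names and the address ranges (RFC 5737 documentation ranges) are all assumptions made for illustration.

```python
"""Remote-access policy audit for an OT/SCADA gateway (added example).

Checks each connection attempt against the three controls described in
the post: approved source addresses only, encrypted protocols only, and a
second authentication factor on every login. The log line format, the
protocol names and the address ranges are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

# Constructed policy: the operator's own access hosts, as CIDR networks.
APPROVED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/29"),    # engineering jump hosts (assumed)
    ipaddress.ip_network("198.51.100.10/32"),  # vendor support gateway (assumed)
]

# Protocols the gateway may accept; anything else is rejected.
ENCRYPTED_PROTOCOLS = {"ssh", "https", "openvpn", "ipsec"}
# Well-known cleartext services that would expose credentials or commands.
CLEARTEXT_PROTOCOLS = {"telnet", "http", "ftp", "vnc", "modbus"}

# Constructed gateway log format: one line per connection attempt.
LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst_port=(?P<port>\d+) proto=(?P<proto>\S+) "
    r"mfa=(?P<mfa>yes|no) user=(?P<user>\S+)"
)


@dataclass
class Decision:
    src: str
    user: str
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(src: str, port: int, proto: str, mfa: bool, user: str = "-") -> Decision:
    """Apply the three controls; a connection passes only if no rule fires."""
    reasons = []
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return Decision(src, user, False, ["unparseable source address"])
    if not any(addr in net for net in APPROVED_NETWORKS):
        reasons.append("source %s is not an approved address" % src)
    name = proto.lower()
    if name in CLEARTEXT_PROTOCOLS:
        reasons.append("cleartext protocol %s on port %d" % (name, port))
    elif name not in ENCRYPTED_PROTOCOLS:
        reasons.append("unrecognised protocol %s on port %d" % (name, port))
    if not mfa:
        reasons.append("no second authentication factor presented")
    return Decision(src, user, not reasons, reasons)


def audit(log_lines: List[str]) -> List[Decision]:
    """Evaluate every line; lines that do not match the format are flagged, not ignored."""
    decisions = []
    for line in log_lines:
        m = LINE_RE.search(line)
        if m is None:
            decisions.append(Decision("-", "-", False, ["line did not match expected format"]))
            continue
        decisions.append(
            evaluate(m["src"], int(m["port"]), m["proto"], m["mfa"] == "yes", m["user"])
        )
    return decisions


# Constructed sample log: one compliant session and several policy violations.
SAMPLE_LOG = [
    "2016-02-01T10:00:00Z src=203.0.113.5 dst_port=22 proto=ssh mfa=yes user=operator",
    "2016-02-01T10:01:00Z src=203.0.113.5 dst_port=23 proto=telnet mfa=no user=operator",
    "2016-02-01T10:02:00Z src=192.0.2.77 dst_port=443 proto=https mfa=yes user=vendor",
    "2016-02-01T10:03:00Z src=198.51.100.10 dst_port=502 proto=modbus mfa=yes user=hmi",
    "2016-02-01T10:04:00Z gateway restarted",
]

if __name__ == "__main__":
    for d in audit(SAMPLE_LOG):
        verdict = "ALLOW" if d.allowed else "DENY "
        print(verdict, d.src, d.user, "; ".join(d.reasons))
```

Running the script lists one allowed session and four denials, each with the rule that fired. Unmatched log lines are reported as failures rather than skipped, so a change in the gateway's log format cannot silently hide connections from the audit; the same evaluate() function can be reused as the decision logic of an access proxy, so the audit and the enforcement share one definition of the policy.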

Finally, regular independent security audits should be performed, testing both technology and social engineering aspects for vulnerabilities.

These basic security precautions will go a long way towards ensuring that critical control infrastructure is not compromised.

ICS-CERT

An important source of advice is ICS-CERT, the Industrial Control Systems Cyber Emergency Response Team. They provide detailed recommended practices documents for control systems. Key documents include Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies and Seven Steps to Effectively Defend Industrial Control Systems.

Acknowledgements

Thanks are due to Grant Woolston, Control Systems Manager at SPARQ Solutions, for his contributions to this post.