Improving Security of SCADA Networks
Supervisory control and data acquisition (SCADA) networks are prevalent in utilities around the world to provide oversight and control of their systems. SCADA systems are used in utility infrastructures as computer-based monitoring and control systems that centrally collect, display, and store information from remotely located data collection transducers and sensors to support the control of equipment, devices, and automated functions. Many early SCADA systems used dedicated company lines, telephone lines, or even microwave links with proprietary communications protocols to transmit data back to a central station for monitoring. The processes used to control these systems historically were simple, centrally located, and used a variety of transducers, equipment, and protocols.
Today’s sophisticated SCADA systems use a combination of public and private connectivity to monitor and control these facilities. Architectural and product standardization have become more prevalent in recent years, which has improved overall security. However, standardization can allow attackers to exploit well-known vulnerabilities with a product manufacturer’s equipment or protocol. Securing your network involves a coordinated effort through proper design, process, and technical implementations.
Build a Test Lab. Best practices for network security architecture are well documented, but there are some unique aspects of SCADA systems that force engineers to make a more concerted effort to ensure proper security. Since SCADA involves geographically large systems, with production and monitoring equipment that can be recent or decades old, having a comprehensive test laboratory that mimics the behavior of your SCADA system is critical. A complete test lab provides an environment in which to simulate the routine changes that occur on the network. Adding, removing, or updating hardware and software needs to be reproduced in a controlled environment to ensure these changes will not have an adverse effect on the network. For monitoring systems, it allows new and old systems to work in parallel and gives network engineers the opportunity to compare side-by-side results when both use the same input data. The best example of this is the deployment of any type of security monitoring product: each system receives the same inputs (or issues), allowing the engineer to validate that the new system is at least as good as the old one.
Perform Vulnerability Assessments. Technology provides a lot of targets, and in today’s world, large electric power, water, and oil or gas distribution SCADA systems are attractive objectives for those intent on causing widespread disruption of services. For SCADA engineers, implementing regular vulnerability assessments from external and internal points of the network can help combat this threat. Some companies perform regular vulnerability assessments (i.e. trying to hack into your own network) with internal resources. This approach is relatively inexpensive and allows internal employees to discover and fix some known security problems. Regular assessments from outside security firms that specialize in vulnerability assessments (i.e. good guys or white hat hackers) can decrease risk even further and bring a new level of experience to the security profile. Security companies will follow strict protocols and non-disclosure agreements with the utility that hired them, and most will vet their employees with appropriate background checks. External assessments will often include annual process reviews and social engineering attacks, which these companies are in the best position to analyze since they are not part of the corporate hierarchy. Using different companies for external vulnerability assessments can help bring to bear different processes, tools, and experience.
Capture and Review Your System Data. Security architecture is a complex, multi-layered, constantly evolving system. System monitoring needs to be carefully planned and executed. Many external attacks are preceded by subtle, low-impact probes, just to see if access is available. For example, the attacker walks up to the door and turns the knob, just to see if the door is unlocked, but does not enter or take anything — yet. Since these explorations do not involve loss of data or system failure, they often go unnoticed until the real attack occurs. Ensure that your monitoring systems collect and capture data 24x7, and that you are reviewing this information regularly. The best monitoring and collection systems are invisible to the attacker. Once the information is collected, the storage area should be sufficiently safeguarded to prevent the deletion of the record of the probing incident. Experienced hackers will not only probe a network for vulnerabilities, they will also delete any evidence that they were there. One way to combat this evidence elimination is to ensure monitoring traffic is sent to storage devices in a unidirectional manner, and that the storage device is only accessible from a highly restricted number of internal devices.
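The "turning the knob" probes described above leave no loss or failure behind, only a scatter of denied connection attempts, so the review step has to look for that pattern explicitly. The following is an added example, not code from the article: it parses constructed firewall-style log lines (the line format is an assumption; ports 502 and 20000 are the usual Modbus/TCP and DNP3 ports) and flags any source whose denied attempts touched many distinct host:port targets within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, not captured from any real system. The format
# (timestamp host ACTION src= dst= dport= proto=) is an assumption for this example.
SAMPLE_LOG = """\
2024-05-01T02:14:03 fw1 DENY src=203.0.113.7 dst=10.10.1.5 dport=502 proto=tcp
2024-05-01T02:14:04 fw1 DENY src=203.0.113.7 dst=10.10.1.6 dport=502 proto=tcp
2024-05-01T02:14:05 fw1 DENY src=203.0.113.7 dst=10.10.1.7 dport=20000 proto=tcp
2024-05-01T02:14:06 fw1 DENY src=203.0.113.7 dst=10.10.1.8 dport=22 proto=tcp
2024-05-01T02:14:07 fw1 DENY src=203.0.113.7 dst=10.10.1.9 dport=502 proto=tcp
2024-05-01T02:14:08 fw1 DENY src=203.0.113.7 dst=10.10.1.10 dport=502 proto=tcp
2024-05-01T09:30:00 fw1 ALLOW src=10.10.2.20 dst=10.10.1.5 dport=502 proto=tcp
2024-05-01T09:30:01 fw1 DENY src=10.10.2.21 dst=10.10.1.5 dport=23 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_lines(text):
    """Parse log text into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            event["dport"] = int(event["dport"])
            events.append(event)
    return events


def find_probers(events, window_seconds=300, min_targets=5):
    """Return {source: max distinct host:port targets hit} for sources whose DENY
    events reached at least min_targets distinct targets inside any window_seconds span.
    A single denied attempt (a mistyped address, a misconfigured host) is not flagged."""
    denied = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            denied[e["src"]].append((e["ts"], (e["dst"], e["dport"])))
    flagged = {}
    for src, attempts in denied.items():
        attempts.sort()  # chronological, so each index starts a candidate window
        for i, (start, _) in enumerate(attempts):
            targets = {t for ts, t in attempts[i:] if (ts - start).total_seconds() <= window_seconds}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged
```

Running `find_probers(parse_lines(SAMPLE_LOG))` flags only 203.0.113.7, which touched six distinct targets in five seconds; the single denied attempt from 10.10.2.21 stays below the threshold.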
SCADA networks have evolved to provide us with unprecedented access to advanced infrastructures with a minimal amount of service interruption. In order to continue to provide expected high levels of uptime, advanced security architectures and monitoring must advance at a similar pace.