In late 2014, ICS-CERT issued a warning about a Trojan called BlackEnergy that has been affecting systems since 2011. While this particular malware attacked General Electric’s Cimplicity HMI, Siemens’ SIMATIC WinCC and BroadWin’s WebAccess, it served as a reminder that systems that utilize internet connectivity remain exposed to attack. As the Internet of Things gains traction, the avenues for attacking control systems will only increase.
So what are these attackers after? In the case of Stuxnet, the goal was to damage infrastructure. In this recent wave of attacks, the goal seems to be the exfiltration of process data.
So in a technology field that’s increasingly trending toward greater connectivity and communication in the cloud, what can be done to protect systems that connect to the internet to send and retrieve data?
No checklist of SCADA/HMI security measures will render a system invulnerable, but taking action to protect sensitive data can make your system a far smaller target than an open, unencrypted system.
In addition to the built-in features provided by the HMI software, the end user must enforce processes to increase the level of security of the system. Good practices include:
- Anti-virus protection: Use anti-virus software in each computer, but test it to avoid incompatibility with the control system.
- Design and test contingency plans (disaster recovery plans): Back up an image of each computer, so it can be restored to a safe state if the system is infected. Use hardkey as the licensing method.
- Separate business and control networks: Using the secure viewer and firewall features of InduSoft Web Studio, the SCADA system ahead of the external firewall will become the gateway for real-time data and visualization that is needed on the business network. It’s possible to use VPNs and IPsec to secure communications between control system assets, and device authentication is also recommended.
- “Clean” the stations: Remove unnecessary software and hardware components (including additional Ethernet ports) and keep the OS and anti-virus updated (after testing compatibility in an isolated station).
- Keep up to date on patches and ICS-CERT advisories.
- Consider using the CSET tool from ICS-CERT to help you evaluate your system for vulnerabilities and close security gaps using particular standards (e.g., ISA, NIST, API, ISO, etc.) that apply to your installation or that make sense for it. Download the tool here: https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET
Here are some features included in InduSoft Web Studio that will help you start managing your SCADA/HMI security:
- Support for encryption (Secure Sockets Layer – SSL) for communication over TCP/IP with the Thin Client stations.
- Support for Server Certificate (Security Policy) on its native OPC UA Client module.
- Built-in security system with multiple group levels. A device driver blocks keyboard commands at a very low level and allows you to lock the operator on the HMI/SCADA interface, blocking commands such as Alt+Tab, Windows key, Ctrl+Alt+Delete, Alt+F4, so the operator cannot shut down the application or switch to the desktop or any other unauthorized application.
- The Secure Viewer Thin Client offers a Thin Client solution, with support for all features of the native security system of InduSoft Web Studio.
- Ability to filter the access to the Server based on IP Address ranges of the clients (useful for systems designed for LAN only).
- Web Tunneling Gateway interface, supporting remote access to the runtime station through firewalls, via HTTP or HTTPS protocols.
- Continuous support for the latest patches and versions of Microsoft operating systems.
- Support for the Windows CE operating system (a truly embedded operating system from Microsoft, especially suitable for local HMIs).
- Compatibility with the major anti-virus packages in the market.
- Built-in Firewall protection.
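The IP-range filtering mentioned above only helps a LAN-only system if every allowed range really is a LAN range. The following added example (not InduSoft code or its configuration format; the `first-last` range syntax, function names and sample values are assumptions) audits such an allowlist and applies it with default-deny semantics:

```python
import ipaddress

# RFC 1918 private ranges; a LAN-only allowlist should stay inside these.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_range(text):
    """Parse 'first-last' or a single address into an IPv4Address pair."""
    first, _, last = text.partition("-")
    lo = ipaddress.IPv4Address(first.strip())
    hi = ipaddress.IPv4Address(last.strip()) if last else lo
    if hi < lo:
        raise ValueError(f"range end precedes start: {text!r}")
    return lo, hi

def audit_allowlist(ranges):
    """Return (range, reason) for entries not fully inside one private net."""
    findings = []
    for text in ranges:
        try:
            lo, hi = parse_range(text)
        except ValueError as exc:
            findings.append((text, f"unparseable: {exc}"))
            continue
        if not any(lo in net and hi in net for net in PRIVATE_NETS):
            findings.append((text, "includes non-private (routable) addresses"))
    return findings

def is_allowed(client_ip, ranges):
    """Default-deny: allow only if client_ip falls inside a valid range."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    if ip.version == 6:
        # Dual-stack listeners may report IPv4 peers as ::ffff:a.b.c.d.
        ip = ip.ipv4_mapped
        if ip is None:
            return False
    for text in ranges:
        try:
            lo, hi = parse_range(text)
        except ValueError:
            continue  # a broken entry never grants access
        if lo <= ip <= hi:
            return True
    return False

# Constructed sample allowlist (not from any real installation).
SAMPLE = ["192.168.10.20-192.168.10.60", "10.1.0.5",
          "172.30.0.1-173.0.0.1", "0.0.0.0-255.255.255.255"]
```

Running `audit_allowlist(SAMPLE)` flags the last two entries, which would admit clients from outside the LAN.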
For a more in-depth study of SCADA and HMI security, please take a moment to read the Cybersecurity e-books co-authored by InduSoft and the University of New Mexico Ruidoso Cyber Security Center of Excellence.
InduSoft Application Design and SCADA Deployment Recommendations for Industrial Control System Security – This eBook provides guidance when building and implementing HMI and SCADA systems, and describes best practices to secure them against cyber-attacks and known vulnerabilities.
Framework for SCADA Cybersecurity – This eBook will provide Critical Infrastructure customers and academic students an understanding of the NIST Cybersecurity Critical Infrastructure Framework and how to apply the framework to new and existing SCADA applications and implementations.