In light of recent attacks on industrial control systems, we wanted to expand on some measures that should be implemented in order to make SCADA Systems and Industrial Control Systems (ICS) controlling critical infrastructure inherently more secure. We expect that the majority of our customers may have already investigated using most or all of these methods in their security configurations, but we’ll discuss them and expand on them as necessary, using current industry guidance recommendations.
Over-Reliance on Air-Gap Systems
We know from experience that it is not possible to simply air-gap most SCADA systems, whether or not the system is used within critical infrastructure. Current ICS/SCADA security guidance recognizes that air-gapping is not necessarily a reliable security method, unless the plant is, for instance, a substation with no automation connected to anything outside its physical fence perimeter.
Substation equipment may be 30-50 years old, and relies on automatic resetting by switches and transformers based on very specific scenarios of the high-voltage and medium-voltage grids to which they are connected. Anything outside of the programmed scenarios, however, creates a need for manual resetting of the equipment: personnel must physically visit the plant or substation in order to reset or restart it.
Older water plant facilities and tank farms may also fall into this category, unless the controls have been recently updated, in which case the SCADA systems could be reachable wirelessly, or through internet connections carelessly brought into the facility.
True “air-gapped” systems remain exposed to other intrusion routes, such as social engineering and USB drives, or even infected CDs or DVDs, if the control equipment is PC-based and the machines have not been sufficiently secured and locked down. This single attack vector is enough to create concerns about SCADA and PLC/RTU reprogramming bots that can be introduced into, and persist within, an unprotected system. This was the infiltration vector used by the successful Stuxnet attack; once inside, man-in-the-middle (MitM) attacks were used to spoof the HMIs/operator stations about the actual state of the PLCs and equipment.
Going Beyond Default Security Measures
Default configurations of software and operating systems don’t cover the security basics. Current best practices include creating subnets for the industrial control system, and using a “DMZ” to segregate the data historian from the business network, where data is passed on to visualization, analysis, and the ERP system. In a single SCADA system solution such as InduSoft Web Studio, the SCADA system should be designed to be the data “gatekeeper”, meaning it should be the only means of getting data into the control system (e.g., operator input) or out of it (process visualization and analysis), with appropriate firewalls and safeguards applied where necessary.
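An added example, not from the original post or from InduSoft, of checking firewall flow records against this layout: the business network may only reach the historian in the DMZ, and only the SCADA server may feed the historian from the control subnet. The zone ranges, historian address and port, and the log lines are all constructed assumptions.

```python
import ipaddress

# Added example, not from the original post: audits firewall flow records
# against the DMZ/gatekeeper architecture described above. All addresses,
# ports and log lines are constructed assumptions for this example.
ZONES = {"business": ipaddress.ip_network("10.10.0.0/16"),
         "dmz": ipaddress.ip_network("10.20.0.0/24"),
         "control": ipaddress.ip_network("10.30.0.0/24")}
HISTORIAN = ipaddress.ip_address("10.20.0.10")    # only DMZ host exposed
SCADA_SERVER = ipaddress.ip_address("10.30.0.5")  # the data "gatekeeper"
HISTORIAN_PORT = 1433                             # assumed historian port

def zone_of(ip):
    """Zone name for an address (str or ip object), or None if unknown."""
    ip = ipaddress.ip_address(ip)
    return next((n for n, net in ZONES.items() if ip in net), None)

def check_flow(src, dst, dport):
    """Verdict for one flow: only two cross-zone paths are allowed."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "ok"  # intra-zone traffic is outside this check
    if dst == HISTORIAN and dport == HISTORIAN_PORT:
        if sz == "business" or src == SCADA_SERVER:
            return "ok"  # business reads, SCADA server writes, via the DMZ
    if sz == "business" and dz == "control":
        return "violation: business network reached the control zone directly"
    if sz == "control":
        return "violation: control device bypassed the SCADA gatekeeper"
    return "violation: cross-zone flow not in the allow-list"

def audit(log_text):
    """Parse constructed 'key=value' flow lines and return the violations."""
    findings = []
    for line in log_text.strip().splitlines():
        ts, *kv = line.split()
        f = dict(tok.split("=", 1) for tok in kv)
        verdict = check_flow(f["src"], f["dst"], int(f["dport"]))
        if verdict != "ok":
            findings.append((ts, f["src"], f["dst"], verdict))
    return findings

SAMPLE_LOG = """
2024-03-01T08:00:01Z src=10.10.5.3 dst=10.20.0.10 dport=1433 action=accept
2024-03-01T08:00:02Z src=10.30.0.5 dst=10.20.0.10 dport=1433 action=accept
2024-03-01T08:00:03Z src=10.10.5.3 dst=10.30.0.7 dport=502 action=accept
2024-03-01T08:00:04Z src=10.30.0.7 dst=10.10.5.3 dport=445 action=accept
"""
```

Running `audit(SAMPLE_LOG)` flags the last two records: a business host talking straight to a control device, and a control device that is not the SCADA server talking out to the business network.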
Security Measures for Physical Devices
USB keys and portable devices, such as laptops plugged into control systems, continue to be one of the biggest threat vectors for malware and attacks. USB ports should be controlled and isolated, and removable media should always be scanned by anti-malware software or appliances before being allowed outside a DMZ.
Gap Analysis and Advanced Persistent Threats
Security for your control system must be layered. APTs can only be introduced into systems that can harbor them, and they can wait a long time before becoming active. By performing a gap analysis of your industrial control system configuration, hidden APTs can be made to show themselves, either through detection methods or by provoking them into revealing themselves through their designed behavior. There are many methods for revealing APTs, and when you begin planning to scan for and secure against them, it is best to do the planning with experts who are intimately familiar with the SCADA system you are using and who know how to remove or protect against them without disrupting your control system operation.
Caution when Penetration Testing
Gap analyses and risk assessments of your system are certainly needed at continuing intervals, especially if your SCADA configuration changes over time. Using the US-CERT CSET tool can be a big help in reaching the point where an understanding of the security needs of your SCADA system begins to come into focus. The tool asks industry- or region-specific questions about your system based on any number of standards such as NIST, ISA/IEC, ANSI, and ISO, and even your own. In regard to penetration testing, if the need becomes a requirement, judicious amounts of care must be applied and the people hired must know exactly what they are doing. During the NIST conferences that I attended last year, the biggest objections to pen-testing were disruption of the industrial control systems and loss of production when the testing took place. Additionally, some companies that had experienced pen-testing in their facilities cited equipment damage, in some cases resulting in data loss, damaged servers, and loss of process control. Therefore, penetration testing should be done only after a requirement is shown for it, and by knowledgeable security companies with a proven track record of being intimately familiar with your SCADA system.