SCADA stands for Supervisory Control and Data Acquisition, being the consecrated denomination since the 70s for the remote monitoring and control activities necessary in modern industrial activities.
A subcategory of the general ICS (Industrial Control Systems), SCADA systems gained importance with the growth of pre-IoT automated industrial processes. The concept of large-scale processes in multiple sites (with or without remote commands involved), coordinated via an IT system and determining physical world consequences represents the future of industry in a nutshell, or at least that is what the mainstream opinions suggest.
Any SCADA infrastructure is complex and depends upon embedded sensors (which we have approached in a different cyber-security article). A basic SCADA diagram consists of the terminals level (computer and panel view), a LAN or WAN network level (or the wireless connectivity elements), the PLCs (Programmable Logic Controller) or RTUs (Remote Terminal Units) level that feeds information to the system and collects information from the sensors, and finally the sensors/manual inputs level that translate the physical processes into computer language.
Modern SCADA systems adopted SQL databases, thus covering the rift previously installed between standard IT databases and SCADA technology. Web-based applications were also adopted into SCADA, and many providers compete on this automation software market and try to offer improved capabilities.
SCADA cyber-security issues
Since Supervisory Control and Data Acquisition systems virtually control physical processes via software programs, in areas such as the industrial manufacturing sector, the energy sector, the infrastructure sector (power, transportation, water management and so on), keeping SCADA functionality intact and untampered with represents a critical necessity.
The economy, infrastructure or defense of a country depends on securing SCADA systems against any malicious intrusion. A malicious intruder can cause local or general blackouts or deactivate hardware systems, could trigger nuclear systems malfunctions or turn traffic into chaos.
An article listing SCADA cyber-security incidents from 2015 depicts a worrying image: since December 2014 the number of attacks has risen and the nuclear industry is especially at risk, while the classic security methods no longer cope. Air-gapping critical computer systems is not enough, as the researchers demonstrated this past year – and this method is the most commonly used in SCADA and ICS systems protection (see here more details on air-gapping).
The basic approach in continuously monitoring system security presumes a vigilant attitude towards any elements that come into contact with the main system, from portable media to any file transfer whatsoever. Nevertheless, the most sophisticated cyber-attacks are well prepared and employ engineering in order to bypass usual security measures, therefore they are less likely to be fended off just by keeping a high level of vigilance and following the established security strategy and best workplace practices. It takes a complex set of measures implemented by the cyber-security department or by an external provider to be able to mark a manufacturers’ cyber-security policy as being medium to strong.
Another issue concerning SCADA systems has to do with a classic group of misconceptions: since basic SCADA networks precede the modern Internet, there is an assumption that modern SCADA are also isolated from Internet-connected vulnerabilities; the same un-motivated assumption of security applies to connections between corporate networks and SCADA networks; yet another misconception concerns the knowledge needed in order to breach a SCADA system, which is actually not different from the knowledge required for usual computer programming.
With an increasing number of ICS vulnerabilities being reported and registered since 2011 (the post Stuxnet moment of truth), it is clear that SCADA systems are vulnerable to threats, and that consequences derived from such threats could be catastrophic. Specifically tailored security programs are absolutely necessary and should be a basic requirement in industry partnerships, otherwise all security measures employed by a company could be compromised when its products associate and interact with potentially non-secured products (software, embedded chips, services) coming from a less security aware company.
SCADA systems cyber-security solutions
Solutions for cyber-security improvement include:
- Training your employees, in accordance with their role and position; even the ones with simpler tasks need to be aware of the possibility of representing a weak-entry point from the perspective of a cyber-attacker; the basic cyber-security rules once acquired always constitute an extra workplace skill (keeping the password secrecy, regularly updating any software the person is in charge of, keeping personal files and devices separate from work tech; being vigilant in regard with any pattern disruption in the technological environment or in the personnel behavior, never allowing urgency to modify procedural precautions and so on); a specialized training in ICS security covers all these issues, as well as many other technical aspects, as you can see here.
- Going for a security assessment performed by a specialized provider, in order to find out exactly how vulnerable the concerned system actually is. Such an assessment reviews the system, its defense features, the connectivity elements and their weaknesses, the key staff members, the physical security risks and the recovery ability in case of a cyber-attack. Another provider mentions how the assessment requires the systems to be offline, or having a testable backup available; but even if it takes an extra effort to prepare for the entire operation, it is important to know exactly the overall situation. A complete assessment should cover the main three elements: policy and procedure vulnerabilities, platform vulnerabilities, as well as network vulnerabilities.
An interesting lecture on this topic would be the U.S. National Institute of Standards and Technology (NIST) framework for cyber security, available for download here. You may notice on the same page the DHS’ Critical Infrastructure Cyber Community C³ Voluntary Program, destined to assist and help owners and operators align with the NIST framework. Known as the NIST model for cyber-security, this framework can serve as a guidance tool in approaching the SCADA systems cyber-security issue.
The right motivation in SCADA systems security measures
Raising cyber-security awareness on SCADA systems should clarify the fact that defending one system is important in itself, as well in view of the connectivity to be.
The Internet of Everything can remain secure only if all those involved in manufacturing technology, developing software for that technology, setting up and using it are in turn aware that no entry point should be vulnerable. This is a measure that should go the right way from the first attempt, otherwise repairing the damages and mitigating the risks becomes harder and harder once weaknesses are integrated into the connected environment and unpredictability threatens all systems.
There were demo exploits in 2015 on how planes, trains and automobiles can be hacked – and this is no laughing matter (unlike that Steven Martin movie title this enumeration might have triggered memories of).
Therefore the right motivation, (along with cyber-security compliance, organizational best practices, the status of a trust-able operations partner, avoiding unpleasant incidents and possible future liabilities) would reside in the awareness that IoT connectivity affects and concerns each and every involved entity and person – and so does IoT cyber-security in its every detail, including SCADA systems security.
