
SPECIAL – The SCADA Syndrome: Addressing the Threats and Challenges of Protecting Critical Infrastructure

SCADA (supervisory control and data acquisition) is a true battleground in the war against cyber attacks. It’s become one of those innocuous acronyms for what is now the most crucial of analytic tools, the ones which keep countries and businesses secure by ensuring our nuclear power plants, our airports and our weapons caches continue to run smoothly.

A SCADA network is a type of industrial control system (ICS), which uses multiple hardware and software elements to perform key functions in the delivery of essential services and commodities in the real world, such as water and power, transportation services, and other utilities. SCADA systems are distinguished from other ICS systems by their size and magnitude; typically, a SCADA system spans multiple sites over very long distances. While SCADA systems have many applications, they are especially popular in the utility industry because they allow workers to control and monitor utility equipment from remote locations.

SCADA systems use a series of codes to relay messages from sensors to central terminals when a fault occurs, and ensure the fault is analyzed immediately.

Many of these SCADA systems were built decades ago when cyber security was not really an issue. They were built to maximize functionality, efficiency, and safety – but not cybersecurity.

There are also widespread myths that SCADA networks do not “need” information security because they already enjoy “security through obscurity.” But here’s the fear factor – they are being hacked with increasing regularity. In essence, whoever hacks a SCADA system can literally have their finger on the button of the nukes.

Many SCADA systems use proprietary interfaces and specialized protocols that aren’t widely known, but obscurity does not equal security. All it takes is one malicious insider – or unsuspecting victim – to hand system credentials and protocols over to a hacker. An attack on a Ukrainian power company’s SCADA network last December, which took 30 substations offline and left 230,000 residents without power for hours, had its genesis in a spear-phishing attack targeting system administrators and IT employees at power companies throughout Ukraine.

Other SCADA systems are not connected to the Internet and use private physical network links or satellite connections to transmit data. It is widely believed that this “segregation” provides immunity to breaches, but no twenty-first century network is truly completely segregated and private networks and satellite connections can be breached. Even if a particular system is normally not connected to any network, it will still require software updates and need to perform data transfers using a flash drive or a non-permanent modem connection, both of which can be compromised by hackers using social engineering techniques, such as installing malware on a thumb drive and leaving it for an unsuspecting employee to find.

The Stuxnet virus, which ravaged Iran’s Natanz nuclear facility and was believed to have been developed and unleashed by the governments of the US and Israel, entered the system through an infected thumb drive planted by a malicious insider: an Iranian double agent. And, in March, a federal indictment accused a team of hackers with ties to the Iranian government of using a cable modem to breach the SCADA system at the Bowman Avenue Dam in New York State.

To successfully defend against SCADA attacks, organizations need a complete solution that does not adhere to the outdated belief that just physically isolating systems and buying technology will make a facility safe. Since 90 percent of system breaches, including the Stuxnet attack on Iran and the Ukraine power system breach, are the result of hackers stealing legitimate login credentials, a two-fold approach that combines technological defenses with rigorous internal cyber security training and procedures is necessary. A few suggestions to consider:

  • Identify all connections to the SCADA system, including LANs, WANs, satellite links, and modems. Disconnect any devices that do not need to be connected. Likewise, identify and disconnect any unused or unnecessary services, such as automated meter reading and remote billing systems, email services, and remote maintenance. Isolation is not information security, but limiting the number of source points hackers have access to is a good starting point.
  • Implement intrusion detection systems and establish 24-hour-a-day incident monitoring and response. Incident response procedures must be in place to ensure that security personnel are available to respond to breaches at any time of the day or night.
  • Perform system backups and have a robust disaster recovery plan. The organization must have a disaster recovery plan that can handle any type of emergency, including a cyber terrorist attack, and get systems back online as soon as possible.
  • Establish strict, specific cybersecurity rules and protocol for employees. An organization’s employees can be the weak link in an otherwise secure environment, which is why hackers commonly use social engineering techniques as a first entry point into a system.
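The first two suggestions above (inventory every connection and service, then monitor for anything that departs from that inventory) fit together naturally: the inventory becomes the baseline that the monitoring compares against. The following Python script is an added illustration, not code from the article or from Mosaic451. The baseline of approved connections, the list of retired services, the maintenance window, the host names and the log lines are all constructed for this example; a real deployment would derive the baseline from the connection survey the first bullet describes and feed it from the organization's own network or PLC logs.

```python
"""Baseline-driven monitoring of SCADA network connections (added example).

The baseline, maintenance window, host names and sample log are constructed
for illustration and stand in for the organization's own inventory.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Tuple

# Step 1 output: the (source, destination, service) triples that were found
# during the connection survey and judged necessary. Anything else is a finding.
APPROVED_CONNECTIONS = {
    ("hmi-01", "plc-07", "control"),
    ("historian", "plc-07", "telemetry"),
    ("eng-ws-02", "plc-07", "remote-maintenance"),
}

# Services the survey decided to disconnect; any sighting means the
# decommissioning did not actually happen.
RETIRED_SERVICES = {"email", "remote-billing", "meter-reading"}

# Remote maintenance is only expected inside this (hypothetical) window.
MAINTENANCE_START, MAINTENANCE_END = time(8, 0), time(17, 0)


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    service: str
    action: str  # e.g. "read", "write", "login"


def parse_event(line: str) -> Event:
    """Parse one whitespace-separated record: <iso-timestamp> <src> <dst> <service> <action>."""
    ts, src, dst, service, action = line.split()
    return Event(datetime.fromisoformat(ts), src, dst, service, action)


def in_maintenance_window(t: time) -> bool:
    return MAINTENANCE_START <= t <= MAINTENANCE_END


def evaluate(event: Event) -> List[str]:
    """Apply the baseline rules to one event; an empty list means nothing to report."""
    alerts = []
    if event.service in RETIRED_SERVICES:
        alerts.append(f"retired service '{event.service}' still reachable from {event.src}")
    if (event.src, event.dst, event.service) not in APPROVED_CONNECTIONS:
        alerts.append(f"connection {event.src}->{event.dst} via {event.service} is not in the baseline")
    if event.service == "remote-maintenance" and not in_maintenance_window(event.ts.time()):
        alerts.append(f"remote maintenance at {event.ts.time()} is outside the agreed window")
    return alerts


def scan(lines: List[str]) -> List[Tuple[Event, List[str]]]:
    """Return (event, alerts) for every record that triggered at least one rule."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        event = parse_event(line)
        alerts = evaluate(event)
        if alerts:
            findings.append((event, alerts))
    return findings


# Constructed sample log: two benign records, one dial-in at 02:17 that is
# neither in the baseline nor inside the maintenance window, one approved
# maintenance session, and one record showing a supposedly retired service.
SAMPLE_LOG = """
2016-03-14T10:05:00 hmi-01 plc-07 control write
2016-03-14T10:06:00 historian plc-07 telemetry read
2016-03-14T02:17:00 modem-dialin plc-07 remote-maintenance write
2016-03-14T11:00:00 eng-ws-02 plc-07 remote-maintenance write
2016-03-14T11:30:00 billing-srv plc-07 remote-billing read
"""

if __name__ == "__main__":
    for event, alerts in scan(SAMPLE_LOG.splitlines()):
        for alert in alerts:
            print(f"{event.ts.isoformat()} ALERT: {alert}")
```

Run against the constructed log, the script reports the 02:17 dial-in twice (unbaselined connection and off-hours maintenance) and the billing server twice (retired service and unbaselined connection), while the approved HMI, historian and daytime engineering sessions pass silently. The point of the design is that the rules contain no protocol knowledge at all; they work only because the survey in step 1 produced an explicit list of what is supposed to exist, which is why that inventory is the prerequisite for the monitoring in step 2.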

Because it is necessary to monitor SCADA networks and respond to incidents 24/7, many organizations choose to outsource part or all of their SCADA network security to a managed security services provider, or MSSP. In addition to providing a level of expertise that may not be available in-house, MSSPs have the specialized hardware and software needed to monitor the entire SCADA network, from the RTU/PLC layer down to the HMI, as well as 24-hour staffing to immediately investigate unusual activity and respond to incidents.

The Wall Street Journal reported in March 2015 that if only nine of the country’s approximate 55,000 electrical substations went down – whether from mechanical issues or malicious attack – the nation would experience a coast-to-coast blackout. Providers of utilities and other critical infrastructure services must act now to protect not only themselves and their customers but also the entire country from a terrorist attack. It’s a war that must be fought daily, but one that can be won.

Mike Baker is founder and Principal at Mosaic451, a bespoke cybersecurity service provider and consultancy with specific expertise in building, operating and defending some of the most highly-secure networks in North America.

Homeland Security Today: http://www.hstoday.us
The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.
