The U.S. currently faces a growing threat from cyber-attacks against its critical infrastructure (CI) vital to our modern society. Many understand this growing threat but don’t know the origins of a key attack vector. In a recent report on securing industrial control systems (ICS) it was said that “much of the Nation’s CI depends on ICS such as supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS), which rely on programmable logic controllers (PLC) to manage essential and complex operational processes.”[i]
SCADA systems are used to operate large-scale systems around the world, to include the U.S.[ii] The widespread adoption of SCADA grew because of the need to more economically manage large-scale industrial systems to support modern society’s growing demand for products, services, and utilities. The sheer size, complexity, and sensitivity of these large-scale industrial systems requires continuous monitoring, communication, and coordination at remote locations to provide needed utility services.[iii]
Prior to SCADA, industrial systems required numerous personnel to continuously monitor and coordinate activities, often by pre-digital analog devices. Personnel would monitor industrials systems and relay information to the main operator. As industrial complexity grew, sites became larger and as demand grew, sites often became more remote. In response, human-enabled analog systems become more cumbersome, time consuming, and uneconomical, and just in time digital technology grew and is pervasive today across industry.[iv]
The steady evolution of SCADA over many decades was focused on the reduction of cost through fewer workers and more timely, accurate, and data-based decisions. Automation and supervisory control began to take hold as early as the 1950s within the oil, gas, and electric industries. In the 1960s, telemetry that facilitated automated data transmission from remote locations entered the scene. PLCs and microprocessors were introduced to manage industrial plant operations as early as the 1970s. Between 1980 and 2000, SCADA systems began to be networked through proprietary software and hardware with a shift toward open-source solutions in the 2000s.
Today’s SCADA systems are complex and widespread. Even a small SCADA system will process thousands of signals interlaced with numerous parameter descriptors, such as time stamps, values, measurements, event locations, and detailed event logs.[v] Most large industrial systems are entirely reliant on SCADA systems to examine, process, and analyze data in real time to maintain the industrial process, and lacking that, consumer demand and infrastructure stability could not be met in many sectors.[vi]
As SCADA components played a more predominant role, they had to be adapted to work with legacy systems, creating a patchwork thwart with inherent vulnerabilities to outside and unauthorized monitoring and malicious activities. One of the classic SCADA vulnerabilities is the need for periodic software updates, often done via internet connectivity, which creates pathways for outsiders. As SCADA systems were incorporated into more and more industrial systems, ease of managing software updates often exceeded security priorities which created even more vulnerabilities and pathways.[vii]
Unfortunately, this evolution, adoption, and heavy reliance on SCADA today has left U.S. critical infrastructures vulnerable to cyber-related attacks. For example, due to legacy issues, some SCADA components can be overloaded with tasks forcing communications to be dropped entirely, which is a concerning attack vector.[viii] SCADA systems have multiple components that can be compromised via a capable malicious actor. These components include the following: (1) Remote Terminal Units (RTUs) with embedded control capabilities; (2) telemetry systems; (3) PLC; (4) software historians; (5) data acquisition servers; (6) Human-Machine Interfaces (HMI); and (7) a supervisory control system.[ix]
One of the most foundational early tests to illustrate the risk of cyber-attacks on SCADA was conducted in 2007, when the Department of Energy (DOE) and Department of Homeland Security (DHS) carried out the AURORA Project test in cooperation with the Idaho National Engineering Lab (INEL). AURORA’s purpose was to demonstrate how the growing reliance on SCADA systems was increasing U.S. critical infrastructure’s vulnerability to cyber-attacks, in this case a rotating diesel generator running on three-phase power. INEL engineers executed various cyber-attacks remotely through the internet and repeatedly turned it on and off putting it out of phase and within minutes caused the generator to implode from the generated stresses.[x]
In 2009, a televised 60 Minutes episode showcased SCADA vulnerabilities and specifically referenced the AURORA Project. The public rapidly became very aware of how nuclear power plants, electrical grids, refineries, pipelines, water treatment facilities, and data centers could fall prey to potential cyber-attacks. Now, every state-sponsored and non-state sponsored entity alike were looking at SCADA vulnerabilities. The threat to U.S. infrastructure from cyber criminals, terrorist, and malicious actors compounded overnight. At the time, DHS, the White House, and Congress began to visibly address the looming cyber threat to our critical infrastructure sectors. President Barack Obama even stated that the cyber-threat to critical infrastructure was one of the most serious security challenges facing the nation.[xi]
In 2010, a highly publicized cyber-attack on a SCADA system was uncovered. Malware was discovered on several systems across the globe, with an unusually high concentration of impacted systems in Iran. The malware was quickly named Stuxnet and was identified as a highly sophisticated and complex computer worm. Stuxnet garnered much attention from the international community as it became apparent that an unknown actor designed it to attack a particular SCADA brand and model; as such, Stuxnet still represents a key moment in the history of cyber-attacks on industrial systems.[xii] Stuxnet is worth discussing further.
Stuxnet was specifically engineered to attack a specific device and model within a particular industrial system. The apparent target was the PLCs associated with Iran’s Nantanz nuclear power facility’s centrifuges. Stuxnet compromised the integrity of the centrifuges by increasing their speed beyond their specification limits and making that unbeknownst to the operators, until the centrifuges were damaged. The attack allegedly destroyed upwards of 20 percent of Iran’s nuclear centrifuges and set back Iran’s nuclear program, which was believed to be the intent of the attack.[xiii]
Undoubtedly, Stuxnet was well-planned, engineered, and took advantage of a multitude of vulnerabilities rarely seen in a singular attack. As such, Stuxnet was believed to be nation-state backed as it was so innovative, utilized insider knowledge, exploited human weaknesses, and exhibited a wealth of technical skills and expertise across a broad spectrum of industries.[xiv] Stuxnet was even designed to self-replicate and jump from computer-to-computer and perform complex actions without any human provocation or a connection to the internet.[xv]
Additionally, Stuxnet took obfuscation into account. Stuxnet employed a layer of stealth on the PLCs it infected, and it utilized two legitimate security clearances under employed drivers. Stuxnet was even designed to limit its replication, to minimize its spread across SCADA systems to reduce its chances of discovery. Moreover, Stuxnet limited the number and the extent of damage to the centrifuges it was targeting so as not to draw direct and unwanted attention.[xvi]
Mostly notably of all, Stuxent employed four separate and previously unknown exploits commonly referred to as “zero-day” vulnerabilities. These zero-day exploits were designed to act harmoniously in concert with one another. One zero-day exploit was used to gain access to the SCADA systems, another was used to spread the worm, and two additional zero-days exploits were used to elevate privileges within the system it infected. In addition, despite using four zero-day exploits, the architects behind Stuxnet even planned for when these zero-day exploits were patched and prepared for a secondary avenue to maintain and spread Stuxnet.[xvii]
Without a doubt, the Stuxnet event marks a key turning point in cyber-related attacks. And, while the Stuxnet virus is well known for what it did accomplish, one of the most important takeaways from the event is not what Stuxnet did, but what it could have done.[xviii] Certainly, had the architects of Stuxnet had other intentions, Stuxnet could have been far worse and far more malicious. Interestingly, the Stuxnet virus was comprehensibly decompiled and is available to download on the internet to analyze.[xix]
Despite all of the warnings, incidents, reports, and the watershed event of Stuxnet, SCADA vulnerabilities are not diminishing. In 2016, the Ukrainian power grid fell to an attack by malware knows as “Industroyer,” which was specifically designed to degrade large-scale industrial systems. Industroyer demonstrated an in-depth knowledge of industrial communications and power grids and its impacts were felt in Ukraine as the power was interrupted for well over an hour.[xx] An hour of power loss may seem inconsequential, but the power grid attack was really intended to send a clear political signal.
Since Ukraine cyber-attack in 2016, the number of vulnerabilities to SCADA systems has only increased. In 2018, Trend Micro published a report further illustrating how human-machine interface (HMI) vulnerabilities could be exploited in various ways and noted how HMI is present in over a thousand different utility systems worldwide.[xxi] Trend Micro’s 2018 report identified a little under 400 SCADA-related vulnerabilities. This number represents a 200 percent increase from the previous year.[xxii]
Undoubtedly, the challenges to securing industrial assets abound. Many of the exposed systems are legacy systems that were not designed with cyber-threats in mind. Additionally, these legacy systems have difficulty receiving security patches and updates due to memory constraints and limited functionality.[xxiii] Furthermore, complete overhauls are necessary in some infrastructure sectors in order to bring many important sectors up to date with modern security standards.
As mentioned before, one of the biggest vulnerabilities to remote cyber-attacks comes from locations with unprotected internet connectivity. Sadly, there are still significant amounts of industrial assets that are unsecure and connected to the open internet mainly because it was seen as a cost-savings measure to upgrade and maintain these SCADA systems through remote software patching.[xxiv] While the physical cost of critical infrastructure is enormous, the indirect costs associated with the loss of critical infrastructure would be incalculable. One can only imagine the loss of life and economics a city could experience if it were to lose power for an extended period from a cyber-attack on a power plant. With that said, the U.S. currently faces a growing threat from cyber-attacks against its critical infrastructure thus requiring the need to continuously assess SCADA vulnerabilities in order to stay one step ahead to protect our critical infrastructures and modern society.
The authors are responsible for the content of this article. The views expressed do not reflect the official policy or position of the National Intelligence University, the Department of Defense, the U.S. Intelligence Community, or the U.S. Government.
About the Authors:
Christopher M. Bosse possess over seven years of experience in acquisitions, project management, and engineering in support of the U.S. Department of Defense and over ten years of experience in healthcare administration. Mr. Bosse holds a Bachelor of Science in Management from Clemson University, a Master of Business Administration with an emphasis in Management Information Systems from Charleston Southern University, and a Master of Science in Technology Intelligence from the National Intelligence University.
Mitchell E. Simmons Ph.D. MSA MSME, Lieutenant Colonel, United States Air Force (Retired) is the Associate Dean for Academic Affairs & Program Director in the School of Science and Technology Intelligence at the National Intelligence University in Bethesda, Maryland. Dr. Simmons teaches courses in Intelligence Collection, National Security Policy and Intelligence, and Infrastructure Assessment Vulnerability. He has over 25 years of experience in acquisition, engineering, and infrastructure vulnerability within and supporting the Intelligence Community. His expertise includes physical and functional vulnerability of hardened and deeply buried targets and critical infrastructure from traditional and asymmetric threats. Dr. Simmons holds a Bachelor and Master of Science in Mechanical Engineering from Ohio University, a Master of Science in Administration from Central Michigan University, and a Doctorate in Engineering Management from The Union Institute and University.
Bailey, David, and Edwin Wright. Practical SCADA for Industry. Amsterdam: Newnes, 2013.
Caldwell, Darwin G. Robotics and Automation in the Food Industry. Cambridge: Woodhead Publishing, 2013.
Capasso, Antonio, and Giacomo Veneri. Hand-on Industrial Internet of Things. Birmingham: Packt Publishing, 2018.
D’Agostino, Giulio. Conversations in Cyberspace. New York: Business Expert Press, 2019.
Easttom, Chuck. Computer Security Fundamentals, 4th Edition. Pearson IT Certification, 2019.
Gallant, Eric. “The SCADA Worm Threat to Mission Critical Infrastructure.” Mission Critical. n.d. http://digital.bnpmedia.com/publication/?m=8602&i=61108&view=articleBrowser&article_id=638596 (accessed June 5, 2020).
Kumar, Mohit. “Stuxent Source Code Released Online – Dowload Now.” The Hacker News. July 3, 2011. https://thehackernews.com/2011/07/stuxnet-source-code-released-online.html (accessed June 7, 2020).
Monte, Matthew. Network Attacks and Exploitation. Indianapolis: Wiley, 2015.
Osborne, Charlie. “This is How Hackers Can Take Down Our Critical Energy Systems Through the Internet.” ZDNet. October 30, 2018. https://www.zdnet.com/article/this-is-how-hackers-can-take-down-our-core-water-energy-systems/ (accessed June 7, 2020).
[i] Securing Industrial Control Systems: A Unified Initiative FY2019-2023, Cybersecurity and Infrastructure Security Agency, July 2020. Rosslyn, Arlington, VA. https://www.cisa.gov/sites/default/files/publications/Securing_Industrial_Control_Systems_S508C.pdf
[ii] Easttom, Chuck. Computer Security Fundamentals, 4th Edition. Pearson IT Certification, 2019.
[iii] Capasso, Antonio, and Giacomo Veneri. Hand-on Industrial Internet of Things. Birmingham: Packt Publishing, 2018.
[iv] Bailey, David, and Edwin Wright. Practical SCADA for Industry. Amsterdam: Newnes, 2013.
[v] Easttom, Chuck. Computer Security Fundamentals, 4th Edition. Pearson IT Certification, 2019.
[vi] Capasso, Antonio, and Giacomo Veneri. Hand-on Industrial Internet of Things. Birmingham: Packt Publishing, 2018.
[ix] Easttom, Chuck. Computer Security Fundamentals, 4th Edition. Pearson IT Certification, 2019.
[x] Gallant, Eric. “The SCADA Worm Threat to Mission Critical Infrastructure.” Mission Critical. n.d. http://digital.bnpmedia.com/publication/?m=8602&i=61108&view=articleBrowser&article_id=638596 (accessed June 5, 2020).
[xii] Monte, Matthew. Network Attacks and Exploitation. Indianapolis: Wiley, 2015.
[xiii] Gallant, Eric. “The SCADA Worm Threat to Mission Critical Infrastructure.” Mission Critical. n.d. http://digital.bnpmedia.com/publication/?m=8602&i=61108&view=articleBrowser&article_id=638596 (accessed June 5, 2020).
[xiv] Monte, Matthew. Network Attacks and Exploitation. Indianapolis: Wiley, 2015.
[xv] Gallant, Eric. “The SCADA Worm Threat to Mission Critical Infrastructure.” Mission Critical. n.d. http://digital.bnpmedia.com/publication/?m=8602&i=61108&view=articleBrowser&article_id=638596 (accessed June 5, 2020).
[xviii] Easttom, Chuck. Computer Security Fundamentals, 4th Edition. Pearson IT Certification, 2019.
[xix] Kumar, Mohit. “Stuxent Source Code Released Online – Download Now.” The Hacker News. July 3, 2011. https://thehackernews.com/2011/07/stuxnet-source-code-released-online.html (accessed June 7, 2020).
[xx] D’Agostino, Giulio. Conversations in Cyberspace. New York: Business Expert Press, 2019.
[xxi] Osborne, Charlie. “This is How Hackers Can Take down Our Critical Energy Systems through the Internet.” ZDNet. October 30, 2018. https://www.zdnet.com/article/this-is-how-hackers-can-take-down-our-core-water-energy-systems/ (accessed June 07, 2020).