Looming cyber attacks threaten critical control systems

With computerised control systems operating everything from power plants and water treatment facilities to transport systems and factories, the potential for disruptive cyber attacks grows by the week, writes Kurt Hansen, Regional Managing Director – ANZ, Check Point Software Technologies.

Public infrastructure, along with industrial and manufacturing companies, has come to rely on such dedicated computer management systems for daily operation. Linked to networks of controllers and sensors, the systems are critical for the ongoing proper function of these assets.

Known as SCADA (Supervisory Control and Data Acquisition) and ICS (Industrial Control System) solutions, these systems enable the collection and analysis of data and help automate control of equipment such as pumps, valves and relays.

Any disruption to these systems would have a dramatic impact. Power services could be disrupted, water supplies compromised, and manufacturing facilities brought to a halt. The resulting financial and societal ramifications could be immense.

Already, attacks on such critical infrastructure have been reported around the world. Facilities have been hit with an array of network breaches, data thefts and denial of service attacks. With the number of attacks on the rise, now is the time to take preventative action.

The size of the challenge

Details of the vulnerabilities within many SCADA and ICS systems are, unfortunately, readily available on the Internet. These vulnerabilities range from basic issues, such as poor password security, to configuration errors and software bugs. Once an attacker can run code on a system that has network access to a controller, the likelihood of a successful attack is very high.

By altering commands sent to controllers, or by changing sensor readings, attackers can cause changes in electrical, chemical, mechanical or other processes. These changes can result in loss of productivity, disruption of services or worse, and could become a genuine risk to public safety.

The problem is made more acute by the fact that many control systems have been in place for long periods of time. Their rugged design and dependability means they can be operational for more than ten years, and in some cases well beyond.

Most SCADA and ICS networks have some level of traditional perimeter defence, such as a firewall, which makes access from outside relatively difficult. For this reason, attackers are constantly looking for alternative ways to penetrate the systems. Potential attack vectors include:

•    Using a remote access connection left in place for system maintenance
•    Compromising a legitimate communications channel between IT systems and SCADA/ICS systems
•    Social engineering: convincing an internal user to click a link in an email from a workstation connected both to the SCADA/ICS network and to the internet
•    Infecting laptops or removable media outside the SCADA/ICS network, which then infect internal systems when they are connected to the network

SCADA/ICS networks and their components are designed to provide manageability and control with maximum reliability. Originally they were not designed with security in mind: security was simply the air gap between the control network and the internet. Often, they have no mechanisms to prevent unauthorised access or to cope with evolving security threats originating from external or internal networks.

While their implementation is often proprietary, SCADA components, from operator workstations and historians to the controllers themselves, are essentially computers. They use standard computing elements such as operating systems (often embedded Windows, Unix or Linux variants), software applications, accounts and logins. As a result, organisations need to ensure they take a similar approach to their SCADA/ICS security as they do for other parts of their IT infrastructure.

Securing SCADA and ICS systems

Many SCADA and ICS systems have been built and extended over a long period of time. As a result, knowledge of exactly what is in place may be incomplete. For this reason, the first step in any security review is to capture a complete picture of what exists. Once this has been done, a comprehensive approach to security can be undertaken.

The key steps to take to secure critical infrastructure SCADA systems are:

1. Mapping

Create an up-to-date map of all components. This must include an inventory of all devices and communication links, diagrams of the physical and logical connections between devices, lists of hardware and software versions, and a list of accounts and users together with their access privileges.

2. Initial analysis

Once mapping has been completed, an initial analysis of security risks should be undertaken. This process assesses the potential severity, probability and business impact of an attack on each component, and how easy that attack would be for an attacker to carry out.

3. Creation of security strategy
Once a comprehensive picture of the infrastructure and potential vulnerabilities has been created, a suitable security strategy must be devised. This multi-faceted policy should address:

•    Policies: Strong security begins with a well-defined policy closely aligned to business needs. The policy must address the critical nature of the control systems to the organisation.

•    People: Unfortunately, it is often users who make mistakes that result in malware infections and information leakage. Staff members need to be informed and educated on the security policy and their expected behaviour when accessing and using systems.

•    Enforcement: Steps should be taken to ensure the new policies are understood, followed and enforced.

4. Implementation

Once complete, the security strategy should be implemented across the infrastructure. Importantly, physical network separation should be maintained between the real-time components of the SCADA/ICS network and other networks.

At the same time, security gateways should be installed at all interconnect points, ensuring that only relevant and explicitly allowed traffic enters or leaves the network. Detection of bot and malware command-and-control traffic should also be in place, so that devices on the network which have been infected despite these controls are identified quickly.

Also, all workstations and portable equipment used for management and maintenance must be checked to ensure they are free of malware. Dedicated workstations should be assigned to SCADA management software, and these should not be used for email or web browsing.

Finally, ongoing strict analysis of all traffic, files and payloads must be performed, in real time, across the infrastructure. In-house or independent specialist intelligence feeds will increase the dependability of the analysis. This will ensure early identification of any unauthorised access or activity within the critical systems.
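The mapping in step 1, the analysis in step 2 and the gateway enforcement in step 4 can be made concrete. The following Python block is an added example written for this page, not Check Point code or a product feature: it builds a device and link inventory from a constructed passive flow summary (passive capture rather than active scanning, since active probes can upset fragile controllers), flags links that cross between a hypothetical IT zone and control zone, and then applies a per-source Modbus/TCP function-code allowlist at the gateway, denying malformed frames rather than passing them through. The addresses, zone layout and policy table are assumptions chosen for illustration.

```python
"""Added example: passive mapping of SCADA/ICS traffic and a Modbus/TCP
function-code allowlist for a gateway between the IT and control networks.
All sample data and the network layout are constructed for illustration."""
import ipaddress
import struct

# Hypothetical zoning: the control network is 192.168.10.0/24, the IT
# network 10.0.0.0/24. A real deployment takes this from the step-1 map.
ZONES = {
    ipaddress.ip_network("192.168.10.0/24"): "control",
    ipaddress.ip_network("10.0.0.0/24"): "it",
}

# Constructed flow summary, as a passive capture would yield it:
# (source, destination, destination port, transport protocol).
SAMPLE_FLOWS = [
    ("192.168.10.5", "192.168.10.20", 502, "tcp"),   # HMI -> PLC, Modbus/TCP
    ("192.168.10.5", "192.168.10.21", 502, "tcp"),   # HMI -> second PLC
    ("192.168.10.7", "192.168.10.20", 502, "tcp"),   # engineering station -> PLC
    ("10.0.0.44", "192.168.10.20", 502, "tcp"),      # IT host speaking Modbus directly
    ("10.0.0.44", "192.168.10.7", 3389, "tcp"),      # RDP from IT into the control zone
    ("192.168.10.7", "10.0.0.9", 445, "tcp"),        # control host reaching an IT file share
]


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def build_inventory(flows):
    """Step 1 (mapping): every device seen, the services observed on it, and
    the directed links between devices, derived purely from observed traffic."""
    devices = {}   # ip -> set of (port, proto) the device was seen serving
    links = set()  # (src, dst, port, proto)
    for src, dst, port, proto in flows:
        devices.setdefault(src, set())
        devices.setdefault(dst, set()).add((port, proto))
        links.add((src, dst, port, proto))
    return devices, links


def zone_crossings(links):
    """Step 2 (analysis): links whose endpoints sit in different zones. Each
    one is a candidate attack path that must be justified or cut in step 4."""
    return sorted(l for l in links if zone_of(l[0]) != zone_of(l[1]))


# Public Modbus function codes: reads leave the process alone, writes change it.
READ_CODES = {1, 2, 3, 4}
WRITE_CODES = {5, 6, 15, 16}


def parse_modbus_tcp(frame):
    """Parse the MBAP header (transaction id, protocol id, length, unit id) and
    the function code that follows. Raises ValueError on malformed frames so the
    gateway drops them instead of guessing."""
    if len(frame) < 8:
        raise ValueError("truncated MBAP header")
    _tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("not Modbus (protocol id %d)" % proto_id)
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("length field %d does not match frame" % length)
    return unit_id, frame[7]


# Hypothetical gateway policy derived from the map: HMI may only read,
# the engineering station may read and write, everything else is denied.
POLICY = {
    "192.168.10.5": READ_CODES,
    "192.168.10.7": READ_CODES | WRITE_CODES,
}


def gateway_check(src, frame, policy=POLICY):
    """Step 4 (implementation): verdict for one Modbus/TCP request arriving at
    the gateway. Returns (verdict, reason); the default is deny."""
    if zone_of(src) != "control":
        return "deny", "Modbus from outside the control zone"
    try:
        unit_id, fc = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "deny", "malformed frame: %s" % exc
    if fc not in policy.get(src, set()):
        return "deny", "function code %d not permitted for %s" % (fc, src)
    return "allow", "fc %d to unit %d" % (fc, unit_id)


def modbus_request(unit_id, function_code, payload):
    """Build a Modbus/TCP request frame (used here only to construct test traffic)."""
    pdu = bytes([function_code]) + payload
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit_id) + pdu


if __name__ == "__main__":
    devices, links = build_inventory(SAMPLE_FLOWS)
    for ip in sorted(devices):
        print(ip, zone_of(ip), sorted(devices[ip]))
    for link in zone_crossings(links):
        print("zone crossing:", link)
    read_regs = modbus_request(1, 3, b"\x00\x00\x00\x0a")
    write_reg = modbus_request(1, 6, b"\x00\x01\x00\xff")
    print(gateway_check("192.168.10.5", read_regs))
    print(gateway_check("192.168.10.5", write_reg))
    print(gateway_check("10.0.0.44", read_regs))
```

The inventory is deliberately built only from observed traffic, so devices that never communicate during the capture window will be missing; in practice the capture is repeated across maintenance windows and reconciled against the hardware and account lists from step 1. The allowlist is keyed on function code rather than port alone because a gateway that permits TCP port 502 wholesale still lets an infected HMI issue write commands.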

By following this strategy, organisations can substantially reduce the risk that the SCADA and ICS systems controlling critical infrastructure are compromised, and keep them operational when attacks do occur.