Securing integrated Scada systems against cyber attacks

Paul Boughton

Failure to protect a plant's Scada system from the threat of cyber attack can have big security implications. Paul Hurst discusses the protection options.

Until quite recently, Scada systems were traditionally 'walled off' from other systems operating independently from the network. Prior to the awareness of possible attacks, this seemed to provide all the protection the Scada system required. However, over time they have become integrated into larger company networks as a means of leveraging their valuable data to increase plant efficiency. The result of this is that now their security is often only as strong as the security of the overall network.

The process of protecting Scada networks starts with the creation of a written security policy. Failure to have a policy in place exposes the company to attacks, loss of revenue and legal action. The security policy should also be a living document, not a static policy created once and then shelved. The management team needs to draw very clear and understandable objectives, goals, rules and formal procedures to define the overall position and architecture of the plan. It should also cover the following key components: roles and responsibilities of those affected by the policy; actions, activities and processes that are allowed, and those that are not allowed; consequences of non-compliance.

Prior to completing the written policy a vulnerability assessment must be undertaken to identify both the potential risks associated with the different aspects of the Scada-related IT infrastructure, and the priority of the different aspects of the infrastructure. In addition, the vulnerability assessment also acts as a mechanism to identify holes or flaws in the understanding of how a system is constructed (ie its architecture) and where threats against the system may originate.

To successfully complete a vulnerability assessment, a physical audit of all the computer and networking equipment, associated software and network routings needs to be performed. A clear and accurate network diagram should be used to present a detailed depiction of the infrastructure following the audit.

The results would typically be presented in a hierarchical manner, which, in turn, sets the priority to address security concerns and the level of related funding associated with each area of vulnerability. For example, within a typical Scada environment, key items and the related hierarchy could be as follows:

- Operational availability of operator stations.

- Accuracy of real time data.

- Protection of system configuration data.

- Interconnection to business networks.

- Availability of historical data.

- Availability of casual user stations.

After defining the hierarchy and auditing the different system components, the options with regard to security measures need to be considered. For Scada networks there are some common security mechanisms that apply to all networks that have any form of wide area (WAN) or Internet-based access requirements. These include: network design; regulating physical access; firewalls; intrusion detection; virtual private networks (VPN); IP security (IPSpec) demilitarised zones (DMZs).

- Network Design: It is a fact that simple networks are at less risk than more complex, interconnected networks. Therefore keep the network simple and, more importantly, well documented from the beginning.

A key factor in ensuring a secure network is the number of contact points. These should be limited as far as possible. While firewalls have secured access from the Internet, many existing control systems have modems installed to allow remote users access to the system for debugging. These modems are often connected directly to controllers in the substations. The access point, if required, should be through a single point that is password protected and where user action logging can be achieved.

- Regulating physical access to the Scada network: The benefits of a simply designed network can easily be dissipated if some basic protection strategies are not followed. For example: physical access to your network should be closely monitored. First, do not allow anyone that does not belong to your organisation to connect to your network Ethernet or have physical access to your IT server room. Second, use built-in Microsoft Windows features such as NTFS to require user authentication when perusing network shares. Third, monitor your network regularly for activity that may be suspicious and note the IP addresses when running sniffing software or hardware on the network. Fourth, ensure that there are no foreign IP addresses on the list. If you find one, trace route to the IP address. Once you locate its origin you can take action. If you are unsure physically, then disconnect the segment where the potential intruder may be on the network.

- Firewalls: A firewall is a set of related programs, located at a network gateway server that protects the resources of a private network from outside users. A firewall, working closely with a router program, examines each network packet to determine whether to forward it toward its destination. It also includes or works with a proxy server that makes network requests on behalf of workstation users. A firewall is often installed in a specially designated computer separate from the rest of the network, so that no incoming request can get directly at private network resources.

It is imperative to utilise a secured firewall between a corporate network and the Internet. As the single point of traffic into and out of a corporate network, a firewall can be effectively monitored and secured. It is important to have at least one firewall and router separating the network from external networks not in the company's dominion.

On larger sites the control system needs to be protected from attack within the Scada network. Implementing an additional firewall between the corporate and Scada network can achieve this aim.

- Intrusion detection: One problem with Firewalls and other simple boundary devices currently available is their lack some degree of intelligence when it comes to observing, recognising and identifying attack signatures that may be present in the traffic they monitor and the log files which they collect. This deficiency explains why intrusion detection systems, (IDS) are increasingly important in helping to maintain network security.

In a nutshell, an IDS is a specialised tool that knows how to read and interpret the contents of log files from routers, firewalls, servers and other network devices. Furthermore, an IDS often stores a database of known attack signatures and can compare patterns of activity, traffic or behaviour it identifies in the logs it's monitoring against those signatures, so it can recognise when a close match between a signature and current or recent behavior occurs.

In practice, most commercial environments use some combination of network- and host- and/or application-based IDS systems to observe what's happening on the network while also monitoring key hosts and applications more closely.

- Virtual private network (VPN): One of the main security issues facing more complex networks today is remote access. VPN is a secured way of connecting to remote SCADA networks. With a Virtual Private Network (VPN), all data paths are secret to a certain extent, yet open to a limited group of persons, such as employees of a supplier company. A VPN is a network constructed by using public wires to connect nodes. For example, there are a number of systems that allow the creation of networks using the Internet as the medium for transporting data. These systems use encryption and other security measures to ensure only authorised users access the network and data cannot be intercepted.

- IP Security (IPsec): Deployed widely to implement VPNs is IP Security (IPsec), a set of protocols developed by the Internet Engineering Task Force (IETF) to support the secure exchange of packets at the IP layer. IPsec can be deployed within a network to provide computer-level authentication, as well as data encryption. It an also be used to create a VPN connection between the two remote networks using the highly secured Layer Two Tunnelling Protocol with Internet Protocol security (L2TP/IPSec).

- Demilitarised zones (DMZ): The use of DMZ buffers is becoming increasingly common as a method of segregating business applications from Scada networks. A highly recommended additional security measure demilitarised zones are a buffer between a trusted network (Scada network) and the corporate network or internet, separated through additional firewalls and routers, which provide an extra layer of security against cyber attacks.

Paul Hurst is with Citect UK, Coleshill, West Midlands, UK.