Securing SCADA Systems from Cyber AttacksJuly 01, 2020 by Anish Devasia
Learn about the many ways cyber-attacks threaten SCADA systems, and what can be done to keep manufacturing and utility plants protected.
In the initial days of SCADA, OEMs used proprietary communication protocols for the communication network. Over time, however, systems required parts from multiple OEMs and the communication protocol converged. This shift was instrumental for SCADA systems becoming a quintessential part of industrial operations which led to huge security vulnerability decades after the SCADA systems became the industry norm.
Threats to SCADA Systems
SCADA systems face two kinds of threats: electronic threats and cyber threats. Electronic threats include radio-frequency interference, RF weapons, voltage transients, ground potential differences, and electromagnetic pulses. These threats can be avoided by efficient system design. Prevention of such threats has become a standard in large scale deployment of SCADA systems.
Cyber threats have become easier to undertake with the advent of the internet. A nefarious hacker can affect the critical infrastructure of a country from another continent with very little effort.
Figure 1. The threat of a cyber attack to SCADA systems has become the main concern of keeping systems running safely.
SCADA is an electromechanical system in which software can be used to control hardware — real, physical objects. Though data breaches in normal cyberattacks create a great loss, real physical damage cannot be done through such an attack. But with a cyber attack on SCADA systems, actual physical damage can be done with few lines of code.
All critical infrastructure currently controlled by SCADA systems and the potential for cyber threats poses a huge challenge. Going through some of the past cyber attacks on SCADA systems helps us shed some light on the weak points of SCADA systems.
Cybersecurity Attacks on SCADA Systems
One of the scariest attacks on a SCADA system is the Stuxnet worm attack that took place in 20100 on 15 Iranian nuclear enrichment facilities. The attack took control of PLCs connected to nuclear centrifuges and was able to destroy 984 of them. It’s important to note that these facilities were not connected to the internet. Instead, the worm entered the facility through a compromised USB drive of an employee.
Figure 2. Nuclear power plants have been the victims of cyberattacks on their SCADA systems.
A 2015 power grid attack in Ukraine affected three power distribution companies, shut down 30 substations, and affected 230,000 people for six hours. The attack was carried out to seize control of the SCADA system and destroy all its data. It did so by using a malware distributed through phishing emails to the corporate network.
In late 2017, hackers attacked emergency shutdown systems of Schneider Electric in a multi-stage attack. The attackers were able to reprogram the Triconex SIS (safety instrumented system) controllers remotely and change the predefined payload.
In 2012, a German renewable power utility was hit with Denial of Service attacks. The internet communication systems of the company were compromised for five days, affecting millions of customers.
A disgruntled employee in a sewage treatment facility in Queensland, Australia took control of the facility and pumped untreated water to public spaces.
Common SCADA System Weaknesses
Every SCADA system has hardware, firmware, software, and people involved in its operation. Attacks are targeted at the weak points in these systems. The most common weaknesses with SCADA systems include:
- Lack of proper training: Employees are the most vulnerable part of the whole SCADA system. Social engineering, phishing, and spear-phishing attacks are most common in the examples above. A single click on a link in an email sent from an attacker can compromise the whole system.
- Internet exposure: Initial SCADA systems functioned as stand-alone systems. With the advent of the internet, plants became connected to the internet for various purposes, including receiving maintenance updates from vendors. In most cases, proper security precautions are not taken in such connections.
- Poor SCADA applications: Web and desktop applications are extensively used to modify and monitor various components of SCADA. Many of these applications are not up to scratch with modern application safety requirements. This was particularly evident with the attacks mentioned above that specifically targeted SCADA software from Siemens.
- Weak IT & OT segregation: Organizations with inadequate separation between IT (information technology) and OT (operation technology) is a significant vulnerability. IT is critical to any organization in the current world but using the same routers and communication network for IT applications and SCADA is a basic security requirement. Yet many installations lack this segregation.
- Weak protocols: As mentioned earlier, security was not in mind while developing communication protocols for SCADA systems. Interoperability was given importance. The same protocols are used for almost every SCADA system and this makes it easier for potential hackers.
- Lack of maintenance: OEMs and vendors create products with default configurations which can be changed at each installation by the operators. Some operators do not change these default settings due to a lack of awareness or a false sense of safety. This is a potential risk to the security of the system. Vendors also do not invest the required resources in updating equipment and software to the latest standards.
Ways to Protect SCADA Systems from Cyber Threats
The most effective solution to cyber threats is to physically disconnect from the internet and external devices. This is not a viable solution today, as access to the internet is critical to day-to-day operations for most organizations. But it needs to be considered in the critical infrastructure of a country, like in power plants. Some vulnerabilities can be avoided even with the internet connections intact.
- Security training for employees: As seen in the examples above, most attacks are initiated by employees reacting to the communication sent by hackers. Employees need to be trained on aspects of social engineering attempts by hackers and phishing emails. They also need to be trained to have secure passwords as password spraying attacks are very common.
- Strong segregation of IT and OT infrastructure: Separate routers and communication infrastructure needs to be utilized for IT and OT communication. Strong segregation limits the access of any potential attack to the IT systems and the OT will be protected from attacks over the internet.
- Access controls: Personnel is a primary weakness for any system. Every user of SCADA does not need the same level of access to all of the system’s components. Adding user controls helps reduce potential attacks from rogue employees.
- Fiber optic cables: Eavesdropping attacks are quite common in cyber warfare. If the network is breached, fiber optic cable provides a higher level of security. When a fiber optics cable breaks, the signal loss is significantly high enough that the attacker will not get sufficient data.
- Strict firewalls: Having firewalls is a basic internet security option even for everyday internet users. An industrial firewall has to be strong and regularly updated to avoid any new threats that have surfaced.
- Unidirectional Security Gateways (USG): Firewalls themselves are not the most secure option, as every software has vulnerabilities that can be exploited. USGs provide an extra layer of security by using limited capability hardware only capable of sending information in one direction. Cyber attacks need two-way communication to pull off an attack and USGs prevent that communication from happening.
- Network security procedures: Regular audits and penetration tests should be conducted to ensure the security capability of the network. This helps security to be a mindset for the organization rather than an afterthought.
- Redundancy: There should be redundancies in place to manually take over the operations in the event of an attack. These redundancies should not be with any software, making it resilient to cyberattacks.