SCADA systems are ever more open to security threats – Amol Sarwate explains how to mitigate the risks
All around us, critical IT services keep our homes powered, water coming to the taps, and transport systems functioning. The IT systems behind these services in the energy, water and power sectors are industrial control systems, more commonly referred to as SCADA (supervisory control and data acquisition) applications.
These applications have existed for decades. Typically in the past they ran on their own private networks. This made security less of a concern to systems designers – after all, the network diagrams show that things are separate, right?
However, many SCADA systems could be accessed through interconnection points where data could be made available for use in other parts of the business. This meant that potential routes of attack existed, even if they were difficult to exploit in some cases.
Where Are We Now?
Today, the data that these SCADA applications create is becoming more commercially valuable. Companies in the utility and critical infrastructure sectors can use data in new ways to maintain profits and be competitive.
As these systems get linked to the public internet, there are more potential avenues for attack that have to be mitigated. There are four key areas of vulnerabilities for SCADA and industrial control systems:
- Data Acquisition – this covers the individual sensors and devices that are connected to the organization’s systems. This includes things like temperature, light and pressure sensors.
- Data Conversion – this includes the more intelligent devices that are attached to systems and responsible for monitoring and managing their activities.
- Data Communication – this covers the networks and communication protocols that link up sensors, devices and the rest of the network. These are essential for getting data to and from points within the network.
- Data Presentation and Control – this includes the devices that are used to monitor the data that is created and includes the tools that are used to provide data to users.
What Next for SCADA Security?
The main area of focus for SCADA security has to be where the majority of potential issues are found. Around 63% of issues found were in web-based HMI applications using a range of common IT security attacks, from directory traversal and buffer overflow through to cross-site scripting and SQL injection techniques. Many of the issues are due to lack of authentication and updates.
SCADA systems were previously viewed as separate to the organization’s other networks. Why should authentication be required when there is no point of access? However, not only are there now more points of access than ever before, the requirement for auditing and logging of that access will only become more important over time.
Best practices around user authentication therefore have to be applied. This includes locking down any default vendor passwords so that they cannot be used; these credentials can be hardcoded into software or hardware devices as standard, so stopping them from being used is a necessary step.
Secondly, accounts and credentials should be distinct for each user. Too often, if credentials are used at all, everyone that has access to the system will use the same username and password. If a bad actor does manage to get access and use this account, then it is very difficult to spot this attack alongside permitted activity.
Alongside authentication, patching is critical. For many SCADA apps, the thinking has been, “If it isn’t broken, then don’t try to fix it.” Rather than putting necessary and available patches in place, this means that problems with known fixes can still be open for years.
Dealing with this takes a fundamentally different mindset. Patches and updates do require downtime while they are applied; for critical systems involved in utilities or oil and gas, the cost of this can be huge. Similarly for critical utilities like water, there is no downtime window that can be invoked.
However, if companies want to make more of their data then shifts in approach around patching will have to come into force as well. There are best practices that exist around patch deployment and vulnerability management that can be used to reduce the potential window of downtime, while the use of redundant systems should mean that there is no interruption to service.
Connecting SCADA applications to the internet involves adapting a continuous security mindset, where any and all vulnerabilities can be automatically detected as they come up. While SCADA applications and devices will probably change infrequently, this approach should be standard across all the assets that a company has in place. It aims to keep all IT devices and software up to date in order to reduce the chance of successful attack. Extending this thinking around vulnerability management out to SCADA systems helps to ensure that known problems don’t affect the software and infrastructure assets that are in place.
About the Author
As director of vulnerability labs at Qualys, Amol Sarwate heads a worldwide team of security researchers who analyze a threat landscape of exploits, vulnerabilities and attacks. He is a veteran of the security industry who has worked for the last 15 years on firewalls, vulnerability scanners, and embedded security at McAfee, Hitachi, i2 and other organizations