A Growing Threat
SCADA is currently a hot topic in the news. According to IBM Managed Security Services, researchers have observed a significant increase in brute-force attacks on supervisory control and data acquisition (SCADA) systems in recent years. “Cyberattacks against the Oil & Gas and utilities sector are on the rise and growing more sophisticated and aggressive by the day. Passive monitoring of all assets in these systems is critical to detecting and addressing vulnerabilities before they can be exploited and lead to disruption of essential public services like electricity, gas, and water,” says Leo Simonovich, Vice President and Global Head, Industrial Cyber and Digital Security at Siemens Energy. Unfortunately, experts agree that traditional security measures are not proving to be terribly effective in this sector. Put succinctly by Joel Langill, industrial control system (ICS) cybersecurity subject matter expert at AECOM, during his keynote at the ICSJWG 2016 Fall Meeting in Ft. Lauderdale, FL: “Antivirus is dead. Malware is able to get through it to attack a system. […] That is not to say a user does not need it; they just have to understand it does not have the stopping capability it had 10 years ago. The same is true of firewalls. Yes, there are some good ones out there, but they can be averted. The way of thinking is the same as it was in 1996. The way we fight threats in 2016 has to be different than the way we did it in 1996.” Here are some tips to help you think outside the box about SCADA security, what your SCADA technicians need to know about the changing face of SCADA security, and how you can help them.
Tip 1: Implement Procedures that Make You ‘Secure by Design’
In an article by Phil Marshall, CEO, Hilscher North America, called “Why Cybersecurity Must Be Built In, Not Bolted On: ‘Secure by design’ needs to become the core approach for all industrial companies to avoid cyber chaos in the not too distant future,” the author talks about how systems designers need to rethink the way they build security into applications. For instance, using multiple CPUs enables the designer to logically separate the communications functions (that is, the network activity) from the application (e.g., control and monitoring). Why? “For example, a denial-of-service attack could bring down the network communications or keep the stack so busy with answering network requests that the processing of critical IO data gets interrupted.” Instead, mechanisms could be put into place that would allow the application side to detect that something is wrong on the communications side. In a worst-case scenario, the application could be forced into a secure and safe state to avoid causing any harm. A report by the DRDC Centre for Security Science states that, “The security architecture in common use today for enterprise computing environments has not changed significantly in 20 years. Stuff like Firewalls, Anti-virus, Intrusion Prevention Systems, Data Diodes, Virtual Private Networks, Link Encryption, Identity Management, all refurbish old ideas with new technology […] interconnection means that attacks that leverage social vectors — basically the trust people put into relationships with others — can be successful in overcoming even the most sophisticated firewalls and technical defenses.” What we need, the report goes on, is a disruptive transformation of IT infrastructure with these starting assumptions:
Everyone and everything is potentially hostile
Mainstays of antivirus and firewall are increasingly ineffective
Decrease in importance of the traditional “perimeter”
“Inside out” protection is as important as “outside in”
More security policy enforcement points needed
Security and trust are no longer binary and there is a need to accept relative “trustability”
For field technicians, this means they can no longer assume traditional security strategies will do the job. For instance, they need to be aware of the implications of bringing their own devices (BYOD) into the control environment.
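The separation described in Tip 1 (a communications side that can be swamped by network traffic, and an application side that notices and falls back to a safe state) can be modelled as a heartbeat watchdog owned by the application. The following Python simulation is an added example written for this page; it is not code from Hilscher, the DRDC report or any real controller, and the timings, state names and the toy valve control law are assumptions. The application records each I/O snapshot the comms side delivers but judges its freshness on its own clock: a late heartbeat puts it in a degraded state where it holds its last outputs rather than acting on stale data, and a heartbeat that stays missing trips it to a latched safe state that only an explicit operator reset can leave.

```python
"""Application-side heartbeat watchdog: the control application decides on
its own clock whether the communications side is still delivering fresh
I/O, and forces its outputs to a safe state when it is not.

Constructed example; timings, state names and the toy control law are
assumptions, not taken from any real controller."""
from enum import Enum


class State(Enum):
    RUNNING = "running"    # fresh I/O available, control law runs normally
    DEGRADED = "degraded"  # comms side late: hold last outputs, raise alarm
    SAFE = "safe"          # comms side unresponsive: outputs forced safe, latched


class ApplicationController:
    """Runs on the application CPU. The comms CPU calls heartbeat() each time
    it delivers an I/O snapshot; the application scheduler calls tick()."""

    def __init__(self, warn_after_ms, trip_after_ms, safe_outputs):
        self.warn_after_ms = warn_after_ms
        self.trip_after_ms = trip_after_ms
        self.safe_outputs = dict(safe_outputs)
        self.last_heartbeat_ms = None      # None: no I/O yet, treated as stale
        self.last_io = None
        self.outputs = dict(safe_outputs)  # power up in the safe state
        self.state = State.SAFE
        self.latched = False

    def heartbeat(self, now_ms, io_snapshot):
        """Comms side reports a fresh I/O snapshot. It is only recorded here;
        the application side decides in tick() whether to act on it."""
        self.last_heartbeat_ms = now_ms
        self.last_io = dict(io_snapshot)

    def tick(self, now_ms):
        """Application scheduler step, driven by the application's own timer."""
        if self.latched:
            return self.state            # stays safe until an operator resets it
        if self.last_heartbeat_ms is None:
            age_ms = float("inf")
        else:
            age_ms = now_ms - self.last_heartbeat_ms

        if age_ms >= self.trip_after_ms:
            self.state = State.SAFE
            self.outputs = dict(self.safe_outputs)
            self.latched = True
        elif age_ms >= self.warn_after_ms:
            self.state = State.DEGRADED  # keep last outputs; do not act on stale data
        else:
            self.state = State.RUNNING
            self.outputs = self.control_law(self.last_io)
        return self.state

    def operator_reset(self):
        """Explicit operator action is required to leave the latched safe state."""
        self.latched = False
        self.last_heartbeat_ms = None

    @staticmethod
    def control_law(io):
        # Toy control law (assumption): open the fill valve while the tank
        # level is below the setpoint.
        return {"valve_open": io["level"] < io["setpoint"]}


def run_scenario(heartbeats, tick_times, warn_after_ms=250, trip_after_ms=500):
    """Replay (time_ms, io_snapshot) heartbeats against application tick times.
    Returns the (time_ms, state) trace and the controller for inspection."""
    ctl = ApplicationController(warn_after_ms, trip_after_ms,
                                safe_outputs={"valve_open": False})
    hb = sorted(heartbeats, key=lambda h: h[0])
    trace, i = [], 0
    for t in sorted(tick_times):
        while i < len(hb) and hb[i][0] <= t:   # deliver heartbeats due by this tick
            ctl.heartbeat(hb[i][0], hb[i][1])
            i += 1
        trace.append((t, ctl.tick(t).value))
    return trace, ctl


# Constructed scenarios: the comms CPU normally delivers I/O every 100 ms.
IO = {"level": 40, "setpoint": 60}
TICKS = list(range(50, 1100, 100))
# 1) comms side goes silent after 300 ms (e.g. its stack is saturated by a flood)
STALL = [(0, IO), (100, IO), (200, IO), (300, IO)]
# 2) one late heartbeat at 600 ms, then silence again
HICCUP = STALL + [(600, IO)]

if __name__ == "__main__":
    for name, scenario in (("stall", STALL), ("hiccup", HICCUP)):
        trace, ctl = run_scenario(scenario, TICKS)
        print(name, trace, ctl.outputs)
```

The point of the design is that the decision lives on the application side and depends only on its own timer, so nothing the comms side receives from the network can keep the application in the running state once the data stops arriving. The two thresholds give operators a warning before the trip, and the latch ensures a trip is investigated rather than silently cleared by the next heartbeat.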
Tip 2: Change Focus from IT to the Polity
SCADA attacks often create physical (as opposed to digital), structural damage. For instance, the Stuxnet worm targets SCADA systems and was responsible for causing substantial damage to Iran’s nuclear program, reportedly ruining almost one-fifth of Iran’s nuclear centrifuges. Stuxnet leveraged flaws in Microsoft Windows which were not known to many people at the time and was introduced to the target environment via an infected USB flash drive. The worm has been described as a jointly-built American/Israeli cyber weapon. There was a lot of controversy regarding the cost-benefit value of Stuxnet. However, the point to note is that cybersecurity is not only about networks and systems, but also about global politics and socio-economics. Remember the tip from the friendly neighborhood burglar that did the rounds a few years back but may have been an urban legend: Leave a light on in the bathroom at night, because we can’t be sure you’re not home, and so we’ll probably burgle your neighbor instead. A SANS Institute survey in 2013 found that one of the top three threat vectors identified by the respondents was internal. Survey respondents indicated that they were concerned with phishing scams, which made sense given that many of the attacks against these controls relied on some internal person doing something, such as inserting a USB drive, remotely accessing equipment or clicking a link or attachment. Interestingly, while the survey showed that a malicious attack along the lines of Stuxnet was the top threat vector of concern, Stuxnet itself was a failure in security awareness by a staff member who used an infected USB drive. So, security awareness training for SCADA technicians must start with the basics: understanding that their actions when browsing the web, clicking on potentially malicious email attachments, using an infected USB drive, or posting sensitive information on social media sites may make the company vulnerable to cyber attackers.
Tip 3: Engineer Cyber Safety
Conway, Technical Director for the ICS and SCADA programs at SANS, suggests that to connect ICS engineers to security awareness training that really hits home, start with what matters most to them — safety. He recommends regular safety meetings and the communication to all staff of safety incidents and the company’s record:
Everyone can be a cybersecurity ambassador – “When your teams understand how poor cybersecurity practices (unapproved removable media, sharing account credentials, working on devices without proper notification and approval, un-approved mobile devices in a process environment, etc.) can affect their work environment and their own safety, they will stop someone when they see it as well.”
Knowledge is power – “Actual events, and near misses become full-scale root cause analysis efforts and after action lessons learned guidance communications, which in many cases shape operating procedures. We will be heading in the right direction when we ask the same questions: How many cyber near misses have happened at a facility?”
An ounce of prevention – “Safety protections exist in many forms throughout industrial environments and are engineered into the process to provide event detection, operator alarming, fault containment, and rapid process recovery […] Safety is a planned activity that is engineered into the process, Cybersecurity should be no different.”
Tip 4: Develop a Cybersecurity Network
According to ISACA, modern SCADA systems are rapidly changing from traditional proprietary protocols to Internet Protocol (IP)-based systems, and these systems are now inheriting all the vulnerabilities associated with IP. Along with this shift is the need for field technicians to understand how to counter the vulnerabilities associated specifically with modern SCADA systems:
System resilience — Ensuring that SCADA systems are always available requires the system to be designed with a resilience goal in mind. This involves testing by field staff to ensure these goals are met during normal operations, during incidents, and during system changes or upgrades.
Secure configuration — SCADA systems and their communication protocols are inherently insecure. This involves ensuring that underlying systems are built securely and live systems are configured correctly.
Business continuity/disaster recovery planning (BCP/DRP) — This involves training for the systematic and orderly recovery from disasters and business continuity processes.
Incident management — Established and documented incident management processes and guidelines must be defined to ensure the orderly handling of incidents.
Threat monitoring — SCADA applications and protocols are inherently insecure; lack of awareness and dependency on vendors for applying patches, wide area networks, and the need for segregation of SCADA networks make threat monitoring one of the most important sections in SCADA security controls.
Change management — The challenge in change management for SCADA is to ensure that change does not disrupt the functioning of devices, as often the impact can be the threat of loss of life. This involves ensuring that field technicians are aware of the processes involved in making system changes and how this can affect their normal working routine.
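The threat-monitoring item above, together with the opening paragraph's point that brute-force attacks on SCADA systems are rising and that passive monitoring is the way to catch them, is concrete enough for a worked detector. The Python below is an added example written for this page, not code from ISACA, IBM or any product; the log format, host name, user names and addresses are constructed for the illustration. It keeps a sliding window of failed logins per source address as seen by a remote-access gateway in front of SCADA equipment, raises one alert when a source crosses the failure threshold inside the window (listing the user names tried, since several users from one source suggests password spraying), and raises a second, higher-priority alert if that source then logs in successfully, which is the case an operator most needs to hear about.

```python
"""Brute-force login detection over authentication records from a remote-
access gateway in front of SCADA equipment.

Constructed example: the log format, host name, user names and addresses
are assumptions made up for this illustration, not real data."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed record format: "<ISO-8601 UTC> <host> auth: <FAILED|OK> user=<u> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (?P<host>\S+) auth: "
    r"(?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for an auth record, or None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Sliding-window detector: alert when one source address produces
    `threshold` failed logins within `window_s` seconds, and again if the
    same source then logs in successfully (a likely guessed credential)."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) failures
    flagged = set()               # sources already reported for brute forcing
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        q = recent[ev["src"]]
        if ev["result"] == "FAILED":
            q.append((ev["ts"], ev["user"]))
            # drop failures that have fallen out of the window
            while q and (ev["ts"] - q[0][0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({
                    "type": "bruteforce",
                    "src": ev["src"],
                    "failures": len(q),
                    "users": sorted({u for _, u in q}),  # >1 user: password spraying
                    "at": ev["ts"].isoformat() + "Z",
                })
        elif ev["src"] in flagged:
            alerts.append({
                "type": "success_after_bruteforce",
                "src": ev["src"],
                "user": ev["user"],
                "at": ev["ts"].isoformat() + "Z",
            })
            flagged.discard(ev["src"])  # report once per burst
            q.clear()
    return alerts


# Constructed sample: one source hammers the operator account and then gets in,
# one legitimate user mistypes once, and one slow source stays below the window.
SAMPLE_LOG = """\
2017-11-03T02:14:01Z gw1 auth: FAILED user=operator src=10.0.5.23
2017-11-03T02:14:04Z gw1 auth: FAILED user=operator src=10.0.5.23
2017-11-03T02:14:05Z gw1 auth: FAILED user=admin src=10.0.7.4
2017-11-03T02:14:07Z gw1 auth: FAILED user=operator src=10.0.5.23
2017-11-03T02:14:09Z gw1 auth: OK user=admin src=10.0.7.4
2017-11-03T02:14:10Z gw1 auth: FAILED user=operator src=10.0.5.23
2017-11-03T02:14:13Z gw1 auth: FAILED user=operator src=10.0.5.23
2017-11-03T02:14:16Z gw1 auth: FAILED user=root src=10.0.5.23
2017-11-03T02:14:20Z gw1 auth: OK user=operator src=10.0.5.23
2017-11-03T02:20:00Z gw1 auth: FAILED user=eng src=10.0.9.9
2017-11-03T02:22:00Z gw1 auth: FAILED user=eng src=10.0.9.9
2017-11-03T02:24:00Z gw1 auth: FAILED user=eng src=10.0.9.9
2017-11-03T02:26:00Z gw1 auth: FAILED user=eng src=10.0.9.9
2017-11-03T02:28:00Z gw1 auth: FAILED user=eng src=10.0.9.9
this line is not an auth record
"""

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run as-is it prints two alerts for 10.0.5.23 (five failures in twelve seconds, then a successful login) and nothing for the other two sources. The threshold and window are deliberately parameters: a slow attacker spaced two minutes apart, like 10.0.9.9 here, evades a 60-second window, so a deployment would pair this short-window rule with a longer-window count or a per-user rule rather than rely on one setting.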
Tip 5: Support Ground Staff
Brahman Thiyagalingham, Logica’s Security Practice Manager, gave Computer Weekly five tips for training technicians and improving security:
Implement an industry-standard governance framework, like the ISO/IEC 27001 management system standard, which is recognized as the premier standard for information security management.
Because people maintaining and operating SCADA infrastructure have little understanding of new technologies, training in the use of new security tools is paramount.
Operators need to enhance collaboration between their SCADA engineers and IT security teams to ensure all potential vulnerabilities are considered and precautions put in place.
Protecting SCADA security means operators need to implement a program for continual improvement from the outset.
Performing regular security testing of both infrastructure control systems and Remote Telemetry Units (RTUs) of SCADA networks needs to evolve from a technical basis to a more risk-based, process-oriented management basis, enabling continuous improvement.
Tip 6: Initiate Dialogue and Collaborate with other SCADA Players
Joint support between the US and Russia on the challenges of cybersecurity at nuclear facilities indicates that collaboration benefits both parties. As reported by the Bulletin of the Atomic Scientists, some examples of the way the US and Russia have collaborated in preventing an act of nuclear terrorism include a number of agreements on nuclear weapons control, lab-to-lab cooperation, the Megatons to Megawatts program, the Warhead Safety and Security Exchange agreement, and the Plutonium Production Reactor Agreement. The Bulletin suggests a collaboration framework for nuclear facilities (and, for that matter, for any mission-critical system) should include:
Establishing a set of minimum standards or recommendations to help assess cyber personnel qualifications at newly built plants
Joint research on new developments in the field of computer security and the communication of these developments to staff
Creating a communication link between personnel in emergency response teams
Technical exercises during scientific workshops for technicians
And let us not forget formal security awareness training.
Tip 7: Become SCADA Certified
Infosec Institute runs a SCADA security course targeted primarily towards Information Technology Professionals, Information Security Professionals, Control Systems Engineers, and SCADA System Operators with a background in computer hardware and operating systems. Passing the course will give you Infosec Institute CSSA (Certified SCADA Security Architect) certification. Amongst other things, the course covers:
SCADA security policy development
SCADA security standards and best practices
Access control
SCADA protocol security issues
Securing field communications
User authentication and authorization
Detecting cyberattacks on SCADA systems
Vulnerability assessment
References
https://www.infosecinstitute.com/courses/scada-security-boot-camp
https://www.researchandmarkets.com/research/3c4hnp/scada_market
https://www.siemens.com/press/en/pressrelease/?press=/en/pressrelease/2017/powergenerationservices/pr2017110033psen.htm&content[]=PS
https://thebulletin.org/cyber-security-nuclear-facilities-us-russian-joint-support-needed11354
https://simple.wikipedia.org/wiki/Stuxnet
https://www.automationworld.com/article/topics/industrial-internet-things/why-cybersecurity-must-be-built-not-bolted
http://cradpdf.drdc-rddc.gc.ca/PDFS/unc159/p537638_A1b.pdf
https://www.controleng.com/single-article/cybersecurity-experts-recommend-a-different-approach/a1486dba6fcd690de27280013e953991.html
/cyber-risks-industrial-environments-continue-increase/#gref
https://www.nist.gov/sites/default/files/documents/2017/04/26/tri-county_electric_cooperative_part2_032613.pdf
https://www.sans.org/reading-room/whitepapers/analyst/results-scada-security-survey-35135
https://securingthehuman.sans.org/blog/2015/01/22/engineering-cyber-safety
http://www.computerweekly.com/tip/Ten-tips-to-improve-SCADA-security