Anything connected to the Internet today is a potential victim of malicious attacks. Regardless of how easy it is to attack SCADA systems, one thing is clear: the impact of a successful attack can be catastrophic. The continuous growth of cyber security threats and attacks, including the increasing sophistication of malware, is impacting the security of critical infrastructure, industrial control systems, and Supervisory Control and Data Acquisition (SCADA) control systems.
The reliable operation of modern infrastructures depends on computerised systems and SCADA systems. Since the emergence of Internet and World Wide Web technologies, these systems have been integrated with business systems and have become more exposed to cyber threats. There is a growing concern about the security and safety of SCADA control systems.
SCADA systems are exposed to the same cyberspace threats as any business system because they share common vulnerabilities with traditional Information Technology (IT) systems. Also, most SCADA systems are not protected with appropriate security safeguards, and operating personnel lack security training and awareness. Threats against SCADA systems are ranked high in the list of government concerns, since terrorists have threatened to attack several SCADA systems of critical infrastructure and successfully launched near-disastrous attacks.
In addition to SCADA communication moving more and more to TCP/IP networks, the following factors increase risks:
- The historical lack of concern about security issues within SCADA networks.
- The perception that SCADA networks are secure because they are physically or logically isolated.
- The security-by-obscurity approach in the design of SCADA systems.
- The introduction of cyber warfare for which SCADA is a perfect playground.
Besides security concerns, computer systems, including SCADA control systems, raise the issue of safety: they can cause harm and catastrophic damage when they fail to support applications as intended. In January 2003, the Slammer worm infected the safety monitoring systems at the Davis-Besse nuclear plant in the US. In 2003, two hackers gained access to control technology for the US’s Amundsen-Scott South Pole Station which ran life-support technology for scientists. This attack disabled the safety monitoring system for nearly five hours.
The infamous breach of the SCADA system for the Maroochy water system in Australia plagued the wastewater system for two months. It caused a leak of hundreds of thousands of gallons of putrid sludge into parks, rivers, and private properties, as a result of which marine life died, the creek water turned black, and the stench was unbearable for residents.
In addition, recent attacks are becoming more sophisticated, and the notion of which vulnerabilities actually matter is constantly changing. For example, the Stuxnet worm recently infected nearly 30,000 Windows PCs. According to Computerworld, Stuxnet, considered by many security researchers to be the most sophisticated malware ever, was first spotted in mid-June by VirusBlokAda, a little-known security firm based in Belarus.
The threats are often poorly understood and ignored, and the vast majority of organizations lag in realizing secure infrastructures. In complexly interactive systems whose elements are tightly coupled, great accidents are inevitable. Vulnerabilities and attacks can occur at different levels: controlling software or controlled device, application, storage, data access, LAN, enterprise, Internet, and communications.
A number of things can be done today to protect control systems. The first involves governance. Senior management, including the chief executive and chief operating officers, must support the company’s security program. A person or group responsible and held accountable for security must be identified, and the organization’s control system staff made aware of the team’s mission. The security program must undergo periodic review as well.
Policies involving IT systems and control systems should be consistent with each other. Almost all organizations have awareness and training programs for their employees on computer security that cover, for example, passwords or identifying inappropriate Web sites. Such components should, of course, be part of security programs for control systems, but they also should include components unique to each system, as well as reflect industry standards and guidelines.
Vulnerability assessments must be performed regularly. Each such test is “simply a snapshot in time”. Whenever the system is modified, upgraded, tested, or reconfigured, the previous vulnerability assessment is no longer relevant, because the system is no longer the same system.
Cyber security is a living issue, because there is no single technology—be it a firewall, intrusion detection system, or other technology—that will adequately protect control systems.
Shoaib Yousuf, Information Security Strategist.