SCADA systems have been part of the industrial and utility landscape for many decades. For pipeline SCADA systems, the wide area coverage and operation of processes in remote locations provide a number of unique cybersecurity issues.
By Kevin L. Finnan, System Consultant, Yokogawa Corporation of America.
Supervisory control and data acquisition (SCADA) systems have been part of the industrial and utility landscape for many decades. While analogous to a distributed control system (DCS), a SCADA system performs monitoring and automation of a process that spans a broad geographical area. Whereas a refinery or petrochemical process plant would use a DCS, typical SCADA applications include oil & gas production, pipelines, electrical transmission & distribution and water/wastewater utilities.
For pipeline SCADA systems in particular, the wide area coverage and operation of processes in remote locations provide a number of unique cybersecurity issues.
For example, refer to Figure 1, a hypothetical remote pipeline pumping station. All the field instruments and actuators connect to a remote terminal unit (RTU), which serves as a data consolidation and translation point. The RTU works with a backhaul communications network such as 900 MHz radio or satellite. An RTU must maintain compatibility with the broad range of media necessary to handle the required bandwidth and distance.
The field devices could use assorted communication methods to connect to the RTU, but the RTU serves as a gateway, converting it all to one protocol, such as Modbus, so it can transmit everything in one data stream. Additionally, the RTU can perform local control functions. Otherwise, a programmable logic controller (PLC) or other small controller may be used, but it too will report its activity through the RTU.
The RTU is a frequent focus for attackers. Older RTUs are often poorly defended and speak protocols such as Modbus that carry no authentication at all, so anyone who can reach the communications link can issue commands to the process; they become the path of least resistance into the network.
One of the best-known attacks of this kind struck western Ukraine. On 23 December 2015, attackers who had first entered the utilities' corporate networks through spear-phishing e-mail carrying the BlackEnergy malware used stolen remote-access credentials to take over operator workstations and open breakers at some 30 substations, cutting power to roughly 225,000 customers. To slow recovery they also overwrote the firmware of the serial-to-Ethernet converters at the substations, so the breakers could no longer be closed remotely and crews had to restore them by hand.
SCADA 2.0, IIoT Development
As old as the SCADA concept is, it has lost none of its importance. In fact, SCADA applications have been growing. Formerly “siloed” systems that served pipeline operations alone, SCADA systems today connect throughout the entire enterprise.
On the one hand, modern SCADA systems include numerous, defence-in-depth cybersecurity measures but, on the other, their broadly expanded applicability throughout end user organisations has increased vulnerabilities.
With a higher degree of protocol standardisation and greater connectivity to corporate information technology (IT) networks, the potential for a cyber-attack has increased. The trends toward business systems using and processing SCADA data create new avenues and reasons for system exploitation. Sharing data is often the lifeblood for many companies, but new threats can emerge in the process.
Developing technologies are also changing the situation as the IIoT merges with SCADA to become “SCADA 2.0”. Its development still has some way to go, but there are many open questions about how it will be designed and how that design will affect security.
The substantially expanded connectivity in SCADA 2.0 enables additional threat vectors. For example, a compressor station could use multiple communications networks. While controllers use the SCADA network for pipeline operations, the compressor manufacturer could deploy a separate network for predictive maintenance. In the future, asset management information, which, today, typically travels through a DCS or SCADA network, could also find itself on another network. The end user must be sure to isolate the SCADA system and key assets such as compressors from threats via the other networks.
Signs Of Threats To Come
Cyber criminals looking to profit from their exploits have been stealing financial data, personal information and credit card numbers for a long time. Major retailers and financial service companies have fallen prey largely for this reason. Fortunately, industrial companies typically do not hold as much of such marketable data. Ransomware, however, needs no marketable data: it monetises the victim's own need to keep its systems running. It first targeted hospitals and then spread to many other organisations in the May 2017 “WannaCry” attacks.
Although this sort of situation could seem unrealistic, end users in the industrial world must consider such scenarios in their vulnerability assessments and cybersecurity strategies.
Defensive Strategies For SCADA Systems
Cyber defence strategies for SCADA systems should be similar to those in other industrial networks. There are no unique approaches to this situation, but keep in mind, the size and complexity of the SCADA system provides many opportunities for determined hackers. They will scan for weaknesses, and a large, spread-out pipeline or similar SCADA system provides many attack vectors hidden away. The following are some defensive suggestions:
- Maintain physical security at remote sites: RTUs and other network-connected hardware should be in locked enclosures. Unused serial ports and USB connectors should be plugged with epoxy.
- Update old systems: Any company still running equipment on Windows 95, or on more recent but still obsolete versions, is asking for trouble. Platforms running unpatched software can be just as bad: WannaCry spread through an SMBv1 flaw that Microsoft had patched in March 2017 (MS17-010), and it succeeded only on Windows machines that had not received that update.
- Use network intrusion detection: Intrusion detection systems are very useful tools, but many companies fear they can disrupt operating networks. A passive sensor that watches a copy of the traffic from a switch mirror port or network tap, and alerts rather than blocks, has no effect on the control traffic itself and is far easier to deploy on a running system.
- Train personnel: Workers are still the weakest link in cyber defences. Social engineering, phishing, and spear phishing remain effective hacking tools. Don’t open unknown attachments, don’t plug in unknown thumb drives, etc.
- Maintain network traffic logs: It’s hard to know that something strange is happening if you can’t tell right from wrong. Logs establish a baseline of normal traffic, so that an unfamiliar host or command stands out, and they let responders determine where intruders have been and what damage they did or attempted.
- Use available cybersecurity resources: The International Society of Automation (isa.org) publishes the ISA/IEC 62443 series of industrial automation security standards, and the National Institute of Standards and Technology (nist.gov) publishes NIST SP 800-82, its guide to industrial control system security, alongside general guidance such as SP 800-14 and SP 800-16. All offer best practices for network administrators and defenders.
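Two of the points above, the RTU as an unauthenticated Modbus gateway and a passive intrusion sensor that learns a baseline from logged traffic, can be shown together in a small monitor. The following is an added example written for this article, not code from the author or from Yokogawa. It assumes the RTU speaks Modbus/TCP as defined in the public Modbus specification; the hosts, addresses and frames are constructed for the demonstration. Building the frames makes the first point visible: the MBAP header holds a transaction id, protocol id, length and unit id, and nothing anywhere in the frame identifies or authenticates the sender. The monitor then does what a passive IDS on a mirror port would do: it records which master sends which function code to which RTU during a learning period and afterwards alerts, without ever touching the traffic, on any write that the baseline has not seen.

```python
"""Passive Modbus/TCP write monitor.

Added example, not code from the article or from Yokogawa. It assumes the
RTU speaks Modbus/TCP (function codes and framing per the public Modbus
specification); all hosts, addresses and traffic below are constructed.
"""
import struct

# Function codes that change process state; everything else handled here is read-only.
WRITE_FUNCTIONS = {5: "write single coil", 6: "write single register",
                   15: "write multiple coils", 16: "write multiple registers"}


def build_request(src, dst, unit, function, address, operand, tid=1):
    """Build a Modbus/TCP request as a 'captured frame' dict.

    The MBAP header is transaction id, protocol id (0), length and unit id.
    Nothing in it or in the PDU identifies or authenticates the sender, which
    is why reachability alone is enough to operate the RTU.
    `operand` is the value for FC 5/6 and the quantity for FC 1-4/15/16.
    """
    pdu = struct.pack(">BHH", function, address, operand)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)
    return {"src": src, "dst": dst, "payload": mbap + pdu}


def parse_request(payload):
    """Decode the MBAP header and the first three PDU fields; reject frames
    whose length field disagrees with what was actually received."""
    if len(payload) < 12:
        raise ValueError("frame too short for a Modbus/TCP request")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("malformed Modbus/TCP frame")
    function = payload[7]
    address, operand = struct.unpack(">HH", payload[8:12])
    return {"tid": tid, "unit": unit, "function": function,
            "address": address, "operand": operand}


class ModbusWriteMonitor:
    """Baseline-then-alert monitor for a SPAN/TAP feed of Modbus/TCP traffic.

    Passive: it only reads frames and returns alert strings; it never
    injects or drops traffic, so it is safe on a live SCADA network.
    """

    def __init__(self, learning_frames):
        # Baseline = every (master, RTU, unit, function) seen during learning.
        self.baseline = {self._key(f) for f in learning_frames}

    @staticmethod
    def _key(frame):
        req = parse_request(frame["payload"])
        return (frame["src"], frame["dst"], req["unit"], req["function"])

    def inspect(self, frame):
        """Return an alert string for a write the baseline has not seen, else None."""
        try:
            req = parse_request(frame["payload"])
        except ValueError as exc:
            return f"ALERT malformed frame from {frame['src']}: {exc}"
        key = (frame["src"], frame["dst"], req["unit"], req["function"])
        if req["function"] in WRITE_FUNCTIONS and key not in self.baseline:
            return (f"ALERT {frame['src']} -> {frame['dst']} unit {req['unit']}: "
                    f"{WRITE_FUNCTIONS[req['function']]} at {req['address']} "
                    f"with {req['operand']:#06x}")
        return None


def run_demo():
    """Constructed traffic: a SCADA master polls the RTU and adjusts a setpoint."""
    master, rtu = "10.1.1.10", "10.50.0.5"
    normal = [build_request(master, rtu, 1, 3, 0, 10),      # read 10 holding registers
              build_request(master, rtu, 1, 6, 40, 1500)]   # write a setpoint register
    monitor = ModbusWriteMonitor(normal)
    later = [build_request(master, rtu, 1, 6, 40, 1600),         # routine setpoint change
             build_request("10.1.1.77", rtu, 1, 5, 7, 0xFF00),   # stray laptop forces a coil ON
             build_request(master, rtu, 1, 5, 7, 0x0000),        # master uses a never-baselined function
             {"src": "10.1.1.77", "dst": rtu,                    # truncated frame with a bogus length
              "payload": b"\x00\x01\x00\x00\x00\x63\x01\x06"}]
    return [monitor.inspect(f) for f in later]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The baseline is keyed on function code as well as on the end points, so a write function the master has never used before is reported even when it comes from the legitimate master; that is the behaviour you want when a compromised HMI starts issuing commands it has no business sending. Malformed frames are reported rather than silently dropped, because a sensor that ignores what it cannot parse is exactly where an attacker will hide.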
It will be easier to implement further cybersecurity measures with new technologies, but many companies find themselves still working with yesterday’s equipment and software. These installations will become increasingly vulnerable if cyber defences are not kept up-to-date. The job is challenging, but it can be done. Defences don’t have to be air-tight to be effective. Hackers need to be resisted only to the extent necessary to make them look for an easier target.