SCADA System Security Still Needs Strengthening

Industrial Control System (ICS) networks, which include supervisory control and data acquisition (SCADA) systems, administer operations for critical infrastructure and production, including manufacturing facilities, refineries, water treatment plants, and hydroelectric and nuclear power plants. These legacy systems, often built before the internet existed, are increasingly being connected to the internet, primarily to make them easier to manage remotely. Even SCADA systems that have remained isolated from the internet and business IT systems are vulnerable to threats that can “leap the air gap” via process, people and physical (e.g., USB drive) attack vectors.

Industrial Control Systems Face Unique Complications

Control networks and industrial control systems face a unique set of cyber security complications. Traditional air gaps are no longer effective, but the information technology (IT) cyber security solutions in use on the corporate network cannot simply be redeployed to protect the control network, because the IT and control network teams have different priorities and requirements. For example, in industrial control system environments that usually run 24/7, configuration changes can only be applied during maintenance outage windows, which often occur only once per year for a limited number of days. A related deficiency is the lack of forensic readiness: if one presumes that a failure will happen, its root cause may require prolonged forensic effort to establish, and the evidence may ultimately be lost in the rush to re-establish operations.

While cyber-attacks against ICS installations are rare (making protection against them look like a waste of company resources), if any nation suffers a significant cyber-attack against its critical infrastructure, or a large corporation suffers one against one of its many plants, recovery will be much more difficult than from a physical attack, where damage may be severe but is contained. In contrast, cyber-attacks are scalable: they can trigger follow-up and copycat attacks. Whereas explosives can only be used once, digital weapons can be copied and re-used, and a single beachhead, such as a contractor’s or supplier’s remote access, can be exploited to compromise multiple targets.

Discovery of the Stuxnet Virus

The discovery of Stuxnet in 2010 and the subsequent revelations about its counterparts Flame and Duqu have brought critical infrastructure security to the forefront of the public’s attention. Unfortunately, cybersecurity continues to be a relatively low priority in private ICS environments. For example, many critical infrastructure operators don’t have a dedicated security professional for their systems, and SCADA security makes up less than one percent of their budget for process and ICS equipment and services.

Reliance on traditional perimeter cyber security tools, such as simple firewalls and anti-virus software, has shown its shortcomings time and time again. For example, the Flame virus evaded detection by 43 different anti-virus tools and took more than two years to detect.

SCADA Systems Must Respond to Threats in Real Time

Instead, SCADA systems must have tools in place that allow them to identify threats, respond and expedite forensic analysis in real time. To achieve this, continuous monitoring of all log data generated by SCADA components is needed to automatically baseline normal, day-to-day activity across these components and therefore identify any and all anomalous activity immediately.
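The baselining described above, as an added illustration that is not part of the original article: a learning window of constructed, syslog-style SCADA log lines establishes how often each component emits each event type, and a later window is then checked for components never seen before, event types new for a known component, and event rates well above the baseline. The log line shape, component names and event names are assumptions chosen for the example.

```python
import re
from collections import Counter

# Assumed line shape for the constructed samples: "<timestamp> <component> <event> [details]".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<component>\S+)\s+(?P<event>\S+)(?:\s+(?P<detail>.*))?$")

# Constructed known-good window used to learn what normal activity looks like.
BASELINE_LOGS = [
    "2024-01-01T00:00:00 plc-01 READ_TAG tag=flow_rate",
    "2024-01-01T00:00:05 plc-01 READ_TAG tag=flow_rate",
    "2024-01-01T00:00:10 plc-01 READ_TAG tag=flow_rate",
    "2024-01-01T00:00:15 plc-02 READ_TAG tag=tank_level",
    "2024-01-01T00:00:20 hmi-01 LOGIN user=operator",
    "2024-01-01T00:00:25 hmi-01 WRITE_TAG tag=setpoint",
]

# Constructed later window to be compared against the baseline.
NEW_LOGS = [
    "2024-01-02T00:00:00 plc-01 READ_TAG tag=flow_rate",
    "2024-01-02T00:00:05 plc-01 WRITE_TAG tag=setpoint",   # a PLC never issued writes before
    "2024-01-02T00:00:10 eng-ws-07 LOGIN user=admin",      # component absent from the baseline
    "2024-01-02T00:00:15 plc-02 READ_TAG tag=tank_level",
    "2024-01-02T00:00:16 plc-02 READ_TAG tag=tank_level",
    "2024-01-02T00:00:17 plc-02 READ_TAG tag=tank_level",  # three times the baseline rate
]

def parse(lines):
    # Return (component, event) pairs; lines that do not match the shape are skipped.
    pairs = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            pairs.append((m.group("component"), m.group("event")))
    return pairs

def build_baseline(lines):
    # Count how often each (component, event) pair occurs in the known-good window.
    return Counter(parse(lines))

def find_anomalies(baseline, lines, spike_factor=2.0):
    # Flag unknown components, events new for a known component, and rate spikes.
    known_components = {component for component, _ in baseline}
    observed = Counter(parse(lines))
    anomalies = []
    for (component, event), count in sorted(observed.items()):
        if component not in known_components:
            anomalies.append(("new_component", component, event))
        elif (component, event) not in baseline:
            anomalies.append(("new_event", component, event))
        elif count > spike_factor * baseline[(component, event)]:
            anomalies.append(("rate_spike", component, event))
    return anomalies
```

In practice the baseline would be learned over a much longer window and re-checked each time the later window advances, so that an operator sees each deviation as it happens rather than after the fact.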

By adopting an integrated, layered approach that leverages advanced firewalling, intrusion detection and prevention, security information and event management, predictive analysis and network forensics, ICS operators can take a proactive stance against threats and vulnerabilities, comply with industry regulations and cybersecurity best practice, and protect critical infrastructure.