Abstract
This paper aims to define SCADA systems and explore their importance in modern industry and infrastructure. It seeks to clarify the reasons behind growing concerns about the security of these systems, analyze their inherent vulnerabilities, and propose recommendations for improving security measures within SCADA systems.
Introduction
Supervisory Control and Data Acquisition (SCADA) systems, also referred to as Process Control Systems (PCS), have been specifically developed for automating diverse systems such as traffic control, power grid management, and waste processing.
Application
Control systems are crucial in manufacturing and industrial processing, serving various purposes such as guiding robotic arm and conveyor belt movements, packaging the final product, managing inventory, and monitoring the distribution network. In chemical companies, control systems are essential for monitoring tank levels and ensuring precise ingredient mixing. Likewise, Las Vegas casinos depend on control systems to synchronize water fountain spray with lights and music.
Control systems are utilized in various industries, including oil and gas drilling and refining, water and electricity distribution by utility companies, as well as the collection of wastewater and sewage. They are extensively present in all sectors of the economy. In particular, “supervisory control and data acquisition” (SCADA) refers to the systems that monitor the distribution of vital public utilities such as water, sewer, electricity, oil, and gas. However, India has not yet fully incorporated SCADA systems into its infrastructure.
SCADA systems are widely employed in industrial production and specialized process control for automation purposes. The Indian companies Ranbaxy Labs [1] and Voltas [2] use SCADA systems for process control. However, there is a growing trend of using these systems in countries like the US, UK, and Australia, where they play a crucial role in controlling infrastructural systems such as power, water and waste management, and traffic control. The economy and infrastructure of these countries therefore depend heavily on SCADA systems.
Implementation
SCADA systems follow a three-tiered control architecture. One or more remote terminal units (RTUs) are connected to the sensors and actuators in the field; the RTUs in turn transmit their data to a master station. Figure 1 provides a visual depiction of this arrangement.
The concept underlying control systems is that any measurable quantity can be managed. Measurement occurs through sensors, while control happens through actuators. Sensors collect data for monitoring and data acquisition, while actuators execute actions based on this data. The primary control system, referred to as SCADA, processes the data and determines suitable actions.
More advanced monitoring and control systems have been made possible by advancements in CPUs and RTU programming capabilities. In the past, applications were programmed at the central master station. However, with ladder-logic programming now being used in modern RTUs, they can be programmed directly at the RTU itself. This type of RTU is called a Programmable Logic Controller (PLC) and is quickly becoming standard in control systems.
The configuration of sensors and actuators on a PLC or RTU determines the quantity and type of inputs and outputs. Different models and manufacturers offer modules designed for input, output, digital, analog, or various combinations. An analog input module typically includes multiple interfaces, with common choices being 8, 16, or 32 inputs. Analog output modules receive digital values from the CPU and convert them into analog representations before transmitting them to the actuators. Output modules usually offer options for 8, 16, or 32 outputs with resolutions commonly set at either 8 or 12 bits.
Digital input modules are commonly utilized for indicating status and alarm signals. Instead of merely indicating “open” or “closed,” a dedicated digital input module is employed for counting voltage or current pulses. However, this capability can also be achieved using standard input modules and ladder-logic programming language functions of the PLC.
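The module description above gives the resolution of analog outputs as 8 or 12 bits and notes that analog and digital inputs feed the monitoring data on which control decisions rest. The following is an added example, not code from the paper or any vendor: it scales raw analog counts to engineering units for a channel of configurable bit width, shows what a single count is worth at 8 versus 12 bits, and applies two plausibility checks (out-of-range count and an implausibly large jump between scans) that a defender can use to flag corrupted or manipulated readings before they drive an actuator. The channel definition (a tank level, 0 to 100 %), the maximum credible step and the sample counts are constructed for illustration.

```python
"""Scale analog input counts to engineering units and apply plausibility checks.

Added example for this paper. The channel parameters and the sample counts
below are constructed; they do not describe any specific module or plant.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AnalogChannel:
    name: str
    bits: int          # module resolution; the paper cites 8 or 12 bits
    eng_low: float     # engineering value represented by count 0
    eng_high: float    # engineering value represented by the full-scale count
    max_step: float    # largest credible change between two consecutive scans

    @property
    def full_scale(self) -> int:
        """Largest count the module can report (2^bits - 1)."""
        return (1 << self.bits) - 1

    def resolution(self) -> float:
        """Engineering change represented by a single count."""
        return (self.eng_high - self.eng_low) / self.full_scale

    def to_engineering(self, count: int) -> float:
        """Linear scaling of a raw count; rejects counts outside the module's range."""
        if not 0 <= count <= self.full_scale:
            raise ValueError(
                f"{self.name}: count {count} exceeds {self.bits}-bit range 0..{self.full_scale}"
            )
        return self.eng_low + (self.eng_high - self.eng_low) * count / self.full_scale


def check_series(channel: AnalogChannel, counts: list[int]) -> list[tuple[int, str]]:
    """Return (sample index, reason) for every sample that fails a plausibility check.

    Two checks are applied: the raw count must fit the module's range, and the
    scaled value may not jump by more than channel.max_step between scans.
    Flagged samples would normally be logged and withheld from control logic.
    """
    flags: list[tuple[int, str]] = []
    previous: float | None = None
    for index, count in enumerate(counts):
        try:
            value = channel.to_engineering(count)
        except ValueError as exc:
            flags.append((index, str(exc)))
            continue
        if previous is not None and abs(value - previous) > channel.max_step:
            flags.append(
                (index, f"{channel.name}: jump of {value - previous:+.1f} exceeds {channel.max_step}")
            )
        previous = value
    return flags


# Constructed channel: tank level in percent on a 12-bit input, 5 % max change per scan.
TANK_LEVEL_12BIT = AnalogChannel("tank_level", bits=12, eng_low=0.0, eng_high=100.0, max_step=5.0)
# Same channel on an 8-bit module, to compare the resolution of one count.
TANK_LEVEL_8BIT = AnalogChannel("tank_level", bits=8, eng_low=0.0, eng_high=100.0, max_step=5.0)

# Constructed scan series: steady readings, then an implausible jump, then an out-of-range count.
SAMPLE_COUNTS = [800, 820, 850, 2000, 4096]

if __name__ == "__main__":
    print(f"12-bit resolution: {TANK_LEVEL_12BIT.resolution():.4f} % per count")
    print(f" 8-bit resolution: {TANK_LEVEL_8BIT.resolution():.4f} % per count")
    for index, reason in check_series(TANK_LEVEL_12BIT, SAMPLE_COUNTS):
        print(f"sample {index}: {reason}")
```

The step threshold has to come from process knowledge (how fast the tank can physically fill or drain), which is exactly the kind of information the data-sensitivity questions below are meant to elicit.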
There are several questions that need to be answered:
- Is the data returned by the process of a sensitive nature such that loss, modification or compromise of the data, either intentional or unintentional, will cause serious harm to the organization’s mission?
- Are the instructions transmitted to the process of a sensitive nature such that loss, modification or compromise of the instructions, either intentional or unintentional, will cause serious harm to the organization’s mission?
- What type and amount of system data loss, modification or compromise is acceptable?
- Is the data retained or transmitted by the individual components subject to loss, modification or compromise, either intentionally or unintentionally, to a degree that the system will be affected?
- What level of component data loss, modification or compromise is acceptable?
SCADA system hardware components are designed for industrial environments and offer durability. However, these features do not address professionals’ security concerns regarding data protection and restricted component access.
To fully grasp the design of a SCADA system, it is crucial to comprehend both its operational and management aspects within its operating environment. This requires answering specific questions:
- What environmental factors will affect the process, either negatively or positively?
- What environmental factors will affect the system components, either negatively or positively?
- What is an acceptable level of interference by environmental factors?
- How should these factors be mitigated?
A sophisticated system with many interfaces offers correspondingly many points at which it can be attacked.
When assessing interfaces, it is crucial to determine the required level of security for both system-wide and individual components. This involves considering specific inquiries:
- What interfaces exist for data to flow out of the system?
- What interfaces exist for instructions to flow into the system?
- What level of access is required to the feedback data returned by the process? Who requires access to the data?
- What level of access is required to send instructions to carry out commands against the process?
- Who requires the capability to transmit instructions to the process?
- What protections exist or can be applied to minimize the exposure of vulnerable interfaces by the system?
- What interfaces exist on the components for data or instructions to flow into or out of the component?
- What interfaces exist within the components for data or instructions to flow between components?
- What protections exist or can be applied to minimize the exposure of vulnerable interfaces by the components?
Because SCADA systems have traditionally concentrated on reliability, availability, and data integrity, confidentiality and authentication require extra attention.
Beyond the protocols employed, other issues to consider are the types of interfaces required, the hardware configuration, and the budget. Some questions to answer include:
- What degree of reliability is required?
- What degree of availability is required?
- What degree of data integrity is required?
- What degree of confidentiality is required?
- What overhead and latency in transmission is acceptable?
- What is the environment the communications links must traverse?
Communication requirements deserve particular attention in any security analysis of these systems.
Although slow, Modbus is widely accepted and has become a de-facto standard. According to a recent survey, 40% of industrial communication applications use Modbus.
Profibus is a German standard that defines three types: Field Message Specification (FMS) for general data acquisition systems, Decentralized Peripherals (DP) for fast communication, and Process Automation (PA) for highly reliable and safe communication.
Foundation Fieldbus is an extension to the 4-20mA standard that utilizes digital technologies.
UCA, also known as the Utility Communications Architecture, is an initiative developed by the Electric Power Research Institute (EPRI) for the electrical industry. It is not merely a protocol definition but a complete collection of standards aiming to enable easy integration into systems, enabling manufacturers to design readily compatible devices. In 1999, IEEE took over the UCA standards process and has since expanded it for the water industry. Additionally, other industries are assessing UCA for its appropriateness.
When evaluating the operational functions of a SCADA system, it is important to consider both the hardware and software being used. In traditional SCADA systems, reliability, stability, and safety are key concerns. However, when considering security, it is also important to ensure that the hardware and software have minimal exploitable flaws. This can be achieved through evaluating their assurance. To assess this, there are several questions that need to be addressed:
- What degree of reliability should the system have with respect to software and hardware?
- What degree of assurance should the system have with respect to software and hardware?
- What degree of reliability do the components require in order to effectively satisfy the system’s mission?
- What degree of assurance do the components require?
- Has the hardware been tested for reliability, safety, assurance, stability?
- Has the software undergone a formal documented software development process?
- Have the software and hardware been formally analyzed or evaluated by a trusted third party?
- What is the configuration management and lifecycle maintenance process for the software, and the firmware update process for the hardware?
- What maintenance is required for the hardware?
When evaluating management functions, it is important to assess both the system users and its components. Additionally, the automated decision-making embedded in the system must be evaluated using the same criteria.
Two current trends have made these systems more accessible and have raised security concerns. Both aim to promote communication and interaction among different systems:
- Definition of standard interfaces and communication protocols in support of cross-vendor compatibility and modularity.
- Connection of nodes in a SCADA system to open networks such as the Internet.
Despite the benefits they bring, these trends have also caused SCADA systems to inherit the issues commonly found in networked information systems.
The security of information is a growing concern for systems, particularly those deployed in key positions where they are crucial for operations. Leaving these positions unsecured invites attacks from various sources, ranging from pranksters to terrorists. Laptops seized from al Qaeda have shown that this danger is real.
The data gathered from these computers indicates that al Qaeda has gained substantial understanding of the control systems governing the infrastructure of the United States, raising fears of a potential attack. Richard Clarke, an advisor on Information Security to the President of the United States, recently expressed in a Washington Post article that industry leaders should anticipate and acknowledge their vulnerability to hacking. He also criticized them for prioritizing coffee expenses over information security.
Concerns about the control systems for critical operations in the United States have risen. This is due to a series of eight attack scenarios on the country’s power grid formulated by mock intruders from the Energy Department, all of which were successful. The potential for e-terrorism is particularly worrisome because a combined physical and electronic attack could have a more devastating impact than either type of attack alone. Ron Dick, former head of the FBI’s National Infrastructure Protection Center, shares his anxieties: “The thought of a physical attack on U.S. infrastructure… combined with a cyber-attack that disrupts first responders’ access to 911 systems keeps me awake at night.”
Control systems share many of the vulnerabilities of general information systems and add some of their own. One common shortcoming is the absence of established data sensitivity levels. Secure information systems require data to be identified and classified by sensitivity. Without such distinctions, it is impractical and futile to determine suitable security measures, such as securing communication links or protecting databases.
Security administration in control systems is often weak due to the influence of outdated infrastructure. The importance of properly managing and administering security is often neglected, leading to ineffective practices and inefficient management. It has been proven through experience that systems lacking solid management and administrative policies will eventually exhibit vulnerabilities. Control systems are not exempt from this phenomenon.
Architecturally, many control systems have centralized data storage and control, which can create a single point of failure. There is also a risk of physical damage to infrastructure assets, because the control equipment is permitted to command operations that can push those assets beyond safe limits. To prevent these issues, an effective control hierarchy should be implemented. Furthermore, some control systems integrate in-house emergency services such as fire alarms into the system itself. Given the poor security of these systems, adding such services without careful thought only adds complexity and increases vulnerability.
Control system networks have vulnerabilities that vary with the type of system. Legacy implementations use proprietary protocols and low-bandwidth data channels. They offer fewer opportunities for disruptive behavior than newer networks, which resemble modern TCP/IP systems, but the older technology brings problems of its own. The security of these systems is poor because they were designed at a time when error checking and integrity validation were not considered important.
Furthermore, there is typically a lack of accounting and logging, making it difficult to identify the source and cause of vulnerabilities. The configuration passwords are often weak and may be ineffective due to limitations in the device. The wireless links are not adequately secured. Additionally, networking equipment in these systems, especially when physical access is assumed, is highly susceptible to attacks. It is worth noting that vulnerabilities in older networks are less publicized compared to the vulnerabilities in modern technologies such as Ethernet, routers, and firewalls.
There is little to no network restriction within the network perimeter, which enables “telnet hopping” from harmless network devices to critical utility equipment. There are two additional factors that greatly contribute to the vulnerability of control systems.
PCS links are blindly trusted to transmit data faithfully. The geographically sparse PCS network often requires long-distance connections. These connections can be made through either cables or wireless technology, and they can be exclusive to the PCS or shared with other users. Shared links are more cost-effective, but often the PCS systems at both ends of the link are not properly shielded from the other entities using it.
Moreover, wireless and shared links without security measures are at risk of being eavesdropped or manipulated. Similarly, even unshared cable links that are long or unprotected may be highly vulnerable. For instance, if there is no security mechanism between the master station and RTU, an attacker can transmit a malicious signal through the master station to the RTU, and vice versa.
Recently, a California-based security firm demonstrated the vulnerability of critical infrastructure systems by accessing a remote substation of a large utility company in the southwestern United States. They accomplished this by using a directional antenna and a wireless laptop from a vehicle parked near the substation [6].
The PCS is connected to external networks, that is, networks that are not part of the PCS. Examples include connections to a non-automated administrative network, or connections to other PCS systems for exchanging information or controlling each other. Interfaces to external systems often assume that the outside network is trustworthy, which means that the security of the PCS depends on the security of one or more other organizations. This includes giving certain partners or IT consultants network access without implementing sufficient measures such as firewalls, command logging, or privilege control. As the world moves towards outsourcing and strategic partnerships, security implementation suffers because there is no common standard. Designers frequently forget to secure the backdoors they create for easy system adjustments, which can lead to disaster in the future.
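The preceding paragraphs make two related points: the master-to-RTU link is trusted to carry commands faithfully even though the protocols validate only transmission errors, and access from partner networks is granted without command logging or privilege control. The following added example (not code from the paper, and not any vendor's implementation) makes both concrete for Modbus RTU, the de-facto standard discussed above. It parses a frame and verifies its CRC-16, which detects line noise and truncation but says nothing about who produced the frame, since anyone who can form the bytes can compute the checksum. It then applies a per-RTU policy that restricts which function codes and register ranges each unit may receive, the kind of protocol-aware allow-list and logging point a defender can place at the boundary to a partner network or in front of a master station. The policy contents and the sample frames are constructed for illustration; the fixed 6-byte request layout shown covers only function codes 0x03 and 0x06.

```python
"""Modbus RTU frame parsing, CRC-16 verification and a per-unit command policy.

Added example for this paper. POLICY and the sample frames are constructed;
the CRC algorithm and frame layout follow the Modbus RTU specification.
"""
from dataclasses import dataclass

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06


def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


@dataclass(frozen=True)
class Frame:
    unit: int       # RTU/slave address
    function: int   # Modbus function code
    address: int    # starting register address
    value: int      # register quantity (FC 0x03) or register value (FC 0x06)


def build_frame(unit: int, function: int, address: int, value: int) -> bytes:
    """Serialize a 6-byte FC 0x03/0x06 request and append the CRC, low byte first as on the wire."""
    body = bytes([unit, function]) + address.to_bytes(2, "big") + value.to_bytes(2, "big")
    crc = modbus_crc16(body)
    return body + bytes([crc & 0xFF, crc >> 8])


def parse_frame(raw: bytes) -> Frame:
    """Check length and CRC, then decode the request. A CRC match proves only absence of line errors."""
    if len(raw) != 8:
        raise ValueError(f"unexpected frame length {len(raw)}")
    body, crc_bytes = raw[:-2], raw[-2:]
    if int.from_bytes(crc_bytes, "little") != modbus_crc16(body):
        raise ValueError("CRC mismatch (transmission error or truncated frame)")
    return Frame(
        unit=body[0],
        function=body[1],
        address=int.from_bytes(body[2:4], "big"),
        value=int.from_bytes(body[4:6], "big"),
    )


# Constructed policy: unit 1 is read-only; unit 2 may also be written, but only registers 0-3.
POLICY = {
    1: {READ_HOLDING_REGISTERS: range(0, 100)},
    2: {READ_HOLDING_REGISTERS: range(0, 100), WRITE_SINGLE_REGISTER: range(0, 4)},
}


def check_policy(frame: Frame) -> str:
    """Return 'allow', or a 'deny: ...' reason suitable for a command log entry."""
    permitted = POLICY.get(frame.unit)
    if permitted is None:
        return f"deny: unknown unit {frame.unit}"
    registers = permitted.get(frame.function)
    if registers is None:
        return f"deny: function 0x{frame.function:02X} not permitted for unit {frame.unit}"
    if frame.address not in registers:
        return f"deny: register {frame.address} outside permitted range for unit {frame.unit}"
    return "allow"


def inspect(raw: bytes) -> str:
    """Full pipeline for one captured frame: CRC check, decode, policy decision."""
    try:
        frame = parse_frame(raw)
    except ValueError as exc:
        return f"drop: {exc}"
    return f"{check_policy(frame)} ({frame})"


# Constructed frames: a read of 10 registers from unit 1, a write to unit 2 register 2,
# a write to read-only unit 1, and the first frame with its CRC corrupted.
SAMPLE_FRAMES = [
    build_frame(1, READ_HOLDING_REGISTERS, 0, 10),
    build_frame(2, WRITE_SINGLE_REGISTER, 2, 500),
    build_frame(1, WRITE_SINGLE_REGISTER, 0, 1),
    bytes.fromhex("01030000000AC5CE"),
]

if __name__ == "__main__":
    for raw in SAMPLE_FRAMES:
        print(f"{raw.hex(' ')} -> {inspect(raw)}")
```

The policy table is where the questions from the interface section ("who requires the capability to transmit instructions to the process?") turn into something enforceable, and every "deny" string is a ready-made log line, addressing the lack of accounting noted above.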
Dial-up modem access lacks encryption and authentication practices. Data transfer over telephone lines or wireless networks is typically either unencrypted or encrypted with a weak algorithm that is easy to crack. This lack of security is due to a need to save time and resources on encryption. Unfortunately, it allows signals to be easily analyzed and potentially modified by attackers.