SCADA and the Demise of Security by Obscurity
Various manufacturing and industrial systems are run by SCADA systems – Supervisory Control And Data Acquisition. In the past, little attention was paid to these systems. They were often owned by groups outside of IT and located in places few people, including IT workers, really wanted to go if they could avoid it. The owners of these systems did not view them as IT systems; they viewed them as industrial control systems, and if everything ran on a flat network with Windows XP or WinCE endpoints and it worked, then that was good enough.
It is likely that the first wake-up call was a massive explosion in a Russian gas pipeline in the summer of 1982. Russian operatives were stealing US technology, but the compromise of a certain KGB agent allowed the placement of tampered-with chips and systems which ran as intended at first but eventually turned on their new masters. In this case it is alleged that controllers in the pipeline worked normally for a while, but later decided it was time to run high-pressure tests throughout the system, resulting in what the US Air Force estimated from satellite photos to be a blast in the three kiloton range.
Later, in 2010, in the Iranian uranium enrichment facility in Natanz, operators started to note higher than expected failure rates in their gas centrifuges, devices central to the production of weapons-grade uranium. Failure rates accelerated, with a total of 984 failures attributed to Stuxnet – the malware that took cyberwar from cyberspace to meatspace, destroying physical assets through a sophisticated cyberattack.
With Stuxnet it was clear to even the most hardcore Luddite that the days of treating industrial networks as something other than IT networks requiring normal security practices were over. In the past, many assumed that the use of proprietary and/or undocumented protocols was enough to provide security. However, just because the crew at a dog food factory lacks the skillset to reverse engineer (or better yet, social engineer) certain ICS protocols does not mean that this skills shortfall is universal. Indeed, it appears that Siemens, maker of some of the Programmable Logic Controllers (PLCs) used at Natanz, may have at the very least provided helpful insights into the architecture of their controller software to the US government. If the manufacturers are in cahoots with malware authors, the guys down at the dog food factory are going to have their hands full.
Some things to think about when securing your SCADA network:
- Have you done a risk assessment? There are a couple of ways to do this – one is to write a big check to an outside security organization, and the other is to do it internally with the people you have. You decide which you can afford. Remember, something is better than nothing.
- Are you connected? In other words, is your SCADA system connected to your production IT network? How about the internet? Generally speaking, wherever at all possible, you don’t want this stuff on the corporate network, much less the internet. Defense in depth combined with air gaps will help.
- Are you patched? The guys in the dog food factory may not be thinking about patches and updates, but you should. Industrial systems stay in production for a long time, often decades, so you should plan to deploy updates where you can, for as long as you can, while architecting things so that the security moat you build around your equipment can stay current long after the gear it protects has lost support from the maker of the OS it runs on.
- Passwords and such. Are you running strong passwords? Are you using tokens or some other multifactor authentication? Do you turn off accounts that are no longer in use? What about vendor support accounts?
- Some assets are more equal than others. Have you made a list of what you have and sorted it in order of importance? Stuff at the top gets the first and finest attention.
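The checklist above is easiest to keep honest when it is run against an actual asset inventory rather than from memory. The script below is an added example, not BreakingPoint's code or anything from the original post: it takes a constructed inventory of three plant assets and, for each, flags the connectivity, patching and account issues the list asks about, then orders the output by criticality so the most important gear gets the first and finest attention. The field names (`zone`, `reachable_from`, `os_support_end`, `accounts`, and so on), the thresholds, and every host and account name are assumptions made for this illustration, not any vendor's schema.

```python
"""Triage a constructed SCADA asset inventory against the checklist above.

Added example, not BreakingPoint's code. All data and field names below are
assumptions chosen for this illustration, not a real plant or vendor schema.
"""
from datetime import date, timedelta

# Constructed sample inventory. criticality: 1 = most important.
INVENTORY = [
    {"name": "boiler-plc-01", "criticality": 1, "zone": "control",
     "reachable_from": ["corporate"],  # zones that have a route to this asset
     "os": "Windows XP", "os_support_end": date(2014, 4, 8),
     "last_patched": date(2013, 11, 1),
     "accounts": [
         {"user": "operator", "mfa": True, "vendor": False, "enabled": True,
          "last_login": date(2024, 5, 1)},
         {"user": "vendor_support", "mfa": False, "vendor": True, "enabled": True,
          "last_login": date(2019, 2, 3)},
     ]},
    {"name": "historian-01", "criticality": 2, "zone": "corporate",
     "reachable_from": ["internet"],
     "os": "Windows Server 2019", "os_support_end": date(2029, 1, 9),
     "last_patched": date(2024, 1, 15),
     "accounts": [
         {"user": "svc_historian", "mfa": False, "vendor": False, "enabled": True,
          "last_login": date(2024, 5, 30)},
         {"user": "contractor", "mfa": False, "vendor": True, "enabled": False,
          "last_login": date(2021, 8, 9)},  # already disabled: nothing to flag
     ]},
    {"name": "hmi-packing-02", "criticality": 3, "zone": "control",
     "reachable_from": [],
     "os": "Windows 10", "os_support_end": date(2025, 10, 14),
     "last_patched": date(2024, 4, 20),
     "accounts": [
         {"user": "line2", "mfa": False, "vendor": False, "enabled": True,
          "last_login": date(2024, 5, 10)},
     ]},
]

TODAY = date(2024, 6, 1)                   # fixed so the output is reproducible
PATCH_AGE_LIMIT = timedelta(days=90)       # assumed policy values
STALE_ACCOUNT_LIMIT = timedelta(days=180)


def assess_asset(asset, today):
    """Return a list of human-readable findings for one asset."""
    findings = []
    # Are you connected?  Anything outside the control zone, or routable from
    # the corporate network or the internet, breaks the air gap.
    if asset["zone"] != "control":
        findings.append(f"sits in the {asset['zone']} zone, not the control zone")
    for zone in asset["reachable_from"]:
        findings.append(f"reachable from {zone}")
    # Are you patched?  An unsupported OS cannot be patched at all, so the
    # compensating controls around it have to carry the risk instead.
    if today > asset["os_support_end"]:
        findings.append(f"{asset['os']} unsupported since {asset['os_support_end']}; "
                        "compensating controls must carry it")
    elif today - asset["last_patched"] > PATCH_AGE_LIMIT:
        findings.append(f"last patched {asset['last_patched']}, "
                        f"over {PATCH_AGE_LIMIT.days} days ago")
    # Passwords and such: MFA on every live account, and no forgotten logins.
    for acct in asset["accounts"]:
        if not acct["enabled"]:
            continue
        if not acct["mfa"]:
            findings.append(f"account {acct['user']} has no MFA")
        if today - acct["last_login"] > STALE_ACCOUNT_LIMIT:
            kind = "vendor support" if acct["vendor"] else "user"
            findings.append(f"{kind} account {acct['user']} unused since "
                            f"{acct['last_login']}; disable it")
    return findings


def prioritize(inventory, today):
    """(name, criticality, findings) tuples, most important asset first;
    ties broken by number of findings."""
    report = [(a["name"], a["criticality"], assess_asset(a, today)) for a in inventory]
    report.sort(key=lambda r: (r[1], -len(r[2])))
    return report


def run_report():
    return prioritize(INVENTORY, TODAY)


if __name__ == "__main__":
    for name, crit, findings in run_report():
        print(f"[{crit}] {name}")
        for f in findings:
            print(f"    - {f}")
```

The ordering matters more than the individual checks: the XP-based PLC at the top of the list is the one whose moat has to be rebuilt first, while the packing-line HMI with a single missing-MFA finding can wait its turn. Swap the constructed inventory for an export from whatever you actually use to track assets, and tune the two thresholds to your own policy.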
Anyway, the old days when SCADA/ICS networks could be ignored from an IT standpoint are long gone. Now, just like everywhere else, defense in depth, intelligent authentication schemes, patching and the other hallmarks of traditional security apply to industrial systems as well. But don’t worry, because if you think you have it bad, just think about the automotive guys – the CAN bus assumes it is a safe, restricted network where everyone can talk to everyone.
Need to secure a SCADA network? Here’s how BreakingPoint can help.