SCADA systems security issues

SCADA systems are used to monitor and control critical installations in oil and gas refineries, water and power distribution plants, manufacturing plants and other industrial facilities. There has been a lot of discussion about malware and security in industrial automation systems after Stuxnet. Widely viewed as the most complex piece of computer malware ever created, Stuxnet is believed to have been designed to sabotage uranium enrichment centrifuges at Iran’s Natanz nuclear plant. If one piece of malware can do that, other similar malware can do something equally nasty somewhere else.

Attacks against SCADA systems can have potentially very serious consequences. I think that we have been quite lucky that we have not seen any big disasters yet. Even though the attacks are rare at the moment, security researchers are confident that their number will increase, especially since the Stuxnet industrial sabotage worm set a successful precedent. And now there is a lot of news about the Duqu worm.

News about a month ago reported that a SCADA hack had shut down a US water plant on 8 November 2011. A separate intrusion, at the water system of a Texas town, was credited to an unknown attacker (someone using the handle “pr0f” took credit) who, according to hacker sources, managed to access a SCADA controller and take over systems. Once again this caused security experts to question the security of SCADA systems. The headline said it all: Hacker Says Texas Town Used Three Character Password To Secure Internet Facing SCADA System. “This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,” he wrote. “You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely (expletive) the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done,” he wrote in a note on the file-sharing web site pastebin.com. On the other hand, federal officials said there was no evidence to support the report that hackers had destroyed a pump used by an Illinois-based water utility after gaining unauthorized access to the computer system it used to operate its machinery. Where the truth lies in that case is hard to say.

What is known is that many industrial systems are vulnerable. Siemens SIMATIC is a common SCADA/PLC product line and has been the subject of repeated warnings from security researchers: Siemens industrial control systems are vulnerable to attacks that can cause serious problems. The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned earlier that Siemens’ SIMATIC S7-1200 programmable logic controllers (PLCs) are vulnerable to so-called replay attacks that can interfere with normal operations. An attacker with access to the PLC or the automation network could intercept the PLC password and make unauthorized changes to the PLC’s operation. The ISO-TSAP protocol (RFC 1006, TCP port 102) is functioning to specification; the problem is the specification itself, which performs no authentication and neither encrypts nor obfuscates payloads, so anything captured on the wire can simply be sent again.
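Because ISO-TSAP gives the PLC no way to tell a replayed packet from a genuine one, the only place the replay can be caught is on the network. The following is an added example (not code from the original post, from Siemens or from ICS-CERT): it strips the TPKT and COTP framing from captured TCP/102 frames, reads the S7comm header and function code the way Wireshark’s s7comm dissector lays them out, and raises an alert for any state-changing request (write variable, PLC control, PLC stop) that comes from a host other than the engineering station, or whose bytes, PDU reference included, were already seen earlier in the capture. The frames, the host addresses and the allowlist are constructed for illustration.

```python
"""ISO-TSAP / S7comm replay and write-source check over captured frames.
Added example, not from the original post or from Siemens. Frames and hosts
below are constructed; field offsets follow Wireshark's s7comm dissector."""
from dataclasses import dataclass

S7_PROTO_ID = 0x32          # first byte of every S7comm PDU
ROSCTR_JOB = 0x01           # request from client to PLC
ROSCTR_ACK = 0x02
ROSCTR_ACK_DATA = 0x03      # responses carry 2 extra error bytes in the header
COTP_DT = 0xF0              # COTP data TPDU (connection setup CR/CC is ignored)
FUNC_NAMES = {0x04: "read_var", 0x05: "write_var", 0x28: "plc_control",
              0x29: "plc_stop", 0xF0: "setup_comm"}
SENSITIVE_FUNCS = {0x05, 0x28, 0x29}   # anything that changes PLC state


class FrameError(ValueError):
    """Frame is not an S7comm PDU we know how to read."""


@dataclass
class S7Pdu:
    src: str
    rosctr: int
    pdu_ref: int
    func: int
    raw: bytes      # whole S7comm PDU: header + parameters + data


def parse_s7(src, frame):
    """Strip TPKT and COTP and return the S7comm Job/Ack as an S7Pdu."""
    if len(frame) < 7 or frame[0] != 0x03 or frame[1] != 0x00:
        raise FrameError("not TPKT")
    if int.from_bytes(frame[2:4], "big") != len(frame):
        raise FrameError("TPKT length mismatch")
    cotp_li = frame[4]                      # COTP length indicator
    if frame[5] != COTP_DT:
        raise FrameError("not a COTP DT TPDU")
    s7 = bytes(frame[5 + cotp_li:])
    if len(s7) < 10 or s7[0] != S7_PROTO_ID:
        raise FrameError("no S7comm header")
    rosctr = s7[1]
    pdu_ref = int.from_bytes(s7[4:6], "big")
    param_len = int.from_bytes(s7[6:8], "big")
    hdr_len = 12 if rosctr in (ROSCTR_ACK, ROSCTR_ACK_DATA) else 10
    if param_len == 0 or len(s7) <= hdr_len:
        raise FrameError("empty parameter block")
    return S7Pdu(src, rosctr, pdu_ref, s7[hdr_len], s7)   # func = 1st param byte


def tpkt(s7_pdu):
    """Wrap an S7comm PDU in COTP DT + TPKT, as it travels on TCP/102."""
    body = bytes([0x02, COTP_DT, 0x80]) + s7_pdu
    return bytes([0x03, 0x00]) + (4 + len(body)).to_bytes(2, "big") + body


def s7_job(pdu_ref, param, data=b""):
    """Build an S7comm Job PDU: 10-byte header, parameters, then data."""
    hdr = (bytes([S7_PROTO_ID, ROSCTR_JOB, 0x00, 0x00])
           + pdu_ref.to_bytes(2, "big")
           + len(param).to_bytes(2, "big") + len(data).to_bytes(2, "big"))
    return hdr + param + data


# Constructed parameters: read/write one byte of DB1 at offset 0, and a PLC
# stop carrying the "P_PROGRAM" service name.
READ_PARAM = bytes.fromhex("04 01 12 0a 10 02 00 01 00 01 84 00 00 00")
WRITE_PARAM = bytes.fromhex("05 01 12 0a 10 02 00 01 00 01 84 00 00 00")
WRITE_DATA = bytes.fromhex("00 04 00 08 ff")
STOP_PARAM = bytes.fromhex("29 00 00 00 00 00 09") + b"P_PROGRAM"

# Constructed capture: (source address, frame). 10.0.1.5 is the engineering
# station; 10.0.9.77 re-sends bytes it sniffed, then sends a stop of its own.
CAPTURE = [
    ("10.0.1.5", tpkt(s7_job(0x0100, READ_PARAM))),
    ("10.0.1.5", tpkt(s7_job(0x0101, WRITE_PARAM, WRITE_DATA))),
    ("10.0.9.77", tpkt(s7_job(0x0101, WRITE_PARAM, WRITE_DATA))),   # replayed
    ("10.0.9.77", tpkt(s7_job(0x0101, WRITE_PARAM, WRITE_DATA))),   # again
    ("10.0.9.77", tpkt(s7_job(0x0102, STOP_PARAM))),
]


def analyse(frames, allowed_writers):
    """Alert on state-changing Jobs from unexpected hosts and on Jobs whose
    bytes (PDU reference included) were already seen. A real client increments
    the PDU reference, so an exact repeat is what a replay looks like."""
    first_sender, alerts = {}, []
    for src, frame in frames:
        try:
            pdu = parse_s7(src, frame)
        except FrameError:
            continue
        if pdu.rosctr != ROSCTR_JOB or pdu.func not in SENSITIVE_FUNCS:
            continue
        name = FUNC_NAMES.get(pdu.func, hex(pdu.func))
        if src not in allowed_writers:
            alerts.append(f"{src}: {name} from a host that is not an engineering station")
        if pdu.raw in first_sender:
            alerts.append(f"{src}: {name} pdu_ref={pdu.pdu_ref:#06x} is byte-identical "
                          f"to an earlier Job from {first_sender[pdu.raw]} (replay?)")
        else:
            first_sender[pdu.raw] = src
    return alerts
```

Run against the constructed capture, `analyse(CAPTURE, {"10.0.1.5"})` yields five alerts: the two replayed writes are flagged both as coming from a non-engineering host and as byte-identical to the station’s earlier Job, and the stop request is flagged by source. The same logic run as a passive tap on the automation network is the compensating control while the protocol itself cannot be fixed.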

White Paper On Industrial Automation Security In Fieldbus And Field Device Level (from Vacon, Nixu and F-Secure) is an interesting white paper that gives a generic overview of security in industrial automation. Security aspects of traditional fieldbuses, Ethernet-based networks and wireless communication technologies are presented, and the challenges of data security in industrial automation are discussed. The properties of industrial automation devices are described with a focus on security, tampering possibilities and risk mitigation methods.

Many protocols used in industrial control systems were intentionally designed to be open and without security features. As long as the networks that run those protocols are kept physically separate from public networks, you are reasonably safe. For the most part SCADA systems were not designed to be connected to the Internet, but engineers put in workarounds for remote access. Any time you do this you create a pathway that someone can use to get in. And there are many cases where remote devices are accessed using those insecure protocols over unsafe networks (public telephone network, cellular network, radio links, even the Internet).

For a long time there has been a belief that SCADA systems benefit from security through the use of specialized protocols and proprietary interfaces (security through obscurity), and that their networks are physically secured and disconnected from the Internet. Today none of those beliefs hold any more. Nowadays you can find many tools on the Internet that work with standard SCADA protocols (for example, Wireshark can decode several commonly used SCADA protocols such as Modbus/TCP and DNP3).

The move from proprietary technologies to more standardized and open solutions, together with the increased number of connections between SCADA systems, office networks and the Internet, has made them more vulnerable to attacks. Modern SCADA systems should be designed so that they can withstand being accidentally connected to the Internet (it will happen sooner or later). In addition to making the SCADA system itself secure, you should separate it from the Internet (no connection at all, or a very strictly configured series of firewalls). The FACT CHECK: SCADA Systems Are Online Now article says that nearly everything is connected now; nearly all SCADA systems are online. Adding a simple NAT device is far from bulletproof access control: NAT hides addresses, it does not decide who may talk to what.
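What “very strictly configured” means in practice is a default-deny policy in both directions with one explicit rule per allowed flow. The ruleset below is an added example, not configuration from the original post: it is a Linux nftables ruleset for a firewall sitting between the office LAN and the control network, with the NAT-only setup that people mistake for access control shown in the comment at the top for contrast. Interface names, addresses, the historian hosts and the replication port are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Interfaces, addresses and the
# historian replication port (5432) are assumptions.
#
# WEAK, what "just put a NAT box in front of it" gives you: control-network
# addresses are hidden, but the forward chain still accepts everything, so any
# host on the office side can open TCP/102 or TCP/502 to a PLC.
#
#   table ip nat {
#       chain postrouting { type nat hook postrouting priority 100; oifname "eth0" masquerade; }
#   }
#   table ip filter {
#       chain forward { type filter hook forward priority 0; policy accept; }
#   }
#
# HARDENED: default deny both ways, industrial protocols never cross the
# boundary, one explicit conduit for historian replication, everything else
# logged and dropped.
flush ruleset

define OFFICE_IF   = "eth0"            # office / business LAN side
define CONTROL_IF  = "eth1"            # process-control network side
define ENG_STATION = 10.10.0.5         # only host allowed to manage the firewall
define HISTORIAN   = 10.10.0.20        # control-side historian
define OFFICE_HIST = 192.168.1.20      # office-side historian replica
define ICS_PORTS   = { 102, 502, 20000, 44818 }   # ISO-TSAP/S7, Modbus/TCP, DNP3, EtherNet/IP

table inet ics_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Industrial protocols are blocked in both directions, and logged so
        # that a "temporary" engineering workaround shows up in the SIEM.
        iifname $OFFICE_IF  oifname $CONTROL_IF tcp dport $ICS_PORTS log prefix "ics-from-office: " drop
        iifname $CONTROL_IF oifname $OFFICE_IF  tcp dport $ICS_PORTS log prefix "ics-to-office: " drop

        # The one allowed conduit: historian replication, initiated from the
        # control side towards the office replica, never the other way round.
        iifname $CONTROL_IF oifname $OFFICE_IF ip saddr $HISTORIAN ip daddr $OFFICE_HIST tcp dport 5432 accept

        log prefix "ics-fw-drop: " drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept
        # Firewall management only from the engineering station, only over SSH.
        iifname $CONTROL_IF ip saddr $ENG_STATION tcp dport 22 accept
    }
}
```

The point of the two `ics-*` log rules is as much detection as prevention: if the control network has been “accidentally connected”, the first Modbus or S7 connection attempt from the office side produces a log line, which is what you want to see before the attacker does.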

Most SCADA systems in use are old computer systems. They are usually horribly patched (“if it ain’t broken, don’t fix it”) and often run very old operating system versions. Windows is a very commonly used operating system for SCADA applications, because few SCADA packages support anything other than Windows. It seems that there are many people who are not happy with the security stance taken within their organizations around SCADA hosts. Even if you have patches up to date and current anti-malware on a host, all you have done is eliminate some of the risk (and maybe created new risk, because anti-malware software can sometimes disturb normal system operation). Add a firewall and you have reduced some more of the risk. Pile on as much security as you want and people are going to find ways to disable it and make themselves vulnerable.

I wish no one had to worry about hackers in any application, but we do. Unfortunately, data security is never a non-issue.

The FACT CHECK: SCADA Systems Are Online Now article mentions an interesting story about a Boeing 747 (for those who do not know, modern 747s are big flying Unix hosts with lots of Ethernet). They had added a new video system that ran over IP. They segregated this from the control systems using layer 2 VLANs. Security researchers managed to break out of the VLANs and access other systems (including engine management systems). The issue here is that all that separated the engine control systems from the open network were VLAN and NAT-based filters.

215 Comments

  1. Tomi Engdahl says:
    Super Stuxnet’s SCADA slaves: security is atrocious
    153 computers, six SCADA systems, most C&C points to Iran
    http://www.theregister.co.uk/2015/06/11/super_stuxnets_scada_slaves_security_is_atrocious/

    Botnet boffin Peter Kleissner says at least 153 computers are still slaves to Stuxnet.

    Of those, six are tied to supervisory control and data acquisition (SCADA) systems which the malware is designed to exploit to destroy the attached machinery.

    Kleissner told a presentation at an information security conference in Vienna last week that half of all infections stem from Iran, where the super worm was first targeted.

    “The amount of unique identifiers basically equals to unique Stuxnet infections; it is safe to say that in 2013 and 2014 there were at least 153 distinct infected machines with Stuxnet,” Kleissner says in the paper Internet Attacks Against Nuclear Power Plants [PDF].

    “It is inevitable that existing malware infections lower the overall security of the particular machines and the entire networks and therefore make it easier (or possible at all) for anyone else to intrude the system.”

    The infected boxes appear to be isolated puppets no longer being controlled by the United States attackers, but are nonetheless exposed to hijacking by anyone in control of those servers.

    “… any capable intelligence service (or individual with the knowledge and skills) could seize control and potentially cause considerable damage leveraging the remaining infection,” Kleissner says.

    Reply
  2. Tomi Engdahl says:
    Config file wipe blunder caused deadly Airbus A400M crash – claim
    Probe insiders indicate engine shutdown due to missing data
    http://www.theregister.co.uk/2015/06/10/airbus_a400m_probe_torque_data/

    A dodgy software installation that deleted vital files caused last month’s Airbus A400M transport plane crash in which four people died, it is claimed.

    On May 9, a test flight of the A400M, intended to replace the aging Hercules as a mainstay of NATO’s air mobility fleet, crashed in Spain, killing four of the six crew. According to Reuters today, a faulty software installation on the aircraft’s systems deleted configuration information, and caused three of the four turboprop engines to shut down after takeoff.

    People familiar with the investigation said the torque calibration parameters for the engines were wiped during the installation. This data is needed to measure and interpret information coming back from the A400M’s engines, and is crucial for the Electronic Control Units (ECU) that control the aircraft’s power systems.

    Without that sensor data, the ECU automatically shut down the engines, or at least put them into the lowest power settings. According to safety documentation, the pilots would only get a warning from the ECUs when the aircraft is 400 feet (120 metres) off the ground.

    “Nobody imagined a problem like this could happen to three engines,” a person familiar with the 12-year-old project said.

    The crashed A400M was being tested before delivery to the Turkish Air Force.

    On May 20, Airbus warned A400M customers to conduct “specific checks of the Electronic Control Units (ECU) on each of the aircraft’s engines.”

    Reply
  3. Tomi Engdahl says:
    7 benefits of integrating human-machine interfaces, historians
    http://www.controleng.com/single-article/7-benefits-of-integrating-human-machine-interfaces-historians/b0af693d17b5432443846018d1ca61b5.html

    Cover story: Human-machine interfaces (HMIs) and historians differ but need to be tightly integrated to provide company operations with optimal value. Big data has little value without analysis and access in real time. Seven application examples explain HMI-historian integration benefits, including troubleshooting, analysis, and regulatory compliance.

    Human-machine interfaces (HMIs) and historians differ in purpose but need to be tightly integrated to provide great value to companies’ operations. HMIs provide effective control and interactions between humans and machines. Historians collect high-speed time-series data to maintain a chronology of events.


    With today’s PC standard technology and capabilities, a typical historian system should be able to store and access more than 10 years of raw data. Aggregated manufacturing big data is good for certain reports, and historians should have the features to get access to this data, but it should not be stored as aggregates. Raw data streams are needed for true analysis. A well-performing historian should be able to easily exceed 1 million updates per second when storing data while retrieving more than 3 million updates per second at the same time. Users become quickly frustrated if they cannot get access to the data they need for analysis within a few seconds.

    Reply
  4. Tomi Engdahl says:
    SCADA systems can be old because “if it works, don’t fix it”

    The ancient Amiga has been on for 30 years – 19 schools fully dependent on it

    If it works, do not fix it. An ancient Amiga has been responsible for the ventilation and heating of 19 American schools for 30 years, says WoodTV.

    The device has needed replacing for a long time, but so far that has not happened due to lack of money. According to Tim Hopkins, who is responsible for facilities management, spare parts are hard to find.
    Hopkins describes the device as “a unique product.”

    The computer’s software was written back in the day by a local high school student. If there are problems with the software, the school asks for help from the same person, who still lives in the community.

    If the device breaks down, all the schools’ systems would have to be switched on and off manually.

    Source: http://www.tivi.fi/Kaikki_uutiset/2015-06-15/Ikivanha-Amiga-ollut-p%C3%A4%C3%A4ll%C3%A4-jo-30-vuotta—19-koulua-t%C3%A4ysin-riippuvaisia-siit%C3%A4-3323706.html

    1980s computer controls GRPS heat and AC
    http://woodtv.com/2015/06/11/1980s-computer-controls-grps-heat-and-ac/

    A 30-year-old computer that has run day and night for decades is what controls the heat and air conditioning at 19 Grand Rapids Public Schools.

    The Commodore Amiga was new to GRPS in the early 1980s and it has been working tirelessly ever since. GRPS Maintenance Supervisor Tim Hopkins said that the computer was purchased with money from an energy bond in the 1980s. It replaced a computer that was “about the size of a refrigerator.”

    The computer is responsible for turning the heat and the air conditioners on and off for 19 school buildings.

    “The system controls the start/stop of boilers, the start/stop of fans, pumps, [it] monitors space temperatures, and so on,” Hopkins explained.

    Parts for the computer are difficult to find, Hopkins said. It is on its second mouse and third monitor.

    “It’s a very unique product. It operates on a 1200-bit modem,” said Hopkins. “How it runs, the software that it’s running, is unique to Commodore.”

    Hopkins said the system runs on a radio frequency that sends a signal to school buildings, which reply within a matter of seconds with the status of each building. The only problem is that the computer operates on the same frequency as some of the walkie-talkies used by the maintenance department.

    “Because they share the same frequency as our maintenance communications radios and operations maintenance radios — it depends on what we’re doing — yes, they do interfere,” Hopkins said.

    If the computer stopped working tomorrow, a staff person would have to turn each building’s climate control systems on and off by hand.

    A new, more current system would cost between $1.5 and 2 million.

    Reply
  5. Tomi Engdahl says:
    MicroLogix 1400 PLC Teardown
    http://steelcityelectronics.com/2015/02/09/micrologix-1400-plc-teardown/

    Introducing the MicroLogix 1400 PLC (1766L32BXBA) from Allen Bradley.

    Taking a close look at the large PCB reveals that this is where all the grunt work takes place. The hardware for this PLC was probably designed about 5-6 years ago – the date stamps for the ICs suggest their manufacture was in 2010. Onboard is an Altera Cyclone 2 FPGA and this is where I expect the user’s logic is executed. An FPGA would allow the user to include many more hardware based timers, counters and math operations than is possible with a microcontroller or microprocessor.

    Located underneath the FPGA on the other side of the PCB is 16Mbit of Flash memory. This would be where the FPGA’s bit file resides and is loaded from each time the FPGA is reset.

    Additionally there is a Freescale ColdFire MC5275 microprocessor. A quick check of this device’s datasheet reveals that it is a respectable piece of hardware. My thoughts are this is the device that performs the overall operation of the hardware, where your programming PC interfaces to when monitoring, loading new ladder logic or performing ladder logic online edits. Your new PLC code would some how pass through this device before it is executed in the FPGA.

    The IO interface is handled with the following board. The 2x white ICs are opto-isolators manufactured by Toshiba and used for regular digital inputs.

    Reply
  6. Tomi Engdahl says:
    Increasingly large numbers of unprotected automation systems

    29.06.2015 at 14:23

    The Finnish Communications Regulatory Authority’s Kyberturvallisuuskeskus (National Cyber Security Centre) is concerned about the large number of unprotected automation equipment. A mapping of Finnish networks carried out by Kyberturvallisuuskeskus in spring 2015 still found thousands of unprotected automation devices of different types. The devices discovered, and their numbers, correspond to those observed in previous similar surveys.

    The largest group consists of building automation equipment, of which thousands were observed in this survey as well. Automation equipment affects the physical world, which can make related security incidents particularly serious. An unprotected automation device can also be a threat to other Internet users, for example if an attacker harnesses easily compromised devices for denial-of-service attacks. The owner may not notice that, in addition to their own vulnerability, they are causing harm to others.

    Source: https://www.viestintavirasto.fi/kyberturvallisuus/tietoturvanyt/2015/06/ttn201506291423.html

    Reply
  7. Tomi Engdahl says:
    Monitor aging equipment without replacement
    http://www.controleng.com/single-article/monitor-aging-equipment-without-replacement/3c0d497763eaaecd0b40cbaa02886f45.html

    Electrical gateways provide an inside view of a facility’s electrical distribution and control equipment. Older pieces of large equipment, including motor-control centers, switchgear, and panelboards, were not engineered when proactive energy management was a primary concern. See five key benefits to using electrical gateways.

    Modern gateways also use open protocols, enabling communications with devices that communicate via an open protocol like Modbus, regardless of the manufacturer—allowing for seamless integration into energy management, building management, and facility monitoring systems.

    But how do these new features translate into the actionable intelligence needed to drive continuous improvement?

    Five key benefits

    1. Safety: Monitoring systems can limit the exposure of personnel to potentially hazardous electrical environments by providing remote status and operational parameters.

    2. Reliability: Assessment of data from the monitoring system can reveal issues that could adversely affect the operation and productivity of a facility. Historical data from power monitoring systems can help locate and correct both acute and chronic problems, resulting in increased productivity. Alarm notifications also can be proactively set to warn of underperforming equipment and conditions threatening uptime.

    3. Energy efficiency: A better knowledge of how energy is used within a facility allows for identification of an array of prospects to improve efficiency, minimize waste, and reduce energy consumption. The ability to benchmark performance and export in-depth reports allows for verification of energy management program success.

    4. Simplified maintenance: Trended data and reporting capabilities allow users to better forecast when defined equipment parameters may be exceeded, allowing facility management to plan ahead instead of facing an unscheduled shutdown of equipment.

    5. Operational costs: Each benefit discussed above either directly or indirectly influences a business’ bottom line. In most cases, the monetary impact from even one or two benefits can quickly justify the purchase and installation of a power monitoring system. Monitoring systems also can be scaled from one single piece of equipment to an entire facility—allowing for incremental expansion with budget and facility growth.

    Reply
  8. Tomi Engdahl says:
    Teardown: Ruggedness and flexibility keep PLCs strong in industrial
    http://www.edn.com/design/analog/4439882/Teardown–Ruggedness-and-flexibility-keep-PLCs-strong-in-industrial?_mc=NL_EDN_EDT_EDN_weekly_20150709&cid=NL_EDN_EDT_EDN_weekly_20150709&elq=0387bc473ecc4fd9886d085dea87d0b6&elqCampaignId=23847&elqaid=26929&elqat=1&elqTrackId=84189b6995e54a69a95ec64248ad3589

    The modern programmable logic controller (PLC) is at the nexus of two debates that are taking place daily at opposite ends of the control-system spectrum. At one end is the debate over the ideal technology for digital I/O isolation and protection. At the other end, and at a much higher architectural level, is the debate over which is better: PLC-based control or PC/embedded computer-based control.

    Given the increasing importance of factory, industrial, and manufacturing automation, we jumped on the opportunity to tear down a popular PLC, the Allen-Bradley Micro850, and explore some of the choices made in its design to shed light on core I/O isolation options along with some of the elements that go into a well-known PLC design.

    PLCs have a long and storied history, with Allen-Bradley itself coining the term “programmable logic controller” in 1971 when it introduced its version of what was then called the “programmable controller.” Allen-Bradley was since bought by Rockwell Automation. The term PLC quickly took hold,

    As anyone who cut their teeth on ladder logic can testify, PLCs at the time were an elegantly simple solution to an age-old problem: making control systems reconfigurable without having to manually rewire or reconnect the hardware.

    For industrial control and automation, these Windows-based PCs and embedded computers offered higher processing power, greater programming flexibility, more ecosystem support and lower cost.

    Meanwhile, PLCs held on to their core advantages of ruggedness, simplicity, reliability, durability and “trust,” a critical factor when downtime can result in losses ranging from thousands to many millions of dollars. Control engineers and technicians knew they could rely upon PLCs and knew how to troubleshoot or swap them out quickly and easily if anything ever did go wrong.

    While PCs may have been invading the factory floor, PLCs weren’t standing still. PCs seemed to be winning the battle in the late nineties and 2000s, but PLCs were becoming more powerful and adopting more standard operating systems and programming languages and methodologies, such as C, while also becoming more open.

    Reply
  9. Tomi Engdahl says:
    Embedded automation computer with multiple connectivity ports
    http://www.controleng.com/single-article/embedded-automation-computer-with-multiple-connectivity-ports/0f73b519a1468d5901e4b2c8568352c5.html

    Advantech’s UNO-1372G small-size DIN-rail embedded automation computer features multiple connectivity, sensor, communication, and data transfer ports and can operate in harsh conditions.

    Advantech’s UNO-1372G DIN-rail embedded automation computer features three GbE ports for fast data transfer, two mPCIe slots to enable connection to 3rd party devices, one mSATA connector, and one SATA for a SSD or HDD, two COM ports, three USB ports, eight digital I/O ports, and HDMI/VGA ports.

    The UNO-1372G has an operating temperature range of -20 C to 60 C.

    Options available include fieldbus protocols such as Profibus, Profinet, EtherCAT, and Powerlink

    Communication options include GPS, 3G, LTE, ZigBee, RFID, and Bluetooth.

    Reply
  10. Tomi Engdahl says:
    SCADA cyber security
    http://www.controleng.com/single-article/scada-cyber-security/ee4876b21950bd5c2571191e53f8c1d8.html

    Securing control systems with supervisory control and data acquisition (SCADA): SCADA software, part of many industrial control systems, can use the U.S. National Institute of Standards and Technology (NIST) framework for cyber security.

    To meet cyber security concerns, software and hardware vendors, system integrators, and other stakeholders need to work with end users to achieve a secure supervisory control and data acquisition (SCADA) solution. The U.S. National Institute of Standards and Technology (NIST) offers the Cybersecurity Framework (“the Framework”) for systematically identifying the critical assets of the organization, identifying threats, and securing these critical assets. The Framework opens the door to partnerships that are more effective with cyber security prioritized so that the needs of the end user are fully met.

    Cyber financial attacks such as the 83 million household and small-business records stolen from JPMorgan Chase Bank (Reuters, 2014) contribute to the 78% increase in financial impact of cybercrime in the past four years. In this same period, 40% of cyberattacks have been directed against energy companies (Siegel, Josh; Motorola Solutions, 2014). The U.S. government is focusing on the threat to the nation’s critical infrastructure such as our electric grid, oil and gas pipelines, water and wastewater treatment facilities, and transportation infrastructure like tunnels and bridges.

    Reply
  11. Tomi Engdahl says:
    Cyber security in process plants: Recognizing risks, addressing current threats
    http://www.controleng.com/single-article/cyber-security-in-process-plants-recognizing-risks-addressing-current-threats/74983c90bcae14539d2def26798cf7f3.html

    As attacks on industrial control systems (ICSs) become more frequent and increasingly sophisticated, defensive strategies must evolve to keep up. Fortunately, the tools are getting better. See related video.

    Process industries are no place for uncertainty and risk. Companies in the oil and gas, refining, petrochemical, and power-generation industries, among others, must prevent and mitigate cyber security threats that jeopardize their production operations, including risks to plant infrastructure, assets, personnel, and the environment.

    Industrial firms need to take certain steps to protect critical facilities. Taking those steps is easier with an understanding of current and future cyber security risks, past incidents in process sectors, and knowledge of ever-changing security challenges.

    In recent years, industrial cyber security threats have grown from the esoteric practice of a few specialists to a problem of general concern. All stakeholders now have a new responsibility in promoting the safety, reliability, and stability of critical industrial infrastructure.

    Taking steps to address ICS cyber security should also improve the control system’s resilience to other adverse incidents, reducing unplanned downtime and facilitating a more rapid return to “business as usual” following an incident.

    For industrial sites, vulnerabilities to cyber threats include:

    Lack of security policies and procedures
    Communications between the Internet and the corporation
    Communications between the business LAN (local area network) and process-control network
    Insufficient or out-of-date cyber security controls, such as anti-malware software
    Obsolete or missing security patches
    Inadequate security configurations
    Incomplete or infrequent backups.

    Reply
  12. Noel Martinez says:
    Very well written article with ample knowledge on SCADA security. Although SCADA systems are meant to make work easier, there are security issues there as well.
    Reply
