
The Weapon of Choice For SCADA Protection

If Jason Bourne were a real-world government operative today, he would spend less time on the covert world of espionage and violent assassination plots, and more on cybersecurity. The critical infrastructure networks that operate our electrical grids, power our water treatment plants, and enable communications are being targeted by hackers and nation states, and such attacks have the ability to wreak significant havoc.

In fact, according to a recent report by the U.S. Department of Homeland Security, Industrial Control Systems (ICS) attacks on critical infrastructure have continued to increase. Industrial Control Systems (ICS) are used in manufacturing processes for industries such as electrical, water, oil, gas, chemical, and automotive. They encompass supervisory control and data acquisition (SCADA) systems, Distributed Control Systems (DCS) and Programmable Logic Controllers (PLCs). The terms SCADA and ICS are often used interchangeably when referring to production control systems used within critical infrastructure. The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) received and responded to 198 cyber incidents from October 1, 2011 to September 30, 2012.

SCADA and ICS Vulnerabilities

The protection of SCADA systems has largely been lacking because of some misconceptions. The first misconception is the assumption that SCADA systems and the communication protocols used by those systems are not well known; therefore few attackers understand how to write malware targeting them. A second is that SCADA systems are immune to network attacks because they are isolated and not connected to the Internet. The third is the assumption that SCADA attacks do not yield as great a benefit to attackers.

All these assumptions are of course no longer true. Malware targeting SCADA systems, from Stuxnet and Flame to Duqu, has already shown how much attackers know about these proprietary control systems, and that knowledge is now available to other attackers to leverage. As an example, Stuxnet, revealed to be part of “Olympic Games”, which was a covert US program targeting the Natanz nuclear enrichment facility in Iran, was designed to destroy centrifuges via surreptitious modulation of motor speed. The malware was sophisticated enough to include preconditions for its actions, such as the identification of specific vendor systems (Siemens SCADA control system S7-300).

The new threat landscape has shown that an attack can originate from internal networks, not necessarily from the Internet directly. SCADA systems that are connected to the Internet are easily identifiable with SHODAN and ERIPP (Every Routable IP Project – Port80/TCP only), tools that allow attackers to target the vulnerable ones. As part of his thesis, Eireann Leverett, a student at Cambridge University, used the SHODAN search engine to identify 10,000 SCADA systems with known vulnerabilities and 17% that required authentication.

Compounding the risk factor is the fact that SCADA systems are not easily patched. For uptime reasons or operational reasons, SCADA systems may be impractical to upgrade or are running on very outdated versions of the operating system. In addition, there is no concept of Patch Tuesday for SCADA by vendors. Security functions come at the cost of performance and many SCADA vendors do not prioritize security in their implementations due to performance reasons and low industry margins. Project Basecamp, individual researchers and security startups have also identified various SCADA vendor vulnerabilities (reference Digital Bond etc).

Weapon of Choice For SCADA Protection

So what would Jason Bourne do in this scenario? His first task would likely be to identify the points of attack on SCADA systems. Threats to SCADA systems, such as malicious code (viruses, Trojan horses, and worms), unauthorized disclosure of critical data, unauthorized modification and manipulation of critical data, and denial of service (DoS), are not very different from threats to traditional enterprise networks. As with traditional enterprise networks, the attack routes to SCADA systems are via Internet connections, business network connections, compromised virtual private networks (VPNs), back-door connections, unsecured wireless connections, or TCP and UDP ports that are unprotected or left open unnecessarily.

Therefore, it would seem that the best practice of network segmentation would serve the purpose of isolating and air-gapping SCADA networks to reduce the scope of attack. But then, why have air gaps been defeated by attackers as described in this CIO Journal article? Network segmentation is an effective method to reduce the scope of attack and reduce risks, but only if it is deployed with the right security appliance. Just as traditional enterprise networks have recognized the benefits of effective segmentation by applications, users and content using next-generation firewalls, the same advantages can extend to SCADA networks.

Here are the ways to leverage a next-generation firewall to protect a SCADA network:

• Networks can be built with a “SCADA” security zone that is isolated and segmented from the rest of the network with a next-generation firewall.

• Access into the SCADA zone can be authenticated by user, not IP address. The ability to tie security policies to user identity provides not only appropriate access to the zone but also a reporting, auditing and logging trail. Non-authorized users are denied. Complementary always-on SSL VPN connectivity can be deployed for users to securely access the SCADA zone.

• Access to specific SCADA applications such as Modbus, DNP3 and ICCP can be safely enabled based on the actual application, not by ports. This eliminates the risks of having to manage multiple open ports that threats may traverse. Management or backdoor applications like RDP and Telnet can be strictly controlled and allowed only for specific users.

• A complete vulnerability protection framework can be deployed to inspect all of the traffic traversing the SCADA zone for exploits, malware, botnets and targeted threats. In particular, protection for SCADA-specific vulnerabilities can be enabled. The ability of next-generation firewalls to understand all traffic across all ports all the time means that evasive, port-hopping and encrypted threats can still be identified.
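
The difference between port-based and user-plus-application rules described in the list above can be shown with a small policy evaluator. This is an added example, not code from the article or from any firewall product; the user names, the allow list and the sample payloads are constructed, and the content checks are simplified.

```python
import struct

# Constructed SCADA-zone policy: (authenticated user, application) pairs that may enter.
# User names are hypothetical; anything not listed is denied.
ALLOWED = {
    ("hmi-operator", "modbus"),
    ("plant-admin", "modbus"),
    ("plant-admin", "telnet"),  # management protocol, one named user only
}

def identify_app(payload: bytes) -> str:
    """Classify a TCP payload by its content, ignoring the destination port."""
    # Modbus/TCP: 7-byte MBAP header (transaction id, protocol id, length, unit id),
    # then a function code. Protocol id is 0 and length counts unit id + PDU.
    if len(payload) >= 8:
        _tid, proto, length, _unit = struct.unpack(">HHHB", payload[:7])
        if proto == 0 and length == len(payload) - 6 and 1 <= payload[7] <= 127:
            return "modbus"
    # Telnet: option negotiation starts with IAC (0xFF) + WILL/WONT/DO/DONT.
    if len(payload) >= 3 and payload[0] == 0xFF and 0xFB <= payload[1] <= 0xFE:
        return "telnet"
    return "unknown"

def port_rule(dst_port: int) -> str:
    """Legacy rule for comparison: trusts whatever arrives on TCP/502."""
    return "allow" if dst_port == 502 else "deny"

def zone_rule(user, payload: bytes) -> str:
    """User- and application-based rule; unauthenticated sessions (user=None) are denied."""
    app = identify_app(payload)
    return "allow" if user is not None and (user, app) in ALLOWED else "deny"

# Constructed sample payloads.
MODBUS_READ = bytes.fromhex("00010000000601030000000a")  # read 10 holding registers
TELNET_NEG = bytes.fromhex("fffd18fffd20")               # IAC DO negotiation

if __name__ == "__main__":
    # Telnet sent to port 502 passes the port rule but not the zone rule.
    print("port rule, telnet on 502:", port_rule(502))
    print("zone rule, operator telnet:", zone_rule("hmi-operator", TELNET_NEG))
    print("zone rule, operator modbus:", zone_rule("hmi-operator", MODBUS_READ))
    print("zone rule, no user modbus:", zone_rule(None, MODBUS_READ))
```
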

Additional security best practices that should be implemented to complement the next-generation firewall deployments in SCADA networks include organizational processes, such as the establishment of on-going risk-management procedures, routine self-assessments, periodic security audits and reviews.

The ability to have greater visibility, more effective protection and integrated logging and reporting on the next-generation firewalls will make the protection of SCADA networks a much more operationally efficient endeavor. It’s a weapon of choice even Jason Bourne would appreciate.


Danelle Au is head of product marketing at Adallom, a SaaS security company. Danelle has more than 15 years of experience bringing new and innovative security technologies to market, and is a frequent speaker at conferences. Prior to Adallom, Danelle was responsible for solutions marketing at Palo Alto Networks, driving growth in critical IT initiatives like virtualization, network segmentation and mobility. She was also co-founder of a high-speed networking chipset startup. She is co-author of an IP Communications Book, “Cisco IP Communications Express: Operation, Implementation and Design Guide for the Small and Branch Office” and holds 2 U.S. Patents.