Keeping SCADA Secure

Wastewater utilities can use various simple, low-cost measures to make a good start toward protecting against cyber-attacks
Keeping SCADA Secure
The convenience of portable thumb drives made it easy to transfer information to and from SCADA systems — opening a gateway to malicious attacks.

Interested in Instrumentation?

Get Instrumentation articles, news and videos right in your inbox! Sign up now.

Instrumentation + Get Alerts

The general public knows the danger of identity theft or fraud — banking, medical or other personal records falling into the wrong hands. Recently, SCADA systems have fallen victim to increased threats.

Fortunately, wastewater agencies can take a number of basic and cost-effective measures to make their SCADA systems more secure. They start with simple awareness of the issues and extend to technology policies and procedures and technology risk analysis. Security measures can be scaled to suit collection and treatment systems of almost any size, age and complexity.

 

Three-legged stool

Information security is based on three tenets: confidentiality, integrity, and availability (CIA). In their book Fundamentals of Information Systems Security, David Kim and Michael G. Solomon define confidentiality as guarding information from everyone except those with rights to it. Integrity deals with data validity and accuracy. Availability means authorized users can access data whenever they request it.

The challenge is to balance these tenets like a “three-legged stool.” For example, if data is too freely available, confidentiality and data integrity may be compromised. On the other hand, if confidentiality is too tight, it will hinder availability and make operators less effective and productive.

SCADA systems evolved with a focus on availability and data integrity. Confidentiality was not an issue, mostly because earlier controls were closed systems, dedicated to running a plant or process from one central control room.

Later, the convenience of portable thumb drives made it easy to transfer information to and from these systems — but little thought was given to what might be innocently introduced or maliciously modified. As the Internet developed and corporate networks emerged, the next step was remote access and the sharing of process information across a wide area network (WAN).

Suddenly, SCADA systems were no longer isolated and were subject to the same threats that face operating systems like Microsoft Windows, Unix, or Linux. Meanwhile, programmable logic controller (PLC) manufacturers, while making their products more network- and user-friendly with easier access, often neglected confidentiality. Thus the three-legged stool of security was unbalanced on multiple fronts.

 

Threats are real

Worldwide, there are multiple accounts of successful SCADA attacks. In January 2003, the Slammer worm infected the safety monitoring systems at the David-Besse nuclear plant in Ohio. In 2003, two hackers gained access to control technology for the U.S. government’s Amundsen-Scott Pole Station in Antarctica, which ran life-support technology for scientists. A SCADA system attack at the Maroochy water system in Australia disrupted wastewater treatment for two months.

Much more recently, in November of 2011, a hacker connected to a South Houston water facility to demonstrate the simplicity of an attack. Although the culprit claimed he did not vandalize any equipment or systems, the fact he could demonstrate connectivity, and possibly control, brings this type of security flaw to the foreground.

These are only a few examples. What can a wastewater utility do to use SCADA technology effectively while maintaining or increasing security? Unfortunately, no single standardized solution will cover all agencies. Depending on the organization’s size, the availability of trained support staff or financial resources may be limiting factors.

However, there are a number of low-cost and relatively simple solutions that any agency can implement to start minimizing risk from outside attacks. Most novice computer users are already familiar with a number of security methods that can be applied to more complex systems.

 

General to specific

The first step is to address a series of fundamental questions, starting at a macro level and then narrowing down. The first focus should be on personnel and policies and may include these questions:

• What is the staff’s level of security awareness?

• What is the staff’s technical level?

• Are technology-based security policies and procedures in place?

• Are these procedures and policies routinely reviewed and exercised?

• Is the agency staff properly trained on a regular basis?

Focus can then shift to the actual assets and specific processes to assist in analyzing security at the component level. These questions may include:

• What assets or processes require protection?

• What level of protection is needed?

• How might an asset or process be compromised?

• What is the impact if protection fails?

Once these are answered, more specific questions can be asked. Is the SCADA system accessible from outside by phone or Internet, or is it part of a larger corporate network? If yes, the next question is whether it needs to be connected or integrated.

If there is no real benefit to having phone, Internet, or corporate network access, the SCADA can be made into a closed system — although this may be impractical, as it inhibits sharing of process data. If there is a need for corporate network access, the technical security effort increases and becomes more holistic.

Is there a proper and secure firewall (hardware and software) in place on the network that is routinely managed? Are strong passwords in place for the SCADA system? And the entire corporate network? Are strong information security procedures and policies in place for the entire corporate network that cover a full range of issues, including the use of thumb drives by employees or vendors? Is there a policy or procedure to handle vendor or employee PC connections to the corporate network?

 

Raising awareness

A first step for improving SCADA security is simply to increase awareness of the latest threats and security issues. Subscribing to a technology-based newsletter delivered via email is effective. One exceptional resource is US-CERT, the operational arm of the National Cyber Security Division at the Department of Homeland Security.

This agency coordinates information sharing, proactively manages cyber-risks and offers free, timely, actionable information to help users secure computer systems. It also provides a way for organizations to communicate and coordinate directly with the U.S. government about cyber-security.

Joining user groups or sharing information with utilities of similar function and size is another way to increase awareness and share knowledge and lessons learned. In addition, security-minded professionals should pay heed to regular operating system and application updates provided by Microsoft.

Many SCADA systems use a human-machine interface (HMI) to view and control processes. Most run on some form of the Windows operating system, making them viable targets for hackers. SCADA computers must be religiously updated on ‘Patch Tuesday’ — a once-a-month Microsoft update delivery day.

 

Addressing the components

After the network infrastructure is addressed, the focus can shift to the system components, specifically PLCs. Most manufacturers request registration of their products. This may seem like a menial task, but most manufacturers reward it by providing automated notifications when new firmware or software updates are available.

These manufacturers’ technical support areas and online forums can offer suggestions or air concerns and issues that a non-registered user may miss. PLC software and firmware also need to be updated regularly. Beyond new equipment, utilities should make efforts to keep all SCADA system components updated.

 

What to protect?

This leads to the critical questions of what assets require protection. Are all of the organization’s assets accurately inventoried? Do you know what equipment is actually running and controlling your processes? Have you identified critical processes and the interdependencies of processes?

The most thorough and accurate way to answer these questions and account for devices used throughout a SCADA system is to do a risk analysis. The mere thought of this can be overwhelming, but in well-run organizations, much of the work may already be done.

Effective organizations will have a business continuity plan (BCP) and a disaster recovery plan (DRP), identifying critical plant infrastructure and what it takes to continue operations or recover after a disaster, including a cyber-attack. An additional SCADA-specific risk analysis can add more details to existing plans, making them even more effective during disasters and helping with risk mitigation.

There are many ways to accomplish a qualitative or quantitative risk analysis. Hiring an expert integrator is effective but can be costly. An alternative is to have internal maintenance staff or plant personnel record pertinent information. A thorough analysis of a SCADA system from a holistic risk perspective takes a joint team involving plant operators, support personnel, and IT staff. The differing viewpoints allow one group to recognize issues others may overlook.

 

Exploring methodologies

A number of industry-standard and no-cost or low-cost methodologies are available to guide an analysis team. They vary in detail and capabilities, but they all provide practical guidance or industry best practices. Four popular choices include:

• Risk Management Guide for Information Technology Systems (NIST SP 800-30 and SP 800-66), available at www.csrc.nist.gov

• CCTA Risk Analysis and Management Method or CRAMM, available at www.cramm.com

• Operationally Critical Threat, Asset, and Vulnerability Evaluation or OCTAVE, available at www.cert.org/octave/osig.html

• ISO/IEC 27005; “Information Security Risk Management,” available at www.iso.org

As one example, the OCTAVE methodology offers flexibility based on the size and type of an operation. It is a qualitative methodology that is easy to understand and can be modified to the unique attributes of different treatment plants and systems.

For the first risk analysis at a plant site, or for an organization not familiar with the process, staff should consider the OCTAVE Allegro method, the simplest variation of this methodology. This scaled-back, template-based approach may work best until a team develops familiarity with the analysis process.

Deficiencies found (like out-of-date PLC firmware) or areas that need improvement (like weak passwords) can be addressed immediately. Other benefits of this method include ease of understanding, customization, ease of duplication, and scalability. Once the first plant analysis is complete, the process can be efficiently replicated at other plants.

 

Being better prepared

When addressing cyber-security issues related to SCADA, the three tenets of data must be balanced: confidentiality, integrity, and availability. By addressing these issues, an organization will become better prepared to respond to all types of disasters, including human error, cyber-terrorism, and natural disasters. The holistic approach, specifically with risk analysis, can make any organization more resilient, sustainable, and efficient.

 

About the author

Blake Visin is information systems director at Renewable Water Resources (ReWa), a special-purpose district that provides wastewater treatment to five counties in South Carolina.



Discussion

Comments on this site are submitted by users and are not endorsed by nor do they reflect the views or opinions of COLE Publishing, Inc. Comments are moderated before being posted.