For those who are coming from a traditional IT or IT security background, SCADA/ICS systems security can prove prove daunting. Many of the technologies, modes and mindset of the traditional IT are not applicable to SCADA/ICS systems. In this brief article, I'd like to enumerate and elaborate on just a few of the most important differences between traditional IT systems and SCADA/ICS systems.
Protecting the Data v. Protecting the Process
When working to protect the traditional IT systems, we generally are trying to protect the data. These includes such things as intellectual property (IP), credit card numbers, emails and personally identifiable information (PII). We are trying keep the hacker from obtaining this confidential information.
This contrasts sharply with SCADA/ICS systems where our focus is on protecting the process. SCADA/ICS systems are dependent upon continuous processing. In some cases, if one of these plants goes down, it can take weeks or months to restart, costing the owner millions of dollars of down time.
In addition, in such SCADA/ICS systems as electrical generation, electrical transmission, water and waste water plants etc., an outage can cause severe distress. Imagine a water plant that is suddenly off-line or a electrical transmission system down. The distress could be very severe and life threatening, emphasizing the need to protect the process.
Finally, sometimes a single valve or sensor malfunctioning in these plants can cause the entire plant to malfunction. The Texas City oil refinery blew up in 2005 because a single pressure-relief valve malfunctioned, costing 50 lives and billions of dollars to British Petroleum, the plant owner.
It's important to re-emphasize this key difference. In SCADA systems we are protecting the process, while in traditional IT systems we are protecting the data.
In traditional IT systems, we are accustomed to working with the TCP/IP suite of protocols. These include such protocols as TCP, IP, UDP, DNS, DHCP, etc. Most SCADA/ICS systems utilize one of over 100 protocols usually communicating serially and some proprietary. The most popular of these protocols are Modbus, DNP3, PROFINET/PROFIBUS, OPC and a few others.
Furthermore, most SCADA/ICS systems employ Programmable Logic Controllers or PLC's. These PLC's are used for nearly every type of industrial control system, whether manufacturing, petroleum refining, electricity transmission, water treatment etc. Generally, we do not see these PLC's in traditional IT systems. These PLC's are small computer systems utilizing Ladder Logic programming to control sensors, actuators, valves, alarms and other devices. Hacking SCADA/ICS systems often requires a knowledge of the programming of these PLC's.
Although availability (CIA) is a key component of traditional IT security, SCADA/ICS systems take it to another level. As mentioned above, in SCADA/ICS systems we are protecting the process, rather than the data. This means that often the option of patching and rebooting the system may NOT be an option except at discrete intervals such annual or quarterly maintenance shutdowns. This can mean that operating system and applications may remain unpatched with known vulnerabilities for months, if not for years. The SCADA/ICS engineer must often turn toward compensating controls to prevent intrusions, where the traditional IT security engineer would be able to implement a preventative control such as patch.
Access to Components
With some exceptions, in the traditional IT security field, the security engineer has direct physical access to the system components. In SCADA/ICS systems, components of the system may be distributed over hundreds or thousands of miles (i.e. pipelines, electrical grid, etc). This can make implementing security controls challenging and make physical security even more important. Remote field stations can become an entry point for the hacker to the entire SCADA/ICS system.
Security through Obscurity
In the last 20 years, nearly all these SCADA/ICS systems have come on-line with a TCP/IP connection to the outside world. Although the internal communication may still be serial, usually these systems have a connection where engineers and administrators can monitor these systems remotely (there are exceptions, of course. Some dams and other public infrastructure systems have been taken off-line to protect them from attackers).
For years, these systems benefited from security through obscurity. In other words, they were safe because few people knew of their existence and even fewer understood their technologies. As a result, these systems often did not even implement the most basic security measures (this was clearly demonstrated by OTW in 2016 when he entered into a Schneider Electric Building Automation system without any special tools).
With the advent of such tools as Shodan and other reconnaissance tools, these systems can no longer rely on security through obscurity. The industry is only now beginning to implement modest security measures. One of the challenges for the industry, of course, is that many off the shelf security products will not work with their proprietary protocols. In some cases, we have to custom tailor firewalls and IDS's to protect these systems.
In the face the threat of cyber terrorism and cyber war, the protection of these systems is crucial. It goes without saying that in any cyber war, these systems will likely be targeted first( witness Russia's targeting of the Ukrainian electrical system in their conflict). To learn more about SCADA/ICS hacking and security, attend the upcoming SCADA/ICS Hacking and Security course here at Hackers-Arise.