With cyber-attacks fast becoming the weapon of choice to compromise critical infrastructures, the need for a proactive approach to cyber security in SCADA systems has become imperative.
Security is a much larger issue than often realized, as many cyber-attacks on SCADA system still going un-reported. There are several reasons why many cyber-attacks are swept under the carpet, including to protect brand reputation or to avoid highlighting vulnerabilities that could attract further attacks. However, due to lack of reporting many businesses still underestimate the threat of cyber-attacks and the scale of damage that can ensue.
Understanding the threat
Cyber-attacks typically have one of the three key objectives: Money, Data or Destruction and sometimes a combination of the three. Unsurprisingly, countries with more advanced Internet infrastructure that have incorporated more online digital processes into their business operations experience more attempted cyber-attacks. This is because as systems become more digitally complex, the more likely they are to have unknown vulnerabilities, resulting in more possible points of entry for an attacker.
It is estimated that the cost of malicious cyber activity worldwide ranges from $300 billion to $1 trillion and is costing companies more money each year due to the increased digitization of businesses. These costs can be categorized as direct costs - investigation into the hack, lost revenue, implementation of enhanced security protocols - and indirect costs such as loss of productivity, regulatory fines and damage to the company’s reputation.
Attacks on mission critical power control systems can have catastrophic impact, resulting in blackouts across entire countries. To mitigate risk, businesses must first understand their vulnerabilities. The key techniques used by hackers to gain access to critical systems can be categorized into three groups: People, Operations, and Technology.
The most vulnerable asset in an organization is the human being, as management ultimately has no control over the actions of individual employees. Therefore, lack of training or carelessness from an employee can have the potential to leave your SCADA system vulnerable to infiltration.
Many attackers gain initial access to target systems by performing simple social engineering attacks against unsuspecting victims to collect confidential information such as user passwords or to gain remote system access. This type of attack is extremely common as it is much easier to trick an individual into providing a password than to crack a password.
Operational attacks typically involve exploiting password vulnerabilities or impersonating authorized personnel. This technique is closely linked to social engineering due to the human element involved with designing operational policies and procedures. If vulnerabilities in operations such as password management, data storage or system firewalls become known, cyber criminals can exploit these as a way of gaining unauthorized access to your system.
This type of attack focuses on exploiting weaknesses in network architecture such as WiFi, ethernet or USB attacks. This includes attacks on web interfaces and infected USB devices. Properly secured SCADA system employs a defense in depth strategy, a layered approach with multiple system barriers that confront an attacker at various levels of the network. Therefore, if a hacker gains access to internal systems through social engineering or operational vulnerabilities, the SCADA system will remain protected behind a separate firewall system.
Protecting your SCADA system
Visibility is key to securing SCADA Networks as without a clear understanding of the system assets, it is impossible to assess risks and apply effective defences. A typical SCADA solution will consist of a multitude of controllers such as PLCs and RTUs manufactured by a mix of vendors. Consequently, components may have different maintenance requirements and compatibilities, making it difficult to develop a consistent network management strategy. By mapping out all network assets, user accounts and connection points, a comprehensive view of the SCADA system can be achieved, identifying all potential access points which can then be closely monitored and maintained individually.
SCADA networks without monitoring and detection systems are more vulnerable to cyber-attacks. SCADA security monitoring can detect and mitigate any potential attacks as quickly as possible, limiting the scale of damage. Network security protocols are also required to ensure the security and integrity of network data, these protocols require constant attention and tweaks to maintain system security in the ever-changing technology landscape.
Businesses must provide comprehensive training on cyber security threats and how to identify them to ensure that all employees are wise to the social engineering techniques that may be employed by a cyber attacker.
In addition, clear reporting procedures must be communicated to ensure attempted social engineering attacks are quickly reported to the relevant department and communicated to all employees. This increased awareness will reduce the risk of future unauthorized system infiltration.
User Access Management
Over the years, critical control systems have evolved in terms of both the number of functions they can perform and in the level of multiuser access. To manage security within these complex control systems strict user access levels and account settings must be enforced.
Users should be granted the lowest authority level required to carry out their role. A key mistake is to give all users enhanced access, leaving the system more vulnerable to internal attack from a disgruntled employee. Individual user accounts must also be continuously monitored, including changing account access levels when an employee changes roles and deactivating employee accounts immediately to revoke access.
In addition to educating employees on social engineering tactics, password management policies should also be implemented to improve system security. The first action to be taken when a new device has been initialised is to change the default password, as passwords set by the vendor are not typically very secure and could be potentially compromised through an attack on the vendor's system.
Increasing the combination of alphabetic, numeric and special characters used in your password in turn increases the length of time it takes to crack your password.
As a guideline, passwords should consist of a minimum of 10 characters and contain at least one of the following characters: numerical, lowercase, uppercase and special. Password expiry periods should also be set so they do not exceed the time it may take for a hacker to crack the password; this ensures that any attempts to compromise a password using sophisticated software fail.
As the technology industry continues to develop at an exponential rate, software and hardware solutions are becoming outdated more quickly than ever. Therefore, it is critical that businesses have policies in place for periodical system reviews and update their systems as required. Not only does this improve the functionality of SCADA systems, but it also advances SCADA security.
Security patches must be applied as and when required as this is one of the first things a hacker will check when attempting to infiltrate any control system. If security patches are not up to date, there is a greater risk of the system having an unsecured point of entry which an attacker will use to exploit the system.
Deployment of new software should be governed by strict guidelines. The number of users with authorization to deploy software should be limited to trusted employees to reduce the risk of any malicious software being installed. Additionally, only validated software should be deployed on the system, this can be regulated by checking software validation codes are authentic or using cyber certificates to verify software.