The number of incidents involving attempted unauthorised access to computer systems via the internet, as reported by CERT (the Computer Emergency Response Team coordination centre), was 137,539 in 2003. The statistics show an exponential increase in the number of reported incidents over the last five years. Although this can be partly explained by the growth in the number of computer systems connected to the internet, it is nevertheless an alarming trend.
Potential threats to SCADA systems come from a variety of sources, including commercial rivals, ex-employees, hackers and script kiddies, terrorists, and malware such as viruses, Trojans and worms. A number of high-profile incidents involving control systems, such as the Slammer worm's intrusion into the network of the Davis-Besse nuclear power plant in Ohio, have unfortunately given SCADA systems bad publicity. Not only has this publicity painted the current security of these systems in a negative light, it has also publicised their very existence. Whereas in the past a SCADA system could be said to enjoy a degree of "security by obscurity", such systems can no longer be considered invisible to the outside world.
Prevention, detection and recovery are the key elements of dealing with a security incident. Each should be considered individually at the system design phase, to assess how it can be incorporated into the system and what impact the measures will have on its operation.
Prevention is the process of reducing the risk of a security incident. Most effective preventative measures must be built into the system design and architecture rather than added on later. Prevention should also be part of regular system maintenance activities.
Examples of preventative measures are:
Detection is the ability to recognise a security incident when it occurs. This usually involves enabling logging and recording features at various levels and examining them regularly. It is important to strike a balance in the amount of data collected: too much information makes detection difficult and tedious, so that important events are overlooked or the task becomes so onerous that it is ignored; too little, and an incident leaves no usable trace.
Another important element of detection is knowing the normal pattern of behaviour. For example, a shift change occurs at a specific time of day, and day-to-day system operation leaves a natural trail of activity. It is deviations from this regular pattern that are of interest when looking for potential security breaches.
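The following is an added example, not part of the original document or of any Yokogawa product, of what "recognising deviations from the normal pattern" looks like when written down as detection logic. It runs over a handful of constructed HMI login records (the log format, the three-shift timetable at 07:00/15:00/23:00, the operator account names and the 10.1.1.0/24 control-zone subnet are all assumptions made for the example). Three kinds of deviation are flagged: a login whose source address lies outside the control zone, a login with an account that is not a known operator account, and a successful login that follows a burst of failed attempts; a successful login outside a shift-change window is reported at a lower severity as a point of interest rather than an alarm.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample records for the example; not taken from any real system.
SAMPLE_LOG = """\
2004-03-15 06:58:12 hmi01 login user=opA src=10.1.1.20 result=OK
2004-03-15 07:01:40 hmi02 login user=opB src=10.1.1.21 result=OK
2004-03-15 11:14:03 hmi01 login user=opA src=10.1.1.20 result=OK
2004-03-15 14:59:51 hmi01 login user=opC src=10.1.1.20 result=OK
2004-03-15 15:02:10 hmi02 login user=opD src=10.1.1.21 result=OK
2004-03-15 23:05:33 hmi02 login user=opD src=10.1.1.21 result=OK
2004-03-15 23:07:02 hmi01 login user=admin src=192.168.50.9 result=FAIL
2004-03-15 23:07:15 hmi01 login user=admin src=192.168.50.9 result=FAIL
2004-03-15 23:07:29 hmi01 login user=admin src=192.168.50.9 result=OK
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# The "normal behaviour" baseline. All values are hypothetical assumptions.
SHIFT_CHANGES = ("07:00", "15:00", "23:00")        # three-shift plant
SHIFT_WINDOW = timedelta(minutes=15)                # logins expected within +/- this
KNOWN_OPERATORS = {"opA", "opB", "opC", "opD"}      # accounts allowed on the HMIs
CONTROL_ZONE = ipaddress.ip_network("10.1.1.0/24")  # HMI / control-zone subnet
FAIL_THEN_OK_WINDOW = timedelta(minutes=2)          # burst-of-failures window


def parse(line):
    """Parse one log record into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def near_shift_change(ts):
    """True if ts lies within SHIFT_WINDOW of a scheduled shift change."""
    for hhmm in SHIFT_CHANGES:
        hour, minute = map(int, hhmm.split(":"))
        change = ts.replace(hour=hour, minute=minute, second=0)
        # check the same change on the previous/next day for events near midnight
        for day in (-1, 0, 1):
            if abs(ts - (change + timedelta(days=day))) <= SHIFT_WINDOW:
                return True
    return False


def detect(log_text):
    """Return a list of (line_number, severity, reason) for every deviation."""
    alerts = []
    recent_fails = {}  # (host, user, src) -> timestamps of recent failed logins
    for n, line in enumerate(log_text.splitlines(), 1):
        ev = parse(line)
        if ev is None:
            alerts.append((n, "WARN", "unparseable record"))
            continue
        src = ipaddress.ip_address(ev["src"])
        key = (ev["host"], ev["user"], ev["src"])
        if src not in CONTROL_ZONE:
            alerts.append((n, "HIGH", f"login from outside control zone: {src}"))
        if ev["user"] not in KNOWN_OPERATORS:
            alerts.append((n, "HIGH", f"unknown account: {ev['user']}"))
        if ev["result"] == "FAIL":
            recent_fails.setdefault(key, []).append(ev["ts"])
            continue
        # From here on the login succeeded.
        fails = [t for t in recent_fails.get(key, [])
                 if ev["ts"] - t <= FAIL_THEN_OK_WINDOW]
        if fails:
            alerts.append((n, "HIGH",
                           f"{len(fails)} failed attempts then success for {ev['user']}"))
        recent_fails.pop(key, None)
        if not near_shift_change(ev["ts"]):
            alerts.append((n, "INFO",
                           f"login outside shift-change window at {ev['ts'].time()}"))
    return alerts


if __name__ == "__main__":
    for line_no, severity, reason in detect(SAMPLE_LOG):
        print(f"line {line_no}: [{severity}] {reason}")
```

On the sample above the routine is silent for the six logins that match the shift pattern, reports the mid-morning login on line 3 as INFO only, and raises HIGH alerts for lines 7 to 9: an account that is not an operator, arriving from an address outside the control zone, succeeding after two failures. The baseline is deliberately small and explicit; in practice it is the part that has to be maintained as the plant's routine changes, and a baseline that is not maintained produces exactly the flood of noise the text warns against.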
Examples of detection methods are:
Recovery is the ability to restore a compromised system to operational status. Note that this may involve more than the affected system alone: the other systems to which it interfaces may also need to be restored or verified.
NB: For many organisations the Y2K preparations were, in effect, an exercise in disaster recovery and contingency planning. Similar practices should be employed when considering disaster recovery techniques for SCADA systems.
Points to consider with respect to recovery include:
A useful way of defining methods for prevention, detection and recovery is to divide the control system into logical zones. Each zone should be considered a separate, defendable entity. The control network not only links the various supervisory and control system modules but is often connected to the outside world via a number of paths. Breaking the system down into sections makes it easier to identify the user rights at application and operating system level, the vulnerable points in each zone, and the means required to harden the zone against attack. The zones of vulnerability can be derived by examining the architectural designs of the SCADA network infrastructure.
A typical SCADA project contains zones for:
Note that the zones represent logical sections. For example, if there are PCs in the control room that are connected to the corporate network (for email and office related activities), these should be considered part of the corporate network zone and not the control zone.
It is clear that the SCADA network is embedded in a larger scheme. Providing protection only at the outermost zones (e.g. between the internet and the corporate network) means that an attacker need only break through that outermost level to gain access to the entire network. In theory, every interface between the control zone and another zone is a potential break-in point and path of attack. The corporate network, for example, should be treated as if it were as hostile as a foreign network or an internet connection. This means building a separate level of protection for the control zone, in addition to any protection that exists for the corporate network.
Furthermore, a single zone can be considered as being made up of a number of layers, each of which can be considered separately. These layers include:
The key points for securing network infrastructure against cyber threats are prevention, detection and recovery. The following list summarises the main points of this document with regard to securing a SCADA network.
Yokogawa System Center Europe B.V. | Lange Amerikaweg 55, 7332 BP Apeldoorn / P.O. Box 20020, 7302 HA Apeldoorn, The Netherlands | Tel: +31 (0)55 538 9500 | Fax: +31 (0)55 538 9511