To assist in determining optimal mitigation strategies, the SCADA system vulnerabilities are grouped in the categories of
- Data,
- Security Administration,
- Architecture,
- Network, and
- Platforms
SCADA System Vulnerabilities
Any given control system will usually exhibit a subset of these vulnerabilities, but may also have some unique additional problems.
Data
Sensitivity levels for control system data are usually not established. An essential characteristic of secure information systems is the identification and classification of data into categories of similar sensitivity.
Absence of these fundamental distinctions makes it impractical and fruitless to identify where security precautions are appropriate (for example, which communication links to secure, databases requiring protection, etc).
Security Administration
Security administration is notoriously lax in the case of control systems, usually the result of poor legacy environment. The need to manage and administer security is usually overlooked, resulting in informal practices and inefficient management.
As experience has proved, any system, which does not have well founded management and administrative policies, will eventually show vulnerabilities. This is the case with control systems as well.
Architecture
Architecturally, many control systems include centralized data storage and control. This results in the creation of a single-point-of failure. Occasionally, physical damage to infrastructure assets may be possible through permissible operation of control equipment. An effective control hierarchy would preclude this possibility.
In addition to the above, many implementations of control systems have integrated in-house emergency services such as fire alarms etc, into the control system itself. In view of the pathetic condition of the security of these systems, thoughtless addition of these services into the system adds to the complexity and further increases the vulnerability.
Networks
Vulnerabilities in control system networks depend on the type of system. Legacy implementations rely on proprietary protocols and low-bandwidth data channels. While there are fewer opportunities for disruptive behavior compared to newer networks, which closely resemble modern TCP/IP systems, problems are inherent because of the technology’s age.
Security is lamentable. This is due to the fact that these systems were designed in a time when error checking and integrity validation had not gained their present importance.
In addition to this, accounting and logging are usually non-existent, making it impossible to find the basis and reason for vulnerabilities.
Configuration passwords are often simple and may be limited in effectiveness by the device itself. Wireless links are not secured. Networking equipment in these systems, particularly when physical access is presumed, is acutely vulnerable to attack.
Systems with contemporary technologies like Ethernet, routers, and firewalls have vulnerabilities that are more publicized than the vulnerabilities in the older networks.
Little or no network restriction is implemented within the perimeter of the network, allowing ‘telnet hopping’ from innocuous network devices to sensitive utility equipment.
vulnerability of control systems
Two other factors contribute significantly to the vulnerability of control systems:
First
The blind trust in the capability of PCS links to faithfully transmit data. The geographically sparse PCS network generally forces links of considerable span. These needs are filled by either cabled or wireless connections, which may be exclusively used by the PCS or shared.
Shared links are more economically sensible, but many times the PCS systems at either end of the link are not adequately shielded from other entities using it.
Furthermore, unsecured information on wireless and shared links is susceptible to eavesdropping or manipulation, and even long or unprotected unshared cable links may be vulnerable to a significant degree.
E.g. if the master station and RTU have no security mechanism between them, an attacker could direct a malicious signal via the master station to the RTU and vice versa.
Recently a California based security firm, involved in vulnerability assessment of critical infrastructure systems, proved just this sort of vulnerability by accessing a remote substation of a large southwester United States utility company. They did this using a directional antenna and a wireless laptop from a vehicle parked in the vicinity of the substation.
Second
The connections between the PCS and external networks. An external network is any network that is not part of the PCS. Examples include interfaces to an administrative (non-automation) network or connections to other PCS systems for information transfer or mutual control.
Often, interfaces to external systems assume that the outside network can be trusted, which leaves PCS security dependent on one or more organizations. This includes backdoor network access for strategic partners or IT consultants, which are not secured by adequate firewall measures, command logging or privilege control.
With the world moving towards outsourcing, and strategic partnerships, security implementation suffers due to the absence of a common standard. Designers frequently omit to secure the backdoors left by them for easy tuning of a system, resulting in disaster at a later stage.
Dial-up modem access is unencrypted, with a general lack of authentication practices. The data transfer that takes place over telephone lines, or wireless networks is usually either unencrypted, or encrypted with a weak algorithm, which does not take much effort to crack.
The primary reason for this is a requirement to save time/resources on encryption. However, the result is that the signals can be easily analyzed and if so wished, modified by an attacker.
Author: Arjun Venkatraman