Segmentation and Entrypoints
This is where most of the security concerns specific to individual critical infrastructure sectors appear. The location, purpose and scale of each sector’s devices determine which entrypoints an attacker has available. A water treatment plant may be able to confine all or most of its entrypoints to the plant premises, but a water distribution network may have to take meter readings at hundreds or thousands of separate locations across a city, each of them a potential entrypoint. Power distribution, telecommunications, emergency services and traffic control systems share the same concern, since they are all widely distributed networks.
A key risk with a remote site is what kind of information it is capable of transmitting to the other devices in the network. If a remote site is a simple meter that reports temperature or another such reading and cannot transmit commands, then using it to escalate into the control network is unlikely. An attacker may still feed the remote site false readings in the hope of causing damage, since operators and automated controls act on those readings. The presence of common connector ports or communication paths on a remote device, such as a USB port or a radio antenna, increases the risk of easy access by an attacker (Eilertsen).
Early SCADA systems and other industrial control systems (ICS) were not designed with the possibility of cyberattacks in mind. They tended to run on ‘flat networks’, in which every device in the system could communicate with every other device, either directly or through intermediaries (Mackenzie). The continued presence of these legacy systems is, by itself, a severe security risk, and it clearly demonstrates the need for network segmentation. If a device in a SCADA system is known to be vulnerable to attack, it should be allowed to communicate only through a firewall and only with the parts of the operation it is relevant to.
Effective segmentation also reduces the chance that one device being taken offline by an attack ends operations altogether. In a flat network a single failure can propagate everywhere; in a properly segmented network, backup devices can be put in place and transmissions rerouted around the affected segment.
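As an added illustration of the segmentation argument above (example code written for this page, not taken from any of the cited sources), the following Python script expresses a zone-and-conduit policy as an allowlist, evaluates a constructed set of connection attempts against it, and renders the same policy as nftables rules with a default-drop chain. The zone addresses, the conduit table and the flow records are assumptions made for the example.

```python
"""Zone-and-conduit allowlist for a segmented SCADA network.

Added example, not code from the cited sources. The zone addresses,
conduit table and flow records below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Each zone is a separate network behind the firewall (constructed addresses).
ZONES = {
    "corporate":    ip_network("10.0.0.0/16"),  # office IT
    "scada_master": ip_network("10.1.0.0/24"),  # polling servers and HMIs
    "plc":          ip_network("10.2.0.0/24"),  # controllers on the plant floor
    "meters":       ip_network("10.3.0.0/24"),  # field meters at remote sites
    "historian":    ip_network("10.4.0.0/24"),  # process data for reporting
}

# Conduits: the only (source zone, destination zone, protocol, port)
# combinations a new connection may use. Everything else is dropped, so a
# field meter an attacker reaches physically cannot open a connection to a
# PLC or to the master servers, and office machines cannot speak Modbus.
CONDUITS = {
    ("scada_master", "plc",       "tcp", 502),    # Modbus/TCP commands to PLCs
    ("scada_master", "meters",    "tcp", 20000),  # DNP3 polling of field meters
    ("scada_master", "historian", "tcp", 5432),   # writing process data
    ("corporate",    "historian", "tcp", 443),    # office users read reports
}


def zone_of(addr):
    """Return the zone name for an IP address, or None if it is in no zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(src, dst, proto, port):
    """Decide whether a new connection src->dst is permitted and say why."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return "deny", "address outside every defined zone"
    if s == d:
        return "allow", f"intra-zone traffic inside {s}"
    if (s, d, proto, port) in CONDUITS:
        return "allow", f"conduit {s}->{d} {proto}/{port}"
    return "deny", f"no conduit {s}->{d} {proto}/{port}"


def nftables_rules():
    """Render the conduit table as nftables rules with a default-drop policy."""
    rules = [
        "add table inet scada",
        "add chain inet scada forward "
        "{ type filter hook forward priority 0; policy drop; }",
        "add rule inet scada forward ct state established,related accept",
    ]
    for s, d, proto, port in sorted(CONDUITS):
        rules.append(
            f"add rule inet scada forward ip saddr {ZONES[s]} "
            f"ip daddr {ZONES[d]} {proto} dport {port} ct state new accept"
        )
    return rules


# Constructed flow records, as a firewall log or NetFlow export would show them.
SAMPLE_FLOWS = [
    ("10.1.0.10", "10.2.0.5",  "tcp", 502),    # master writing to a PLC
    ("10.0.3.7",  "10.2.0.5",  "tcp", 502),    # office laptop speaking Modbus to a PLC
    ("10.3.0.44", "10.2.0.5",  "tcp", 502),    # field meter reaching for a PLC
    ("10.3.0.44", "10.1.0.10", "tcp", 20000),  # meter initiating back to the master
    ("10.0.3.7",  "10.4.0.2",  "tcp", 443),    # office user reading the historian
]


def audit(flows=SAMPLE_FLOWS):
    """Return the flows a flat network would carry but this policy denies."""
    denied = []
    for flow in flows:
        verdict, reason = evaluate(*flow)
        if verdict == "deny":
            denied.append((flow, reason))
    return denied


if __name__ == "__main__":
    for flow, reason in audit():
        print("DENY", flow, reason)
    print("\n".join(nftables_rules()))
```

The flows the policy denies are exactly the ones an attacker at a remote meter or on an office laptop would need, and the default-drop chain is what keeps a known-vulnerable device reachable only from the zone that legitimately talks to it. The conduits are directional: meters answer polls from the master but are never allowed to initiate connections inward.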
Security Policies
Along with the physical security risks to system premises and devices, IT policies for employees and for updates are a concern for SCADA systems just as they are for any other kind of sensitive data and operations. Employees who keep the default password, or choose a simple password, for their devices or accounts are a severe security risk. There is also a pressing hardware concern: SCADA manufacturers have tended to value efficiency over security and have used hardcoded passwords for their components to authenticate to each other. Some of these passwords have been public knowledge on message boards for years (Zetter), and they are integral to how the components connect, so changing the hardcoded password breaks operation. Unless the entire system is reconfigured to use unique and complex passwords, a damaging attack is simple, requiring only an entrypoint. This weakness was used by the Stuxnet worm, which attacked SCADA systems apparently related to the Iranian nuclear program and crossed air-gapped networks by travelling on removable media (Espiner). Because Stuxnet carried the hardcoded password of the targeted SCADA software in its own code, it could move through a SCADA network on its own, without ever needing to receive commands from the originating attacker.
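The credential problems described above can be found and fixed systematically. The following Python script, an added example not taken from the cited sources, audits a constructed inventory of HMI, PLC and RTU accounts for vendor defaults, short passwords, passwords shared across devices and recoverable storage, and shows the salted, iterated hashing that should replace cleartext storage wherever the product allows it. The default-password list, the device names and the account records are constructed for the example.

```python
"""Credential audit for SCADA/HMI accounts and a salted-hash replacement.

Added example, not code from the cited sources. The vendor default list,
device names and account records are constructed for illustration; real
defaults for a given product come from its documentation or advisories.
"""
import hashlib
import hmac
import os
from collections import Counter

# Constructed stand-ins for published vendor defaults.
KNOWN_DEFAULTS = {"admin", "password", "scada", "operator", "1234"}

# Constructed inventory, as a credential review might pull it from device
# configurations. "storage" records how the device keeps the secret.
INVENTORY = [
    {"device": "hmi-01",  "user": "admin",   "password": "admin",         "storage": "cleartext"},
    {"device": "hmi-02",  "user": "admin",   "password": "admin",         "storage": "cleartext"},
    {"device": "plc-07",  "user": "service", "password": "Tr0ub4dor&3",   "storage": "cleartext"},
    {"device": "hist-01", "user": "writer",  "password": "Tr0ub4dor&3",   "storage": "pbkdf2"},
    {"device": "rtu-12",  "user": "eng",     "password": "x9!Qv#2pL8mWz", "storage": "pbkdf2"},
]


def audit(inventory=INVENTORY, defaults=KNOWN_DEFAULTS, min_len=12):
    """Return (device, user, finding) for every weak practice in the inventory."""
    findings = []
    # The same secret on several devices means one compromise opens all of them.
    reuse = Counter(a["password"] for a in inventory)
    for a in inventory:
        where = (a["device"], a["user"])
        pw = a["password"]
        if pw.lower() in defaults:
            findings.append(where + ("vendor default password",))
        if len(pw) < min_len:
            findings.append(where + (f"password shorter than {min_len} characters",))
        if reuse[pw] > 1:
            findings.append(where + (f"password shared by {reuse[pw]} accounts",))
        if a["storage"] == "cleartext":
            findings.append(where + ("password stored recoverable (cleartext)",))
    return findings


def hash_password(password, iterations=600_000):
    """Store a password as salt + PBKDF2-HMAC-SHA256 so it cannot be recovered."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Check a password against a stored record using a constant-time compare."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for device, user, finding in audit():
        print(f"{device}/{user}: {finding}")
    record = hash_password("x9!Qv#2pL8mWz")
    print(record)
    print(verify_password("x9!Qv#2pL8mWz", record))  # True
```

Where a component refuses to operate if its hardcoded password is changed, rotation is not available and the finding has to be closed with a compensating control, chiefly placing that component in its own network zone so that only the peers which legitimately need the password can reach it.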
If a SCADA system does not partition user privileges according to each user’s responsibilities, a disgruntled employee, or an attacker who has compromised a single account, can bring the whole system down. Any security hierarchy that does not implement the principle of least privilege, giving each account access only to what its role requires, carries an increased risk of attack (Hibbert).
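One concrete form of least privilege for an HMI is to authorize each action against a role that carries only the verbs a job needs, and to range-check even authorized writes against the limits the process is rated for. The following Python example, added here and not code from the cited sources, does that for a constructed tag table; the roles, tag names and engineering limits are assumptions made for the example.

```python
"""Least-privilege authorization for HMI tag writes.

Added example, not code from the cited sources. The roles, tag table and
engineering limits are constructed for illustration.
"""
from dataclasses import dataclass

# Permissions are verbs on tag groups; no role carries a blanket "admin" right.
ROLES = {
    "viewer":   {"read:*"},
    "operator": {"read:*", "write:setpoint"},
    "engineer": {"read:*", "write:setpoint", "write:logic"},
}

# Constructed tag table. Setpoints carry the range the process is rated for,
# so even an authorized operator cannot command a value the plant cannot take.
TAGS = {
    "PUMP1_SPEED_SP":   {"group": "setpoint", "min": 0.0, "max": 1800.0},
    "CHLORINE_DOSE_SP": {"group": "setpoint", "min": 0.0, "max": 4.0},
    "PUMP1_RUN_LOGIC":  {"group": "logic"},
    "TANK1_LEVEL":      {"group": "sensor"},
}


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset  # only the roles this person's job actually needs


def permitted(session, action, tag):
    """True if any of the session's roles grants `action` on the tag's group."""
    group = TAGS[tag]["group"]
    return any(
        f"{action}:{group}" in ROLES.get(role, set())
        or f"{action}:*" in ROLES.get(role, set())
        for role in session.roles
    )


def write_tag(session, tag, value, audit_log):
    """Authorize, range-check and record a tag write.

    Returns ("WRITE", value) on success, otherwise ("DENY", reason) or
    ("REJECT", reason). Every attempt, successful or not, goes to audit_log.
    """
    if tag not in TAGS:
        audit_log.append(("REJECT", session.user, tag, value))
        return "REJECT", f"unknown tag {tag}"
    if not permitted(session, "write", tag):
        audit_log.append(("DENY", session.user, tag, value))
        return "DENY", f"{session.user} may not write {tag}"
    spec = TAGS[tag]
    if "min" in spec and not spec["min"] <= value <= spec["max"]:
        audit_log.append(("REJECT", session.user, tag, value))
        return "REJECT", f"{value} outside rated range for {tag}"
    audit_log.append(("WRITE", session.user, tag, value))
    return "WRITE", value


if __name__ == "__main__":
    log = []
    alice = Session("alice", frozenset({"operator"}))
    print(write_tag(alice, "PUMP1_SPEED_SP", 1200.0, log))   # WRITE
    print(write_tag(alice, "PUMP1_RUN_LOGIC", 1, log))        # DENY: not her role
    print(write_tag(alice, "CHLORINE_DOSE_SP", 50.0, log))    # REJECT: out of range
    for entry in log:
        print(entry)
```

An operator account compromised by an attacker, or misused by the employee, can still change setpoints, but only within the rated range and only with every attempt logged; it cannot touch control logic at all, which is the limit a flat "everyone is admin" HMI configuration never enforces.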
Another major concern is how bring-your-own-device policies give attackers an entrypoint to SCADA systems that would not exist if human-machine interface (HMI) apps were allowed only on company-maintained devices. An employee who uses the same smartphone or computer for private browsing and for interacting with SCADA systems may inadvertently introduce malware to that device, and the malware can then feed information into the SCADA system without the employee’s knowledge (PR Newswire).
Zero-Day Vulnerabilities
As with all other hardware and software, it is impossible to establish that a product is free of vulnerabilities at the point of delivery. SCADA systems appear to be more susceptible to zero-day vulnerabilities because of the wide range of devices and software in use and the impossibility of testing them all, whether alone or in combination with each other. If a specialized device for a certain SCADA function is made by only one manufacturer, that manufacturer has little incentive to devote time and resources to finding and fixing vulnerabilities. Some manufacturers have taken upwards of five months to release an update or a new device model after being informed of a significant vulnerability (Trend Micro).
A survey of vulnerabilities found and patched in HMI applications identified the following trends in possible attack points. HMI vulnerabilities typically fall under four categories:
- Memory corruption: “represent 20% of the vulnerabilities identified. The weaknesses in this category represent classic code security issues such as stack- and heap-based buffer overflows and out-of-bounds read/write vulnerabilities.” (Trend Micro)
- Credential management: “represent 19% of the vulnerabilities identified. The vulnerabilities in the category represent cases such as using hard-coded passwords, storing passwords in a recoverable format (e.g., clear text), and insufficiently protecting credentials.” (Trend Micro)
- Lack of authentication/authorization and insecure defaults: “represents 23% of the SCADA vulnerabilities. It includes many insecure defaults, clear-text transmission of sensitive information, missing encryption, and unsafe ActiveX controls marked safe for scripting.” (Trend Micro)
- Code injection: “represent 9% of the vulnerabilities identified. While common injection types—SQL, command, OS, code—still occur, there are domain-specific injections that also pose a risk to SCADA solutions.” (Trend Micro)
A second survey looked at how widespread these vulnerabilities are across many HMI apps and found code-tampering flaws in 94% of the selected applications (Abel). Other classes of vulnerability were found in between one-third and one-half of the selected applications. HMI apps are distributed through Google Play and the Apple App Store, but neither company is responsible for ensuring their security.
Works Cited
Abel, Robert. “Researchers find 147 vulnerabilities in 34 SCADA mobile applications.” SC Media US, 11 Jan. 2018, www.scmagazine.com/the-top-security-weaknesses-were-code-tampering-flaws-which-were-found-in-94-percent-of-apps/article/736656/.
Eilertsen, Bjornar, et al. “The USB port: the universal SCADA breach.” Exploration & Production, 1 Mar. 2013, www.epmag.com/usb-port-universal-scada-breach-690681.
Espiner, Tom. “Siemens warns Stuxnet targets of Scada password risk.” ZDNet, 20 July 2010, www.zdnet.com/article/siemens-warns-stuxnet-targets-of-scada-password-risk/.
Hibbert, Brad. “Securing ICS and SCADA Systems with Privilege and Vulnerability Management.” BeyondTrust, 8 May 2017, www.beyondtrust.com/blog/securing-ics-scada-systems-privilege-vulnerability-management/.
“IOActive and Embedi Uncover Major Security Vulnerabilities in ICS Mobile Applications.” PR Newswire, 11 Jan. 2018, www.prnewswire.com/news-releases/ioactive-and-embedi-uncover-major-security-vulnerabilities-in-ics-mobile-applications-300581193.html.
Mackenzie, Heather. “SCADA Security Basics: Why Industrial Networks are Different than IT Networks.” Tofino Security, 31 Oct. 2012, www.tofinosecurity.com/blog/scada-security-basics-why-industrial-networks-are-different-it-networks.
“The State of SCADA HMI Vulnerabilities.” Trend Micro, 23 May 2017, www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/the-state-of-scada-hmi-vulnerabilities.
Zetter, Kim. “SCADA System's Hard-Coded Password Circulated Online for Years.” Wired, Conde Nast, 19 July 2010, www.wired.com/2010/07/siemens-scada/.