Executive Summary of the Study on security of Supervisory Control and Data Acquisition (SCADA) systems

March 2012

INFORMATION SECURITY OBSERVATORY

Methodology
INTECO PROYECT ABOUT SCADA SYSTEMS SECURITY

Study
Diagnostic

Practical guide
Training and awareness

Documentary Analysis + Personal interview to experts

Security of Supervisory Control and Data Acquisition (SCADA) systems

Study about Security in SCADA systems

Introduction to supervisory and control systems

Study on security of Supervisory Control and Data Acquisition (SCADA) systems

Applications and advantage of using supervisory and control systems Applicable law and international standards Security risks of supervisory and control systems Security measures and good practices Policy recommendations Recommendations to users and industry

INFORMATION SECURITY OBSERVATORY

Introduction to SCADA systems

SCADA (Supervisory Control And Data Acquisition) Systems

Industrial Process Supervisory and Control This term usually includes ICS, SCADA, DCS y PLC SCADA Systems Components

Systems

Control Center
Positions where the systems is operated, supervised and controlled.

Communications
Communication networks, between the control center and endpoints.

Final locations
Devices that are supervised and controlled remotely. Sensors, valves, cameras, air conditioning

Introduction to SCADA systems

Security comparative between SCADA systems and ICT

ICT Systems

SCADA Systems

Introduction to the SCADA systems

SCADA Systems Maturity
Component
Control centers Communications Locations

Physical safety
H M-L M-L

Logical Security
M M L

Functionality
H H H

H: High M: Medium L: Low

Summary Functionally, the maturity in this devices can be considered very high. From the security point of view, the maturity can be treated as medium or medium-low.

SCADA systems applications

Supervisory and/or management of elements geographically distributed

Saving costs Most efficient functionality Centralized management

Security mechanisms configuration

Task automation Response incident time reduction.

Applications of SCADA systems

Supervisory and management of complex industrial process

Ease of management Real time supervision

Historical storage information

Real time information about process

Monitoring and management of routine services and basic infrastructure

Centralized management and services

Use of SCADA systems

Sector analysis

Typical sectors that have been used SCADA systems

Energy Generation

Energy Transmission and distribution

Petrochemical industry

Water Treatment

Regulatory framework
Generic regulations for SCADA systems does not exist Sectorial and critical infrastructure regulations Act 8/2011: Actions for the Protection of Critical Infrastructure Appropriate strategies and structures used to direct and coordinate activities of Public Administration for protection of Critical Infrastructure are defined. Protection system of Critical Infrastructure regulation. Interior Ministry, other state organizations and private sectors are involved. Legislative actions taken are appropriate as a first step.

10

Risk management in SCADA systems

Remote systems have always been at risk. The main risk used to be a physical intrusion, and as they have evolved the number of threats has been increased. Main cause of risk Security through obscurity Minimization of risk and threats Increase of visibility Lack of security awareness of the staff Interconnection with external networks Use of technologies and solutions of general purpose Weak evolution / deficit of update Default configurations and passwords Insecure network architectures.
11

Risk management in SCADA systems

Increased attack possibilities
Limited evolution of the systems Design does not consider security Exposition system increase Use of technologies of general purpose

Physical communication links Security audits Network system inventory. Integrate security requirements
in design stage.

Inappropriate used Lack of awareness

Staff training Multidisciplinary teams Setting policies for using

equipment

12

Risk management in SCADA systems

Block/Interception/Forgery of communications Isolation Loss of privacy/confidentiality More sophisticated attacks

Applications , operating systems

and equipments hardening

Preferably use links physical

communications

Cipher communications

Internal attack: Sabotage and spy Overconfidence on the internal security Overconfidence in employees Absence of internal security measures

Previous

research recruitment operator

to

staff

Activate auditory logs Definition and application

responsibilities

of rules

Restrict

physical access to the SCADA network and its devices

13

Risk management in SCADA systems

External attack Inappropriate connections with other networks Lack of security interconnected devices of

Restrict logical Access of SCADA

systems between networks

Securing
systems

remote access to the software

Insecure remote access to equipments

Keep

up to date antivirus signatures

Insecure network architecture Insecure network design Inappropriate network configurations

Duplicate essential network

components

Definition
levels

of different security

14

Risk management in SCADA system

Unauthorized access Installation and deployment of software and equipment with default configuration Lack of management password policy

Security of all network systems Development and deployment of

policies and procedures

Restrict external connections and

control internal connections

Malware Lack of policies and procedures to update software Lack of staff awareness Well-known vulnerabilities for outdated systems Absence of security tools (antivirus)

Develop and deploy policies and

procedures

Keep software updated Use of security tools

15

Recommendations
Industry Offer products that integrate security measures Include security requirements in the design stage for each component of the system Prioritize the solution of well-know vulnerabilities using official security patches Facilitate integration purpose products of general Users Demand products that guarantee security requirements Stay informed about incidents, vulnerabilities and security notifications Establish requirements and policies about security SCADA products

16

Recommendations
Legislators Deepening in the legislative framework Ponder the use of establishing sanctioning organisms and mechanism Define security mandatory measures Increased collaboration Public Administration - private sector Sectorial regulation Consider other origins and motivations for attacks Consider the possibility of establishing requirements or demanded certifications for security logical specialists for this kind of systems

17

Conclusions - Strengths

Centralized monitoring and management Process automation Improvement in process efficiency Complexity of maintenance reduction

Long-term cost reduction Applicability of ICT solutions Significant reduction of costs Possibility to acceptance standards

High availability

18

Conclusions - Opportunities

General purpose technology migration Reduce costs and improving current shortcomings High efficiency Regulation and legislation The new legislation means an improve opportunity Changing environment Opportunity to correct historical deficiencies detected

19

Conclusions - Weakness

Inherited vulnerabilities From specific technology and general purpose technology High dependence from manufacturers Lack security awareness Magnitude and complexity of the system Inappropriate organization chart Segregation of logical and physical security means less preparation against threads.

Absence of specialized solutions Limitations from the need for availability Prioritize availability has led to a decrease of security

20

Conclusions - Threats

Malicious Users Terrorist group, hackers, etc. Disclosure on the Internet High exposition = greater attack surface Vulnerability publications Means a weakness to systems affected Basic service interruptions The materialization of a threat in these systems may involve the disruption of an essential service

21

Conclusions - Potentialities
POTENTIALITIES= OPPORTUNITIES STRENGTHS

Development of supervisory and management systems in real time via general purpose technology Using ICT solutions to improve Security Long-term cost reduction Taking advantage of greater efficiency and general purpose technologies

Production processes or services automation Guarantee of monitoring process robustness High availability and more efficiently. Use of general purpose technology to improve regulations compliance

22

Conclusions - Limitations
LIMITATIONS = WEAKNESS THREATS

Vulnerabilities are particularly dangerous Publication of vulnerability details Rise of cyber terrorism

Lack of solutions and high exposition Broad attack surface The attack surface is due to high exposure and the magnitude of SCADA systems Low protection against any kind of threats Due to the differences between physical and logical security Strong availability requirements sometimes result in limitations to security

23

Conclusions - Risks
RISKS = STRENGTHS THREATS

Interest focus to attackers Growing up Internet connections For both availability and confidentiality Service interrupted can lead to high economic impacts Possible negative impact of ICT solutions Applying these solutions to a particular environment must be studied thoroughly.

24

Conclusions - Challenges
CHALLENGES= OPPORTUNITIES WEAKNESSES

General purpose technology migration Should be done without their vulnerabilities Regulations compliance Particularly for small business Correct deployment of SCADA systems Possibility of becoming the target of attacks and threats Adapt to changing environment Poor adaptation can result in a situation of great insecurity

25

Finals considerations

Some organizations are not aware that they have a SCADA system SCADA systems are vulnerable and are exposed to external networks SCADA Systems operating environment is changing An important opportunity to create and apply a right regulation is presented currently Gradual migration and use of general purpose technologies Security should be approached from an integral point of view Before applying improvements a risk analysis should be performed

26

Follow us on:
Web
http://observatorio.inteco.es Facebook Profile http://www.facebook.com/ObservaINTECO Twitter Profile http://www.twitter.com/ObservaINTECO Scribd Profile http://www.scribd.com/ObservaINTECO Youtube Profile http://www.youtube.com/ObservaINTECO Information Security Observatory BLOG http://www.inteco.es/blogs/inteco/Seguridad/BlogSeguridad

Send your questions and comments to:

observatorio@inteco.es

http://www.inteco.es http://observatorio.inteco.es