Not Our Grandmother’s SCADA Security

By Andrew Ginter, VP Industrial Security, Waterfall Security Solutions

Supervisory control and data acquisition (SCADA) is a control system architecture that interfaces with plant process or machinery to enable monitoring and issue process commands. This article attempts to explain why there are substantial and consequential differences in the various approaches to the cybersecurity of SCADA systems.

Typically, IT security experts approach cybersecurity as the means to protect data. For IT networks the priorities for data protection are confidentiality, integrity and availability, or CIA for short. When approaching cybersecurity for operations, SCADA or control-system networks, IT experts mistakenly tell us to use the same solutions. The priorities might be CIA or AIC or IAC, but it’s all about protecting the data. Monitoring is data. Control is little tiny bits of data flying out to devices. Protect the data, and we’re secure. But will the SCADA system be safe from cyberattacks?

Rule number one in SCADA security says that ‘Nothing is ever secure’.
The IT security experts are right in one sense – control system practitioners at industrial sites generally care only a little bit about who is looking at their gauges through binoculars. Monitoring data is IT data. The consequences of stealing or tampering with industrial monitoring data are similar to the consequences of stealing or changing any other kind of IT data. Stealing monitoring data might result in stolen trade secrets. Tampering with monitoring data can lead to bad business decisions. It is entirely appropriate to protect monitoring data with only IT-class protections, just as other IT data is protected.

Where these experts are entirely mistaken is the protection of control data. We should be very concerned about who is turning the dials and working our switches in our power plant, manufacturing platform, water system, rail signaling system, or any other industrial facility. We should be especially concerned that the dials are turned to safe, correct settings. Control data is enormously more important to us than monitoring data. Bad controls can kill us, or cause an environmental disaster.

However, using the same cybersecurity technologies to protect control data as you might to secure monitoring data and other IT data is entirely inadequate. Any signal that controls physical, industrial processes must be protected much more thoroughly than we protect mere IT data. The consequences of tampering with control data are entirely unacceptable. We cannot, after all, restore lost production, damaged equipment, or human lives “from backups” as we do with IT assets.

Perimeter-Centric Protections
IT gurus tell us “the [network] perimeter is dead.” After all, where is the perimeter around our cell phones? Or our tablets? And how much very valuable corporate data is on those cell phones, or tablets?

These gurus may be right that “the perimeter is dead” on IT networks, but the same will never be true on control system networks. Will we ever permit strangers to wander into our plants, walk up to our dials and start turning the dials to random settings? There are and will always be strong physical security perimeters around any important industrial site.

In the same way, will we ever permit strangers to send packets to test the security of our control system equipment? The second law of SCADA security states that all software can be hacked. Permitting attack packets from all over the planet runs the risk of some clever hacker discovering and taking advantage of a platform-level vulnerability in our control system equipment.

There is no benefit to permitting such packets to reach our equipment and put that equipment at risk. To prevent such packets reaching our control system computers, there is always a network perimeter around important control equipment. As a rule then, any important industrial site has both a physical security perimeter and a network perimeter.

The third law of SCADA security states that all attacks are information, and every bit of information can be an attack. This means that the only way a control system can change from an uncompromised to a compromised state is for attack information to cross either a network perimeter or a physical perimeter. As a result, modern control-system-security advice is demanding strict unidirectional gateways as network perimeters, and strict removable media and transient device controls at physical perimeters.

Unidirectional Security Gateways: Hardware-enforced cyber protection
Modern control system security advice, such as the U.S. DHS Seven Steps to Improve Control System Security, or the French ANSSI Cybersecurity for Industrial Control Systems documents, either recommends or requires unidirectional gateways at the perimeter of important control system networks.

Unidirectional gateways permit monitoring data to flow to IT networks where enterprise users and applications can benefit from access to the data, without permitting any information or any network attack back into the protected control system network. Unlike firewalls, the gateways do not forward network traffic between networks. The gateways make copies of servers, such as relational database or historian database servers, and keep the copies synchronized sub-second. Enterprise applications and users who need access to the latest real-time data can ask the replica servers for the data. These users and applications receive the same answers as they would have received from the live control system servers, without ever sending a message back into the control system to put that system at risk. In this way, users continue to monitor their network and operate the business as usual.

After all, each and every message sent into a control system network from an external network, including the corporate IT network, is a kind of control signal. This is true even of seemingly-benign requests for real-time data. Any computer in a control system that receives a message changes behavior, and executes different code than that computer would have executed, had it not received the message. This is after all the point of sending the computer a message – we need to send computers messages only when we want them to do something for us – something different than they would have done without us sending them the message.

Every message sent from an external network is a kind of control signal, and every bit in such messages can be an attack. Changing even a single bit in a control message can have deadly consequences. If a message is intended to turn on a pump, or open a valve, and a bit in the message is changed so that the message now turns off the pump, or closes the valve, there can be disastrous consequences.

Unidirectional gateways make copies of real-time data sources on IT networks where IT users can ask the copies for data. No message, or query or even a one-bit acknowledgement signal ever needs to return to the protected industrial network to pose a threat to that network.
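The replication model described in the two passages above, as an added example that is not part of the article or of any vendor's product: a one-way link carries historian updates from the control network to an IT-side replica, enterprise clients query only the replica, and because no acknowledgement can ever flow back, the sender periodically pushes full snapshots so the receiver can repair a detected gap. All class, method and tag names are invented for illustration.

```python
# Added example, not from the article or any vendor: a toy model of the server
# replication a unidirectional gateway performs. All names here are invented.
from dataclasses import dataclass, field


@dataclass
class OneWayLink:
    """One-way channel: TX on the control network, RX on IT, no return path."""
    frames: list = field(default_factory=list)
    blocked: int = 0  # attempts to send anything back toward the plant

    def transmit(self, frame):
        self.frames.append(frame)

    def send_back(self, frame):
        self.blocked += 1
        raise PermissionError("no return path: nothing crosses IT -> control")


class TxAgent:
    """Control side: pushes changes plus full snapshots, since no ack can tell
    it that a frame was lost."""
    def __init__(self, historian, link):
        self.historian, self.link, self.seq = historian, link, 0

    def _emit(self, kind, payload):
        self.seq += 1
        self.link.transmit({"seq": self.seq, "kind": kind, "data": payload})

    def push_change(self, tag):
        self._emit("update", {tag: self.historian[tag]})

    def push_snapshot(self):
        self._emit("snapshot", dict(self.historian))


class RxReplica:
    """IT side: answers queries from its copy only; a sequence gap marks the
    copy stale until the next full snapshot repairs it."""
    def __init__(self):
        self.tags, self.last_seq, self.stale = {}, 0, False

    def apply(self, frame):
        if frame["seq"] != self.last_seq + 1:  # lost frame, nobody to ask for it
            self.stale = True
        self.last_seq = frame["seq"]
        if frame["kind"] == "snapshot":
            self.tags, self.stale = dict(frame["data"]), False
        else:
            self.tags.update(frame["data"])

    def query(self, tag):  # returns (value, stale) to the enterprise client
        return self.tags.get(tag), self.stale
```

A lost update leaves the replica flagged stale rather than silently wrong, and the control-side historian is never touched by anything the IT side does.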

Protection, not Detection
IT-class protections are not nearly sufficient to protect control system networks. Firewalls forward network traffic between networks, and every message might be an attack. Software security measures, such as security update programs and anti-virus programs, address only known vulnerabilities and exploits for known vulnerabilities. These protections are easily bypassed by determined attackers. Intrusion detection systems take time; if a stranger walked into a control room, pushed the operator out of her chair, picked up the mouse and started moving it, how long would we give that stranger before taking action? 24 days? 24 hours? 24 seconds?

Such an intrusion is universally seen as a completely unacceptable failure of primary, preventive physical security systems. The same is true of cybersecurity breaches. Any breach giving a remote adversary control of computers in our control system network, however briefly, is unacceptable.

Modern control system security advice focuses first and foremost on securing the physical and network perimeter. IT-class defenses may be suitable for protecting monitoring data. Much stronger facilities are needed to secure any computer capable of issuing control signals to the physical process.

About the author: Andrew Ginter is the VP Industrial Security at Waterfall Security Solutions, an Adjunct Assistant Professor at Michigan Technological University, and the author of SCADA Security – What’s broken and how to fix it.