Cybersecurity: Threats in SCADA

01 Mar 2012

In this post I will tell you about SCADA security and the dangers we see today. I will explain what SCADA is, its issues in past and present and known bad practices.

What is SCADA?

SCADA stands for 'supervisory control and data acquisition'. It is a monitoring and control tool for industrial processes. It is used to retrieve information about machine and process status using various sensors. It can also reprogram different parameters (flow control,etc.). Some common applications are:

  • Flow control of water (pumps,valves,etc.)
  • Flow control of oil and gas
  • Railway control (sidetracks)
  • Production and distribution of electricity
  • Traffic control
  • Theme park attractions

Now SCADA monitors these systems and gives information to the operator. The operator can use SCADA to tell the control unit of a machine to change parameters or shut certain systems down. These parameters can be how much water is being pushed through a pipe or how fast centrifuges must run in nuclear power plants. You can already see that you don't want just anybody to handle these controls.

SCADA and security threats

Because SCADA is a proprietary system, it is not that easy to learn how to use it. Not everyone has a PLC at home to self-educate. Therefore SCADA relied (and still relies) on 'security through obscurity'. This means 'I'm not going to secure it, because nobody ever will find out'. Wrong! Security through obscurity is seen as very bad practice, because there will probably come a time that someone figures it out. This person does not have any interest in publishing his findings when he wants to use it for malicious attacks, nor do any of the developers and manufacturers have any interest in publishing security issues as it is bad publicity. This is similar to how the Germans who thought Enigma could not be broken. These systems have been around for a while. At first they were controlled individually by a mainframe, after that companies started using distributed architectures where they put the system in a LAN. The last one is networked, meaning they are accesible over the internet. There are two distinct security issues in modern SCADA systems:
  • Unauthorized access
  • Packet access
The first one can be either humans or malware accessing the system without any authorization to the host control system. This can be physically or through the internet. The second one is a problem that people solved for http years ago. When someone can access the network on which the control systems reside, he can send packets to the control system. SCADA does not provide authentication or confidentiality. So replay attacks can be done, as well as just reprogramming every single parameter. This problem arose many years ago on the internet as well, it was solved with asymmetric encryption like SSL.

There are also many misconceptions about security:

  • It is safe because it is on a different physical network. No it's not; it is a start, but not enough.
  • It is safe because physical access is restricted. That would be fine if users didn't bring in virusses.
  • It is safe because only a few people really know all the bits and bytes. One word: Stuxnet.
  • It is safe because it is disconnected from the internet. Attacks can be done from the LAN.

Stuxnet

Many have heard about Stuxnet. It is a virus discovered in 2010 and was designed specifically to attack SCADA networks. Stuxnet was the virus that showed just how vulnerable SCADA really is. It was not just any virus, it was so advanced, it amazed and baffled the most experienced security specialists in the world. It was called the world's first real cyberweapon. It used several stolen SSL certificates and at least four windows zero day exploits. It targeted a specific Siemens SCADA control system (Siemens control 1/3 of the SCADA market).It reproduced itself and spread through USB-drives.

Researchers took quite a while to reverse engineer Stuxnet. They found out a lot of facilities were infected, but the virus didn't seem to be doing a lot except collecting data. When they looked into this they found it would only attack when certain parameters had been fulfilled. They saw it was a directed attack for a certain geographical area: Iran... Iran had multiple targets, oil production centres as well as the nuclear facility in Natanz. Natanz was not liked by the Western world as it is believed to be a used to produce components for nuclear weapons.

So what was Stuxnet's goal:

  • Serve false, pre-recorded data to an operator (circumvent digital security measures)
  • Compromise the system and change the values of rotation speed of the centrifuges to destroy them or make them explode
Now that's scary, but even scarier is that security researchers found out that the code was generic: it could be easily reused to target other systems, like automobile factories, chemical factories,... It is believed the U.S.A. and Israel are the manufcatures of this virus.

Duqu

This virus is seen as the precursor of Stuxnet. It was built to monitor and watch SCADA systems. Information would be sent to a controller. It can be used for industrial espionage or just to prepare an attack.

Future

Finally some manufactures have woken up and seen the problem, so there are developments in implementing security. Hopefully this means SCADA will become a safer system.

Known incidents with SCADA and other

From a presentation by Filip Maertens:
  • Chevron -- Emergency system was sabotaged by disgruntled employee in over 22 states (USA 1992)
  • Worchester Airport -- External hacker shut down the air and ground traffic communication system for six hours (USA 1997)
  • Gazprom -- Foreign hackers seize control of the main EU gas pipelines using trojan horse attacks (Europe 1998)
  • Vitek Boden releases millions of liters of sewer water into the streets after being laid off, he used a stolen computer and a wireless connection. (Australia 2000)
  • Venezuela Port -- Hackers disable PLC components during national unrest and general workers strike, disabling the country's main port (Venezuela 2002)
  • Davis-Besse Nucleair powerplant, a worm disables a security monitoring system for 5 hours(USA 2003)
  • U.S East Coast blackout -- A worm did not cause the blackout, yet the Blaster worm did significantly infect all systems that were related to the large scale power blackout (USA 2003)
  • Israel Electric Corporation -- cyber attacks originating in Iran penetrate IEC, but fail to shut down the power grid using DoS attacks (Isreal 2003)
  • Daimler Chrysler -- 13 U.S manufacturing plants were shut down due to multiple internet worm infections (Zotob, RBot, IRCBot) (USA 2005)
  • International Energy Company -- Malware infected HMI system disabled the emergency stop of equipment under heavy weather conditions (USA 2005)
  • International Petrochemical Company -- Extremist propaganda was found together with text files containing usernames & passwords of control systems (2006)
  • Stuxnet is found to target Natanz Facility (Iran 2010)
This is just a small list of known attacks. Manufacturers of SCADA and companies using SCADA don't always release information when things go wrong, so this may be the tip of the iceberg.

Conclusion

I don't want to sound like I'm fear mongering, but these threats are real and can have catastrophic results when executed by the wrong people. I've shown the possibilities and possible results of attacks on SCADA. Users and producers of SCADA have done too little to secure this system, I just hope it is not too late.