SCADA



Overview
 

Industrial Control Systems, including SCADA (supervisory control and data acquisition), are relied on by power stations, factories and other parts of critical infrastructure to manage key processes, yet are increasingly being targeted by advanced hackers and exposed to vulnerabilities that originate in the corporate network.

Industrial control systems can be physically located anywhere in the world, often in harsh environments very different from controlled, indoor IT environments.
SCADA systems are specialised computer networks and devices that work in concert to monitor and control key processes involved in the management of machinery, equipment and facilities.

Measurements taken from a variety of sensors (temperature, pressure, flow etc.) are used to make decisions, for example to open a valve and release water from a tank when it fills up, or to initiate an emergency shutdown of a nuclear power plant. Loss of access to, or misuse of, these systems could result in severe physical damage, disruption and financial loss to a company. Therefore, security of these SCADA systems should be a high priority.

Traditionally, SCADA networks have been segregated from other corporate networks to minimise exposure to insecure areas, such as the Internet. Recently however, more organisations are connecting SCADA networks with other potentially insecure networks in order to cut costs, share operational information, or distribute ordering/billing data. Even when connecting SCADA networks to other networks is prohibited by corporate policy, incorrectly installed systems can unintentionally bridge networks together - putting SCADA networks and the processes they control at risk.



Image: Security compromised SCADA network

Since the beginning of 2015, a total of 77 advisories regarding vulnerabilities in SCADA systems have been released by the ICS-CERT. They cover a total of 133 vulnerabilities, of which 122 correspond to unique CVEs.

66% of these vulnerabilities could be exploited remotely, and nearly 10% from a neighbouring network (the rest would require direct access).






Solutions, Features & Benefits



> Security Appliances 
Appliances with built-in and consolidated security provide defence-in-depth capabilities which "virtually patch" vulnerable systems, minimising disruption to the SCADA network.


> Internet connectivity out at sea can be limited and often satellite-based

Industrial control systems generally span miles, often countries and even the world. As a result, access (both physical and Internet) can be limited and difficult.

Support for integrated wireless access, ideally 3G/4G networks, is recommended.


> Protect Industrial Control Systems from intrusion, malware, intellectual data theft

> Protect both Operational Control and IT systems

> Connectivity and security you need for distributed industrial control systems


> Detect emerging cyber-threats within Industrial Control Systems (ICS)

> Monitor behaviours and alert security operators to any suspicious or abnormal activity 


> Preventing unauthorised software
Lock down critical systems by ensuring that all new software is validated and checked against an authorised list or approved by IT before executing.


> Blocking unauthorised portable storage devices 

Easily block USB drives, CDs, etc., ban or approve devices by type or serial number so that only pre-authorised devices can execute.


> Auditing all software changes 

Ensure compliance and determine accountability with a comprehensive audit trail of all application changes. 


> UTM Security products

> Integrated Switching

> Wireless Access (Indoor and Outdoor access points)

> and “Rugged” form factors

> Small form factor, purpose-built security and network devices that meet or exceed industry standards for hazardous deployment

> Remote management / monitoring of integrated security, switching, wireless and more

> Central reporting to demonstrate compliance with industry-specific regulations

> Access Control: segmentation and strong authentication

> Vulnerability Management: physical or virtual patching

> Threat Prevention: IPS, Anti-malware and Web Filtering for analysis of protocol, code and communications 

 
> Sandboxing and other monitoring to detect attacks that slip through.

> VPNs to protect SCADA protocols and data

 

> Network Anti-virus

The best solution is to use a defence-in-depth strategy by applying application layer security both on the host/RTU and at the network level. What is required is a consolidated security system which offers tightly integrated multiple detection mechanisms including:


  • Stateful, application aware firewalls
  • Anti-virus detection
  • Application control
  • Web filtering
  • VPNs
  • Automated updates to antivirus and IPS signature databases
  • Known SCADA Exploits already in antivirus and IPS databases
  • Network Anomaly and DoS prevention
  • Database protection
  • Web application protection


> Security solutions validated against FIPS 140-2 and EAL4+ security certifications

> High-Availability and Network Resilience

 

Availability of the SCADA network and its elements is critical for secure operation.
 

The solution can be configured in an active-passive or active-active mode to provide resilience in the case of failure. Should a device fail, session failover ensures a safe transition to the backup device.

At the network level, multiple WAN links can be connected, providing ISP-level resilience. Multiple VPNs can be configured over these links to ensure secure, resilient ISP-level redundancy. Where required, such as at remote or mobile locations, devices can be configured to use a 3G modem to communicate with the control system. This can be combined with other fixed-line methods in order to provide backup "out-of-band" access to the SCADA network.




> High Throughput / Low Latency VPN

SCADA systems are inherently insecure and their protocols are commonly intercepted in transit with ease. To protect SCADA network traffic, the solution provides high throughput, low latency VPN connections.

SSL VPN can be utilised to deliver secure remote access to SCADA devices via Telnet (an inherently insecure protocol itself), SSH, RDP, VNC etc., further enhancing security while maintaining manageability of the SCADA network. 




> Transparent Mode

Management of SCADA networks is of critical importance due to the sensitivity of the systems they control, and changes and network downtime are to be avoided at all cost. To minimise deployment risk while still providing security, the device can be deployed in transparent mode, which requires no change to the existing layer 3 network structure.




> Intrusion Prevention

The devices act as both intrusion detection and active prevention systems; in other words, they are able to intercept malicious traffic before it impacts the network. Intrusions are detected using the following methods:

Network anomaly and DoS mitigation – Detects unusual activity such as traffic that violates protocol standards or exceeds thresholds. This includes oversized ICMP packets, out of order TCP packets (FIN without SYN), and SYN floods or other packet storms which indicate a denial of service attack, such as the one that affected the Browns Ferry Nuclear Power plant.

Signature detection – provides worm IPS signatures to protect against network propagation (such as that responsible for the Davis-Besse nuclear power plant shutdown, and Stuxnet propagation and C&C activity), Windows, Linux and UNIX signatures to protect against vulnerabilities in unpatched operating systems, and application signatures to protect against application vulnerabilities in MS SQL, IIS, Apache, Exchange etc.

SCADA IPS signatures are developed both in-house by threat research teams and in collaboration with industry. These signatures protect against vulnerabilities in MODBUS, ICCP, DNP v3 and other proprietary SCADA protocols. Additionally, the system protects against host OS and application vulnerabilities and can detect the dial-home activity of many botnets.
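The network anomaly and DoS mitigation method above lists three concrete conditions: oversized ICMP, a FIN on a connection that never opened with a SYN, and a SYN flood. The following is an added example, not code from this page or from any vendor product, showing how a stateful detector can flag those three conditions over a handful of constructed packet records. The thresholds (1500-byte ICMP ceiling, 20 SYNs per destination per second) and the simplified packet fields are assumptions for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The few header fields an IPS needs for these checks (constructed, not captured traffic)."""
    ts: float        # arrival time in seconds
    src: str
    dst: str
    proto: str       # "tcp" or "icmp"
    flags: str = ""  # TCP flags as letters: S=SYN, A=ACK, F=FIN
    length: int = 0  # total packet length in bytes


class AnomalyDetector:
    """Stateful checks for the three anomaly classes the text names:
    oversized ICMP, FIN on a flow that never opened with SYN, and SYN floods."""

    def __init__(self, max_icmp_len=1500, syn_threshold=20, window=1.0):
        self.max_icmp_len = max_icmp_len     # assumed ceiling for a legitimate ICMP packet
        self.syn_threshold = syn_threshold   # SYNs per destination per window before alerting
        self.window = window                 # seconds
        self.opened = set()                  # (src, dst) pairs seen in a SYN, both directions
        self.syn_times = defaultdict(deque)  # dst -> timestamps of recent SYNs
        self.flood_alerted = set()           # destinations already reported, to avoid alert storms

    def inspect(self, pkt):
        alerts = []
        if pkt.proto == "icmp" and pkt.length > self.max_icmp_len:
            alerts.append(("oversized_icmp", pkt.src, pkt.dst))
        elif pkt.proto == "tcp":
            flow = (pkt.src, pkt.dst)
            if "S" in pkt.flags and "A" not in pkt.flags:        # bare SYN: connection attempt
                self.opened.add(flow)
                self.opened.add((pkt.dst, pkt.src))
                recent = self.syn_times[pkt.dst]
                recent.append(pkt.ts)
                while recent and pkt.ts - recent[0] > self.window:
                    recent.popleft()                              # slide the window forward
                if len(recent) >= self.syn_threshold and pkt.dst not in self.flood_alerted:
                    self.flood_alerted.add(pkt.dst)
                    alerts.append(("syn_flood", pkt.dst, len(recent)))
            elif "F" in pkt.flags and flow not in self.opened:    # FIN with no prior handshake
                alerts.append(("fin_without_syn", pkt.src, pkt.dst))
        return alerts


def run(packets):
    """Feed packets through one detector and collect every alert in arrival order."""
    det = AnomalyDetector()
    alerts = []
    for pkt in packets:
        alerts.extend(det.inspect(pkt))
    return alerts


# Constructed traffic: a clean handshake and close, then the three anomalies.
SAMPLE = (
    [
        Packet(0.00, "10.0.0.5", "10.0.0.9", "tcp", "S"),
        Packet(0.01, "10.0.0.9", "10.0.0.5", "tcp", "SA"),
        Packet(0.02, "10.0.0.5", "10.0.0.9", "tcp", "A"),
        Packet(0.50, "10.0.0.5", "10.0.0.9", "tcp", "FA"),
        Packet(1.00, "192.0.2.7", "10.0.0.9", "tcp", "F"),          # FIN with no handshake
        Packet(1.10, "192.0.2.7", "10.0.0.9", "icmp", "", 65000),   # oversized ICMP
    ]
    + [Packet(2.0 + i * 0.01, f"198.51.100.{i}", "10.0.0.20", "tcp", "S") for i in range(25)]
)

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```

The detector reports a flood once per destination rather than once per packet; a production IPS would also age out the `opened` set and rate-limit the other alert types, which is left out here to keep the three checks visible.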




> Application Control

Application Control detects and restricts application use on the network based on behavioural analysis and classification.

There are over 1600 different applications in the database including P2P, remote access, bots, etc. Applications can be denied by default and allowed on a case-by-case basis, useful for locking down highly critical networks.

A specific application class for SCADA allows protocols such as DNP v3 to be allowed or blocked but additionally for DNP v3 reads/writes to be allowed or denied as required. Using the default deny policy, all applications that do not match the SCADA description can be blocked by default whilst allowing the SCADA traffic to pass unimpeded, regardless of which port is being used. 
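Allowing DNP v3 reads while denying writes means the policy engine has to find the application-layer function code inside the frame rather than trust the TCP port. The block below is an added example, not the page's or any vendor's code, that parses a DNP3 request frame (link header with CRC, 16-byte CRC'd user-data blocks, transport header, application header), maps the function code to a read/write class and applies a default-deny policy. The frame builder, the policy table and the sample requests are constructed for illustration; the function codes and CRC-16/DNP parameters are those of the DNP3 (IEEE 1815) standard.

```python
import struct

DNP3_START = b"\x05\x64"

# Application-layer function codes from the DNP3 (IEEE 1815) table; subset only.
READ_CODES = {0x01}                                   # READ
WRITE_CODES = {0x02, 0x03, 0x04, 0x05, 0x06,          # WRITE, SELECT, OPERATE, DIRECT_OPERATE(_NR)
               0x0D, 0x0E}                            # COLD_RESTART, WARM_RESTART

# Example policy in the spirit of the text: SCADA reads pass, anything that changes
# outstation state is blocked, and everything that is not DNP3 hits the default deny.
POLICY = {"dnp3-read": "allow", "dnp3-write": "deny", "dnp3-other": "deny", "non-dnp3": "deny"}


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(src: int, dst: int, app_payload: bytes) -> bytes:
    """Assemble a DNP3 request frame: link header, then user data in 16-byte CRC'd blocks."""
    ctrl = 0xC4                          # DIR=1 PRM=1, FC 4 = unconfirmed user data
    user = b"\xC0" + app_payload         # transport header: FIR=1 FIN=1 seq=0, then app layer
    header = DNP3_START + bytes([len(user) + 5, ctrl]) + struct.pack("<HH", dst, src)
    frame = header + struct.pack("<H", crc_dnp(header))
    for i in range(0, len(user), 16):
        block = user[i:i + 16]
        frame += block + struct.pack("<H", crc_dnp(block))
    return frame


def parse_function_code(frame: bytes):
    """Return the application function code of a well-formed DNP3 frame, else None."""
    if len(frame) < 15 or frame[:2] != DNP3_START:
        return None
    if struct.unpack("<H", frame[8:10])[0] != crc_dnp(frame[:8]):
        return None                      # header CRC mismatch: corrupt or not DNP3
    user, pos = b"", 10
    while pos < len(frame):
        n = min(16, len(frame) - pos - 2)
        if n <= 0:
            return None                  # trailing bytes that cannot hold a block + CRC
        block = frame[pos:pos + n]
        if struct.unpack("<H", frame[pos + n:pos + n + 2])[0] != crc_dnp(block):
            return None
        user += block
        pos += n + 2
    if frame[2] != len(user) + 5 or len(user) < 3:
        return None                      # length byte disagrees, or no application header
    return user[2]                       # user[0]=transport, user[1]=app control, user[2]=function


def classify(payload: bytes) -> str:
    fc = parse_function_code(payload)
    if fc is None:
        return "non-dnp3"
    if fc in READ_CODES:
        return "dnp3-read"
    if fc in WRITE_CODES:
        return "dnp3-write"
    return "dnp3-other"


def decide(payload: bytes, policy=POLICY) -> str:
    return policy[classify(payload)]


# Constructed requests from master address 1 to outstation 1024.
READ_CLASS1 = build_frame(1, 1024, bytes([0xC0, 0x01, 0x3C, 0x02, 0x06]))   # READ g60v2, all
DIRECT_OPERATE = build_frame(1, 1024, bytes(
    [0xC1, 0x05, 0x0C, 0x01, 0x17, 0x01, 0x00,      # DIRECT_OPERATE, CROB g12v1, 1 point, index 0
     0x41, 0x01, 0, 0, 0, 0, 0, 0, 0, 0, 0x00]))     # latch on, count 1, on/off time 0, status 0
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: hmi\r\n\r\n"

if __name__ == "__main__":
    for name, pdu in [("read", READ_CLASS1), ("direct_operate", DIRECT_OPERATE), ("http", HTTP_REQUEST)]:
        print(name, classify(pdu), decide(pdu))
```

Because the classifier inspects the frame rather than the port, a read request arriving on a non-standard port is still recognised as SCADA traffic, and a frame with a corrupted header or a non-DNP3 payload on port 20000 falls through to the default deny.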




> VLAN Support

While not a best practice for high-security networks such as those carrying SCADA traffic, VLANs are often employed to keep SCADA and corporate traffic separate on the same physical network, reducing cost while enhancing security. The solution's devices support 802.1Q VLAN traffic tagging.




> Multiple Networks / DMZs and Virtual Firewalls (Segmentation)

Create multiple networks, enabling segregation of SCADA and corporate data traffic at the physical interface or VLAN level.

This is critically important where business systems from the corporate network interact with SCADA system components, breaching the network security “air gap”. If direct connectivity is unavoidable, it should at least be secured from attack.

Another important benefit of multiple network segments and DMZs is at remote sites where an engineer may require Internet access for email or other communication. Should an engineer logon from an infected laptop which attempts to scan, infect or breach the SCADA network, this will be prevented and logged. Corporate security policies can also be applied to restrict access to downloadable content by category or to block downloading of malicious content.

Virtual Domains - To further increase security, networks can be segregated using Virtual Domains. VDOMs logically partition a physical firewall, ensuring that traffic cannot traverse between networks.




> Identity Based Policies

A key requirement of standards provided by organisations such as ISA99, CPNI and NIST is to segregate networks and only allow authorised users to access SCADA systems. Providing a totally separate network for these users may not be feasible so users need to be identified and given access based on their user credentials. With Identity-based policies, credentials such as AD login can be harnessed to provide user or role based access control to the required resources.


 

> Database Security

The solution quickly assesses the security level of your database and, once steps have been taken to rectify any security issues, informs you if your database systems deviate from this secure state.

At the core of all SCADA systems will be a management system with a backend database, sometimes referred to as the historian. Often database administration will not be a core function of the person managing the SCADA infrastructure and as such, it may end up deployed in an insecure fashion. Default administrator passwords, vulnerable supplied applications and poor configuration can all lead to insecurities in the database and ultimately the whole system.

In addition to this vulnerability detection capability, the solution also monitors the database for unusual activity, e.g. access from unusual locations or at unusual times, changes to data types, and querying of large volumes of data, and alerts appropriately.
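The monitoring described above amounts to comparing each database access against a recorded baseline. As an added example (not code from this page or from any product), the block below parses a few constructed historian audit lines and reports which baseline checks each one fails: unknown user, source outside the SCADA segment, access outside the expected hours, an unusually large result set, or a schema change. The log format, the baseline values and the thresholds are assumptions; a real database's audit output will need its own parser.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Shape of the constructed audit lines; real databases differ, so this regex is an assumption.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) db=(?P<db>\S+) '
    r'rows=(?P<rows>\d+) stmt="(?P<stmt>[^"]*)"$'
)
DDL_RE = re.compile(r"^\s*(ALTER|DROP|CREATE|TRUNCATE)\b", re.IGNORECASE)

# Baseline recorded once the historian is in its known-good state (assumed values).
BASELINE = {
    "users": {"scada_app", "historian_ro"},
    "sources": [ip_network("10.10.5.0/24")],   # SCADA server segment
    "hours": (6, 20),                           # expected interactive window, UTC, [start, end)
    "max_rows": 10_000,                         # larger result sets count as bulk reads
}


def parse_line(line):
    """Turn one audit line into a dict, or None if it does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["rows"] = int(ev["rows"])
    return ev


def check_event(ev, baseline=BASELINE):
    """Return the names of every baseline deviation this event shows (empty list = normal)."""
    findings = []
    if ev["user"] not in baseline["users"]:
        findings.append("unknown_user")
    src = ip_address(ev["src"])
    if not any(src in net for net in baseline["sources"]):
        findings.append("unusual_source")
    start, end = baseline["hours"]
    if not start <= ev["ts"].hour < end:
        findings.append("outside_hours")
    if ev["rows"] > baseline["max_rows"]:
        findings.append("bulk_read")
    if DDL_RE.match(ev["stmt"]):
        findings.append("schema_change")
    return findings


def scan(lines, baseline=BASELINE):
    """Parse each line and report (timestamp, user, findings) for events that deviate."""
    report = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                 # unparseable line: skipped here, worth counting in production
        findings = check_event(ev, baseline)
        if findings:
            report.append((ev["ts"].isoformat(), ev["user"], findings))
    return report


# Constructed historian audit lines: one normal query, then one event per anomaly type.
SAMPLE_LOG = [
    '2024-05-02T09:12:44Z user=scada_app src=10.10.5.21 db=historian rows=120 stmt="SELECT ts, value FROM tags WHERE tag_id = 17"',
    '2024-05-02T02:41:03Z user=historian_ro src=172.16.40.9 db=historian rows=15 stmt="SELECT name FROM tags"',
    '2024-05-02T11:05:10Z user=historian_ro src=10.10.5.30 db=historian rows=250000 stmt="SELECT * FROM tags"',
    '2024-05-02T14:20:00Z user=sa src=10.10.5.21 db=historian rows=0 stmt="ALTER TABLE tags ALTER COLUMN value TYPE text"',
    'garbage line that does not match the audit format',
]

if __name__ == "__main__":
    for entry in scan(SAMPLE_LOG):
        print(entry)
```

Each finding is named separately so an alert can say which part of the baseline was violated; an event that trips several checks at once (an unknown user changing the schema, or an off-hours query from outside the SCADA segment) is the one to escalate first.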



> Web Application Security

Web-based HMIs (Human Machine Interface, the SCADA GUI) are becoming more and more popular due to the lower cost, and flexibility of development, cross platform nature and familiarity and ubiquity of the browser. The benefit of web based applications means they can be easily accessed remotely; however this can also be the downfall of a SCADA system.

A web application firewall protects web-based applications and internet-facing data. Automated protection and layered security protect web applications from sophisticated attacks such as SQL injection, cross-site scripting, buffer overflow exploits and data loss.



> SCADA Security: Penetration Testing Service 

Reduce exposure to threats

Test your security controls 


Identify vulnerabilities and configuration issues in SCADA systems without disrupting day–to–day operations.

Industrial control systems (ICS), distributed control systems (DCS) and supervisory control and data acquisition systems (SCADA) have all been around for decades, but thanks to Stuxnet, Duqu and other major incidents, these systems have recently begun receiving serious security consideration.










Contact us today to discuss your requirements in more detail.



P: +44(0)7714 209927

S: +44(0)1273 329753

info@securenetconsulting.co.uk