Scada systems and security

November 2003

In recent times, governments throughout the world have identified critical infrastructure as potential targets for terrorism. Whilst physical measures have been taken to secure these infrastructures, one area of concern remaining is the potential attack on the information and process control systems belonging to the critical infrastructure. Many private companies controlling vital public utilities such as power, gas or water, who never considered they would ever be prone to cyber attacks, are now having to implement measures to improve the security of their whole organisation.

The reality is that many companies have become highly dependent on digital information systems that are tightly integrated into their business. Many scada systems that monitor and control critical infrastructure such as power generation and transmission, water and wastewater, and pipelines over a wide area network run on industry-standard computers and networks. As such, these systems run a higher risk of being hacked into by cyber terrorists. Hypothetically, by hacking into a scada network monitoring the water gates of a dam and taking control of the scada system, a cyber terrorist could wreak havoc by opening and closing the gates at will. Whilst scada systems have been around for a few decades, cyber attacks have only become a prominent threat in recent times. As such, many scada systems deployed in the past have little or no security built in. In addition, scada systems are often part of a company's engineering division and, as a result, are seldom covered by its corporate security policy.

Securing scada networks is relatively easy and should be considered as part of the company's overall security policy, requiring security measures and policies to be implemented on multiple levels, including:

* Defining a security policy.

* Securing the scada network and operating environment.

* Securing the scada application.

* Detecting unauthorised intrusions.

* Regulating physical access to the scada network.

Defining a security policy

Security policies are becoming essential in today's corporate network. A security policy is a living document that allows an organisation and its management team to draw very clear and understandable objectives, goals, rules and formal procedures that help to define the overall security position and architecture. As a starting point, an organisation should have a corporate security policy and ensure that its scada network falls under the jurisdiction of this policy. Failure to have a security policy not only exposes the company to cyber attacks but may also lead to legal action. A security policy should cover the following key components:

* Roles and responsibility of those affected by the policy.

* Actions, activities and processes that are allowed and those that are not allowed.

* The consequences of non-compliance.

Key personnel who need to be included in the development of the policy include: senior management, IT department, human resources and legal.

The following areas of vulnerability should be considered:

* Network and operating environment security.

* Application security.

* Intrusion detection for the scada system.

* Regulating physical access to the scada network.

Measures to secure the scada network

Corporate networks linked to the Internet or that use wireless technology may be more easily accessible to cyber terrorists and hackers. An organisation can heighten its level of network security by isolating its scada network, thereby restricting channels of external access. In many organisations, isolating the scada network from the Internet or intranet is difficult because of requirements such as monitoring plants from a remote location.

In the latter case, measures can be taken to secure network and operating environment from unauthorised access to the scada systems. These include: firewalls, virtual private networks, demilitarised zones and authentication.

Implement a secured firewall

A secured firewall is imperative between the corporate network and the Internet. As the single point of traffic into and out of a corporate network, it can be effectively secured and monitored. A corporate network should have at least one firewall and a router separating it from the external network that is not within the company's dominion. When examining the firewall solution, consider if and how the firewall supports any security services that may be needed. Microsoft Internet Security and Acceleration (ISA) Server, with its virtual private network (VPN) support, can be used to set up the firewall.

On larger sites it is also recommended to protect the control system from attack from within the scada network. This may be implemented by providing an additional firewall between the corporate and scada network. To maximise access and minimise the configuration required to maintain this firewall, a terminal server can be used to act as a gateway. Only traffic from the terminal server can pass into the scada network and a secured terminal server removes the ability for external applications to be used to attack the control system.
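To make the segmentation concrete, here is an added example in Python (not Citect's code and not any product's configuration) that models the layout described above: a corporate network, a DMZ holding the terminal server, and the scada network, with a default-deny rule set evaluated first match wins. The zone addresses, the terminal server address, the RDP port 3389 and the Modbus/TCP port 502 used in the probes are assumptions. The audit function compares a weak rule set, which lets the whole corporate LAN straight into the scada zone, against the hardened one, where corporate users reach only the terminal server and only the terminal server may originate traffic into the scada zone.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed network layout (assumption, not from the article).
ZONES = {
    "internet":  ip_network("0.0.0.0/0"),       # catch-all for anything not ours
    "corporate": ip_network("10.10.0.0/16"),
    "dmz":       ip_network("10.20.0.0/24"),
    "scada":     ip_network("192.168.50.0/24"),
}
TERMINAL_SERVER = "10.20.0.10"   # hypothetical gateway host sitting in the DMZ


@dataclass(frozen=True)
class Rule:
    src: str             # source zone name, or a single host address
    dst: str             # destination zone name
    port: Optional[int]  # None means any destination port
    action: str          # "allow" or "deny"


def zone_of(addr):
    """Most specific zone wins; the /0 'internet' zone matches last."""
    ip = ip_address(addr)
    for name, net in sorted(ZONES.items(), key=lambda kv: -kv[1].prefixlen):
        if ip in net:
            return name
    return "internet"


def src_matches(rule_src, addr):
    try:                                   # rule written for a single host?
        return ip_address(rule_src) == ip_address(addr)
    except ValueError:                     # otherwise it names a zone
        return zone_of(addr) == rule_src


def decide(rules, src, dst, port):
    """First matching rule wins; no matching rule means deny (default-deny)."""
    for r in rules:
        if (src_matches(r.src, src) and zone_of(dst) == r.dst
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"


# Weak: one rule lets every corporate workstation talk to the scada network.
WEAK_RULES = [
    Rule("corporate", "scada", None, "allow"),
    Rule("corporate", "internet", None, "allow"),
]

# Hardened: corporate users may only RDP (3389, assumed) to the terminal server,
# and only the terminal server may originate traffic into the scada zone.
HARDENED_RULES = [
    Rule("corporate", "dmz", 3389, "allow"),
    Rule(TERMINAL_SERVER, "scada", None, "allow"),
    Rule("corporate", "internet", None, "allow"),
]


def audit(rules):
    """Probe the flows the article says must not be possible; return the ones allowed."""
    probes = [
        ("203.0.113.7", "192.168.50.5", 502, "internet host reaches scada"),
        ("10.10.4.2", "192.168.50.5", 502, "corporate workstation reaches scada directly"),
        ("10.10.4.2", "192.168.50.5", 3389, "corporate workstation RDPs into scada directly"),
    ]
    return [why for s, d, p, why in probes if decide(rules, s, d, p) == "allow"]


if __name__ == "__main__":
    print("weak rule set violations:", audit(WEAK_RULES))
    print("hardened rule set violations:", audit(HARDENED_RULES))
```

Running the audit against a candidate rule set before it is loaded onto the firewall is a cheap way to catch the "corporate straight into scada" mistake; the same probe list can be extended as new paths (modems, wireless) are added to the network.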

Keep the network simple

Simple networks are at less risk than more complex interconnected networks. Keep the network simple - and more importantly - well documented from the beginning.

Minimise network access points

A key factor in ensuring a secure network is the number of contact points. While firewalls secure access from the Internet, many existing control systems have modems installed to allow remote users access to the system for debugging. These modems are often connected directly to controllers in the substations. Remote access, if required, should be through a single point that is password protected and where user actions can be logged.

Virtual private network

One of the main security issues facing more complex networks today is remote access. With a VPN, all data paths are secret to a certain extent, yet open to a limited group of persons, for example, to employees of a specific company. VPN is a secured way of connecting to remote scada networks. Based on the existing public network infrastructure and incorporating data encryption and tunnelling techniques, it provides a high level of data security.

Deploy Internet Protocol Security (IPsec)

IPsec can be deployed within a network to provide computer-level authentication as well as data encryption. It can also be used to create a VPN connection between two remote networks using the highly secured Layer Two Tunnelling Protocol with Internet Protocol security (L2TP/IPsec).

Demilitarised zones (DMZs)

DMZs are a buffer between a trusted network (scada network) and the corporate network or Internet, separated through additional firewalls and routers, providing an extra layer of security against cyber attacks.

Application security

In addition to securing the network, securing access to scada system components will provide a further defence layer.

Authentication and authorisation

Authentication is the software process of identifying a user who is authorised to access the scada system. Authorisation is the process of defining access permissions on the scada system and allowing users with permissions to access respective areas of the system. Authentication and authorisation are the mechanisms for a single point of control for identifying and allowing only authorised users to access the scada system, thereby ensuring a high level of control over the system's security.

To provide effective authentication, the system must require each user to enter a unique username and password. A shared user name implies a lack of responsibility for the protection of the password and the actions completed by that user.

Users must be able to be created, edited and deleted within the system while the system is active to ensure that individual passwords can be maintained. In addition, it is highly recommended that password ageing be implemented. Password ageing ensures that operators change their passwords over a controlled time period, such as every week, month or so on.

To provide authorisation the system must be able to control access to every component of the control system. The system must not provide a 'back door' with which to bypass the levels of authentication specified in the application.

Secured data storage and communication

Critical data pertaining to a scada system must be securely persisted and communicated. It is recommended that critical data like a password be stored using an encryption algorithm. Similarly, remote login processes should use VPNs or encryption to communicate the user name and password over the network.

Critical data like user name and password must be persisted in a secured data repository and access rights monitored and managed using secured mechanisms like Windows authentication and role-based security.
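The authentication, authorisation, password ageing and secured password storage requirements of the last few paragraphs fit in one small model. The following is an added Python example, not Citect's code or any scada product's API; the component names, roles and the 30-day ageing limit are assumptions. One deliberate substitution: where the text says passwords should be stored "using an encryption algorithm", the example stores a salted one-way hash (PBKDF2), so the stored value cannot be turned back into the password at all. Authorisation is deny by default, every component must be registered before it can be checked, and there is no master account or bypass flag.

```python
import hashlib
import hmac
import os

MAX_PASSWORD_AGE_DAYS = 30      # assumed ageing policy: change at least monthly
PBKDF2_ITERATIONS = 100_000

# Every component of the control system is listed here, so that authorisation
# covers all of them and nothing is reachable without a check (hypothetical names).
COMPONENTS = {"alarms_view", "trend_view", "setpoint_write", "user_admin"}
ROLES = {
    "operator": {"alarms_view", "trend_view"},
    "engineer": {"alarms_view", "trend_view", "setpoint_write"},
    "admin":    {"alarms_view", "trend_view", "user_admin"},
}


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class UserStore:
    """In-memory user repository: users can be created, edited and deleted while
    the system is running. Time is passed in as a day number to keep it simple."""

    def __init__(self):
        self.users = {}

    def create(self, username, password, role, today):
        if username in self.users:
            raise ValueError("usernames must be unique: no shared accounts")
        if role not in ROLES:
            raise ValueError("unknown role")
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest, "role": role, "changed": today}

    def delete(self, username):
        del self.users[username]

    def change_password(self, username, new_password, today):
        user = self.users[username]
        user["salt"], user["digest"] = hash_password(new_password)
        user["changed"] = today

    def authenticate(self, username, password, today):
        """'ok', 'expired' (right password but older than the ageing limit) or 'denied'."""
        user = self.users.get(username)
        if user is None:
            hash_password(password)   # same cost for unknown users as for wrong passwords
            return "denied"
        _, digest = hash_password(password, user["salt"])
        if not hmac.compare_digest(digest, user["digest"]):
            return "denied"
        if today - user["changed"] > MAX_PASSWORD_AGE_DAYS:
            return "expired"
        return "ok"

    def authorised(self, username, component):
        """Deny by default: unknown user, unknown component or missing permission all fail."""
        if component not in COMPONENTS:
            raise ValueError(f"component {component!r} is not registered for authorisation")
        user = self.users.get(username)
        return user is not None and component in ROLES[user["role"]]


if __name__ == "__main__":
    store = UserStore()
    store.create("alice", "Str0ng-pass!", "engineer", today=0)
    print(store.authenticate("alice", "Str0ng-pass!", today=5))    # ok
    print(store.authenticate("alice", "Str0ng-pass!", today=45))   # expired
    print(store.authorised("alice", "setpoint_write"))              # True
    print(store.authorised("alice", "user_admin"))                  # False
```

The `authorised` check raising on an unregistered component is the point of the design: a new screen or control that has not been added to `COMPONENTS` fails closed instead of silently becoming the back door the text warns against.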

Audit trails

It is recommended that audit trails on critical activities like user logins or changes to system access permissions be tracked and monitored at regular intervals. Securing a scada application may make it more challenging for external hackers to gain control of the system, however it will not prevent internal employees with malicious intent. Regularly tracking and monitoring audit trails on critical areas of the scada system will help identify unscrupulous activities and consequently take necessary corrective actions.
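As an added example of the kind of regular audit-trail review described above (Python, written for this article and not taken from any scada product), the following parses a constructed audit log of logins and permission changes and flags three things an insider check would look for: a successful login that follows a run of failures, a user changing their own role, and a permission change outside working hours. The record format, the three-failure threshold and the 07:00 to 18:59 working window are assumptions.

```python
import re
from collections import defaultdict

# Constructed audit records; format assumed: "<date> <time> <EVENT> key=value ..."
AUDIT_LOG = """\
2003-11-03 08:01:10 LOGIN_OK user=alice host=ws04
2003-11-03 08:03:55 LOGIN_FAIL user=bob host=ws12
2003-11-03 08:04:02 LOGIN_FAIL user=bob host=ws12
2003-11-03 08:04:09 LOGIN_FAIL user=bob host=ws12
2003-11-03 08:04:20 LOGIN_OK user=bob host=ws12
2003-11-03 22:41:33 LOGIN_OK user=carol host=ws07
2003-11-03 22:42:05 PERM_CHANGE actor=carol target=carol role=admin
2003-11-04 09:15:00 PERM_CHANGE actor=alice target=dave role=operator
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\d\d):\d\d:\d\d (\w+)(.*)$")


def parse(line):
    """Turn one audit line into a dict; malformed lines yield None and are skipped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    date, hour, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"date": date, "hour": int(hour), "event": event, **fields}


def review(lines, fail_threshold=3, work_hours=range(7, 19)):
    """Return a list of human-readable findings for an operator to follow up."""
    findings = []
    fails = defaultdict(int)          # consecutive failed logins per user
    for rec in filter(None, map(parse, lines)):
        event = rec["event"]
        if event == "LOGIN_FAIL":
            fails[rec["user"]] += 1
        elif event == "LOGIN_OK":
            if fails[rec["user"]] >= fail_threshold:
                findings.append(f"{rec['user']}: success after {fails[rec['user']]} "
                                f"failures from {rec['host']}")
            fails[rec["user"]] = 0
        elif event == "PERM_CHANGE":
            if rec["actor"] == rec["target"]:
                findings.append(f"{rec['actor']}: changed own role to {rec['role']}")
            if rec["hour"] not in work_hours:
                findings.append(f"{rec['actor']}: permission change at "
                                f"{rec['hour']:02d}h outside working hours")
    return findings


if __name__ == "__main__":
    for finding in review(AUDIT_LOG):
        print(finding)
```

Run daily against the previous day's records, a review like this turns the audit trail from a file that is merely kept into one that is actually read; the self-granted administrator role at 22:42 is exactly the internal activity the paragraph above says network hardening alone will not stop.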

Wireless networks

The two most common ways of gaining unauthorised access to a wireless network are by using an unauthorised wireless client, such as a laptop or PDA, or by creating a clone of a wireless access point. If no measures have been taken to secure the wireless network then either of these methods can provide full access to the wireless network.

Many commercial wireless networks are available; these range in price, complexity and level of security provided. When implementing a wireless network, a couple of standard security measures can be taken to minimise the chance of an attacker gaining access to the wireless network:

* Approved clients - the access points in the wireless network contain a configurable list of the MAC addresses of all clients that are authorised to gain access to the wireless network. A client not listed in an access point will not gain access to the wireless network.

* Server Set ID (SSID) - this is an identification string that can be configured on all clients and access points in the wireless network. Any client or access point participating in the wireless network must have the same SSID configured. The SSID is, however, transmitted as a readable text string over the network, so using the SSID alone is not enough to secure the wireless network.

* Wired Equivalent Privacy (WEP) - all clients and access points should have a configurable static WEP key. This is a 40-, 64- or 128-bit encryption string that is entered in all clients and access points. Without the correct WEP string no access can be gained to the wireless network, and the SSID is also encrypted using this string. In most cases, using an SSID and a WEP key provides a secure solution.

* VPN (described earlier) was developed to provide secure connections through the Internet to internal corporate networks. A VPN simplistically creates a secure tunnel through open networks such as the Internet or a wireless network. Data transmitted through the tunnel is encrypted on the client and then decrypted and validated in a VPN gateway inside of the wireless access point. Another advantage with using a VPN is that a single solution provides security both for the wireless and wired network and the maintenance cost is lower.

Intrusion detection

Firewalls and other simple boundary devices currently available lack some degree of intelligence when it comes to observing, recognising and identifying attack signatures that may be present in the traffic they monitor and the log files they collect. This deficiency explains why Intrusion Detection Systems (IDS) are becoming increasingly important in helping to maintain network security.

In a nutshell, an IDS is a specialised tool that knows how to read and interpret the contents of log files from routers, firewalls, servers and other network devices. Furthermore, an IDS often stores a database of known attack signatures and can compare patterns of activity, traffic or behaviour it identifies in the logs it is monitoring against those signatures so it can recognise when a close match between a signature and current or recent behaviour occurs. There are various types of IDS monitoring approaches:

* Network-based IDS characteristics: network-based IDSs can monitor an entire, large network with only a few well-situated nodes or devices and impose little overhead on a network.

* Host-based IDS characteristics: host-based IDS can analyse activities on the host it monitors at a high level of detail. It can often determine which processes and/or users are involved in malicious activities.

* Application-based IDS characteristics: an application-based IDS concentrates on events occurring within some specific application. They often detect attacks through analysis of application log files and can usually identify many types of attack or suspicious activity.

In practice, most commercial environments use some combination of network-, host- and/or application-based IDS to observe what is happening on the network while also monitoring key hosts and applications more closely.
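To show what "reading log files and comparing them against a database of signatures" amounts to in practice, here is an added Python example; it is not the code of any IDS product and not part of the original article. It parses constructed firewall log lines in a Netfilter-like key=value layout (the format, interface names and thresholds are assumptions) and applies two kinds of signature: pattern signatures that match a single record (a telnet attempt against the gateway; an accepted Modbus/TCP session originating on the corporate side) and a behavioural signature that fires when one source has touched a threshold number of distinct destination ports.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (assumed Netfilter-like format; eth0 = outside,
# eth1 = corporate side). The DROP lines are a host trying several ports in turn.
FIREWALL_LOG = """\
Nov  3 14:02:11 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.20.0.10 PROTO=TCP DPT=21
Nov  3 14:02:11 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.20.0.10 PROTO=TCP DPT=22
Nov  3 14:02:12 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.20.0.10 PROTO=TCP DPT=23
Nov  3 14:02:12 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.20.0.10 PROTO=TCP DPT=80
Nov  3 14:02:13 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.20.0.10 PROTO=TCP DPT=443
Nov  3 14:05:40 fw1 kernel: ACCEPT IN=eth1 SRC=10.10.4.2 DST=192.168.50.5 PROTO=TCP DPT=502
Nov  3 14:06:02 fw1 kernel: ACCEPT IN=eth1 SRC=10.10.4.2 DST=10.20.0.10 PROTO=TCP DPT=3389
""".splitlines()

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split a log line into the firewall action plus its key=value fields."""
    _, _, body = line.partition("kernel: ")
    action = body.split(" ", 1)[0]
    return {"action": action, **dict(FIELD_RE.findall(body))}


# Pattern signatures: a name and a predicate over one parsed record.
SIGNATURES = [
    ("telnet-to-gateway",
     lambda r: r.get("DPT") == "23"),
    ("modbus-from-corporate-lan",          # port 502 is Modbus/TCP
     lambda r: r.get("DPT") == "502" and r.get("IN") == "eth1" and r["action"] == "ACCEPT"),
]
PORT_SWEEP_THRESHOLD = 5   # distinct destination ports from one source (assumed)


def detect(lines):
    """Return (signature name, source address) alerts in the order they fire."""
    alerts = []
    ports_by_src = defaultdict(set)
    for rec in map(parse, lines):
        src = rec.get("SRC", "?")
        for name, matches in SIGNATURES:
            if matches(rec):
                alerts.append((name, src))
        # Behavioural signature: fire once when the port count reaches the threshold.
        ports_by_src[src].add(rec.get("DPT"))
        if len(ports_by_src[src]) == PORT_SWEEP_THRESHOLD:
            alerts.append(("port-sweep", src))
    return alerts


if __name__ == "__main__":
    for name, src in detect(FIREWALL_LOG):
        print(f"ALERT {name} from {src}")
```

Note that the third alert fires on an ACCEPT line: the firewall permitted the session, so only the IDS layer, comparing what it sees with what the network is supposed to carry, reports it. That is the complementary role the paragraph above describes.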

Regulating physical access to the scada network

Physical access to the network should be closely monitored:

1. Use built-in Microsoft Windows features such as NTFS to require user authentication when perusing network shares.

2. Do not allow anyone who does not belong to the organisation to connect to the network Ethernet or to have physical access to the IT server room.

3. Monitor the network regularly for activity that may be suspicious, and note the IP addresses seen when running sniffing software or hardware on the network.

4. Ensure that there are no foreign IP addresses on the list. If a foreign IP address is found, trace the route to the IP address. Once the location where this foreign IP address originates from is known, action may be taken. If unsure, physically disconnect the segment where the potential intruder may be on the network.
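Steps 3 and 4 above amount to comparing the addresses actually seen on the wire with the list of addresses the organisation knows it owns. The following is an added Python example (not Citect's code, and the asset register, segment layout and sniffer output format are all constructed) that does that comparison and reports, for each unexpected host, which network segment it was seen on, so that the segment can be isolated as step 4 suggests. It also flags a known IP that appears with a different hardware address than the register records, which is either a replaced device or something standing in for one; both deserve a visit.

```python
from ipaddress import ip_address, ip_network

# Hypothetical asset register: every IP address the organisation owns, with its MAC.
INVENTORY = {
    "192.168.50.1":  "00:11:22:33:44:01",   # scada server
    "192.168.50.5":  "00:11:22:33:44:05",   # PLC gateway
    "192.168.50.20": "00:11:22:33:44:20",   # operator workstation
}

# Hypothetical physical segments, so a finding can say where to go and look.
SEGMENTS = {
    "scada-ring-A": ip_network("192.168.50.0/25"),
    "scada-ring-B": ip_network("192.168.50.128/25"),
}

# Constructed sniffer / ARP-table output; format assumed: "<ip> <mac> <interface>".
OBSERVED = """\
192.168.50.1    00:11:22:33:44:01  eth0
192.168.50.5    00:11:22:33:44:05  eth0
192.168.50.20   AA:BB:CC:DD:EE:FF  eth0
192.168.50.200  66:77:88:99:aa:bb  eth0
""".splitlines()


def segment_of(ip):
    """Name the segment an address belongs to, or say it is outside all of them."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "outside all known segments"


def check_hosts(observed, inventory):
    """Return (finding, ip, segment) tuples for addresses that do not match the register."""
    findings = []
    for line in observed:
        parts = line.split()
        if len(parts) < 2:
            continue                      # blank or malformed line
        ip, mac = parts[0], parts[1].lower()
        if ip not in inventory:
            findings.append(("unknown-ip", ip, segment_of(ip)))
        elif inventory[ip].lower() != mac:
            findings.append(("mac-mismatch", ip, segment_of(ip)))
    return findings


if __name__ == "__main__":
    for finding, ip, segment in check_hosts(OBSERVED, INVENTORY):
        print(f"{finding}: {ip} seen on {segment}")
```

The check is only as good as the asset register, which is one practical reason the article's advice to keep the network simple and well documented from the beginning matters: an undocumented network has no baseline to compare against.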

For more information contact Citect, 011 699 6600, [email protected], www.citect.com
