Propeller Hat Warning! This article will discuss some problems with Supervisory Control and Data Acquisition (SCADA) systems, and their design/protocols.
SCADA, which controls remote terminal units connected to distribution/transmission lines and at substations, is based on old protocols and lacks basic security, so solutions have to be designed around the existing infrastructure.
Lack of proper network segmentation is common and makes it easy for hackers to “pivot” to more sensitive areas inside a network.
Default configurations are known and open to attack; default firmware is often outdated and full of security and reliability issues.
SCADA software and hardware have little to no security, so information travels as unencrypted plain text that can be captured and/or manipulated and re-broadcast (packet injection).
Those working at facilities with SCADA have had little security training or work in an environment where little thought is given to security.
When I worked at an electric cooperative, I remember asking our leadership team a few questions around cyber security. I asked “What would happen if the cooperative’s processes were compromised?” “What would happen if cybercriminals took control of dispatching?” Then I asked the scariest question: “How much harm could be done with SCADA before we ever even knew?” The answer I received is the same that most electric utilities give. “Not much, we will just roll trucks.” The truth is that rolling trucks may get you back online if your SCADA system is being turned off… but what if your SCADA system appears to be on and is telling you it’s fine? Or even worse, what if dispatching thinks they have safely opened (turned off) a recloser, but it is actually still closed (still on)?! That is when virtual safety has crossed the line into physical safety and the risk to human life becomes real.
Problems with a Secure SCADA
SCADA allows you to effectively monitor and control your electrical systems along with your Remote Terminal Units (RTUs). It gives engineers the ability to make decisions in real time and to store data for long-term decision making. Without effective operational technology, you simply aren’t going to have a good feel for what is actually taking place within your distribution/transmission system.
These systems quickly become vital for the planning and operation of your electric systems. They are so critically important that they are a prime target for cyberattacks.
Even the newest products seem to be based on old technology requiring serial cables and dip switches. This is an unfortunate reality. We saw the shortcoming in the security of these devices during the Ukrainian power grid attacks in 2015 and the Stuxnet virus on the Iranian uranium enrichment facility in 2010.
Fortunately, there is something that can be done. Most attacks on these systems succeed because basic security practices are ignored. Most (virtually all) SCADA systems lack any modern security. They are based on older serial technology with little to no security design thought. Add some failure of basic security practices and you have a disaster in the making. These basic failures in security practices include:
1. Exposure to the Internet
SCADA operators didn’t use to concern themselves with security. Before the internet, SCADA was confined to the small network it served. Now, SCADA is often deployed using “serial to ethernet” adapters, or through some other means, giving it the ability to be managed from as far away as an internet connection can reach. This expands the operations of a utility, but many organizations are using outdated or insecure connections in their attempts to modernize SCADA, often without even realizing it! Even the organizations that have taken steps to secure SCADA often provide external access to vendors who help maintain their system. However, if those external vendors aren’t compliant with their own security policies, they can quickly become an avenue for attack. That is why monitoring (with a U.S. Security Operations Center) is such an important part of ensuring security.
2. Weak/No Network Segmentation
This is one of the most likely contributing factors to a SCADA compromise. Many organizations have little or no segregation of their SCADA devices. I’ve seen an electric cooperative that had their guest wireless network shared with the entirety of their network, including the operations and server networks.
An organization might have taken steps to segregate traffic between VLANs, but then will plug in a computer that is also connected to other parts of the network, creating a pivot point for attacks. These machines, a nexus point of IT and OT, are often inherently necessary. However, this needs to be done carefully and judiciously. Further, access to this machine needs to be planned out and limited. The best approach is to build an internal firewall around this nexus and limit who can access it and how.
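The zone model described above (corporate, guest, an OT DMZ holding the IT/OT nexus machine, and the SCADA network behind it) can be written down as a deny-by-default flow policy and then checked against what the network actually carries. The script below is an added example, not SkyHelm’s code or anything from the article; the address ranges, the jump-host address and the flow records are constructed for illustration. It evaluates each flow against the policy and reports the ones that should never have been possible, which is what a segmentation audit or a SOC detection rule boils down to.

```python
import ipaddress

# Constructed zone layout for this example; the address ranges and the jump-host
# address are assumptions, not values from the article.
ZONES = {
    "corporate": ipaddress.ip_network("10.0.0.0/16"),
    "guest_wifi": ipaddress.ip_network("192.168.50.0/24"),
    "ot_dmz": ipaddress.ip_network("10.10.0.0/24"),   # jump host, historian, patch relay
    "scada": ipaddress.ip_network("10.20.0.0/24"),    # RTUs, HMIs, front-end processors
}
JUMP_HOST = "10.10.0.5"

# Allowed flows: (source zone, destination zone) -> (required destination host or None,
# allowed destination ports). Any flow not listed here is denied: segmentation means
# deny-by-default between zones, not "VLANs plus a dual-homed PC".
ALLOWED = {
    ("corporate", "ot_dmz"): (JUMP_HOST, {22, 3389}),   # admins reach only the jump host
    ("ot_dmz", "scada"): (None, {502, 20000}),           # Modbus/TCP and DNP3 from the DMZ only
    ("scada", "scada"): (None, {502, 20000}),
}


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is in no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(src, dst, port):
    """Return 'allow' or 'deny' for one flow under the zone policy."""
    rule = ALLOWED.get((zone_of(src), zone_of(dst)))
    if rule is None:
        return "deny"
    required_host, ports = rule
    if required_host is not None and dst != required_host:
        return "deny"
    return "allow" if port in ports else "deny"


# Constructed flow records in the form "<timestamp> <src> -> <dst>:<port>", the shape a
# firewall or NetFlow export might be normalised to.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 10.0.3.14 -> 10.10.0.5:22
2024-05-01T10:00:07 10.0.3.14 -> 10.20.0.8:502
2024-05-01T10:01:12 192.168.50.23 -> 10.20.0.8:502
2024-05-01T10:02:30 10.10.0.5 -> 10.20.0.8:502
2024-05-01T10:03:45 10.10.0.5 -> 10.20.0.8:80
"""


def audit(flow_text):
    """Return the flows that violate the policy as (src, dst, port, src_zone, dst_zone)."""
    violations = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "->":
            continue                       # skip malformed records rather than guess
        src = parts[1]
        dst, port = parts[3].rsplit(":", 1)
        port = int(port)
        if evaluate(src, dst, port) == "deny":
            violations.append((src, dst, port, zone_of(src), zone_of(dst)))
    return violations


if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("policy violation: %s (%s) -> %s:%d (%s)" % (v[0], v[3], v[1], v[2], v[4]))
```

In the constructed sample, the corporate workstation reaching the jump host over SSH is allowed, while the same workstation and a guest-WiFi client talking Modbus directly to an RTU, and the jump host opening port 80 into the SCADA zone, are all flagged. Any flow record that is seen and flagged here is also a flow the internal firewall around the nexus should have dropped, so the audit doubles as a check that the firewall rules match the intended policy.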
3. Tyranny of the Default Configurations
I can’t even begin to tell you how many organizations leave the default password in place. I remember thinking someone had done a good job making up a great password for all their SCADA equipment, when I was informed by an engineer that it “came with that password”.
Unfortunately, many SCADA devices come shipped with outdated firmware. When they arrive they often already have known security vulnerabilities and need to be updated immediately. Updating these once they are deployed is absolutely difficult, as it often requires a physical “touch” to each device, sometimes requiring scheduled downtime of the device. When I was working at an electric cooperative, I actually spent a solid couple of weeks driving across our 6,000 miles of line to every one of our SEL SCADA devices so I could physically update the firmware. Many of these devices required that I run a serial connector and hold my laptop up in the air as the firmware transferred to the device! Was it grueling? Yes! However, it was a necessary requirement to ensure security.
4. SCADA Protocols are Weak
SCADA was never designed to be connected to the internet. It also was not designed with security as a consideration. I’ll use the MODBUS protocol as an example. MODBUS uses clear text communication, with no encryption. This means an attacker can easily eavesdrop on the traffic and see exactly what is happening back and forth. Even when authentication is put in place, the security exchange is still just done in plain text. Not only is this bad for a particular device, but it often allows an attacker to gain valuable information, such as the password you just used to log in!
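Because Modbus/TCP is clear text, every request on the wire can be decoded by anyone who captures it, and that cuts both ways: a defender’s monitoring can read exactly which coils and registers are being written and by whom. The parser and detection rule below are an added example, not code from the article or from SkyHelm. It decodes the 7-byte MBAP header and the function code from constructed frames (the addresses and the authorized-writer policy are assumptions) and raises an alert whenever a write function arrives from a host that is not the known HMI. A coil being switched OFF by an unexpected host is precisely the “recloser looks open but isn’t” scenario from the introduction, and it is visible in the traffic if anyone is looking.

```python
import struct
from dataclasses import dataclass

# Function codes from the Modbus application protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}

# Constructed policy: only the HMI/front-end at this (assumed) address may issue writes.
AUTHORIZED_WRITERS = {"10.10.0.5"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(payload):
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    # The length field counts the unit identifier plus the PDU that follows it.
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(transaction_id, unit_id, payload[7], payload[8:])


def describe(req):
    """Human-readable summary of what the request asks the device to do."""
    name = FUNCTION_NAMES.get(req.function, "function 0x%02x" % req.function)
    if req.function == 5:
        address, value = struct.unpack(">HH", req.data[:4])
        return "%s: coil %d -> %s" % (name, address, "ON" if value == 0xFF00 else "OFF")
    if req.function == 6:
        address, value = struct.unpack(">HH", req.data[:4])
        return "%s: register %d = %d" % (name, address, value)
    if req.function in (1, 2, 3, 4, 15, 16):
        address, count = struct.unpack(">HH", req.data[:4])
        return "%s: start %d, count %d" % (name, address, count)
    return name


def inspect(packets):
    """packets: list of (source_ip, tcp_payload). Returns alert strings for malformed
    frames and for writes issued by any host that is not an authorized writer."""
    alerts = []
    for src, payload in packets:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append("%s: malformed Modbus frame (%s)" % (src, exc))
            continue
        if req.function in WRITE_FUNCTIONS and src not in AUTHORIZED_WRITERS:
            alerts.append("%s: unauthorized %s on unit %d" % (src, describe(req), req.unit_id))
    return alerts


# Constructed capture: MBAP header (transaction id, protocol id 0, length, unit id)
# followed by the PDU, exactly as it would appear in clear text on TCP port 502.
CAPTURE = [
    ("10.10.0.5", bytes.fromhex("00010000000601030000000a")),            # read 10 holding registers
    ("10.10.0.5", bytes.fromhex("00020000000601050010ff00")),            # HMI writes coil 16 ON
    ("10.0.3.14", bytes.fromhex("000300000006010500100000")),            # unknown host writes coil 16 OFF
    ("10.10.0.5", bytes.fromhex("00040000000b01100000000204006400c8")),  # HMI writes 2 registers
]

if __name__ == "__main__":
    for src, payload in CAPTURE:
        print(src, describe(parse_modbus_tcp(payload)))
    for alert in inspect(CAPTURE):
        print("ALERT", alert)
```

The same decoder applied to a live span port or a packet capture gives an operations team an independent record of every command that reached an RTU, which is the evidence needed to answer the question “what is SCADA actually being told to do?” rather than trusting the HMI’s own display.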
5. SCADA Applications are Weak
It shouldn’t be a surprise that systems designed without security in mind have applications designed with little to no security in place either. SCADA systems are vulnerable to web and client-type attacks: packet injection, SQL injection, parameter manipulation, and more! These SCADA apps tend to lack encryption, which lets bad actors sniff out credentials. I’ve seen several of the web interfaces that use plain URL authentication to determine if the user is valid or not. The URL at the top of the page may just need to be edited from http://10.0.10.15/login=false to become “http://10.0.10.15/login=true” and suddenly you’re in! This is not security…
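The `login=true` flag in the URL is a client-supplied claim about authentication state, and the fix is to keep that state on the server and hand the client nothing but an unguessable token. The snippet below is an added example written for this article, not code from SkyHelm or from any vendor’s interface; the username, password and addresses are constructed. It shows the weak check side by side with a hardened one: salted PBKDF2 for the stored credential, a constant-time comparison at login, and a session store that the cookie value merely indexes, so editing the cookie gains nothing.

```python
import hashlib
import hmac
import os
import secrets
from urllib.parse import urlparse

# ---- The weak pattern described above: the browser tells the server it is logged in ----

def is_logged_in_vulnerable(url):
    """Treats a client-controlled flag as authentication state. Editing
    '/login=false' to '/login=true' (or '?login=true') is all it takes."""
    parsed = urlparse(url)
    candidates = [parsed.path.rsplit("/", 1)[-1]] + parsed.query.split("&")
    return "login=true" in candidates


# ---- Hardened pattern: authentication state lives only on the server ----

def hash_password(password, salt=None):
    """Salted PBKDF2 so the credential store never holds a reusable plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class SessionStore:
    """Maps unguessable opaque tokens to users. The client only ever holds the
    token, which carries no meaning it could edit to its advantage."""

    def __init__(self, credentials):
        self._credentials = credentials   # username -> (salt, digest)
        self._sessions = {}               # token -> username

    def login(self, username, password):
        stored = self._credentials.get(username)
        if stored is None:
            return None
        salt, expected = stored
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(expected, candidate):   # constant-time comparison
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def logout(self, token):
        self._sessions.pop(token, None)

    def user_for(self, token):
        return self._sessions.get(token)


def session_token_from_cookie(cookie_header):
    """Extract the 'session' value from a Cookie header such as 'theme=dark; session=abc'."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None


def is_logged_in_hardened(store, cookie_header):
    """Authenticated only if the presented token maps to a live server-side session."""
    token = session_token_from_cookie(cookie_header or "")
    return token is not None and store.user_for(token) is not None


# Constructed credential store for the example (not a real account).
CREDENTIALS = {"operator": hash_password("correct-horse-battery-staple")}

if __name__ == "__main__":
    print(is_logged_in_vulnerable("http://10.0.10.15/login=false"))  # False
    print(is_logged_in_vulnerable("http://10.0.10.15/login=true"))   # True, no credentials needed
    store = SessionStore(CREDENTIALS)
    token = store.login("operator", "correct-horse-battery-staple")
    print(is_logged_in_hardened(store, "session=%s" % token))       # True
    print(is_logged_in_hardened(store, "session=login=true"))        # False
```

The hardened check still depends on the token not being sniffed, which brings the paragraph’s other point back: the session cookie has to travel only over TLS (marked `Secure` and `HttpOnly`), otherwise the same clear-text capture that exposes a Modbus write exposes the session.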
6. Lack of a Security Culture
Even the most secure organization can’t maintain security if its employees allow themselves to be used by bad actors as a means of compromise. Employees often fall prey to phishing and social engineering attacks simply because they lack basic security training. If employees don’t maintain a sense of ownership of security, the entire organization can become compromised with one bad click. From there, an attacker can spread from the employee’s compromised machine to penetrate the network more deeply. This pivot point is a common avenue for attacks.
USB drives are a common avenue for attack. How do you easily get a virus into an organization? Scatter a few USB drives around the parking lot or in the lobby. Still not enticing enough? Label the USB drives “Pay Raise Discussion” or “Suggested Terminations 2020”. You’ll get an employee to plug the infected USB drive into their computer and launch the application. Even worse, because of the subject matter, they are less likely to admit they did anything, so IT never learns that the organization is under a targeted attack.
At one time, the way we did SCADA was safe. Today, that is no longer the case. If you had been breached, would you even know? What harm could be done? Hackers often sit on a breach, creating several avenues to revisit it at a time of their choosing, looking to coordinate their attacks during holidays, off hours, or global/national events. Worse still, state-sponsored actors may only be gaining access to use you as part of a larger cyberattack on the United States energy sector. You must secure your network and develop the ability to detect, control, and contain any security threat.
SkyHelm, focusing on safety and reliability, has the security expertise to secure your network. We offer customized security training services and a wide range of services and products focusing on security. We have a US based 24/7 NOC/SOC that can monitor your organization for potential threats and bad actors. SkyHelm builds safe and reliable infrastructure using advanced and proven technologies.