Safeguarding against a cyber-fallout

While most large organisations are serious about cyber-security they are still not paying enough attention to process control networks and may have to pay a heavy price for their negligence.

Today marks the kick-off of the 11th annual National SCADA conference in Melbourne, which will explore how process control networks need to adapt to a rapidly changing future. In the wake of a spate of disasters in 2011, the imperative for these networks to be robust and resilient has never been stronger.

Recent high-profile compromises to security point to an urgent need to secure process control networks. Stuxnet, a purpose-built worm for attacking industrial control systems, led the way in showing just what can be done by a professional team. More recently, Duqu entered the threat landscape enabling attackers to steal data from manufacturers of industrial control systems and use that data to exploit entities using these systems.

Why are these networks under attack? Most large organisations are serious about security. They run specialised departments tasked with protecting two key networks: data centre (servers) and office automation (workstations). These networks are essential for supporting the business processes throughout the organisation. However a “third network,” the process control network, has yet to receive the same attention. 

Often referred to as SCADA (supervisory control and data acquisition) networks due to their association with industrial processes, these networks connect equipment rather than computers and support systems rather than people. In sectors such as utilities, transportation, logistics, manufacturing and pharmaceuticals, these networks are critical to the operation of the organisation. In utilities, they are so important as to be considered part of the national critical infrastructure. In logistics, they route millions of parcels a day. But in other companies this network operates behind the scenes, quietly mediating access to buildings, controlling heating and ventilation, lifts and data centre cooling.

SCADA networks are the most unprotected networks of all and now cyber-criminals have them in their sights. If they get access, the consequences for many organisations, their customers and perhaps the population at large, could be extremely damaging.

What makes these networks more vulnerable?

  • Attacks are becoming more sophisticated as motives move away from amateur glory seeking, to politics in the form of ‘hactivism,’ espionage and nation-state aggression.  Advanced persistent threats—the professionals—are driving a new level of stealthy and complex attacks that are difficult to discern let alone disarm. 
  • Networks are becoming more connected as the business hungers for data to drive decision-making and suppliers Internet-enable everything in order to drive down support costs and increase customer retention. 
  • Designed in a different time, process control networks have been considered inherently safe and often do not include security basics. When released by systems vendors, patches are difficult to apply due to system availability requirements.
  • The SCADA network is often ‘invisible’ and lacks the attention and investment to raise the level of security commensurate with increased threats.
  • In most organisations process control engineers manage the process control network while the IT department runs the other networks. The two groups have separate mandates and priorities.

Given the typical separate of duties, when considering security solutions organisations should shift their “IT security” mindset to account for the unique requirements and priorities of process control engineers charged with managing the SCADA network. First, security tools should not interfere with closed loop processes that could pose a risk to control. Second, availability/uptime is the most important goal of the network. Third, regular password change policies could endanger a plant, locking engineers out of a system. And, fourth, security tools that require direct Internet access are not viable—many control networks are tightly firewalled from the Internet.

At the same time, process control networks have various areas of vulnerability that must be protected. The Human Machine Interface (HMI), process servers and historians are typically MS-Windows based and are potential entry points for any attacker coming in via the corporate network and using known exploits. The Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs) are often proprietary and require sophisticated knowledge of the control system in order to penetrate, as demonstrated by Stuxnet and Duqu.

The following guidelines should help organisations identify security solutions that respect the requirements and priorities of the process control network environment while enhancing protection. Specifically, organisations should consider solutions that can:

  • Provide the flexibility to operate in passive mode or in-line without interrupting closed-loop processes, even in the event of a software, hardware or power failure
  • Support a vast rule library and an open rule format in order to accept SCADA rule sets, rules provided by government agencies, other third-party rules and proprietary rules unique to an organisation’s own network
  • Control network usage by application, user and group as an ideal way of segregating control network zones for maximum flexibility
  • Provide passive asset discovery, automatic impact assessment and rules tuning to take corrective action only on threats that are relevant to an organisation’s specific network
  • Offer centralised monitoring and management to unify critical network security functions, streamline administration and expedite response

Process control networks are mission critical and security is of paramount importance. Increasingly on the radar of sophisticated attackers, it’s time for the SCADA network to be on the radar of management and get the organisational attention, and protection, it deserves.

Dean Frye is the Technical Director for Sourcefire's Asia Pacific division.