Recently, I sat down with Susan Sons — whom I interviewed in a recent post — and Phil Salkie, manager at Jenariah LLC, who has more than 20 years of experience in industrial automation controls systems. The topic of discussion was supervisory control and data acquisition (SCADA), Stuxnet, and security.
SCADA is the central nervous system of any industrial control (IC) system. It receives reports from programmable logic controllers (PLCs), which make things move or happen in the real world as to the state of those things. It passes those reports to the operator interface terminal (OIT), which allows workers to view a graphical representation of the entire system — such as if a tank is empty or full.
Since SCADA systems monitor data coming in from IC systems, and, more importantly, have direct serial access to PLCs, it’s very important to secure them. The problem is that SCADA systems are designed to run without replacement for decades, in the desert, in salt water, on top of mountains in thin air, and on Antarctica. The OIT often runs an ancient version of Microsoft Windows that should never be connected to anything and that has an unprotected and insecure serial or Ethernet connection to the SCADA system. In fact, one major vendor of SCADA systems sends the password unencrypted via serial to the OIT and says, “Is this the password that was entered?” A simple serial bus sniffer (putty or minicom) will yield the password.
The problem is that companies need to know what their assembly line, water treatment plant, or power station is doing — how many widgets were produced today so that the enterprise resource planning (ERP) system knows how many orders were filled and what information to send to shipping. Often this means that machines running Windows 3.1, NT4, are stuck unprotected on the corporate LAN, sending this data to a database somewhere.
These machines are ideally air gapped, i.e., not connected to any LAN. If they must be connected, the SCADA system should be kept behind dedicated firewalls, and segregated from the corporate LAN. They should only be allowed to talk to the database servers. Additionally, there are proprietary protocols that SCADA systems can send out on an Ethernet interface. And if you run such a system, you should be sniffing for these to ensure that some well-meaning person doesn’t plug your SCADA box directly into the network. Stories abound of the third-shift employees plugging OIT hardware into the corporate network so that the employees can stream videos and watch them on the OIT.
There are physical protection concerns as well for SCADA systems. Ensure that untrained employees cannot access the SCADA hardware. Newer units may have USB or other interfaces that can be compromised, and the same goes for OITs.
Since Stuxnet, SCADA is a day-to-day reality for CSOs. By using restrictive firewalls, air gapping when possible, and protecting the physical hardware, the risk of your SCADA system being breached can be mitigated. Modern SCADA systems that have a better focus on security are coming, but they will either need to be protected or ship with an OIT that runs software with a 20-year end-of-life policy.
Interested in learning more? Enter your email address below to subscribe to our blog!