By Juan C. Asenjo, Thales
The security of legacy supervisory control and data acquisition (SCADA) systems has come under intense scrutiny as a result of homeland security initiatives being put in place to protect the nation’s critical infrastructure. Presidential Decision Directive 63 and a number of more recent government and industry efforts have put pressure on the electric, water and gas utility industries to develop and implement policies and solutions to protect against the threat of cyber attack. This article examines specific aspects of existing SCADA systems that are vulnerable to cyber attack and addresses how these can be effectively protected with cryptographic mechanisms to improve their security and mitigate risks.
SCADA systems perform key functions that deliver essential services and commodities to the public at large. Originally designed when security concerns were less prevalent, SCADA networks are vulnerable to cyber attacks that can result in public safety concerns and serious disruptions to the nation’s economy. Improving the security of legacy SCADA systems against cyber attack requires flexible solutions that are easy to install and do not impact system performance and operations. While many SCADA systems today have some form of authentication function for access control, this is typically the only security measure employed. As a result, systems remain vulnerable to interception, alteration and replay of data that can allow an intruder to effectively seize operations.
Because the critical infrastructure is typically owned and controlled by both the private sector and government, both industry recommendations and government legislation are forming part of the framework for future regulations describing processes, procedures and technology implementations to protect SCADA networks. The standards being developed are expected to become enforceable and auditable in the near future as federal legislation is already in place to establish regulatory mechanisms for these best practices.
Development of retrofit solutions that can provide robust cybersecurity to existing fielded SCADA systems has been of particular interest to industry organizations such as the North American Electric Reliability Council (NERC), the Gas Technology Institute (GTI), and the Instrumentation Systems and Automation Society (ISA). Since SCADA systems typically have useful lives of more than 15 years, retrofit solutions are expected to play a key role in addressing cybersecurity concerns and to bring fielded systems into compliance, while embedded security features are designed as a part of more robust SCADA systems in the future. The efforts of the aforementioned organizations are yielding security recommendations, including NERC (CIP-002 through -009) and the American Gas Association (AGA-12) standard, that provide guidelines on the establishment of security policies and procedures, including the use of retrofit cryptographic devices.
Deploying retrofit cryptographic solutions to address the critical security needs of existing SCADA systems has come to be known as a “bump in the wire” solution. The solutions can be installed without affecting the control system infrastructure in place and without causing disruption to the system’s performance. Retrofit solutions of this type will protect communications between remote terminal units (RTUs) connected directly to field devices and the SCADA master control centers. Unique features necessary in the retrofit solution include strong authentication and encryption for access control and protection of message integrity and confidentiality. With these features, the security of existing SCADA systems can be significantly enhanced to protect against cyber attack. By implementing a phased-in approach, retrofit solutions can be deployed in a systematic manner, first across the more vulnerable connections, followed by wider deployment across the entire SCADA network.
To further address the cyber attack threat, a complete solution should also focus on the security of RTUs and intelligent electronic devices (IEDs). IEDs, like RTUs, are also connected directly to field devices but are generally not linked back to a control center as they have internal processing capability to execute control functions based on preset parameters. The setting and maintenance of these parameters in both RTUs and IEDs is typically performed by technicians who access maintenance ports through remote dial-up connections. Controlling access to these ports is another critical security aspect. By providing a robust authentication mechanism for service personnel accessing these devices remotely, overall system security can be further strengthened.
Security solutions involving cryptography always require an underlying management system to enable key generation, distribution and revocation functions across the deployed system. In the following paragraphs, each of these aspects, including SCADA circuit protection, modes of operation, remote access security, and key management are examined in further detail.
SCADA circuit protection typically refers to point-to-point applications connecting RTUs in the field to SCADA master control centers through permanent dedicated circuits, ad-hoc dial-up or routed network connections. When these circuits are deployed in point-to-point scenarios, the connection between the SCADA master and RTUs requires only a discrete one-to-one security scheme allowing the use of a simple link encryption device. Multi-drop scenarios where the SCADA master control is connected to multiple RTUs in the field are more complex and require a point-to-multipoint encryption scheme that, using the communications protocol employed such as MODBUS or DNP, can create specific protected tunnels between the various fielded devices and the control center. An additional configuration, typical in any network infrastructure, is the mixed-mode scenarios where not all connections to RTUs need to be secured. In these configurations, two or more RTUs downstream in the network may be configured with multiple addresses for encryption or clear operation. The mixed-mode environment is commonly found in SCADA networks that are in the process of being transitioned to secured operation, and support for this application provides tremendous flexibility as encryption solutions can be added as required and in accordance with established security policies and priorities.
Remote access applications are perhaps among the most vulnerable components of SCADA systems, as these permit entry into fielded substation devices typically through dial-up connections with little or no authentication. To enhance the security of these, role-based access control (RBAC) mechanisms are critically important, as field technicians normally use mobile computer platforms to connect to these RTUs and IEDs and perform routine operations such as changing parameters or setting thresholds used to monitor and automatically control operational processes. In these remote access operational scenarios, cryptographic devices employed will benefit from the use of remote access and encryption client applications to facilitate the mobility of the security solution. Client application software installed in the field technician’s mobile platform (such as a notebook computer) will authenticate the user and, through a dial-up modem or other connectivity method, establish a secure connection with the remote site. To ensure both authenticated access and encryption, two-factor authentication requiring a token and password are recommended to ensure that only authorized technicians are allowed access to the intended field devices for maintenance.
It is important for any security solution to be as transparent to the user as possible and introduce minimum unnecessary overhead to the operation. For this reason, no security solution is complete without a set of tools that enables the customer to properly configure, deploy and manage an effective security system. To achieve this, two basic functions must be provided: a security authority and a management application. The security authority is the component that generates key material and digital certificates necessary to enable the utility customer to establish ownership over the cryptographic devices (software or hardware) configured and deployed within the utility. The management application, on the other hand, performs the function of loading certificates into the devices before they are fielded, and also provides a mechanism to create and issue tokens for access control to authorized operators, field technicians and selected trusted support vendors. The token issuance application must define the access rights of each operator depending on his or her role. A schematic representation of the scenarios and functions described is shown in the figure on page 52.
Protected SCADA system depicting underlying security authority and management applications; secured point-to-point, multi-drop, and mixed-mode SCADA communications; and secured remote maintenance access.
The cost of retrofitting an existing SCADA system with cybersecurity measures must be weighed against the likelihood of potential losses that can be caused by a successful attack. These losses can include not only disruptions to internal utility operations, but also service disruption to customers and, in extreme cases, disruption to a region’s economic activity. As new regulations are put in place and the cost of comprehensive retrofit solutions decreases, the economic advantage of pursuing system security upgrades will become more compelling. That should, in turn, contribute to improved reliability and availability of critical infrastructure commodities and services.
Strong encryption of communications links between SCADA master control centers and fielded RTUs, secure remote access to vulnerable maintenance ports of RTUs and IEDs, seamless automatic key management mechanisms and key revocation capabilities are all vital elements of a comprehensive strategy to enhance SCADA system cybersecurity. As government continues to encourage securing critical infrastructure assets against cyber attack, and as industry organizations such as AGA and NERC finalize specific standards and recommendations dictating how to secure deployed SCADA systems, one can expect more hardware and software retrofit solutions with the characteristics outlined in this article to become commercially available. Implementation of these solutions, together with sound threat awareness training and physical security policies, will strengthen the protective posture of existing SCADA systems and control the risk of cyber attack against the nation’s critical infrastructure. à¢®à¢®
Juan Asenjo has more than 20 years experience in the information security field, formerly with the National Security Agency, and most recently with Thales’ product development and marketing departments. He has degrees in engineering, business and is a Certified Information System Security Professional. For specific questions concerning this article, Asenjo can be contacted by e-mail at firstname.lastname@example.org.