By Joe Weiss, PE, CISM, KEMA, Inc.
Much has been written lately concerning control system cybersecurity. Most often, it has been referred to as SCADA security. The purpose of this article is to attempt to bring some clarity and understanding of the issues. Currently, there is much confusion as to what constitutes an acceptable security program, what systems are vulnerable, which need to be addressed, and what can be done now.
Several items make what is occurring with security today challenging and unique:
- The lack of knowledge about what makes control system cybersecurity different from IT security;
- The use of personnel with limited knowledge or expertise with control systems;
- The complex and often conflicting interactions between the IT and operations groups;
- The lack of a “silver bullet” hardware or software solution;
- The need for a comprehensive, on-going program unique to control systems; and
- The lack of information sharing and a business case for control system cybersecurity.
What Makes Control Systems Unique
There is no one single accepted definition of a control system. The most common response is “I’ll know one when I see one.” Control systems include supervisory control and data acquisition (SCADA), remote terminal units (RTUs), intelligent electronic devices (IEDs), distributed control systems (DCSs), programmable logic controllers (PLCs), intelligent field devices, and even intelligent meters including those used for automated meter reading.
There have been more than 80 cases where control systems have been impacted by unintentional or intentional cyber events.
The one aspect all control systems have in common is they are used to monitor and/or control actual physical processes. As such, they differ fundamentally from the traditional IT paradigm of CIA-confidentiality, integrity, and availability. For control systems, it is most important to meet availability and integrity requirements; confidentiality for a control system is much less important. This also implies that the technologies needed to secure control systems are different. Encryption is critical for confidentiality; it may not be near as important for availability and integrity considerations. In fact, the use of encryption alone can negatively impact availability and may not provide data integrity.
Control system generally consists of two aspects: an operator interface (which today is often built upon a general operating system such as Windows, UNIX, or LINUX) and field devices (which are generally proprietary real-time operating system-based). Much of the traditional IT security technologies and practices can, and should be used, to protect these modern operator interfaces. However, the real-time controllers and field devices are different and need different protection. They have stringent reliability and timing requirements that must be met at all costs. Except for modern electric SCADA and distributed control system master stations, control systems have limited computing resources. This means that there is a possibility that implementing traditional IT security technology can impact required control system performance. Most legacy control systems were not designed for security. Many legacy control systems do not utilize traditional TCP/IP stacks which makes scanning of these devices problematic at best. At the 5th KEMA Control System Cyber Security Workshop, a power plant control system engineer presented a case history where every power plant workstation was either slowed down or shut down because of IT scanning of the control system network. Some older control system workstations cannot accept complex passwords; some cannot accept ANY passwords. Many legacy workstations do not have the computing power to utilize the newest anti-virus programs. And the list goes on.
Control System Cybersecurity Issues
The following Venn diagram is used to illustrate the dearth of people who are knowledgeable about control system cybersecurity. In the author’s view, there are fewer than 100 people world-wide who truly understand control system cybersecurity. The bulk of the people coming into the control system cybersecurity circle are coming from the IT security community. There is a need for more people with control system experience to migrate from the control systems circle into the control system cybersecurity circle.
Security should be considered as simply another challenge to the reliability and availability of control systems. Until the onset of the security issue, control system personnel (SCADA control center operations, substation operations and maintenance, and power plant operations and maintenance) viewed challenges to their systems as issues that required intimate knowledge of system operations and only involved personnel with substantial control system experience.
In my opinion, the most pervasive problem in securing control systems is that the approach has been to try to address control systems as if they were typical IT business systems. In almost all industries, there is an innate cultural conflict between the IT and operational organizations. This affects not only personnel but also security policies and procedures. However, there is a need to have both IT and operations involved in securing control systems. They should be employed to best bring the appropriate expertise to the table. Generally, that means operations should be leading the efforts to secure the control systems with IT support and IT should be leading the efforts to secure IT infrastructure such as WAN/LANs, etc. with operations support.
A common assumption is that all control systems are “air gapped” and isolated from the business networks and the Internet. Several companies are contemplating collapsing their multiple networks including control system networks into a single network to minimize costs and maximize common expertise. However, this can have some potential cyber implications. New control system technologies are precluding air gaps by incorporating Internet access, dial-up modems, wireless modems, WI FI and Blue Tooth communications, and other forms of remote access directly into new control and monitoring systems. Other critical misconceptions that affect control system cybersecurity include:
- VPN equals security,
- Firewalls equal security,
- Data only goes one-way,
- IDS applies to control systems and can detect all malicious traffic,
- Security policies and procedures are general, and
- Small systems cannot impact larger systems.
Consequently, demonstrations of hacking control systems were conducted at the 6th KEMA Control System Cyber Security Workshop to illustrate the inadequacy of these assumptions. Specifically a virtual electric distribution system and a small virtual power plant were used to provide compromised control systems protocols (ICCP and OPC) via a VPN connection from about 200 miles away to impact electric control center operations.
There is no hardware or software “silver bullet.” Cyber security is also dynamic-every time you modify a control system either by hardware or software you may potentially be modifying its cyber integrity.
Prudence requires a utility identify all systems that could impact business operations. Cybersecurity exacerbates this effort as systems that may not be critical to business operations can be electronically connected to systems that are critical to business operations. Examples of these types of systems include telecom, distribution, and generation independent of size. From a cyber perspective, the cyber connections make those “non-critical” systems critical. Additionally, when systems are integrated, particularly with SCADA, it usually leads to less secure systems being integrated with more secure systems making the more secure systems vulnerable. An example of this event was presented at the 4th KEMA Control System Cyber Security Workshop where integrating a GIS system into a SCADA system led to a cyber compromise of the SCADA system.
Even risk assessments for control system cybersecurity are different than traditional risk assessments. Risk is defined as frequency times consequence (R=FxC). For control system cybersecurity, the only two values that are not known for control system cybersecurity are frequency and consequence. Defining the risk profile takes great care and working with all of the appropriate stakeholders to prudently define the risk and the associated mitigation costs.
Information sharing on control system cyber events, whether intentional or unintentional, has been abysmal at best. This has contributed to the lack of a business case for control system cybersecurity. In reality, there have been more than 80 cases where control systems have been impacted by unintentional or intentional cyber events. Impacts have ranged from trivial impacts to significant equipment damage to deaths. In most cases where the author has presented examples of control system cybersecurity impacts, at least one individual has recognized and mentioned (in private) they have experienced similar issues.
What Should Be Done
The following can be done now to help mitigate control system cybersecurity issues:
- Awareness of control system cybersecurity for senior management;
- Develop and implement control system cybersecurity programs;
- Coordinate and cooperate within operations and maintenance groups and with IT;
- Assure that people working on these systems know and understand the systems (which also applies to IT systems);
- Test any technology in a control system environment to ensure it will not impact control system performance.
Substation “ËœBack Doors’ and Cybersecurity
Editor’s note: The following is excerpted from Chapter 12 of the book Cybersecurity for SCADA Systems by William T. Shaw. The book provides a high-level overview of SCADA technology and offers strategies for decreasing or eliminating system vulnerabilities. Shaw is chief technology officer for SWANTECH and is a regular presenter, speaker and author on SCADA cybersecurity. The book is published by PennWell Corp. (which also publishes Utility Automation & Engineering T&D magazine) and can be ordered online at www.pennwellbooks.com.
To understand the unique attributes of electric utility SCADA systems and the corresponding cybersecurity issues, it is necessary first to consider the main application of SCADA technology within electric utilities. The overwhelming majority of RTUs interfaced into an electric utility SCADA system will be located in electrical substations, for the purpose of controlling switchgear and transformers and making electrical measurements.
To a certain degree, the components that form the electric power grid are like a row of dominoes, and like a row of dominoes, if you set one falling, it can take down the next, which takes down the next, and so on. Protective relays and switchgear are positioned at various key points in the grid to break the chain and thereby limit damage; the Northeast blackout in August 2003, however, demonstrated that this process doesn’t always work as intended. Thus, it is vital for an attacker to be prevented from gaining communications access to substation RTUs, because that would provide the ability to control and operate switchgear and transformers.
The primary danger if an attacker were to gain communications access to an RTU would be that the attacker could then operate critical switchgear-for example, a circuit breaker controlling a major power delivery circuit-or trip a transformer, thus causing a domino to fall in the analogy invoked previously. To accomplish this, however, a knowledgeable attacker would not have to penetrate the SCADA system or wide area communications system. Most large substations have a back door that can be used for the same purpose (i.e., to control equipment).
Since substations are distributed over large geographic areas, it is understandable that with digital (microprocessor-based) relays, the protection organizations would seek to establish remote communication mechanisms. In most instances, this amounts to placement of a “port switch” on an incoming dial-up telephone line and connection of the communication/configuration ports of all of the relays to this switch. With such a scheme, a relay engineer (or a hacker with a war dialer program) can dial into the desired substation from his desk, using a PC and a modem, and then send a short character sequence that causes the port switch to select the desired port/relay. Security is provided by having each relay require a password. Of course, most relays are set to the same password for convenience (often the factory default). If the passwords have been changed, it is common to use the name of the substation as the password. Most relays place no limit on the number of times you could try to log in and enter the password-which is a very convenient feature for an automated password cracker program.
If one is communicating to these relays, there is no need to bother with the SCADA system or RTUs, as the relays also control the circuit breakers (and other switchgear) and can, depending on make, model and configuration, be commanded to trip or close the breakers via the dial-in port. This dial-in relay connectivity is one of the greatest vulnerabilities in the electric power grid, and most utilities are taking steps to close this back door to their substations. Port switches have gotten smarter, and manufacturers have added levels of access control and authentication; some can now even perform encryption. Undoubtedly, though, a large number of substation back doors remain vulnerable.
-William T. Shaw