In Depth

SCADA System Security: Out of Control

Industrial control systems such as SCADA systems sit squarely at the intersection of the digital and physical worlds. They're vulnerable, they're unpatchable, and they're connected to the Internet.

By Todd Datz

Page 4

The insecurity of these systems is manifested in plenty of other ways. Control system communications used to be proprietary; that changed when those systems began getting hooked up to enterprise networks and the Web. "The SCADA commands are now going over TCP/IP and clear text, and are highly vulnerable," says Pollet. "There's no way for a [control device] to know the SCADA command is what it says it is; there's no authentication, no encryption. They're highly vulnerable to denial-of-service [attacks] and viruses." He adds that easily downloadable TCP/IP packet-sniffing tools, such as Ethereal and Ettercap, can be used to read clear text. That would allow a hacker to read and capture user names, passwords and even commands.
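The point Pollet makes, that a control device has no way to tell whether a command "is what it says it is", comes down to the absence of a message authentication tag. The following is an added example (not code from the article, its interviewees, or any vendor) that models that gap and the standard fix on a constructed, hypothetical command frame: a receiver that acts on any well-formed cleartext frame beside one that verifies an HMAC-SHA256 tag under a shared key and rejects altered or replayed frames. The frame layout, the `demo` scenario and the key are assumptions for illustration, not any real SCADA protocol.

```python
import hashlib
import hmac
import struct

# Constructed, hypothetical frame layout used only for this example (not any
# real control protocol): 4-byte sequence number, 2-byte point id,
# 1-byte opcode, 4-byte setpoint, all big-endian.
FRAME_FMT = ">IHBI"
FRAME_LEN = struct.calcsize(FRAME_FMT)   # 11 bytes
OP_WRITE = 0x10                          # assumed "write setpoint" opcode
TAG_LEN = hashlib.sha256().digest_size   # 32 bytes


def encode_command(seq, point_id, opcode, value):
    return struct.pack(FRAME_FMT, seq, point_id, opcode, value)


def decode_command(frame):
    seq, point_id, opcode, value = struct.unpack(FRAME_FMT, frame)
    return {"seq": seq, "point_id": point_id, "opcode": opcode, "value": value}


def unauthenticated_receiver(frame):
    """The situation the article describes: any well-formed frame is acted on,
    because nothing in it ties the command to an authorised sender."""
    if len(frame) != FRAME_LEN:
        return None
    return decode_command(frame)


def authenticate(frame, key):
    """Append an HMAC-SHA256 tag computed over the whole frame with a shared key."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()


class AuthenticatedReceiver:
    """Acts on a frame only if its tag verifies and its sequence number advances."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0

    def receive(self, msg):
        if len(msg) != FRAME_LEN + TAG_LEN:
            return None
        frame, tag = msg[:FRAME_LEN], msg[FRAME_LEN:]
        expected = hmac.new(self.key, frame, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None          # forged, or altered in transit
        cmd = decode_command(frame)
        if cmd["seq"] <= self.last_seq:
            return None          # a captured frame being replayed
        self.last_seq = cmd["seq"]
        return cmd


def tamper_value(msg, new_value):
    """Stand-in for an on-path alteration: rewrite the setpoint field (bytes 7..10)."""
    return msg[:7] + struct.pack(">I", new_value) + msg[11:]


def demo():
    key = b"constructed-shared-key"       # placeholder for the example, not a real secret
    legit = encode_command(1, point_id=7, opcode=OP_WRITE, value=50)
    altered = tamper_value(legit, 999)    # cleartext frame with the setpoint changed
    signed = authenticate(legit, key)
    rx = AuthenticatedReceiver(key)
    return {
        "cleartext_accepts_altered": unauthenticated_receiver(altered)["value"],
        "auth_accepts_legit": rx.receive(signed)["value"],
        "auth_rejects_altered": rx.receive(tamper_value(signed, 999)),
        "auth_rejects_replay": rx.receive(signed),
    }


if __name__ == "__main__":
    print(demo())
```

The sequence counter is there because an HMAC alone proves only that a frame was produced by a key holder, not that it is fresh; a passively captured, correctly tagged frame could otherwise be resent later. Keys must still be provisioned and stored securely on the field device, which the example does not address.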

SCADA systems also connect to a wide variety of other communications media, including public telecom networks, wireless radio, and private microwave and fiber networks. In testimony before a House subcommittee looking into control system vulnerabilities in March, Gerald Freese, director of information security at American Electric Power, talked about the interdependencies between SCADA networks and the telecommunications functions that support them. "We have to keep in mind that telecommunications is vulnerable in its role as a transport medium. It is subject to attacks such as 'man in the middle,' where transmissions are intercepted and altered, redirected or destroyed. Also, many power plants and substations use modems [vulnerable to a number of intrusion exploits] to manage equipment such as breakers, relays and switches over telephone lines."

Because SCADA systems were designed for efficiency and ease of use, vendors enable their products to be accessed remotely (through dial-up modems, wireless handhelds and the like) so that customers will have an easier time making fixes to systems, often with no authentication required. And companies often fail to install the same security measures on control systems, such as firewalls and intrusion detection systems, that they use to protect IT systems. But those technologies have their limitations as well, since they weren't designed with control systems in mind. For example, Weiss says a typical firewall filters Internet protocols such as TCP/IP but not control system protocols.

Patch management is another gnarly issue. The message from vendors sometimes seems to be: Patch at your own peril. That's because installing patches can interrupt the real-time functioning of the operating system, which could have bad consequences. "We had a control system supplier send out a warning letter to all its clients saying, 'Whatever you do, don't put in a patch for the Slammer worm. The patch will get you,'" says Weiss. Gary Sevounts, director of industry solutions at Symantec, notes that part of the problem is that it's difficult to test patches (or any other security technology) in an actual control system environment because of the requirement for 100 percent availability and predictable performance. "If there's a 10 to 15 percent hit on performance in a banking application, perhaps there's a delay, but the customer is probably OK," but the same 10 percent to 15 percent delay in a SCADA system can lead to a power blackout, Sevounts says.
