To understand why they are fragile it’s important to first understand a bit of the ICS architecture. At a high level, most of these organizations have three operational zones.
Zone one
This zone consists of the actual ICS assets. These are generally very simple devices that may only do a small number of tasks, such as opening or closing a valve. They are digital assets that control physics like flow, temperature and pressure.
Zone two
This zone is made up of similarly purpose-built equipment called SCADA, for supervisory control and data acquisition systems. SCADA systems manage those ICS assets and monitor for issues such as the heat set point in a boiler being exceeded because of a malfunctioning coil. Additionally these SCADA systems can house proprietary information regarding system configuration – how long to bake the pizza dough, where to weld the car door, how much light to expose a bacteria to, or what additives to inject into a polymer.
Zone three
This zone is the traditional IT environment that’s similar to what you might find in a bank, retailer or insurance company. In addition to business operations, the IT zone is more commonly connected to the other zones for measurement and monitoring. In the case of power generation, they use the monitoring derived from improved connectivity to more accurately trade excess power in real-time.
Collectively these zones are highly complex, often distributed and well connected. As with any complex system, accidents happen and errors occur. Additionally, they are high-value targets for attackers. These attacks can range from cyber criminals threatening to turn the lights off if their extortionist demands are not paid to a nation-state trying to knockout an adversary by taking down the electric grid, communication and emergency services before launching a kinetic strike. According to Allan Paller, Director of the SANS Institute, “Hundreds of millions of dollars have been extorted, and maybe more. This kind of extortion is the biggest untold story in the cyber crime industry.” In emerging markets like Mexico and India extortion is pervasive according to studies by the Center for Strategic and International Studies.
Over the past couple months I’ve been spending a lot of time with critical infrastructure sector organizations across US and internationally. During that time specific security themes kept resurfacing. For this blog I’m going to focus on five reasons SCADA security is fragile.
1. Cultural, Political and Technical Divides
Every now and again I think that we’ve moved passed this only to be proven wrong in many instances. The divides that once separated the folks working on the ICS assets from those working on the IT assets still exists.
I do get the sense that there is greater communication between people holding a wrench and people wearing pocket protectors than there was a decade ago, or even just pre-Stuxnet, (there I said it – what would a blog on SCADA security be without at least one mention of Stuxnet) but it still seems to be lacking especially when discussing overall security strategies for attacks that might originate in one zone and migrate to other zones thus impacting disparate technical and cultural domains. Some preventative controls are in place between the zones but if they are bypassed there exist few solutions and processes to effectively monitor and respond to these attacks and remediate the issues collaboratively.
2. Legacy and Modern Solutions Operating Side-by-Side
Remember cowboy movies where the stagecoach carrying bags of money, generally marked with dollar signs, was robbed? There aren’t a lot of stagecoaches in operation today; instead money is moved around digitally or with an armored truck. So what does this have to do with ICS?
Equipment that’s several decades old is now communicating with equipment that's just been taken out of bubble wrap. This older equipment will have capabilities bolted on -- like TCP/IP stacks. Often these bolted on upgrades are developed in a vacuum and simply sending them a ping may knock them over. They aren’t engineered in many cases to deal with something unexpected like a ping – because as stated earlier, they may only do two or three things. Why would anybody ping them? This is why penetration testing done for critical infrastructure is rarely conducted in live networks and instead on non-production test beds.
3. The Air Gap Myth
Does anybody still think there is an air gap between the three zones and by extension public networks like the Internet? Yes some people think it but in almost every case I’ve seen they are wrong.
It is this belief that there is a magical moat protecting the ICS operations that can lead to lax security controls and limited monitoring. Because of this myth, ICS vendors may not invest in building solutions that are more secure from cyber attacks. And industry may not ask for more secure solutions because they feel the risk is low. It’s a vicious circle -- incorrect conclusions are based on false assumptions.
4. Connectivity
Some people may disagree with this, but ICS systems are highly connected. They don’t exist in a bubble anymore. They are engineered with multiple conduits for communication by default, or as outlined earlier, they have these capabilities bolted on after the fact.
Some connectivity examples include:
- Serial, IP and Serial over IP
- Modbus and DNP3
- Bluetooth and SMS
- Wired Ethernet and Wireless Ethernet
- Dial-up Modems
- Sneakernet
Many of these older systems operate perfectly fine from a non-security perspective. For example, they were designed to open and close a dam and that’s it. They weren’t designed to communicate with other systems, be monitored and measured across IT networks, etc. They simply don’t stand up to cyber attacks perpetrated through access vectors that didn’t even exist when they were designed. There is a technology gap. It’s like trying to receive a text on a rotary phone.
5. Availability Trumps All Else
Availability does trump everything else across critical infrastructure and it should. This is followed closely by integrity, but confidentially is a distant third. At the end of they day, this stuff is designed to keep working – period.
Issues arise when availability is used as a crutch for poor security. Default passwords are commonplace – think SNMP with a public sting of “public” and a private string of “private” with the difference being that knowing the default passwords on an ICS might allow you to burnout a multimillion-dollar turbine. The excuse I've heard is that if something happens and anyone needs to access the system at anytime, he or she can’t be hunting for the right password. I've heard this same logic applied to multiple users sharing one group account with no individual accountability. Even the ability to enforce encrypted communication may be defeated by an asset having an older CPU that lacks the power to support encryption, thus mandating that communication occur over clear text.
Yes availability is critical, but with these highly complex and connected systems, poor security can have an equally devastating impact on operational uptime. And this all ties back into our first point of the cultural, political and technical divide.
SCADA security is being taken more seriously but it is still fragile. Some segments of critical infrastructure are more proactive than others, but there is a long way to go and much that industry, vendors and the government can do to help – but that content for another blog.
I’m interested in hearing what other SCADA security issues you may have encountered.
Image credit: Flickr.com/teamneworleans