Non-technical manager’s guide to protecting energy ICS/SCADA


SCADA/RTU Interface

Redundant, secure communication links between RTUs and the central ICS/SCADA application form the basis of a reliable, secure, and safe enterprise. The processes of power routing automation, warning systems, and production/transmission all require communication mediums that may include low-speed dial-up phone lines, medium speed radio frequency, and high-speed, broadband wired/wireless IP.

Most RTU systems do not meet Data Encryption Standard (DES) and Advanced Encryption Standard (AES) requirements. There is an expense associated with upgrading and incorporating new RTU systems using industry-standard encryption routines. There is an even greater expense when an entire company suddenly goes black, perhaps because its ICS/SCADA security-by-obscurity policy (the vain attempt to remain safe because nobody would ever look for them) was ineffective.

Data must be encrypted, both in transmission and at rest. Data exfiltrated in encrypted form generally is useless to an attacker. Watermarks may be used to identify company data and, if data is stolen, to identify the rightful owner, simplifying the identification and prosecution of the thieves. Intrusion Detection Systems and Intrusion Prevention Systems must be configured to verify all packets as valid, to deter man-in-the-middle attacks as well as to prevent unauthorized access by rogue programs.

The RTU interface may be enhanced by allowing for multiple passwords at multiple access levels. Multiple passwords support the compartmentalization of application software and ICS/SCADA hardware access control, limiting each user to least privilege. All hardware should cloak IP addresses through the use of hardware firewalls.

Organizations should maintain a non-repudiation-based system, assigning a digital login for each and every action. An RTU must autonomously keep track of all access-related activities as well as fulfill its basic function. Always remove, disable, or rename default accounts and require the use of strong passwords. Consider the use of asymmetrically encrypted password protection and maintenance programs like LastPass.

Legacy/stand-alone design

ICS/SCADA systems have long operational lives (10+ years). With some systems up to 30 years old, it is difficult not only to find replacement parts but even to find technicians familiar with the components and operating systems. Legacy systems often are associated with legacy communication equipment with similar issues. Companies blindly continue to depend upon “security-by-obscurity.”

Were this ever an effective technique, it has been defeated by tools such as the SHODAN search engine. SHODAN, instead of indexing web page content, indexes data on HTTP, SSH, FTP, and SNMP services for a good portion of the IP net blocks that make up the Internet. So what? An attacker could instantly discover specific devices and manufacturers by using a simple Google-like search. Obscurity is dead.

Many manufacturers have long since abandoned the support or production of legacy ICS/SCADA hardware, hardware that continues to faithfully serve. With no need for a functional replacement, the need for a secure replacement often is ignored. Developers are not willing to incur the cost of research and development on a replacement for a perhaps unique, decades-old electromechanical device, while business managers are reluctant to spend money to replace a system that still functions. This is false economy. Legacy systems cannot withstand modern attacks and APTs.

Mandiant, a U.S.-based security firm, released a report in February 2013 that disclosed a recent Chinese military-related cyber-attack on a single company with remote access to more than 60 percent of oil and gas pipelines in North America. If the attack had been intended to disable, it could have had far-reaching consequences for energy supply and the environment across the US and Canada.

Call to action

Legacy systems are not designed to function within the Internet, or to communicate securely, or to defend themselves from the above-described attacks. The energy sector must come to terms with this and accept the operating cost of upgrading or replacing legacy and unsecured systems with those that support cloaking, firewalls, encryption, and other self-defense measures.

It is not unusual for energy sector partners to experience multiple millions of probes or attacks in a single day. One electrical producer reported 17.8 million occurrences in a 24-hour period. This is the reality of cybersecurity; the attacker only has to be lucky once. You, as the defender, must be perfect every time.

The loss of even short-term energy sector capability could be devastating for the lives of all U.S. citizens. Managers within this sector bear a social, moral, and legal responsibility to protect all facets of cyber and physical security within their span of control.

No longer is the question, “Can we afford the equipment?” The question has become, “When my industry becomes incapacitated in a cyber-attack, who will the public blame? Who will find their names in the newspaper? Who stands to lose everything?” The answer is, you and your company.

Colonel Bryk retired from the USAF after a 30-year career, last serving as an Air Attache (military diplomat) in Central Europe. He holds an MBA from the University of North Dakota and hopes to combine that knowledge with his upcoming MS in Cybersecurity in order to protect our Critical Infrastructure.

Copyright © 2015 IDG Communications, Inc.
