
Supervisory control and data acquisition (SCADA)


Utility companies, such as electricity or gas suppliers, need to offer services 24/7/365. Many of them use automated remote sites and equipment to ensure their product is always available.

These types of industries use a huge number of devices to operate and monitor equipment from a control centre. This is where SCADA comes in. Supervisory control and data acquisition (SCADA) systems, also known as Industrial Control Systems (ICS), haven’t typically been included in security risk assessments. However, these systems have become increasingly integrated with other IT and network systems, so the risk of them being attacked has increased significantly.


SCADA is a system used to monitor and control field devices. Field devices are sensors or controllers that perform an action, e.g., a sensor detects something, and a controller then opens a valve or switches on a light. An organisation may have huge numbers of these field devices, often in remote locations, so a consolidated system, i.e., SCADA or ICS, is essential to manage all these devices.

The primary risk associated with SCADA systems is that an attacker can log into the equipment and change the settings. This could lead to a change in the threshold value of a temperature alarm which could, over time, cause the device to overheat.

In theory, if this occurred in a building management system, plant equipment might catch fire, so a simple configuration change could lead to a catastrophic outage.
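
The threshold tampering described above can be caught by comparing the settings read back from field devices with an approved baseline. The following Python check is an added example, not part of the original course material; the device tags, values and the audit_thresholds function are constructed for illustration.

```python
# Constructed baseline (assumption): the approved high-temperature alarm
# setting per device tag and the temperature the equipment is rated for.
BASELINE = {
    "boiler-1/temp_high_alarm_c": {"approved": 120.0, "rated_max": 140.0},
    "pump-07/temp_high_alarm_c": {"approved": 75.0, "rated_max": 90.0},
    "xfmr-02/temp_high_alarm_c": {"approved": 95.0, "rated_max": 110.0},
}

# Constructed snapshot of the settings currently held by the field devices.
CURRENT = {
    "boiler-1/temp_high_alarm_c": 400.0,  # alarm can no longer fire in time
    "pump-07/temp_high_alarm_c": 75.0,    # unchanged
    "pump-09/temp_high_alarm_c": 80.0,    # device not in the baseline
    "xfmr-02/temp_high_alarm_c": 105.0,   # raised, still below rated limit
}


def audit_thresholds(baseline, current, tolerance=0.5):
    """Return (tag, severity, detail) for every setting that needs review."""
    findings = []
    for tag in sorted(set(baseline) | set(current)):
        if tag not in baseline:
            findings.append((tag, "UNKNOWN", "no approved baseline for this setting"))
            continue
        if tag not in current:
            findings.append((tag, "MISSING", "device did not report this setting"))
            continue
        approved = baseline[tag]["approved"]
        rated_max = baseline[tag]["rated_max"]
        value = current[tag]
        if value >= rated_max:
            # The alarm would only trigger at or above the damage point.
            findings.append((tag, "CRITICAL", f"{value} >= rated max {rated_max}"))
        elif abs(value - approved) > tolerance:
            direction = "raised" if value > approved else "lowered"
            findings.append((tag, "DRIFT", f"{direction} from {approved} to {value}"))
    return findings


if __name__ == "__main__":
    for tag, severity, detail in audit_thresholds(BASELINE, CURRENT):
        print(f"{severity:8} {tag}: {detail}")
```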

One of the most notorious attacks was the Stuxnet worm. This attacked Windows systems and Siemens industrial software, which suggested that it was a co-ordinated, targeted activity crafted specifically to attack the Iranian Nuclear Enrichment systems that it infected. It succeeded in attacking the computers that coordinated the transformation of uranium into nuclear fuel. This caused a serious nuclear accident at the Iranian Nuclear Enrichment facilities in 2009.

There was also a famous SCADA incident at a power station in Ukraine in 2015. This sophisticated operation began with a spear phishing attack which led to 225,000 residents losing power after the hackers took the power station offline.

Since the discovery of Stuxnet, the security industry has become more aware of these dangers. As a result, the risk assessment should pay particular attention to the following possible attacks:

  • Turning off equipment
  • Disrupting energy supplies
  • Overheating and blowing-up equipment
  • Physical security listening through walls/doors

Other factors that can raise SCADA risk include security-unaware employees. Employees can commit unintentional human errors which can lead to serious damage, so security awareness and training are crucial.

Lack of software and hardware maintenance can also weaken a system. Software and hardware need to be updated regularly not only to improve performance but also to advance SCADA security.

Countermeasures

Countermeasures against SCADA infiltration can include:

  • Separating the SCADA equipment and network from the general IT network. Networks should communicate through a DMZ.
  • Implementing good password management and security awareness training.
  • Protecting remote access channels, including PSTN controls and, if possible, restricting remote access.
  • Implementing VPNs to protect the connection between the components in the SCADA network.
  • Training and Education.

As you can see, a general theme when it comes to protecting SCADA systems is restricting access as much as possible. This can reduce the likelihood of a breach at source and make monitoring easier and more effective.
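
The first countermeasure, keeping SCADA traffic behind a DMZ, can be checked against a firewall rule export. The following Python check is an added example, not part of the original course material; the zone address ranges, rule names and ports are constructed, and rule ordering is not modelled (each allow rule is assessed on its own).

```python
import ipaddress

# Constructed zone layout (assumption): replace with your own address plan.
ZONES = {
    "it": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "scada": ipaddress.ip_network("10.30.0.0/16"),
}

# Constructed firewall rules: (name, action, source CIDR, destination CIDR, port)
RULES = [
    ("hist-replica", "allow", "10.30.5.10/32", "10.20.0.15/32", 5432),
    ("it-to-dmz-web", "allow", "10.10.0.0/16", "10.20.0.15/32", 443),
    ("eng-laptop", "allow", "10.10.4.22/32", "10.30.1.0/24", 502),
    ("legacy-any", "allow", "0.0.0.0/0", "10.30.0.0/16", 3389),
    ("block-it-scada", "deny", "10.10.0.0/16", "10.30.0.0/16", None),
]


def zones_touched(cidr):
    """Return the zones a CIDR overlaps; space outside the plan is 'external'."""
    net = ipaddress.ip_network(cidr)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hit.add("external")  # e.g. 0.0.0.0/0 also covers unlisted networks
    return hit


def audit(rules):
    """Flag allow rules that let SCADA talk to anything other than the DMZ."""
    findings = []
    for name, action, src, dst, _port in rules:
        if action != "allow":
            continue
        src_z, dst_z = zones_touched(src), zones_touched(dst)
        for near, far, direction in ((src_z, dst_z, "into"), (dst_z, src_z, "out of")):
            outside = sorted(near - {"scada", "dmz"})
            if "scada" in far and outside:
                findings.append((name, direction, outside))
    return findings


if __name__ == "__main__":
    for name, direction, outside in audit(RULES):
        print(f"{name}: direct path {direction} SCADA involving {', '.join(outside)}")
```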

Figure 1: SCADA users (Home, Mobile, External services, Partner)

Enormous rate of growth

Eleks estimates that SCADA system adoption is growing at an annual rate of 6.6%. Therefore, this is an area that is only going to become more significant in terms of cyber risk. With that in mind, you should pay attention to the typical weaknesses of the hardware and software your organisation uses, to avoid tailored hacks like Stuxnet or Ukraine 2015.

What's next?

Closely related to SCADA is VoIP, which you will read about in the next step.
