SCADA on thin ice

Industrial control systems pose a little-noticed security threat.

Editor's note: The sidebar titled "First steps to control systems security" was updated at 11 a.m. May 8, 2006, to correct the name of the Process Control Systems Forum.

The electronic control systems that act as the nervous system for all critical infrastructures are insecure and pose disastrous risks to national security, cybersecurity experts warn.

Supervisory control and data acquisition (SCADA) and process control systems are two common types of industrial control systems that oversee the operations of everything from nuclear power plants to traffic lights. Their need for a combination of physical security and cybersecurity has largely been ignored, said Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit, an independent research group funded by the Homeland Security Department.

Control systems security is one of six areas of critical vulnerabilities Borg included in a new cybersecurity checklist released in April by the research group.

The private-sector owners of critical infrastructure refuse to release data and deny that their aging, inherently insecure systems pose any security risk, said Dragos Ruiu, an information technology security consultant to the U.S. government who runs several hacker conferences. Control systems security has been a hot topic in the past year at those conferences.

“It’s one of those issues that is so big, you just don’t want to see it because any solutions will be expensive, awkward and prohibitive,” Ruiu added.

Average hackers can break into the systems, said Robert Graham, chief scientist at Internet Security Systems (ISS). He, Borg and other experts fear that major cyberattacks on control systems could have socioeconomic effects as severe and far-reaching as Hurricane Katrina or even the 1986 Chernobyl nuclear disaster in Ukraine.

Most experts agree that measuring the risk from cyberattacks on critical infrastructure is difficult. Attacks are rare because control systems are still complex and individualized enough to make cracking them difficult, although a hacker who knows a particular system well can break into it easily, said Jason Larson, senior cybersecurity researcher at the Idaho National Laboratory, which leads federal efforts on critical infrastructure cybersecurity.

Even if a facility has not been attacked, that doesn’t mean it’s secure or the threat isn’t real, said Michael Assante, senior manager of critical infrastructure protection at the laboratory. “The idea that the technology is obscure and not well-understood by a potential aggressor is dangerous thinking,” he wrote in an e-mail message.

Government and industry have known for years that critical infrastructures offer ripe targets for attack. In 2002, the FBI’s National Infrastructure Protection Center found that al Qaeda members had sought information on control systems for water supply and wastewater management facilities.

Open-heart surgery

Control systems are built to run around the clock for decades without interruption or human intervention. A single critical infrastructure facility can have thousands of SCADA devices spread over hundreds of miles.

Because of the systems’ structure and management, standard IT security practices don’t work for them, experts say.

“It’s more like open-heart surgery,” said William Rush, a physicist at the Gas Technology Institute, a nonprofit research organization for the natural gas industry.

The systems have proprietary operating systems and applications that run on 20- to 30-year-old hardware built before security became a major IT issue, leaving them riddled with vulnerabilities.

According to conventional wisdom, critical infrastructure owners can’t upgrade or patch systems because any jitter or delay caused by IT security features could lead to catastrophic breakdowns costing millions of dollars. Any mistakes in IT implementation could affect the processes the systems control, leading to product alterations, chemical interactions, explosions or worse.

The situation got even more complicated in late 2001 when infrastructure owners started connecting their control systems to Internet-enabled corporate networks to maximize the use of their sophisticated equipment, said Eric Byres, research leader at the Internet Engineering Lab at the British Columbia Institute of Technology, a leading industrial cybersecurity research facility.

That introduced new vulnerabilities on top of existing ones and created complex connections that opened new backdoors, Byres said. The result is a smorgasbord for would-be attackers. “It’s open season,” he said.

‘The stories here are terrifying’

Utility owners say they realize cyberattacks pose a risk but don’t see it as a huge problem, Rush said. The federal government says industry is responsible for protecting critical infrastructure and has told both industry and vendors to get moving. Vendors, however, are waiting for sufficient demand for security products to make them, while industry is waiting for an ample supply of products to buy them.

“It’s a chicken-and-egg situation,” Rush said. All parties are waiting for government standards to guide and certify their efforts.

But Rush and other experts who are passionate about improving security fume at the delays. “Everyone’s waiting for a major catastrophe to happen before they do anything,” Graham said. “There will never be a big move until the government or [malicious] hackers force it.”

Until then, tailored attacks by an individual or a massive worm attack could bring down critical infrastructure. “The stories here are terrifying,” Borg said.

In January 2003, the Slammer worm infected the safety monitoring system at the Davis-Besse nuclear power plant in Oak Harbor, Ohio, and replicated so fast that it disabled the system for nearly five hours. The worm knocked out the plant’s central command system for six hours. A report from the North American Electric Reliability Council found that power wasn’t disrupted, but the failure stopped commands to other power utilities.

At the Black Hat Federal conference in Arlington, Va., in January, Graham presented a dozen horror stories of control system insecurity. For example, during negotiations to provide penetration testing to a critical infrastructure facility, the facility’s operators confidently told an ISS team they didn’t need help because their control system was already secure.

The ISS team promptly found an unsecured wireless access point connected to the facility’s business network, which in turn linked to the control system, Graham said. Using a 10-year-old exploit for Sun Microsystems’ Solaris operating system, the team took over the control system as the operators watched. When the team was within a few keystrokes of breaking something sensitive, the facility’s operators begged them to stop. Needless to say, he said, ISS got the job.

Solutions grow into maturity

The control systems security situation isn’t all bad, said John Sebes, chief technology officer and general manager of the public sector at Solidcore, which develops software that monitors changes to servers and prevents unauthorized code from running on them. The vulnerabilities are real and serious, but facilities now have their pick of mature security products to harden their systems, he said. With work and patience, critical infrastructure sectors have found they can use IT security best practices and install commercial IT security products without crashing control systems, he said.

“Industry as a whole has been moving away from the Chicken Little syndrome,” said Keith Stouffer, a mechanical engineer in the Intelligence Systems Division of the National Institute of Standards and Technology’s Mechanical Engineering Laboratory. “The problem is addressable. Let’s start addressing it.”

Industry had better get a move on as attackers ramp up attacks, Graham said. ISS is predicting an increased frequency of minor attacks on control systems during the next three years. “We see it’s inevitable,” Graham said. “We have seen it in every other industry, and these guys are next.”

First steps for control systems security

Experts agree that much can be done to improve control systems security, but those who want to do so must create compelling business cases that convince senior management and infrastructure owners that the investment is worthwhile, said Michael Torppey, technical manager of the Process Control Systems Forum, an industry group that focuses on control systems security.

The federal government should provide regulations and incentives for information security companies to offer better products, said Jason Larson, senior cybersecurity researcher at Idaho National Laboratory, which leads federal efforts on critical infrastructure. His colleague Robert Hoffman, cybersecurity research manager at the lab, said infrastructure owners should find the most evident vulnerabilities first, prioritize them and implement enough security to reach a minimum acceptable level of risk.

Vendors must develop industry-specific security software with critical infrastructure sectors, said Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit. Currently, each sector has three or four software suppliers that everyone uses, he said. The same or similar products are used to protect oil refineries, hospitals, power grids and other facilities — all with different equipment and weaknesses.

“No wonder we’ve got vulnerabilities,” Borg said.

— Michael Arnone

Control systems: Your brain on a network

Industrial control systems are the nervous system of critical infrastructure. They connect networks of sensors that read data, relay commands and send alerts when something goes wrong. The systems manage production and distribution of products and enforce safety procedures.

Supervisory control and data acquisition systems and process control systems are two common types of control systems. SCADA systems place their computing power in the field and use radio and Internet connections to control many devices over a broad geographic area, often hundreds of miles. Process control systems centralize information technology in an operator’s console and offer real-time control of everything in a small geographic area or one facility. Facilities often have both kinds of systems in place.

SCADA and other control systems don’t have direct connections to the Internet, but malicious hackers can access them through facilities’ corporate networks that do connect to the Internet. The systems have little built-in security and are easy pickings.

Once in control, malicious hackers can access sensitive facility information or interfere with regular operations. They can stop or alter normal business processes, such as causing a valve to open at the wrong time. Their actions can cause accidents that cost millions of dollars and put human lives in jeopardy.

— Michael Arnone
