SCADA security: understanding your risks

By GE Fanuc


Sitting at the hubs of today’s transmission and distribution grids, SCADA systems have received a great deal of attention. The focus on infrastructure security has grown exponentially in the last decade due to various cyber threats and other vulnerabilities, putting under the microscope an industry that, since the inception of mass power generation and distribution, has never had such scrutiny.

The SCADA market has been evolving over the last 20+ years with functionality, scalability and interoperability at the forefront. For example, SCADA Software has evolved from being a programming package that enables quick development of an application to visualize data within a PLC to being a development suite of products that delivers powerful 3D visualizations, intelligent control capabilities, data recording functions, and networkability.

With SCADA systems advancing technologically and implementations becoming increasingly complex, it’s difficult to know where to start in securing the entire system. NERC standards have taken aim at ensuring that critical SCADA systems are more secure, and companies are reviewing their information security systems and standards to conform to these new regulations. Yet what many companies fail to realize is that these regulations are designed to ensure reliability—not to secure the entire system. 
   
Vulnerabilities of a SCADA system
To minimize existing security gaps, companies need to first understand where potential vulnerabilities typically lie within the system. Powerful software features, along with the advancements in automation hardware and industrial communications, have made power and energy control systems multi-layered, complex and susceptible to threats.

A SCADA system’s level of security is best understood if broken down into two major elements: Communication and Software Technology.

Communication
Communication advancements have made large-scale SCADA system implementations successful for electrical generation, distribution and transmission applications. There are two levels of communication that exist within the system—information technology (IT) and the field, which have notable security level differences.

IT – Components of the SCADA system are modular, not only to allow for easy troubleshooting but also to distribute the computing load and eliminate a single point of failure. It is not uncommon to have multiple thick, thin, web and mobile runtime clients connected to the main SCADA server hub over an internal Ethernet-based network, but in some cases, systems may use external leased lines, modems, wireless, cellular, or satellite technologies in order to cover the vast distances that a power grid SCADA system demands.

The main SCADA server hub also consists of multiple networked servers to distribute the load, ensure uptime and store the mass amount of data. With these components all networked in some way, they use standardized common protocols to transfer data, which are largely unencrypted and require weak or no authentication.

Field – With the industry adopting standardized communication protocols such as DNP3 and IEC61850, a wide variety of SCADA software can communicate with remote substations, devices and RTUs with minimal effort. This communication is typically two way and facilitates the system’s ability to perform binary functions such as the opening and closing of switchgear, relays, diverters and more. The general ideology when these communication protocols were developed was to keep it simple with a high level of reliability, which left the integration of data encryption out of the design.

Software Technology
Software has largely become feature-bloated as companies keep adding new features while maintaining all of the existing ones, increasing the complexity of software security. There are two separate but interdependent software technologies in the system, the SCADA software and the Platform Operating System, which have distinct differences when it comes to security.

SCADA Software – Most SCADA software installations have either external network connections or direct Internet-based connectivity to perform simple remote maintenance functions and/or connect up to enterprise systems. While these types of connections help companies reduce labor costs and increase the efficiency of their field technicians, they are a key entry point for anyone attempting access with malicious intent.

Platform Operating System – More and more utilities choose to utilize operating systems that employ elements of consumer or “open” source operating systems such as Windows Server, Linux and Unix variants to reduce costs. This trend toward consumer-based technologies has made proprietary, custom, closed, highly secure systems a thing of the past, but it increases the risks.

Also, because SCADA systems are complex and contain multiple layers of technology, even a simple system patch is a major undertaking that requires planning, funding and time. The risk elements are also substantial because many systems now rely solely on their SCADA system for visualization, data recording and some control elements. For this reason, some utilities hold back on patches, service packs and upgrades, while others choose not to apply any new patches, employing an “it works, don’t touch it” policy.

Some would say that even if utilities could keep their platforms current, with the fast pace of consumer-based operating systems and large number of system exploits, platform operating systems connected to the internet are the single largest security risk in the system.


The inherent security of system designs minimizes some risks
The good news is that some vulnerabilities are minimized by the nature of electrical systems and their SCADA software designs, whereby the fundamental principles and canons of engineering mandate safe and reliable systems and provide a level of security against terrorism.

Looking closely at a sample design ideology, the general design rule can be summarized as “if a single point of failure exists, protect it or provide secondary means,” and system design engineers use this rule for all levels of the system.

• Software: With many viewing SCADA software as a visualization tool that provides a means for dynamic operator input and visualization as a flexible information terminal, the reality is that software capabilities are much more exhaustive. When elements are added such as control and logic capabilities, system engineers must examine the risk from a potential failure standpoint and the extent of control that is allowed without being in sight of the component(s) being controlled.

Software is also developed from the operator’s perspective and uses company guidelines throughout the application to ensure the operator is controlling with intent. For example, the “select before operate” design philosophy is typically used in SCADA applications, which requires the operator to select an item on the screen, pull up the controlling elements, then operate the item and finally confirm in order to send the command. While this may seem like a simple ideology or a drawn out process, the intentional design ensures an operator’s actions are deliberate as opposed to hastily reacting to an urgent situation.

• Hardware: At this level, design engineers employ many techniques to ensure safe control, either physically or by the SCADA software. Thousands of individual devices & remote terminal units (RTUs) can exist in a system and are typically implemented with an area-based manual or automatic control selection; field technicians use manual control to perform maintenance or to address a software failure—locking out the software control and establishing local control.

Additionally, when engineers and electricians design and install this level of the system, many hardware-based fail-safes are built in. Items such as fusing or interlock logic examine the local situation, so when the electrical components are commanded by the software, there is a hardware level of checks to ensure the command can be executed. This protects the system from unsafe or even incorrect software control. Furthermore, many critical applications use triple and quad redundant logic controllers to ensure continuous operations.

The design philosophies drive a holistically safe and secure environment, which can severely impede an intruder’s ability at the SCADA software level to trigger a massive destructive event like surges, explosions or overloading.
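The “select before operate” sequence described above can be enforced in software as a small state machine. The following is an added example, not code from GE Fanuc or any SCADA product; the class name, point names and the selection timeout are assumptions made for illustration.

```python
import time

class SelectBeforeOperate:
    """Gate for one operator session: select -> operate -> confirm -> send."""

    def __init__(self, send, timeout_s=10.0, clock=time.monotonic):
        self.send = send            # callable that transmits (point, action) to the field
        self.timeout_s = timeout_s  # assumption: a stale selection expires
        self.clock = clock
        self._reset()

    def _reset(self):
        self.point = self.action = self.deadline = None

    def _expired(self):
        return self.deadline is not None and self.clock() > self.deadline

    def select(self, point):
        """Step 1: the operator picks the item on the screen."""
        self._reset()
        self.point = point
        self.deadline = self.clock() + self.timeout_s

    def operate(self, point, action):
        """Step 2: the operator chooses the action for the selected item only."""
        if self.point != point or self._expired():
            self._reset()
            return False
        self.action = action
        return True

    def confirm(self, point, action):
        """Step 3: the command is sent only if it matches what was selected."""
        ok = (self.point == point and self.action is not None
              and self.action == action and not self._expired())
        if ok:
            self.send(point, action)
        self._reset()               # every confirm, good or bad, clears the selection
        return ok
```

A command that skips a step, names a different point, arrives after the timeout or is replayed is dropped without reaching the field device.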

Be proactive: Enhance your security with software capabilities
Even the safest system design and NERC standards cannot secure a system 100%, and therefore, companies should not rely on them wholly to protect their systems. Those that make this realization today can take a proactive approach to enhancing security in their new systems upfront rather than retrofitting them later.

Off-the-shelf SCADA vendors offer software security-based elements that companies can leverage in their systems to minimize the security gaps, including:

  • Biometrics – When bio-security elements are integrated into the system, customers can program their system to require finger scans to perform specific functions such as switching on and off the grid’s main switchgears, which ensures that the appropriate person is physically present to execute the order. This type of integration eliminates the possibility of a hacker performing the same operation virtually, reducing the overall potential impact and enhancing the overall system security.
  • Electronic Signature – Many view this option as a simple reporting tool; however, the features are much more comprehensive. For example, it can introduce authentication potential at the command level to verify the user performing the operation with a user name and password as well as a separate authentication, typically a manager, for verification. The information is then stored in a system audit trail that can be recalled in the future; some customers also choose to integrate this feature with biometrics to eliminate the use of a single, widely known user name and password.
  • Trusted Connections & Client/Server Data Encryption – Some off-the-shelf SCADA software products now have built-in features that limit the allowable client connections to known computers and use integrated data encryption for client communications. This eliminates the possibility of a terrorist or hacker simply loading the SCADA client and connecting over the network.
  • Domain Authentication – To leverage complex alphanumeric passwords at the SCADA level, some software packages offer an add-on capability that introduces Windows Domain Authentication security integration. The application maps group memberships to the SCADA roles and when integrated, the users and subsequent passwords are managed at the IT level. This allows for the SCADA application to leverage existing group IT level policies, which are typically very stringent and can exceed NERC requirements.
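The Electronic Signature and Domain Authentication items above combine naturally: a command is released only when the performer and a separate verifier both authenticate, their group memberships map to the required SCADA roles, and every attempt lands in the audit trail. This is an added example, not code from any vendor product; the group names, accounts, role names and the in-memory directory standing in for the domain are all constructed for illustration.

```python
import hashlib, hmac, os, time

# Hypothetical domain groups mapped to SCADA roles (constructed for this example).
GROUP_TO_ROLE = {"GRID-Operators": "operator", "GRID-Supervisors": "supervisor"}
AUDIT_TRAIL = []  # every attempt is recorded, released or not

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password, groups):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "groups": groups}

# Constructed accounts standing in for the IT-managed domain directory.
USERS = {
    "alice": make_user("correct horse 1", ["GRID-Operators"]),
    "bob": make_user("battery staple 2", ["GRID-Supervisors"]),
}

def authenticate(user, password):
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))

def roles_for(user):
    return {GROUP_TO_ROLE[g] for g in USERS[user]["groups"] if g in GROUP_TO_ROLE}

def signed_command(command, performer, verifier):
    """performer and verifier are (user name, password) pairs; True means released."""
    (p_user, p_pw), (v_user, v_pw) = performer, verifier
    if not authenticate(p_user, p_pw):
        reason = "performer authentication failed"
    elif not authenticate(v_user, v_pw):
        reason = "verifier authentication failed"
    elif p_user == v_user:
        reason = "verifier must be a different person"
    elif "operator" not in roles_for(p_user):
        reason = "performer lacks operator role"
    elif "supervisor" not in roles_for(v_user):
        reason = "verifier lacks supervisor role"
    else:
        reason = None
    AUDIT_TRAIL.append({"time": time.time(), "command": command, "performer": p_user,
                        "verifier": v_user, "released": reason is None, "reason": reason})
    return reason is None
```

Rejected attempts are logged with their reason, so the audit trail shows who tried to issue a command as well as who succeeded.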

Funding in today’s business climate
Improving an overall system’s security can be a costly endeavor, and companies must find the right balance between spend, design and process to make their systems safe. This is especially true as companies face increasing cost reductions mandated in today’s challenging economic environment. In response, off-the-shelf SCADA vendors have developed industry solution packs that include specifically tailored tools to help reduce development and overall system costs.

For example, GE Fanuc Intelligent Platforms’ iPower offering provides complete pre-developed SCADA drag-and-drop elements, graphics, toolsets and configuration tools that significantly reduce both the initial and ongoing costs associated with SCADA software. As a result, these packs enable cost savings that companies can re-route into additional security software and hardware to augment the inherent safety of their systems—reducing overall vulnerability.

Conclusion
The vulnerabilities of SCADA systems pose a serious threat, and the complex nature of the multiple technologies makes it difficult to completely secure our utility infrastructures. But companies can minimize their security gaps if they better understand where vulnerabilities exist and what options are available to address those susceptible areas.

They must also realize that NERC standards are a step in the right direction toward critical infrastructure protection, and that the inherent safe design of most SCADA systems offers some protection, but that these are by no means enough to fully protect their systems. A proactive approach, which can include the implementation of off-the-shelf enhanced security capabilities, can significantly minimize risks and costs for a sustainable competitive advantage.

Contact details:
Marcel Van Helten, Global Industry Director, Infrastructure
E: marcel.vanhelten@ge.com, W: www.gefanuc.com