Unknown SCADA Connections Could Mean Disaster

by Michael Markulec

• Analyzing TCP/IP connectivity in assets and networks, uncovering risk patterns and pinpointing policy weaknesses is crucial to power utilities and other critical industries where water level and pump control vulnerabilities could risk lives.

The ease with which TCP/IP (Transmission Control Protocol/Internet Protocol) enables one to connect networks has been a huge boon for the power generation industry. Far-flung operations can be hooked up to the network and controlled remotely, and devices that once required manual adjustment can now be tweaked with the click of a mouse button. The easy flow of information throughout the organization has made nearly every aspect of business more efficient and effective.

But easy connectivity isn't always desirable, especially with supervisory control & data acquisition (SCADA) systems that control the vital infrastructure of industrial operations in water management and power systems, traffic signals, mass transit systems and others. One thing is certain: SCADA security incidents will occur and, given how much of the world's infrastructure they control, could potentially have serious repercussions.

In fact, some serious accidents and safety breaches have resulted from linking SCADA systems to the main TCP/IP network. In March, for instance, the 883-megawatt unit 2 at the Hatch Nuclear Power Plant in Georgia had an emergency shutdown as a result of a software update made on the plant's business network. The update synchronized information on both systems, wiping out much of the data on the SCADA side. After everything was reset following a reboot, the SCADA safety system detected a lack of data, which it interpreted to mean the water level in the cooling systems for the nuclear fuel rods had dropped — a dangerous situation indeed, if in fact it actually occurred. Unfortunately, the safety system instigated an automatic shutdown due to a software update.

Engineers were aware of the two-way communication link, but didn't know the update would synchronize data between the two systems. Luckily, in this case, no one was hurt, but as with any unplanned shutdown, it was expensive, as the plant was completely offline for three days. Still, it was only the latest in a string of accidents and unnecessary shutdowns caused by some problem on the network. The Browns Ferry nuclear plant in Alabama, for example, shut down in 2006 when a network traffic overload locked up pump controls. And in 1999, a steel gas pipeline ruptured near Bellingham, WA, with tragic results: two children and an 18-year-old were killed and eight others injured. A subsequent investigation found that a computer failure just prior to the accident locked out the central control room operating the pipeline, preventing technicians from relieving pressure, which caused the explosion.

Some engineers believe the best protection is to sever all ties between the business and SCADA networks, but they would be mistaken in thinking that the SCADA network is safe without a regular assessment of connectivity to ensure no connections between the SCADA network and corporate network appear. TCP/IP networks are designed to make connectivity easy, and the ubiquity of today's corporate networks open up the possibility of someone inadvertently connecting SCADA to the larger network, with potentially disastrous consequences.

In truth, industry need not necessarily give up on the cost and management advantages of connecting its SCADA networks to the larger network. As long as strong safety systems are in place and frequent and regularly scheduled network scans are conducted to understand the full scope of connectivity and guarantee all connections conform to security policy, critical infrastructure should not fall prey to unforeseen security risks.

Understanding the network risk profile of today's SCADA systems requires new insights into the nature of security threats. Following are examples of common network vulnerabilities today's utility companies face when implementing next generation networks:

• Remote access vulnerabilities — SCADA and other process control system networks often consist of a primary network linking SCADA-related facilities, with additional connections to the corporate network of the utility company. Since network connectivity is often permitted to the Internet, business partners, regulators and outsourcer networks, there's increased potential for unauthorized access to supposedly "separate" SCADA networks as well. Use of remote access services also increases likelihood of security breaches.

• Network leak vulnerabilities — Improper network configuration often leads to inbound and outbound network leaks — between SCADA networks, corporate networks, business partners, regulators and outsourcers, and even the Internet — which pose a significant threat to network reliability. Network leaks can allow worms, viruses or hackers direct visibility to vulnerable SCADA systems.

• Network security design — The network infrastructure layer that supports SCADA and other process control systems is often developed and modified based on business and operational requirements, with little consideration for the potential security impact of network changes. Over time, security gaps may be inadvertently introduced within the network infrastructure. These gaps may represent a back door, or even a front door, into networks.

• Lack of formal and documented SCADA network policies, processes and procedures — Due to highly proprietary and legacy nature of these systems, owners, administrators and vendors often don't follow strict configuration change management procedures. This may lead to security oversights that may again lead to serious network exposures and risks.

• Improperly configured and/or unauthorized network services — Use of improperly configured or unauthorized network services running on systems, such as SendMail, Finger, Telnet, FTP and NFS can create network exposures that can leave systems vulnerable to attackers.

To protect their SCADA networks, utilityies and other industrial companies need to develop comprehensive security risk management programs that adopt a proactive approach to isolating and closing network exposures that are often the "first point of attack" for intruders and are weaknesses vulnerable to internal errors like the incident at the Hatch Nuclear Power Plant. Solutions now exist to identify network vulnerabilities while also conveying a deep understanding of how network defenses are deployed in relation to SCADA systems.

Via sophisticated data analysis techniques, these solutions can show how an IP-based SCADA network is "wired together" including all the sub-networks, systems, devices, and routes that IP traffic can traverse. Through use of regular scans, organizations can understand how their network is changing over time — even identifying devices previously unknown to administrators — so as to ensure their SCADA networks remain separate and secure.

Conclusion

Unknown network connections aren't just security risks. When you're talking about the controls systems for nuclear power plants, hydroelectric dams, chemical factories and other vital infrastructure, stakes could quite literally involve hundreds or thousands of lives. The complex designs, interconnected nature and extreme sensitivity of SCADA and other process control systems mandates utility and other critical industrial organizations implement comprehensive plans for assessing and mitigating potential network vulnerabilities and threats. To do this successfully requires development of security risk management programs that start with gaining control over network risk.