SCADA Security Methods and Techniques in M.P. East Discom: Abstract


Dr. ASHOK KUMAR TIWARI, EE (RAPDRP-SCADA), MPPKVVCL, Jabalpur
Dr. VIVEK CHANDRA, Head IT, MPPKVVCL, Jabalpur
Abstract:

Supervisory control and data acquisition (SCADA) systems are vital components of most nations’ critical infrastructures. They control pipelines, water and transportation systems, utilities, refineries, chemical plants, and a wide variety of manufacturing operations. SCADA provides management with real-time data on production operations, implements more efficient control paradigms, improves plant and personnel safety, and reduces costs of operation. These benefits are made possible by the use of standard hardware and software in SCADA systems combined with improved communication protocols and increased connectivity to outside networks, including the Internet. However, these benefits are acquired at the price of increased vulnerability.

Power Distribution Utilities, information security professionals, control engineers, managers, and a cadre of government and private officials are recognizing the importance of protecting SCADA systems. This recognition is not as widespread as it should be at this time, but it is growing. From believing that SCADA systems were invulnerable or, at least, not of interest to anyone with malicious intent, the SCADA community is developing security standards, conducting training, and focusing on best practices and safeguards for securing SCADA systems. The same risk management and vulnerability analysis techniques that have been standard practice for IT systems are now being applied to SCADA systems and their associated networks and control components. The utility is categorizing the threats to SCADA operations and developing guidelines and methodologies for improving their security posture. In this paper various issues on SCADA systems are discussed along with the strategy being followed by M.P. East Discom.

Introduction:
For reasons of efficiency, maintenance, and economics, data acquisition and control platforms have migrated from isolated in-plant networks using proprietary hardware and software to PC-based systems using standard software, network protocols, and the Internet. The downside of this transition has been to expose SCADA systems to the same vulnerabilities and threats that plague Windows-based PCs and their associated networks. Some typical attacks that might be mounted against SCADA systems that employ standard hardware and software are listed here:

■■ Malicious code such as viruses, Trojan horses, and worms
■■ Unauthorized disclosure of critical data
■■ Unauthorized modification and manipulation of critical data
■■ Denial of service
■■ Unauthorized access to audit logs and modification of audit logs

Most SCADA systems, particularly the local PLCs or controllers, have to operate in real-time or near real-time environments. Thus, they cannot afford delays that might be caused by information security software and that interfere with critical control decisions affecting personnel safety, product quality, and operating costs. Also, plant SCADA system components do not usually have excess memory capacity that can accommodate relatively large programs associated with security monitoring activities. In summary, conventional information technology (IT) systems are concerned with providing for internal and external connectivity, productivity, extensive security mechanisms for authentication and authorization, and the three major information security principles of confidentiality, availability, and integrity. Conversely, SCADA systems emphasize reliability, real-time response, tolerance of emergency situations where passwords might be incorrectly entered, personnel safety, product quality, and plant safety.

SCADA and IT Convergence in Discoms
There is an emerging trend in many organizations comprising SCADA and conventional IT units toward consolidating some overlapping activities. For example, control engineering might be absorbed or closely integrated with the corporate IT department. This trend is motivated by cost savings achieved by consolidating disparate platforms, networks, software, and maintenance tools. In addition, integrating SCADA data collection and monitoring with corporate financial and customer data provides management with an increased ability to run the organization more efficiently and effectively.

Conventional IT Security and Relevant SCADA Issues
Over the years, information system security professionals developed a number of generally accepted best practices to protect networks and computing infrastructures from malicious attacks. However, these practices cannot be applied directly to SCADA systems without accounting for the different requirements of IT and SCADA systems. The following list provides examples of IT best practices and the state of their application to SCADA systems:

Audit and monitoring logs: After-the-fact analysis of audit trails is a useful means to detect past events. Monitoring, on the other hand, implies real-time capture of data as a system is operating. Both techniques are successfully employed in IT systems. Their application to SCADA systems will yield benefits similar to those derived from their use in IT systems. Because of the varying ages and sophistication of some SCADA system components, many do not have logging capabilities. The cost of installing, operating, and maintaining extensive auditing and monitoring capabilities in a SCADA application must be weighed against the potential benefits.

Biometrics: Biometrics are attractive because they base authentication on a physical characteristic of the individual attempting to access relevant components of a SCADA system. Currently, biometrics are promising, but are not completely reliable. Depending on the characteristic being examined, there might be a high number of false rejections or false acceptances, throughput problems, human factor issues, and possible compromises of the system. However, the technology is progressing and biometrics should become a viable option for controlling SCADA system access.

Firewalls: Firewalls can be used to screen message traffic between a corporate IT network and a SCADA network. Thus, in many instances, a firewall can protect SCADA systems from penetrations that have occurred on the corporate side. Some issues that have to be considered when applying firewalls to SCADA systems are the delays introduced into data transmissions, the skill and overhead required to set up and manage firewalls, and the lack of firewalls designed to interface with some popular SCADA protocols.

Intrusion detection systems: Intrusion detection systems (IDSs) are either host-based or network-based. A host-based IDS can detect attacks against the host system, but does not monitor the network. Alternatively, a network-based IDS views the network by monitoring network traffic and assesses the traffic for malicious intent. IDSs are useful in protecting SCADA systems, but cannot be universally applied because, at this time, IDSs are not available for some SCADA protocols. As with other safeguards, IDSs might slow down certain SCADA operations and their cost and operation have to be weighed against the potential benefits derived from their use.

Malicious code detection and elimination: The computational overhead associated with detecting and eliminating malicious code that might infect a SCADA system can seriously affect the real-time performance of SCADA system components. Activities such as running antivirus software, updating virus signature databases, and quarantining or deleting malicious code require time and computing cycles that might not be available on SCADA system components. Updating virus databases from the Internet also exposes the SCADA systems to additional viruses and attacks from the Internet. Again, the cost of antivirus implementations must be weighed against the perceived SCADA risks and benefits of such software.

Passwords: In a SCADA environment, a control operator might need to enter a password to gain access to a device in an emergency. If the operator types in the password incorrectly a few times, a conventional IT security paradigm, which presumes an intruder trying to guess the password, is to lock out the operator. Locking out the operator is not a good thing in real-time control environments. For operators on local control devices, passwords might be eliminated or made extremely simple. At the supervisory level, better and longer passwords might be used, two-factor authentication employed, and challenge-response tokens used. In situations where the passwords might be subject to interception when transmitted over networks, encryption should be considered to protect the password from compromise.

Public-key cryptography: With public-key or asymmetric-key cryptography, there is no need to exchange secret keys between sender and receiver. A public key is available to anyone wishing to communicate with the holder of the corresponding and mathematically related private key. The private key is protected and known only to the receiving party. The main feature of public-key cryptography is that it is virtually impossible to derive the private key from the known public key. Public-key cryptography also provides the ability for a sender to digitally sign a document and transmit it for anyone to read who can access the sender’s public key. This signing guarantees that the document was sent by the owner of the private key of the public-key–private-key pair. As one can deduce, key management, including certification that the public key actually belongs to the named person, is an important issue that has to be handled by the
organization. Relative to SCADA operations, public-key cryptosystems require relatively long processing times that are incompatible with the real-time requirements of control systems. Symmetric-key cryptosystems, discussed in the next section, are more suitable for use in the SCADA environment.

Symmetric-key cryptography: With symmetric-key cryptography, also known as secret-key cryptography, the sender and receiver have to share a common, secret key. This key is used to encrypt the message at the transmitting end and decrypt the message at the receiving end. Thus, the secret keys have to be distributed securely from all transmitters to all receivers. This distribution is a concern. One popular solution is to use public-key cryptography to distribute the secret key and then use symmetric-key cryptography to send the message. Because the key length is relatively short compared to the messages, time is not an issue with public-key cryptography. Symmetric-key cryptography is orders of magnitude faster in operation than public-key cryptography. Symmetric-key cryptography has not yet been widely applied to SCADA systems. It is applicable to data transmitted over a long-distance SCADA network and is not as important in local plant control loops. Symmetric key encryption will be applied to the critical portions of a SCADA network.

Role-based access control: This type of access control is gaining popularity in government and industry sectors because of its ability to accommodate changes in personnel and organizations. In this type of security control, access is based on the role of a person in an organization rather than the identity of the individual. It has not yet been widely applied to SCADA systems but holds promise for use at the supervisory level of SCADA operations.

Redundancy as a Component of SCADA Security
In addition to technical and administrative security controls, various physical security measures can be applied to protect SCADA systems. Backup, duplicate, geographically separated control centers can provide redundancy and, therefore, protection against human attacks and natural disasters. On a smaller scale, a hot backup standby SCADA system at the supervisory control center provides a means to continue operating if the primary system is disabled. As an additional security layer, the SCADA control center could be located in a remote area in an unmarked, inconspicuous building.

Security and Vulnerability of SCADA Systems
SCADA systems have evolved in recent years and are now based on open standards and COTS products. Most SCADA software and hardware vendors have embraced Transmission Control Protocol/Internet Protocol (TCP/IP) and Ethernet communications, and many have encapsulated their proprietary protocols in TCP/IP packets. While all of this evolution towards more open-based standards has made it easier for the industry to integrate various diverse systems together, it has also increased the risks of less technical personnel gaining access and control of these industrial networks.

There are many tools and techniques that could be used to address these threats, and flexibility of security configurations is a key design consideration. There is no one magic solution for industry. Each entity must determine what their goals are and arrive at a cost effective solution to these issues.

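The firewall and IDS items above note that such tools often do not understand SCADA protocols, even though those protocols are now carried in TCP/IP packets. The following added example (not from the paper) shows the kind of protocol-aware check such a device needs. It assumes Modbus/TCP as the protocol and a read-only policy for traffic arriving from the corporate side; those choices, the sample frames and the name `inspect_frame` are made here for illustration.

```python
import struct

# MBAP header of Modbus/TCP: transaction id, protocol id, length, unit id
# (all big-endian). The function code is the first byte after the header.
MBAP = struct.Struct(">HHHB")

READS = {1: "read coils", 2: "read discrete inputs",
         3: "read holding registers", 4: "read input registers"}
WRITES = {5: "write single coil", 6: "write single register",
          15: "write multiple coils", 16: "write multiple registers"}


def inspect_frame(frame):
    """Return (verdict, reason) for one Modbus/TCP request frame.

    Assumed policy: the corporate side may read process values but may
    never change them, and malformed frames are dropped outright.
    """
    if len(frame) < MBAP.size + 1:
        return "drop", "truncated frame"
    _tid, proto, length, _unit = MBAP.unpack_from(frame)
    if proto != 0:
        return "drop", "protocol id is not Modbus"
    # The length field counts every byte after itself (unit id + PDU).
    if length != len(frame) - 6:
        return "drop", "length field does not match frame size"
    function = frame[MBAP.size]
    if function in READS:
        return "allow", READS[function]
    if function in WRITES:
        return "drop", WRITES[function] + " not permitted from corporate side"
    return "drop", "function code %d not on allow-list" % function


# Constructed sample frames, not captured traffic.
SAMPLES = [
    bytes.fromhex("0001 0000 0006 11 03 006b 0003"),  # read holding registers
    bytes.fromhex("0002 0000 0006 11 05 00ac ff00"),  # write single coil
    bytes.fromhex("0003 0000 00ff 11 03 006b 0003"),  # wrong length field
    bytes.fromhex("0004 0001 0006 11 03 006b 0003"),  # non-zero protocol id
    bytes.fromhex("0005 0000 0006 11 08 0000 0000"),  # function not listed
]


def run_samples():
    """Apply the policy to every constructed sample frame."""
    return [inspect_frame(frame) for frame in SAMPLES]


if __name__ == "__main__":
    for frame, (verdict, reason) in zip(SAMPLES, run_samples()):
        print(frame.hex(), verdict, reason)
```

Only the first sample passes; the others are rejected before they reach a controller, which is the behaviour a general-purpose firewall that sees only a TCP port cannot provide.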
Attacks Against SCADA Systems
In today’s corporate environment, internal networks are used for all corporate communications, including SCADA. SCADA systems are therefore vulnerable to many of the same threats as any TCP/IP-based system. SCADA Administrators and Industrial Systems Analysts are often deceived into thinking that since their industrial networks are on separate systems from the corporate network, they are safe from outside attacks. PLCs and RTUs are usually polled by other 3rd party vendor-specific networks and protocols like RS-232, RS-485, MODBUS, and DNP, and are usually done over phone lines, leased private frame relay circuits, satellite systems, licensed and spread spectrum radios, and other token-ring bus topology systems. This often gives the SCADA System Administrators a false sense of security since they assume that these end devices are protected by these non-corporate network connections.

Security in a power utility network can be compromised in many places along the system and is most easily compromised at the SCADA host or control room level. SCADA computers logging data out to some back-office database repositories must be on the same physical network as the back-end database systems, or have a path to access these database systems. This means that there is a path back to the SCADA systems and eventually the end devices through their corporate network. Once the corporate network is compromised, then any IP-based device or computer system can be accessed. These connections are open 24x7 to allow full-time logging, which provides an opportunity to attack the SCADA host system with any of the following attacks:
• Use a Denial of Service (DoS) attack to crash the SCADA server leading to shut down condition (System Downtime and Loss of Operations)
• Delete system files on the SCADA server (System Downtime and Loss of Operations)
• Plant a Trojan and take complete control of system (Gain complete control of system and be able to issue any commands available to Operators)
• Log keystrokes from Operators and obtain usernames and passwords (Preparation for future take down)
• Log any company-sensitive operational data for personal or competition usage (Loss of Corporate Competitive Advantage)
• Change data points or deceive Operators into thinking control process is out of control and must be shut down (Downtime and Loss of Corporate Data)
• Modify any logged data in remote database system (Loss of Corporate Data)
• Use SCADA Server as a launching point to defame and compromise other system components within corporate network. (IP Spoofing)

The impact of these and other SCADA Security Risks is summarized in Table 1.
TABLE 1
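The path "back to the SCADA systems" through a back-office database link, described above, can be found mechanically from an inventory of network links. This is an added example, not code from the paper: zone names, link lists and the required firewall counts are constructed for illustration, with the count of two for Internet paths taken from the paper's later recommendation of at least two firewall layers.

```python
import heapq


def min_firewalls(links, src, dst):
    """Fewest firewalls crossed on any path from src to dst.

    links: iterable of (zone_a, zone_b, firewalled) describing
    bidirectional connections. Returns None if dst is unreachable.
    """
    graph = {}
    for a, b, firewalled in links:
        cost = 1 if firewalled else 0
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))

    best = {src: 0}
    heap = [(0, src)]
    while heap:                       # Dijkstra over 0/1 edge costs
        crossed, zone = heapq.heappop(heap)
        if zone == dst:
            return crossed
        if crossed > best.get(zone, float("inf")):
            continue
        for nxt, cost in graph.get(zone, []):
            total = crossed + cost
            if total < best.get(nxt, float("inf")):
                best[nxt] = total
                heapq.heappush(heap, (total, nxt))
    return None


def audit(links, scada_zone, required):
    """Return (source, firewalls_found, firewalls_required) per shortfall."""
    findings = []
    for source, need in required.items():
        found = min_firewalls(links, source, scada_zone)
        if found is not None and found < need:
            findings.append((source, found, need))
    return findings


# Constructed sample data; zone names are hypothetical.
REQUIRED = {"internet": 2, "corporate_lan": 1}

SEGMENTED = [
    ("internet", "corporate_lan", True),     # border firewall
    ("corporate_lan", "scada_lan", True),    # SCADA firewall
]

# Same network plus a back-office database server that the SCADA host
# logs to directly, with no firewall on either leg.
WITH_DB_PATH = SEGMENTED + [
    ("corporate_lan", "backoffice_db", False),
    ("backoffice_db", "scada_lan", False),
]

if __name__ == "__main__":
    print(audit(SEGMENTED, "scada_lan", REQUIRED))
    print(audit(WITH_DB_PATH, "scada_lan", REQUIRED))
```

The second audit reports that the logging link lets corporate traffic reach the SCADA LAN without crossing any firewall, even though both firewalls are still in place.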

Developing a SCADA Security Strategy
For a company to protect its infrastructure, it should undertake the development of a security strategy that includes specific steps to protect any SCADA system. Such a strategy may include the following approach. Developing an appropriate SCADA security strategy involves analysis of multiple layers of both the corporate network and SCADA architectures including firewalls, proxy servers, operating systems, application system layers, communications, and policy and procedures. Strategies for SCADA Security should complement the security measures implemented to keep the corporate network secure. Figure 1 below illustrates the typical corporate network “ring of defenses” and its relationship with the SCADA network.

FIGURE 1

Successful attacks can originate from either Internet paths through the corporate network to the SCADA network, or from internal
attacks from within the corporate office. Alternatively, attacks can originate from within the SCADA network from either upstream (applications) or downstream (RTUs) paths. What is an appropriate configuration for one installation may not be cost effective for another. Flexibility and the employment of an integrated and coordinated set of layers are critical in the design of a security approach.

Most corporate networks employ a number of security countermeasures to protect their networks. Some of these and a brief description of their functions are as follows:
• Border Router and Firewalls: Firewalls, properly configured and coordinated, can protect passwords, IP addresses, files and more. However, without a hardened operating system, hackers can directly penetrate private internal networks or create a Denial of Service condition.
• Proxy Servers: A Proxy server is an internet server that acts as a firewall, mediating traffic between a protected network and the internet. They are critical to re-create TCP/IP packets before passing them on to, or from, application layer resources such as Hyper Text Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP). However, the employment of proxy servers will not eliminate the threat of application layer attacks.
• Operating Systems: Operating systems can be compromised, even with proper patching, to allow network entry as soon as the network is activated. This is due to the fact that operating systems are the core of every computer system and their design and operating characteristics are well known worldwide. As a result, operating systems are a prime target for hackers. Further, in-place operating system upgrades are less efficient and secure than design-level migration to new and improved operating systems.
• Applications: Application layer attacks; i.e., buffer overruns, worms, Trojan Horse programs and malicious Active-X code, can incapacitate anti-virus software and bypass the firewall as if it wasn’t even there.
• Policies and Procedures: Policies and procedures constitute the foundation of security policy infrastructures. They include requiring users to select secure passwords that are not based on a dictionary word and contain at least one symbol, capital letter, and number, and should be over eight characters long. Users should not be allowed to use their spouse, child, or pet’s name as their password.

The above list is common to all entities that have corporate networks. SCADA systems for the most part coexist on the same corporate network. The following list suggests ways to help protect the SCADA network in conjunction with the corporate network:
• SCADA Firewalls: SCADA Systems and Industrial Automation Networks, like corporate network operating systems, can be compromised using similar hacking methods. Oftentimes, SCADA systems go down due to other internal software tools or employees who gain access into the SCADA systems, often without any intention to take down these systems. For these reasons, it is suggested that strong firewall protection to wall off your SCADA networking systems from both the internal corporate network and the Internet be implemented. This would provide at least two layers of firewalls between the SCADA networking systems and the Internet.
• SCADA Internal Network Design: SCADA networks should be segmented off into their own IP segment using smart switches and proper sub-masking techniques to protect the Industrial Automation environment from the other network traffic, such as file and print commands. Facilities using Wireless Ethernet and Wired Equivalent Privacy (WEP) should change the default name of the Service Set
Identifier (SSID). This will at least require someone driving by with a wireless card to know the name of the SSID, and have the appropriate encryption key for the wireless network.
• SCADA Server Operating Systems: Simply installing a firewall or segmenting SCADA IP addresses will not ensure their SCADA Infrastructure is secure. An experienced hacker can often bypass firewalls with ease and can even use Address Resolution Protocol (ARP) trap utilities to steal Media Access Control (MAC) addresses. The hacker can also deploy IP spoofing techniques to maneuver through switched networks. Operating systems running the SCADA applications must also be maintained. Ensure that SCADA applications on Windows NT, 2000, or XP are properly patched against the latest vulnerabilities, and that all of the default NULL NT accounts and administrator accounts have been removed or renamed. SCADA applications running in UNIX, LINUX, Novell, or any other Operating System (OS), must also be maintained as above. All operating systems have back doors and default access accounts that should be removed and cleaned off of these SCADA Servers.
• SCADA Applications: We must also address security within the SCADA application itself. Trojan horses and worms can be inserted to attack application systems, and they can be used to manipulate data or issue commands on the server. There have even been cases of Trojan horses being deployed that completely emulate the application. The operator or user thinks that he is clicking on a command to stop a pump or generate a graph of the plant, but he is actually clicking on buttons disguised to look like the SCADA screen, and these buttons start batch files that delete the entire hard drive, or send out pre-derived packets on the SCADA system that turn all outputs to ON or “1” state. Trojan horses and viruses can also be planted through an email opened by another computer in the plant, and then it is silently copied over to adjacent SCADA servers, where they wait until a specified time to run. Many times plant control rooms will have corporate computers with the Internet and email active on them within the same physical room, and network switches as SCADA computers. Methodologies to mitigate against these types of situations are: the use of anti-virus software running on the computer where the SCADA application resides; systems administrators disabling installation of any unauthorized software unless the user has administrator access; and Policies and Procedures applicable to SCADA systems, which are addressed below.
• SCADA Policies and Procedures: SCADA policies and procedures associated with remote vendor and supervisory access, password management, etc. can significantly impact the vulnerabilities of the SCADA facilities within the SCADA network. Properly developed Policies and Procedures that are enforced will greatly improve the security posture of the SCADA system.

Initiative in M.P. East Discom:
The Ministry of Power, Government of India has approved Re-structured Accelerated Power Development & Reforms Program (R-APDRP) during 11th plan as a Central Sector Scheme to expedite the distribution reforms across the country to achieve sustainable improvement in the distribution sector. The Power Finance Corporation has been made Nodal Agency to operationalise the programme under the guidance of Ministry of Power. The scheme is proposed to cover urban areas; town and cities with population of more than 30,000 (as per 2001 census) and accordingly 27 such cities are eligible in the area under jurisdiction of the
East Discom. As per guidelines of Ministry of Power, Government of India, SCADA/DMS system shall be implemented only in project areas having a population over 4 lacs and annual input energy of 350 MU. As per the provisions of the scheme Jabalpur town is qualified for Implementation of SCADA and DMS system which is a component of Part-A of the scheme.

Web servers with Firewalls and IPS: Redundant Web servers shall be provided to allow the access of SCADA/DMS system data, displays by outside users. One router shall be provided which shall be connected to the external LAN/WAN communicating SCADA/DMS system. The external LAN/WAN users shall be able to access SCADA/DMS data through the Web server system through this router. Web servers shall also be provided with host based Intrusion prevention & detection system (IPS). The host-based IPS will be installed in both the Web-servers. The Network based IPS shall be supplied for both the SCADA/DMS dual LAN and DMZ dual LAN. All necessary hardware & software for Web Servers with firewalls and IPS shall be supplied by the contractor.

Firewall: Two firewalls shall be provided, one between Web servers & SCADA/DMS dual LAN and another between Web servers & Web server dual LAN. Specification of the firewall is given in the chapter for software requirements. Contractor shall provide equivalent tools such as Apache etc for Web servers if UNIX or LINUX O/s is used to meet the security requirement as envisaged in the specification.

CONCLUSION:
In summary, these multiple “rings of defense” must be configured in a complementary and organized manner, and the planning process should involve a cross-team with senior staff support from operations, facility engineering, and Information Technology (IT). The SCADA Security team should first analyze the current risks and threat at each of the rings of defense, and then initiate a work plan and project to reduce the security risk, while remembering to avoid any major impacts to operations.

SCADA systems can be effectively protected against attacks and intrusions if conventional information-system security methods are modified and applied taking into account the demanding SCADA system performance and reliability requirements. Developing and applying SCADA-system security policies, eliminating unnecessary network connections and services, performing vulnerability analyses, relying on technical audits, managing risk, and providing security awareness training are basic proven approaches that will work in fortifying SCADA systems. IDSs are also important tools that can be applied successfully to detect and thwart intrusions into SCADA systems, but existing IDSs have to be altered to incorporate SCADA protocols and signature components.

RESUME:
About the authors:

Dr. ASHOK KUMAR TIWARI-

Dr. Tiwari is B.E.(Electrical Engg.), MBA and Ph.D. in Energy Management. He did EDP from
IIT-Delhi and IIM-Calcutta. He has around 22 years of experience in power transmission and
distribution and is presently working at M.P. Poorv Kshetra Vidyut Vitaran Co. Ltd., Jabalpur as
Executive Engineer. He has also acquired training in SCADA and DMS systems at ESCI
Hyderabad. He is presently looking after Distribution SCADA Project being implemented in
Jabalpur City. He has authored two books, one book chapter and more than 32 research papers in
reputed Journals and Seminars. His contact is [email protected]

Dr. VIVEK CHANDRA-

Dr. Chandra is B.E. (Electrical), M.Tech. (IT) and Ph.D. in Computer Science. He has around
22 years of experience in power distribution and automation. He is currently posted at M.P.
Poorv Kshetra Vidyut Vitaran Co. Ltd., Jabalpur as Head (IT) and involved in the planning and
development of IT systems for Power Distribution automation and reforms. He has also acquired
training in GIS at ESCI Hyderabad. He is presently looking after implementation of the
prestigious R-APDRP and ERP Projects in the Discom. He has authored a book on Information
Security and has over 30 research papers published in reputed National/International Journals
and Seminars. His contact is [email protected]
