SCADA Grid Security Issues v1

Uploaded by raksha.apple

Supervisory Control and Data Acquisition System Security Issues

1 Introduction

Computer systems and networks are a fundamental component of Critical Infrastructure; electronic attacks on them are therefore
considered a severe threat today. Comprising fields such as government services, telecommunications, banking and finance,
electrical power, oil and gas refining, water supply, transportation and emergency services, Critical Infrastructure is one of the
most important factors supporting a nation's life. Because of its extreme importance, Critical Infrastructure could become a
target of antagonists who, besides physical attacks with traditional weapons, may also use electronic attacks to destroy a
nation's means of living.

These considerations, along with realities such as cyber terrorism, make Critical Infrastructure Protection a national security
issue. SCADA systems are widely deployed in Critical Infrastructure industries, where they provide remote supervisory control.
Despite the evident importance of SCADA security, SCADA systems are reported to be vulnerable to electronic attacks. Given the
wide deployment of networking technologies in SCADA and the high connectivity of SCADA networks with other networks such
as the corporate intranet or even the Internet, SCADA systems are exposed to electronic attacks more than ever. To implement an
efficient defense of SCADA and Process Control Systems in general, it is necessary to research novel security approaches,
implement them and carefully measure their suitability in terms of efficiency and overhead.

2 SCADA System General Layout

[Figure 1 - SCADA System General Layout]

Ref: Guide to Industrial Control Systems (ICS) Security, National Institute of Standards and Technology

The figure above gives the general layout of a SCADA system. SCADA (Supervisory Control and Data Acquisition) is a collection
of systems that measure, report, and change in real time both local and geographically remote distributed processes. It is a
combination of telemetry and data acquisition that enables a user to send commands to distant facilities and collect data from
them. The fundamental components in the figure are the control center, usually computer-based and referred to as the MTU
(Master Terminal Unit); the RTU (Remote Terminal Unit), also called the field site; and the communication link between them.
The basic functions of the MTU are to issue commands to distant facilities and gather data from them, to interact with other
systems in the corporate intranet for administrative purposes, and to interface with human operators. In a SCADA system it is
the MTU that has full control over the distributed remote processes. An operator interfaces with an MTU through an interface
device consisting of a video display unit, a keyboard, etc. Control commands sent by an MTU to distant facilities are triggered
by programs in that MTU, which are executed either manually or through a programmable built-in scheduler.

The field sites mentioned above are an integral component of SCADA and are referred to as RTUs (Remote Terminal Units).
RTUs are generally microprocessor-based and are physically placed in remote locations. Their task consists of controlling and
acquiring data from devices such as sensors, actuators, controllers, pulse generators, etc. An MTU communicates with one or
more remote RTUs by sending requests for information that those RTUs gather from devices, or instructions to take an action
such as opening and closing valves, turning switches on and off, etc. The communication between an MTU and its RTUs follows
a master-slave scheme, in which the MTU is the master and the RTUs are slaves, and only the MTU is allowed to initiate a
transaction.
3 SCADA Architecture in Detail

[Figure - SCADA architecture in detail]

Ref: Critical Infrastructure Protection, Challenges in Securing Control Systems.

4 Why is securing SCADA important?

SCADA systems were originally designed to be isolated, but today they operate in corporate environments. Control systems have
been designed to be efficient rather than secure. The source code of the systems is open. SCADA vendors routinely perform
maintenance through remote access. SCADA communication protocols were designed with little consideration for security.
Because of the above reasons, the security of SCADA systems has been compromised, which creates a threat to the critical
infrastructure. SCADA systems are so weak in this respect that they are highly susceptible to cyber attacks. Adversaries
identify and exploit these vulnerabilities to execute attacks, and the effects of those attacks fall into one or more of the
following consequence categories:

- Physical impacts: Physical impacts encompass the set of direct consequences of SCADA malfunction. The potential effects of
paramount importance include personal injury or loss of life. Other effects include the loss of property (including data) or
damage to the environment.
- Economic impacts: Economic impacts are a second-order effect of the physical impacts that follow a cyber intrusion. Physical
impacts could result in repercussions to system operations, which in turn inflict a greater economic loss on the facility or
company. On a larger scale, these effects could negatively impact the local, regional, national, or possibly global economy.
- Social impacts: Another second-order effect, the consequence of the loss of national or public confidence in an organization,
is often overlooked. It is, however, a very real target and one that can be reached through a cyber attack. Social impacts may
lead to heavily depressed public confidence or the rise of popular extremism.

Hence, research and development is being carried out by various organizations in order to counter these attacks and make SCADA
systems more secure.
5 Security Issues in SCADA

5.1 Public Information Availability

Often, too much information about a utility company's corporate network is easily available through routine public queries. This
information can be used to initiate a more focused attack against the network. Examples of this vulnerability are listed below:

- Websites often provide data useful to network intruders about company structure, employee names, e-mail addresses, and even
corporate network system names
- Domain name service (DNS) servers permit "zone transfers", providing IP addresses, server names, and e-mail information
5.2 Policy and Procedure Vulnerabilities

- Inadequate security policy for the SCADA
- No formal SCADA security training and awareness program
- Inadequate security architecture and design
- No specific or documented security procedures developed from the security policy for the SCADA
- Lack of administrative mechanisms for security enforcement
- Few or no security audits on the SCADA
- No SCADA-specific continuity of operations or disaster recovery plan
- Lack of SCADA-specific configuration change management
5.3 Platform Configuration Vulnerabilities

- OS and application security patches are not maintained
- Inadequate access controls. Poorly specified access controls can give a SCADA user too many or too few privileges. One example
of each case: a system configured with default access control settings gives an operator administrative privileges; an improperly
configured system leaves an operator unable to take corrective action in an emergency.
- Password policies are needed to define when passwords must be used, how strong they must be, and how they must be maintained.
Without a password policy, systems might not have appropriate password controls, making unauthorized access to systems more
likely.
5.4 Platform Software Vulnerabilities

- Buffer overflow: Software used to implement a SCADA system could be vulnerable to buffer overflows; adversaries could exploit
these to perform various attacks.

- Denial of service (DoS): SCADA software could be vulnerable to DoS attacks, resulting in the prevention of authorized access to a
system resource or the delay of system operations and functions. Adversaries could proactively exploit software bugs and other
vulnerabilities in various systems, either in the corporate network or the SCADA network, to gain unauthorized access to places
such as control center networks, SCADA systems, interconnections, and access links. Cyber attacks based on denial of service
(DoS) mechanisms, and others that spread through viruses and worms by causing a traffic avalanche in a short time, can
potentially bring down systems and disrupt services; these are known as flood-based cyber attack types.

- Intrusion detection/prevention software not installed: Incidents can result in loss of system availability; the capture,
modification, and deletion of data; and incorrect execution of control commands. IDS/IPS software may stop or prevent various
types of attacks, including DoS attacks, and can also identify attacked internal hosts, such as those infected with worms.
IDS/IPS software must be tested prior to deployment to verify that it does not compromise normal operation of the SCADA.

- Malware protection software not installed, definitions not current, or implemented without exhaustive testing: Malicious
software can result in performance degradation, loss of system availability, and the capture, modification, or deletion of data.
Malware protection software, such as antivirus software, is needed to prevent systems from being infected by malicious software.
Outdated malware protection software and definitions leave the system open to new malware threats. Malware protection software
deployed without testing could impact normal operation of the SCADA.

5.5 Network Configuration Vulnerabilities

Weak network security architecture

The network architecture design is critical in offering the appropriate amount of segmentation between the Internet, the
company's corporate network, and the SCADA network. Network architecture weaknesses increase the risk that a compromise from
the Internet could ultimately result in compromise of the SCADA system. Some common architectural weaknesses include the
following:

- Configuration of file transfer protocol (FTP), web, and e-mail servers sometimes inadvertently and unnecessarily provides
internal corporate network access.
- Network connections with corporate partners are not secured by firewall, IDS, or virtual private network (VPN) systems
consistent with other networks
- Dial-up modem access is authorized unnecessarily, and maintenance dial-ups often fail to implement corporate dial access
policies
- Firewalls and other network access control mechanisms are not implemented internally, leaving little to no separation between
different network segments

5.6 Network Perimeter Vulnerabilities

Network Leak Vulnerabilities

TCP/IP networks by their very nature promote open communication between systems and networks unless network security
measures are implemented. Improper network configuration often leads to inbound and outbound network leaks (between SCADA
networks, corporate networks, business partners, regulators and outsourcers, and even the Internet) which pose a significant
threat to network reliability. Network leaks can give worms, viruses or hackers direct visibility of vulnerable SCADA systems.

Insecure Connections Exacerbate Vulnerabilities

Potential vulnerabilities in control systems are exacerbated by insecure connections. Organizations often leave access links,
such as dial-up modems to equipment and control information, open for remote diagnostics, maintenance, and examination of
system status. Such links may not be protected with authentication or encryption, which increases the risk that hackers could
use these insecure connections to break into remotely controlled systems. Control systems also often use wireless
communication systems, which are especially vulnerable to attack, or leased lines that pass through commercial
telecommunications facilities.

Firewalls nonexistent or improperly configured

A lack of properly configured firewalls could permit unnecessary data to pass between networks, such as control and corporate
networks. This could cause several problems, including allowing attacks and malware to spread between networks, making
sensitive data susceptible to monitoring or eavesdropping from the other network, and giving individuals unauthorized access
to systems.

5.7 Network Communication Vulnerabilities

SCADA systems are built using public or proprietary communication protocols for communication between an MTU and one or
more RTUs. SCADA protocols provide the transmission specifications that interconnect substation computers, RTUs, IEDs, and
the master station. The most common protocol is DNP3, the Distributed Network Protocol Version 3.3. It was developed to
achieve interoperability among systems in the electric utility industry.

The following list presents features of DNP3 that provide benefits to the user:

- Open standard
- Interoperability between multi-vendor devices
- A protocol that is supported by a large and increasing number of equipment manufacturers
- Layered architecture conforming to the IEC enhanced performance architecture model
- Optimized for reliable and efficient SCADA communications
- Supported by comprehensive implementation testing standards
- The ability to select from multiple vendors for future system expansion and modification

The following attacks exploit the protocol specifications:

- Passive Network Reconnaissance: An attacker with the appropriate access captures and analyzes DNP3 messages. This attack
provides the attacker with information about network topology, device functionality, memory addresses and other data.
- Baseline Response Replay: An attacker with knowledge of normal DNP3 traffic patterns simulates responses to the master while
sending fabricated messages to outstation devices.
- Rogue Interloper: An attacker installs a "man-in-the-middle" device between the master and outstations that can read, modify
and fabricate DNP3 messages and/or network traffic.
- Length Overflow and DFC Flag Attack: These attacks either insert an incorrect value in the Length field, which affects message
processing, or set the DFC flag, which causes an outstation device to appear busy to the master. These attacks can result in data
corruption, unexpected actions and device crashes.
- Reset Function and Unavailable Function Attack: This attack sends a DNP3 message with Function Code 1 (reset user process) to
the targeted outstation. The attack causes the targeted device to restart, rendering it unavailable for a period of time and
possibly restoring it to an inconsistent state. Examples are interruption of an outstation and modification of an outstation. In
the unavailable function attack, the attacker sends a DNP3 message with Function Code 14 or 15, which indicates that a service
is not functioning or is not implemented in an outstation device. The attack causes the master to stop sending requests to the
targeted outstation because it assumes that the service is unavailable.
- Destination Address Alteration: By changing the destination address field, an attacker can reroute requests or replies to other
devices, causing unexpected results. An attacker can also use the broadcast address 0xFFFF to send erroneous requests to all the
outstation devices; this attack is difficult to detect because (by default) no result messages are returned to a broadcast
request.
- Fragmented Message Interruption: The FIR and FIN flags indicate the first and final frames of a fragmented message,
respectively. When a message with the FIR flag arrives, all previously received incomplete fragments are discarded. Inserting a
message with the FIR flag set after the beginning of the transmission of a fragmented message disrupts the reassembly of a valid
message. Inserting a message with the FIN flag set terminates message reassembly early, resulting in an error during the
processing of the partially completed message.
- Transport Sequence Modification: The Sequence field is used to ensure in-order delivery of fragmented messages. The sequence
number increments with each fragment sent, so predicting the next value is trivial. An attacker who inserts fabricated messages
into a sequence of fragments can inject any data and/or cause processing errors.
- Outstation Data Reset: This attack sends a DNP3 message with Function Code 15. The attack causes an outstation device to
reinitialize data objects to values inconsistent with the state of the system. Examples of this attack are interruption and
modification of an outstation.
- Outstation Application Termination: This attack sends a DNP3 message with Function Code 18, which is used to terminate
applications running on outstations. A message with this function code causes a device to become unresponsive to normal
requests from the master. Examples of this kind of attack are interruption and modification of an outstation.
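Several of the attacks listed above leave traces in the DNP3 link, transport and application headers themselves, which is where a passive monitor on a span port can catch them. The Python monitor below is an added illustration, not code from the original document or from any DNP3 implementation: it parses each captured frame's headers and raises an alert for a Length field that disagrees with the frame size, an outstation asserting the DFC flag, the broadcast destination 0xFFFF, the link-layer "reset user process" function code (1) and the application function codes 14, 15 and 18 named above, a FIR fragment arriving while a reassembly is still in progress, and an out-of-order transport Sequence value. Assumptions not drawn from the text: the header CRC is present but not verified (placeholder 0x0000 in the constructed samples), user data arrives with its per-block CRCs already stripped by the capture tool, bit positions follow the IEEE 1815 layout of the link control byte and transport header, and the sample frames, addresses and watch list are constructed for this demonstration.

```python
"""Constructed DNP3 header monitor (added example, not from the original document).

Flags the header-level patterns the attack list describes. Assumptions: the
10-byte link header CRC is present but not verified here, user data has its
per-block CRCs already stripped, bit layout per IEEE 1815 (DNP3).
"""
from dataclasses import dataclass

START = b"\x05\x64"
BROADCAST_ADDR = 0xFFFF             # broadcast address named in the text
LINK_RESET_USER_PROCESS = 1         # link-layer function code 1 (reset user process)
# application function codes tied to the outstation reset / termination attacks above;
# tune this watch list to the deployment (constructed for the demonstration)
WATCHED_APP_FUNCS = {14: "unavailable function", 15: "outstation data reset",
                     18: "application termination"}


@dataclass
class Frame:
    length: int      # LEN field: ctrl + dst + src (5 bytes) + user data, CRCs excluded
    prm: bool        # True for a primary-station (request) frame
    dfc: bool        # data-flow-control bit; meaningful only when prm is False
    link_fc: int     # link-layer function code (low nibble of the control byte)
    dst: int
    src: int
    user: bytes      # transport header + application fragment, CRCs stripped


def parse_frame(raw: bytes) -> Frame:
    """Parse the link header; bytes 8-9 (header CRC) are assumed present, not verified."""
    if len(raw) < 10 or raw[:2] != START:
        raise ValueError("not a DNP3 frame")
    ctrl = raw[3]
    return Frame(length=raw[2], prm=bool(ctrl & 0x40), dfc=bool(ctrl & 0x10),
                 link_fc=ctrl & 0x0F, dst=int.from_bytes(raw[4:6], "little"),
                 src=int.from_bytes(raw[6:8], "little"), user=raw[10:])


class Dnp3Monitor:
    """Stateful inspector: remembers the expected transport sequence per (src, dst)."""

    def __init__(self) -> None:
        self.expected_seq: dict[tuple[int, int], int] = {}

    def inspect(self, raw: bytes) -> list[str]:
        alerts: list[str] = []
        f = parse_frame(raw)
        key = (f.src, f.dst)
        if f.length != 5 + len(f.user):
            alerts.append(f"{key}: Length field {f.length} disagrees with frame size")
        if f.dst == BROADCAST_ADDR:
            alerts.append(f"{key}: broadcast destination 0xFFFF")
        if not f.prm and f.dfc:
            alerts.append(f"{key}: outstation asserted DFC (appears busy)")
        if f.prm and f.link_fc == LINK_RESET_USER_PROCESS:
            alerts.append(f"{key}: link function code 1 (reset user process)")
        if not f.user:
            return alerts
        th = f.user[0]                      # transport header: FIN=0x80, FIR=0x40, seq=0x3F
        fin, fir, seq = bool(th & 0x80), bool(th & 0x40), th & 0x3F
        if fir:
            if key in self.expected_seq:
                alerts.append(f"{key}: FIR received mid-reassembly, earlier fragments dropped")
            if len(f.user) >= 3 and f.user[2] in WATCHED_APP_FUNCS:   # app control, then function code
                alerts.append(f"{key}: application function code {f.user[2]} "
                              f"({WATCHED_APP_FUNCS[f.user[2]]})")
        elif key not in self.expected_seq:
            alerts.append(f"{key}: continuation fragment with no reassembly in progress")
        elif seq != self.expected_seq[key]:
            alerts.append(f"{key}: transport sequence {seq}, expected {self.expected_seq[key]}")
        if fin:
            self.expected_seq.pop(key, None)
        else:
            self.expected_seq[key] = (seq + 1) & 0x3F
        return alerts


def build_frame(dst: int, src: int, ctrl: int, user: bytes, length: int = -1) -> bytes:
    """Constructed frame with real header fields and a placeholder 0x0000 header CRC."""
    length = 5 + len(user) if length < 0 else length
    return (START + bytes([length, ctrl]) + dst.to_bytes(2, "little")
            + src.to_bytes(2, "little") + b"\x00\x00" + user)


MASTER, OUTSTATION = 1, 10   # constructed link addresses
CTRL_M_DATA = 0xC4           # DIR=1 PRM=1, link function 4 (unconfirmed user data)
CTRL_O_DATA = 0x44           # DIR=0 PRM=1, link function 4
CTRL_M_RESET = 0xC1          # DIR=1 PRM=1, link function 1 (reset user process)
CTRL_O_DFC = 0x10            # DIR=0 PRM=0 with the DFC bit set

SAMPLE_FRAMES = [            # constructed session; comments give the transport header meaning
    build_frame(OUTSTATION, MASTER, CTRL_M_DATA, bytes([0xC0, 0xC0, 0x01, 0x3C, 0x02, 0x06])),  # benign poll
    build_frame(MASTER, OUTSTATION, CTRL_O_DATA, bytes([0x45, 0xC0, 0x81]) + b"\x00" * 4),      # FIR seq 5
    build_frame(MASTER, OUTSTATION, CTRL_O_DATA, bytes([0x86]) + b"\x00" * 4),                  # FIN seq 6
    build_frame(MASTER, OUTSTATION, CTRL_O_DATA, bytes([0x47, 0xC0, 0x81]) + b"\x00" * 4),      # FIR seq 7
    build_frame(MASTER, OUTSTATION, CTRL_O_DATA, bytes([0x40, 0xC0, 0x81]) + b"\x00" * 4),      # injected FIR seq 0
    build_frame(MASTER, OUTSTATION, CTRL_O_DATA, bytes([0x89]) + b"\x00" * 4),                  # FIN seq 9, out of order
    build_frame(BROADCAST_ADDR, MASTER, CTRL_M_DATA, bytes([0xC0, 0xC0, 0x02])),               # broadcast request
    build_frame(MASTER, OUTSTATION, CTRL_O_DFC, b""),                                           # DFC asserted
    build_frame(OUTSTATION, MASTER, CTRL_M_RESET, b""),                                         # link reset user process
    build_frame(OUTSTATION, MASTER, CTRL_M_DATA, bytes([0xC0, 0xC0, 0x12])),                    # app function 18
    build_frame(OUTSTATION, MASTER, CTRL_M_DATA, bytes([0xC0, 0xC0, 0x01]), length=0x30),       # wrong Length field
]


def scan(frames: list[bytes]) -> list[tuple[int, str]]:
    """Run a fresh monitor over a frame list; returns (frame index, alert) pairs."""
    mon = Dnp3Monitor()
    return [(i, a) for i, raw in enumerate(frames) for a in mon.inspect(raw)]


if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_FRAMES):
        print(f"frame {idx}: {alert}")
```

Run stand-alone, the script reports one alert for each of the last seven constructed frames and nothing for the benign poll and the well-formed two-fragment response. In a real deployment the header CRC and the per-block data CRCs must be verified before the headers are trusted, and the application-level watch list should be derived from which function codes the master is actually expected to issue on that link.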

6 Summary of Security Issues in SCADA

| Security Issue | Description | Security Threat Levels |
|---|---|---|
| Public Information Availability | Information available through manuals, vendors, and routine public queries. | Confidentiality |
| Policy and Procedure Vulnerabilities | Inadequate security policies and the absence of a security architecture and design pose a threat; lack of security audits, disaster recovery plan, etc. | Integrity |
| Platform Configuration Vulnerabilities | OS and application security patches are not maintained; inadequate access control to systems; inadequate password policies. | Confidentiality, Integrity, Availability |
| Platform Software Vulnerabilities | Buffer overflow; denial of service; intrusion detection/prevention software not installed; malware protection not provided. | Confidentiality, Integrity, Availability, Accountability |
| Network Configuration Vulnerabilities | Weak network security architecture; data flow control not applied. | Availability, Integrity |
| Network Perimeter Vulnerabilities | Firewalls nonexistent or improperly configured; insecure connections exacerbate vulnerabilities; network leak vulnerabilities. | Confidentiality, Integrity, Accountability |
| Network Communication Vulnerabilities | Passive Network Reconnaissance | Integrity |
| | Baseline Response Replay | Accountability |
| | Rogue Interloper | Integrity |
| | Length Overflow and DFC Flag Attack | Integrity, Confidentiality |
| | Reset Function and Unavailable Function Attack | Availability |
| | Destination Address Alteration | Availability |
| | Fragmented Message Interruption | Integrity |
| | Transport Sequence Modification | Integrity |
| | Outstation Data Reset | Integrity, Availability |
| | Outstation Application Termination | Availability |

Countermeasures such as building a role-based access model for access control, and enhancing the communication protocol's
security features with the DNPSec framework or by wrapping the protocol in IPsec or SSL/TLS, are available and will be covered
in the following report.

7 References

1) Guide to Industrial Control Systems (ICS) Security, National Institute of Standards and Technology.
2) A Taxonomy of Attacks on the DNP3 Protocol, Samuel East, Jonathan Butts, Mauricio Papa and Sujeet Shenoi.
3) Critical Infrastructure Protection, Challenges in Securing Control Systems.
4) Investigating the Security of Electrical Power Systems SCADA, Edward Chikuni and Maxwell Dondo.