Security Issues in SCADA based Industrial Control Systems

Bijoy Babu (1), Thafasal Ijyas (2), Muneer P (2), Justin Varghese (3)

(1) Department of Computer Engineering, King Khalid University, Saudi Arabia
(2) Department of Electrical Engineering, King Khalid University, Saudi Arabia
(3) Department of Computer Science, King Khalid University, Saudi Arabia

Abstract—Ongoing research and developments in modern information and communication technologies have revolutionized the design of industrial control systems (ICS). There is a major domain transition from traditional electromechanical systems to network-based digital systems, which has created a powerful interface between state-of-the-art computing technologies/paradigms and the physical processes sought to be controlled. ICS play a critical role in the industrial and manufacturing sector. Major infrastructures like petrochemical industries, waste water treatment facilities, nuclear power plants, pharmaceuticals, food and beverage industries etc. cannot run properly without ICS. Real-time processing, reliability and advanced distributed intelligence are some of the core characteristics of ICS, which are incorporated with the help of state-of-the-art internet communication and computing technologies. The complex embedded coupling of hardware and software components such as actuators, sensors and the physical processes are all monitored and manipulated by communication and network protocol based controllers like supervisory control and data acquisition (SCADA) systems, programmable logic controllers (PLC), distributed control systems (DCS) etc. The integration of these technologies makes access to ICS from the external world much easier. On the other hand, this has also led to many critical cyber-security issues. These issues are of such a nature that they may sometimes pose a serious threat to the safety of humans and the environment as well. Unless managed properly, they can also have adverse implications for the national economy in terms of production losses. In this paper, we attempt to give a comprehensive review of the unique aspects of cyber-security issues in ICS. Specifically, we delve into the issues of security assessment and architectural review of ICS. We also give a brief survey of different threats and attacks on ICS.
Keywords— Industrial Control; Cyber-attacks; SCADA;

I. INTRODUCTION

Current industrial control systems (ICS) are the result of augmenting ordinary electromechanical physical systems with several state-of-the-art information technology and telecommunication features [1]. This has led to the emergence of 'smart trends' like smart buildings, smart transportation systems, smart production lines etc. ICS is a generic term for many control system configurations and architectures like distributed control systems (DCS), supervisory control and data acquisition systems (SCADA), programmable logic controllers (PLC), industrial automation and control systems (IACS) etc. In ICS, the combined activities of all the physical control elements (electromechanical, hydraulic, pneumatic) result in the accomplishment of diverse industrial goals [2]. A typical ICS comprises remote troubleshooting facilities, maintenance tools, a human machine interface (HMI), and various control loop configurations. All these are designed to work with standard network protocols. The critical nature of ICS, with the accompanying networking and communication features, demands the deployment of adequate security mechanisms [4]. SCADA-based control systems make use of a centralized data acquisition mechanism to supervise field targets that are distributed unevenly. The integration of precise data acquisition, data transmission and HMI software aids provides monitoring and centralized control over numerous physical processes in the field, which in fact makes SCADA systems the most popular choice among the ICS configurations. SCADA systems are widely used in waste water treatment plants, petrochemical pipelines, electrical transmission lines and public transportation systems including railways [6-9].

978-1-5090-5814-3/17/$31.00 ©2017 IEEE

II. SECURITY CONCERNS IN INDUSTRIAL CONTROL SYSTEMS

An ICS may be characterized by many different types of security issues. The operation of an ICS requires the transfer of critical data over the internet. Here, we encounter many issues. One is whether legacy control systems are capable of dealing with the sophisticated cyber threats of our times [3]. Many of these systems have been developed and installed without giving adequate attention to these recent security issues. Also, it is difficult to retrofit the necessary security mechanisms into these systems.
To characterize the security model for a SCADA-based ICS, it is necessary to first identify the different types of security threats that are relevant to such systems. One important characteristic of cyber-attacks in general is that the techniques of attack become more sophisticated with the proliferation of the systems connected to a network. For example, collaborative attack models based on botnets, worms, advanced persistent threats (APT) etc. have become lethal now. This scenario is important for ICS as well. Recent studies reveal that there are over one million ICS/SCADA systems connected to the internet with unique IP addresses. It is said that this figure is rising every day by 2000 to 8000 new systems [5]. This has created a significant pool against which sophisticated attacks can be built.

Metadata-based search engines like Shodan and its various clones have demonstrated the capability to easily detect and connect to critical control systems. This has brought to light the serious vulnerabilities of such systems. Shodan specifically focuses on SCADA systems. Botnets are also a serious alternative means of attacking ICS [6]. The crux of the problem is that many of the communication protocols used in ICS do not require authentication.

III. ICS - AN OVERVIEW

Table 1 shows the global percentage of different types of ICS components. The major share is contributed by SCADA/HMI based systems, followed by the PLC and hardware based systems.

TABLE 1. ICS COMPONENTS DISTRIBUTION PERCENTAGE

TYPE         GLOBAL PERCENTAGE
SCADA/HMI    31
SCADA        12
PLC          27
HMI          27
HARDWARE      3

A typical layout of an ICS is depicted in figure 1. The system has many components like control system loops, remote station monitoring and maintenance tools, and machine interfaces. These are all built around specific network protocols over layered network architectures. The process variables are manipulated by the ICS using transducers/sensors, programmable logic controllers, actuators etc. [3]. The sensors measure the input physical quantities and then give the corresponding outputs in terms of electrical or non-electrical quantities. This data is sent as control variables to the controller. Upon receiving this data, the controller makes use of a process algorithm and set-points to generate the manipulated variables. These are then transmitted to the actuators. Actuators consist of various control valves, motors, switches etc. The process is controlled by making use of these components. The process control is implemented based on the instructions from the controller. The control personnel interact by means of the human machine interfaces (HMI) to monitor and adjust the set-points and to set the controller parameters. The HMI has the additional task of logging and displaying the process status data. The troubleshooting and maintenance mechanisms are there for prevention, identification, and recovery from system malfunctioning and system failures.

Fig. 1. ICS Operation Layout

In figure 2, we have given the physical layer architecture of an ICS. This ICS network architecture consists of seven layers that are used mainly to define the security controls and patterns in the system. ICS can no longer be considered stand-alone, independent, self-made systems with application-specific embedded hardware and software parts. Rather, they have evolved into networked multilevel systems running technical, enterprise and business applications. In order to boost remote terminal accessibility and industrial connectivity, ICS have adopted many advanced communication and information technology solutions.

Fig. 2. ICS Physical Layer Architecture

Layer 1 comprises end terminal devices like data acquisition modules, programmable logic controllers (PLC), sensors, line protection devices etc. Layer 2 interfaces the layer 1 devices to field terminal units (FTU).

IV. VULNERABILITIES IN ICS

As mentioned earlier, ICS are affected by many vulnerabilities. The types of vulnerabilities have increased drastically during recent years, from 1997 in 2010 to 189 in 2015 [7]. The increase in the vulnerabilities is plotted in figure 3.

Fig. 3. ICS cyber-attacks by year (Source: ICS-CERT Report-2016)

This drastic increase is due to two important reasons:
i. The hectic research activity by security experts and hackers to determine and patch the potential vulnerabilities in industrial control systems.
ii. The increase in the number of ICS with TCP/IP connectivity, as mentioned earlier.

Now we will examine some important types of vulnerabilities that may affect an ICS, especially SCADA-based systems. Memory overflow is an important issue in SCADA systems. When data overruns the allocated memory space, it corrupts other data and program sections. This is a high-risk flaw. An overflow can be created by a malicious agent through a denial-of-service (DoS) attack. This is possible due to the lack of authentication in ordinary TCP/IP connections. A remote attacker can bypass the hardcoded cryptographic keys [10-12]. This is also a high-risk vulnerability. Another threat is through malware scripts injected by an attacker into the code of the client websites. An attacker can also masquerade as a client with a genuine request. Legacy ICS in general do not have a mechanism to verify the authenticity of such requests. Since data is transmitted as clear text, sensitive information can be sniffed. This is all the more severe due to the lack of proper encryption techniques. The human-machine interfaces (HMI) in ICS are vulnerable to password stealing as well. SQL injection is another prominent threat, in which attacker data is injected to corrupt query strings and variables used in SQL commands. All these attacks are reported by major ICS vendors as shown in figure 4.

Fig. 4. Threats vs. Vendors (2015) (Source: ICS-CERT Report-2015)
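As an added example for the SQL injection threat described in this section (and revisited under Database Injection in Section VI), not code from the paper: a constructed HMI operator lookup written twice, once by string concatenation, which lets user input rewrite the query, and once with bound parameters, which keeps input as data. The table, rows and credentials are constructed sample values.

```python
import sqlite3

def make_hmi_db():
    """Constructed in-memory HMI operator table (sample data, not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE operators (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO operators VALUES (?, ?, ?)",
        [("operator1", "sample-pass-1", "viewer"),
         ("engineer1", "sample-pass-9", "admin")],
    )
    return conn

def login_concatenated(conn, username, password):
    """Vulnerable form: the submitted values are spliced into the SQL text, so a
    quote character in the input changes the structure of the WHERE clause."""
    query = ("SELECT username, role FROM operators WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()

def login_parameterized(conn, username, password):
    """Hardened form: placeholders are bound by the driver, so the input can only
    ever be compared as a value and never alters the query grammar."""
    query = "SELECT username, role FROM operators WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()

def compare_on_malformed_input(conn):
    """Feed the same quote-bearing input to both forms and report how many rows each
    returns: the concatenated query leaks every operator, the bound one leaks none."""
    malformed = "' OR '1'='1"
    return (len(login_concatenated(conn, "anyone", malformed)),
            len(login_parameterized(conn, "anyone", malformed)))

if __name__ == "__main__":
    db = make_hmi_db()
    print("valid login, bound query:", login_parameterized(db, "operator1", "sample-pass-1"))
    print("rows leaked (concatenated, bound):", compare_on_malformed_input(db))
```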

V. CHALLENGES IN SCADA SECURITY

A general layout of a SCADA system is shown in figure 4. The control center comprises the control server, routers, HMI, data archiving server and control workstations. The data from the remote field instruments are collected by the control center and presented to the HMI [14]. The control center initiates the required actions based on the detected events. Field sites are connected to the control center by means of a WAN or dial-up modem connection. Field sites have control mechanisms for actuators and have the capability to capture information from the sensors/transducers in the required format. The connection between the SCADA system and the remote terminal units (RTUs) is established by different means, e.g. wired, wireless RF and even satellite communication systems. Sensors as well as actuators, which are commonly referred to as RTUs, play vital roles in gathering the physical information and feeding it to the master controller, such as PLCs and other controllers.

Fig. 5. SCADA - General system schematics

Attacks on a SCADA system can be conducted in many ways. The network connections between the control center and the field sites are potential locations for attacks. Critical information can be spoofed, sniffed or modified by attackers [15]. As mentioned earlier, the communication protocols used do not have any authentication mechanism in general. Security has to be overlaid as specific implementations on these protocols.
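As an added example (not the paper's code) of what "overlaying security as a specific implementation" on an unauthenticated protocol can look like, in the spirit of the Authentication Header discussed in Section VI: each command frame between control center and field site carries a sequence number and a truncated HMAC-SHA256 tag under a shared key, so a receiver can reject modified and replayed frames. The frame layout, the key and the command strings are assumptions of this example.

```python
import hmac
import hashlib
import struct

# Placeholder key assumed to be provisioned out of band to control server and RTU.
SHARED_KEY = b"placeholder-shared-key-provisioned-out-of-band"
SEQ_LEN = 4    # big-endian 32-bit sequence counter
TAG_LEN = 16   # truncated HMAC-SHA256 tag appended to every frame

def build_frame(seq, payload, key=SHARED_KEY):
    """Sender side: frame = seq || payload || HMAC(key, seq || payload)[:TAG_LEN].
    The tag covers the sequence number, so a replayed frame cannot be renumbered."""
    body = struct.pack(">I", seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class Receiver:
    """RTU side: accepts a frame only if its tag verifies under the shared key and
    its sequence number is strictly greater than the last accepted one."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_seq = -1

    def accept(self, frame):
        """Return the authenticated payload, or None if the frame must be dropped."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None                                   # truncated frame
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison so tag checking does not leak timing information.
        if not hmac.compare_digest(tag, expected):
            return None                                   # modified or forged frame
        seq = struct.unpack(">I", body[:SEQ_LEN])[0]
        if seq <= self.last_seq:
            return None                                   # replayed or stale frame
        self.last_seq = seq
        return body[SEQ_LEN:]

if __name__ == "__main__":
    rx = Receiver()
    frame = build_frame(1, b"SETPOINT valve7=42")
    print("fresh frame:", rx.accept(frame))               # payload is returned
    print("same frame again:", rx.accept(frame))          # None: replay rejected
```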

Fig. 6. Different topologies of SCADA system

There are many SCADA communication topologies, viz., point-to-point, series, series-star, and multi-drop [5]. These are shown in figure 6. The point-to-point topology, though the simplest in its functionality and commonly used, is not economically viable due to the requirement of an individual channel for each connection. The number of channels is significantly less in the series topology. However, the efficiency of the system is compromised due to the sharing of channels. Series-star and multi-drop configurations employ one channel for each connected device, which increases the overall complexity of the system. The functionality of these topologies will have to be augmented with dedicated components for managing communication, message switching and buffering tasks. In large systems, the primary server will be assisted by sub-servers in controlling the operation of the numerous RTUs. We will go into the specific threats faced by SCADA systems in the following section.

VI. MAJOR THREATS TO SCADA SYSTEMS

A. Zero Day Vulnerabilities: The term zero day implies that the developer does not get enough time to develop and deploy a patch to overcome the flaw. Before that, an attacker exploits the flaw and/or creates and deploys malware to attack the SCADA system. There are many zero-day flaws that may affect a SCADA system. Stack overflow is one of them. This attack can occur on the field devices as well as the servers. The stack buffer in memory can be corrupted by a malicious player, leading to the injection of dangerous executable code into the running program and thus usurping control of the industrial process. The WellinTech KingView 6.53 HistorySvr vulnerability reported in China is a well-known example. Zero day attacks can also occur in the form of DoS attacks that overload computer resources.

B. Non-prioritization of Tasks: This is a serious flaw in many industrial control real-time operating systems. For example, in embedded operating systems like VxWorks there is no prioritization of tasks. Memory sharing between equally privileged tasks leads to serious security issues. The ability to create an OEP (Object Entry Point) in the kernel domain is a feature of VxWorks which can lead to loopholes in security. Non-kernel tasks may be protected from overflows using guard pages. However, the guard pages are typically small in many implementations and thus do not provide stringent protection.

C. Database Injection: Database injection also exploits vulnerabilities in a SCADA system. Harmful query statements can be created when the client inputs are not properly filtered. This is widely reported for SQL-based databases. Similar attacks are possible for the widely deployed MongoDB systems also. In SQL injection, the attacker sends a command to the SQL server through the web server and attempts to reveal critical authentication information.

D. Communication Protocol Issues: Even though the recent developments in encryption and authentication are on par with the sophisticated cyber-attacks and threats encountered, they are not adopted in ICS and SCADA as adequately as in the general client-server secure communication scenario. This is due to many reasons, the major one being that during the development and installation of these legacy systems, security was not a major concern. Hence communication protocols did not give sufficient importance to authentication.
This does not mean that authentication and encryption methods cannot be used with these systems. It should be noted that encryption is effective only in an authenticated communication between entities. For secure TCP/IP communication, the Internet Protocol Security (IPsec) framework can be employed. It will help create a secure channel of communication for industrial systems as well. IPsec uses two protocols for authentication and encryption: Encapsulating Security Payload (ESP) and Authentication Header (AH). APT attacks can be effectively dealt with using protocols like Syslog, which keeps security logs that provide a means for detecting stealthy attempts to gather information prior to building sophisticated attacks by malicious players.

CONCLUSIONS

In this study, we have analyzed the security vulnerabilities of industrial control systems in general with a special emphasis on SCADA systems. An attempt has been made to highlight the recent security risks. The different categories of threats are listed. The study will provide the necessary background to delineate the threats/risks associated with the communication protocols used in SCADA systems. Through an overlay of additional digital security mechanisms and techniques, it is possible to achieve competent security in ICS and SCADA systems.

REFERENCES

[1] M. Cheminod, L. Durante, and A. Valenzano, "Review of Security Issues in Industrial Networks," IEEE Trans. Ind. Informatics, vol. 9, Feb. 2013, pp. 277-293.
[2] D. Dzung, M. Naedele, T. P. von Hoff, and M. Crevatin, "Security for Industrial Control Systems," Proc. IEEE, vol. 93, no. 6, Jun. 2015, pp. 1152-1177.
[3] "ICS-CERT Year in Review - 2015," 2015. [Online]. Available: https://ics-cert.us-cert.gov/sites/default/files/Annual_Reports/Year_in_Review_FY2015_Final.pdf
[4] R. J. Robles and M.-K. Choi, "Assessment of the vulnerabilities of SCADA, control systems and critical infrastructure systems," Int. J. Grid Distrib. Comput., vol. 2, no. 2, Mar. 2009, pp. 27-34.
[5] J. D. Fernandez and A. E. Fernandez, "SCADA systems: Vulnerabilities and remediation," J. Comput. Sci. Colleges Arch., vol. 20, no. 4, Apr. 2005, pp. 160-168.
[6] Y. Cherdantseva et al., "A review of cyber security risk assessment methods for SCADA systems," Comput. Secur., vol. 56, Feb. 2015, pp. 1-27.
[7] S. Hong and M. Lee, "Challenges and Direction toward Secure Communication in the SCADA System," in 2010 8th Annual Communication Networks and Services Research Conference, IEEE, 2010, pp. 381-386.
[8] A. M. Grilo, J. Chen, M. Diaz, D. Garrido, and A. Casaca, "An Integrated WSAN and SCADA System for Monitoring a Critical Infrastructure," IEEE Transactions on Industrial Informatics, vol. 10, no. 3, Aug. 2014, pp. 1755-1764.
[9] R. Johnson, "Survey of SCADA security challenges and potential attack vectors," in Internet Technology and Secured Transactions (ICITST), 2010 International Conference for, 2010, pp. 1-5.
[10] A. Giani, G. Karsai, T. Roosta, A. Shah, B. Sinopoli, and J. Wiley, "A testbed for secure and robust SCADA systems," ACM SIGBED Review, vol. 5, no. 2, Jul. 2008, pp. 1-4.
[11] Kaspersky, "Cyberthreats to ICS systems," 2016. [Online]. Available: http://media.kaspersky.com/en/business-security/critical-infrastructure-protection/Cyber_A4_Leaflet_eng_web.pdf
[12] N. Leall, "Lessons from an insider attack on SCADA systems," 2009. [Online]. Available: http://blogs.cisco.com/security
[13] K. Stouffer, J. Falco, and K. Scarfone, "Guide to Industrial Control Systems (ICS) Security," NIST SP 800-82, 2008.
[14] S. A. Boyer, "SCADA: Supervisory Control and Data Acquisition," International Society of Automation, 2009.
[15] B. Miller and D. Rowe, "A Survey of SCADA and Critical Infrastructure Incidents," in Proceedings of the 1st Annual Conference on Research in Information Technology (RIIT '12), New York, NY, USA: ACM Press, 2012, p. 51.