ICS/SCADA networks threats and defenses

This post has been written by Manos Athanatos.

Modern societies and economies rely on Critical Infrastructure sectors to provide vital services to the general public. Failures in Critical Infrastructures can have a series of cascading effects leading to the debilitation of societies and economies. Yet their core functions rely on SCADA systems that are vulnerable to damage from physical incidents, natural disasters or cyberattacks. Vulnerabilities in industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems, affecting critical infrastructure organizations that manage complex IT and physical networks, continue to emerge at an alarming rate.

Vulnerable products used in different industries (according to the US Department of Homeland Security ICS-CERT classification), based on vulnerabilities published in 2017

Vulnerabilities in SCADA systems could allow malicious code to manipulate power grids, energy providers, healthcare databases and patient equipment, environmental monitoring systems, national defense and nuclear plant systems, resulting in real-world catastrophic physical damage. The cascading effects of a successful SCADA attack could include blackouts, disruption of the water supply, traffic jams or other more catastrophic events that could lead to loss of life.

From analysis of past successful attacks, the common infection path starts with a phishing attack that drops the malware inside the network of the Critical Infrastructure. The malware then starts spreading and compromising critical assets of the Infrastructure. Early detection and prevention of these kinds of events is of paramount importance for CIs. Thus, there is a need for cybersecurity monitoring sensors inside the Critical Infrastructure’s network in order to identify security threats from both internal and external sources in a timely and accurate manner. Having a balanced number of sensors and an accurate display of the ongoing and upcoming threats for the security system administrators is in the scope of CIPSEC.

Securing such systems involves understanding what connections are taking place to the SCADA network at any given time, conducting a thorough analysis of all SCADA network connections, and performing a risk analysis for each of these connections. Once each connection is identified and ranked, the unnecessary connections to the network need to be disconnected. If connectivity is still needed even in high-risk areas, designated “safe zones” in the form of network DMZs must be established to keep the necessary connections away from the sensitive SCADA areas.

View of an Energy Grid control room

Identifying critical ICS/SCADA network points and setting up cybersecurity detection sensors that can alert personnel in time should a breach occur is one of the steps that SCADA network administrators can take to remain aware of what is happening within their systems. Network monitoring sensors with a custom-made, SCADA-specific ruleset, along with ICS/SCADA honeypots, can become a valuable line of defense against attacks. Network monitoring sensors can detect and raise alerts for known vulnerabilities and attack vectors against ICS/SCADA systems; they are limited by how well-defined and up to date the ruleset they use is. On the other hand, low-interaction Industrial Control System honeypots can deploy virtual, potentially exploitable server-side services that lure attacks and provide real-time information about a variety of attacks. These attacks include unauthorized access, malicious code insertion (including zero-day exploits) and protocol-based attacks.
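As an added illustration of what a SCADA-specific sensor rule looks like (example code written for this post, not part of CIPSEC or the original article), the following Python sensor parses Modbus/TCP frames and alerts on write function codes issued by hosts outside an allow-list, as well as on malformed frames. The choice of Modbus/TCP, the host addresses and the sample frames are assumptions constructed for the example, since the post names no specific protocol.

```python
import struct
from dataclasses import dataclass

# Modbus/TCP function codes that change process state; a SCADA-specific ruleset
# typically restricts these to known engineering or HMI hosts.
WRITE_FUNCTION_CODES = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                        0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

# Allow-list of hosts permitted to issue writes (assumed address, constructed for this example).
AUTHORIZED_WRITERS = {"10.0.0.10"}

@dataclass
class Alert:
    src_ip: str
    function_code: int   # -1 when the frame could not be parsed
    reason: str

def parse_mbap(frame: bytes):
    """Parse a Modbus/TCP frame: 7-byte MBAP header followed by the PDU.
    Returns (unit_id, function_code, data) or None if the frame is malformed."""
    if len(frame) < 8:
        return None
    _tid, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    # Protocol id must be 0 for Modbus; length counts unit id + PDU bytes.
    if protocol_id != 0 or length != len(frame) - 6:
        return None
    return unit_id, frame[7], frame[8:]

def inspect_frame(src_ip: str, frame: bytes):
    """Apply two rules: reject malformed frames, flag writes from non-authorized hosts."""
    parsed = parse_mbap(frame)
    if parsed is None:
        return Alert(src_ip, -1, "malformed Modbus/TCP frame")
    _unit_id, fc, _data = parsed
    if fc in WRITE_FUNCTION_CODES and src_ip not in AUTHORIZED_WRITERS:
        return Alert(src_ip, fc, f"{WRITE_FUNCTION_CODES[fc]} from unauthorized host")
    return None

def build_frame(unit_id: int, fc: int, data: bytes, tid: int = 1) -> bytes:
    """Build a Modbus/TCP frame; used here only to construct sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu

# Constructed sample traffic: (source IP, raw frame).
SAMPLE_TRAFFIC = [
    ("10.0.0.10", build_frame(1, 0x03, b"\x00\x00\x00\x0a")),  # read holding registers from HMI
    ("10.0.0.10", build_frame(1, 0x06, b"\x00\x01\x00\xff")),  # write from the authorized host
    ("10.0.0.77", build_frame(1, 0x05, b"\x00\x00\xff\x00")),  # write single coil from unknown host
    ("10.0.0.77", b"\x00\x01\x00\x00\x00\x02"),                  # truncated frame (no PDU)
]

def run_sensor(traffic=SAMPLE_TRAFFIC):
    """Return the list of alerts raised over the given traffic."""
    return [a for a in (inspect_frame(ip, f) for ip, f in traffic) if a is not None]
```

Running `run_sensor()` on the sample traffic yields two alerts: the coil write from the unknown host and the truncated frame, while both operations from the allow-listed host pass silently.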

Despite all these measures, cybersecurity in SCADA networks is not guaranteed, and relying solely on the few safeguards in place will not produce a bulletproof system. Cybersecurity continuously changes with the trends in malicious software and hacking attacks, so keeping the security team up to date with cybersecurity training, having patching and updating mechanisms for all protocols used, and having routine reviews of the security system using vulnerability assessment services can guarantee a healthy and robust cybersecurity system in place.