
SCADA SYSTEMS AND SECURITY

WHITEPAPER

Abstract: This paper discusses some of the options available to companies concerned with the
threat of cyber attack on their critical infrastructure, who as part of their process of tightening up
security, wish to prevent unauthorized network access to SCADA systems that monitor and control
critical infrastructure.

SCADA System Security 1


About the Author(s)

This document was written by Abhishek Bhattacharjee (previously Senior Technical Architect, Citect), together with Stephen Flannigan and Jens Nasholm, both Product Marketing Managers, Citect.

About Citect

Citect is a worldwide leader in industrial automation and information management. Its CitectSCADA and Plant2Business software and industrial information management (IIM) analysis modules are complemented by professional services, customer support and training. These solutions are enhanced by strong partner programs and are sold in numerous industries, including mining, metals and minerals, food & beverage, manufacturing, pharmaceuticals, water, facilities, gas pipelines and power distribution. Citect is headquartered in Sydney, Australia, has 17 offices in Australia, the USA, Europe, China and Africa, and its products are distributed in more than 50 countries worldwide.
For further information, visit http://www.citect.com/

© 2003 Citect Pty Ltd. All rights reserved.

The information contained in this document represents the current view of Citect on the issues discussed as of the date of
publication. Because Citect must respond to changing market conditions, it should not be interpreted to be a commitment on
the part of Citect, and Citect cannot guarantee the accuracy of any information presented after the date of publication. This
white paper is for informational purposes only. CITECT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any
form or by any means (electronic, mechanical, photocopying, recording or otherwise) or for any purpose, without the express
written permission of Citect Pty Ltd. Citect may have patents, patent applications, trademarks, copyrights or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any written license agreement from
Citect, the furnishing of this document does not give you any license to these patents, trademarks, copyrights or other
intellectual property. Citect, CitectSCADA, CitectHMI, Plant2Business and Plant2NET are either registered trademarks or
trademarks of Citect Group Corporation in Australia and/or other countries. The names of actual companies and products
mentioned herein may be the trademarks of their respective owners.



Contents

About the Author(s) ........................................ 2
About Citect ............................................... 2
Contents ................................................... 3
Introduction ............................................... 4
Defining a security policy ................................. 4
Measures to secure the SCADA network ....................... 5
    Implement a secured firewall ........................... 5
    Keep your network simple ............................... 5
    Minimize network access points ......................... 5
    Virtual Private Network ................................ 5
    Deploy Internet Protocol Security (IPsec) .............. 5
    De-militarized Zones (DMZ) ............................. 5
Application Security ....................................... 6
    Authentication and Authorization ....................... 6
    Secured data storage and communication ................. 6
Audit Trails ............................................... 6
Wireless Networks .......................................... 6
Intrusion Detection ........................................ 7
Regulating physical access to the SCADA network ............ 7



Introduction
In recent times, governments throughout the world have identified critical infrastructure as potential
targets for terrorism. Whilst physical measures have been taken to secure these infrastructures, one
area of concern remaining is the potential attack on the information and process control systems
belonging to the critical infrastructure.

Many private companies controlling vital public utilities such as power, gas or water, which never considered that they would be prone to cyber attacks, are now having to implement measures to improve the security of their whole organization. The reality is that many companies have become highly dependent on digital information systems that are tightly integrated into their business.

Many SCADA systems that monitor and control critical infrastructure, such as power generation and transmission, water and waste water, and pipelines spanning a wide area network, run on industry-standard computers and networks. As such, these systems run a higher risk of being hacked into by cyber terrorists.

Hypothetically, by hacking into a SCADA network monitoring the water gates in a dam and taking control of the SCADA system, a cyber terrorist could wreak havoc by opening and closing the gates at will.

Whilst SCADA systems have been around for a few decades, cyber attacks have only become a prominent threat in recent times. As such, many SCADA systems deployed in the past have little or no security built in. In addition, SCADA systems are often part of a company’s engineering division and, as a result, are seldom covered by its corporate security policy.

Securing SCADA networks is relatively easy and should be considered as part of the company’s overall security policy, requiring security measures and policies to be implemented on multiple levels, including:

• Defining a security policy
• Securing the SCADA network and operating environment
• Securing the SCADA application
• Detecting unauthorized intrusions
• Regulating physical access to the SCADA network

Defining a security policy

Security policies are becoming essential in today’s corporate network. A security policy is a living document that allows an organization and its management team to set out clear and understandable objectives, goals, rules and formal procedures that define the overall security position and architecture.

As a starting point, an organization should have a corporate security policy and ensure that its
SCADA network falls under the jurisdiction of this policy. Failure to have a security policy not only
exposes the company to cyber attacks but may also lead to legal action.

A security policy should cover the following key components:

• The roles and responsibilities of those affected by the policy
• Which actions, activities and processes are allowed and which are not
• The consequences of non-compliance

Key personnel who need to be included in the development of the policy include:
• Senior management
• Information Technology department
• Human Resources and
• Legal

The following areas of vulnerability should be considered:

• Network and operating environment security
• Application security
• Intrusion detection
• Regulating physical access to the SCADA network

Measures to secure the SCADA network
Corporate networks linked to the Internet or that use wireless technology may be more easily
accessible to cyber terrorists and hackers. An organization can heighten its level of network security
by isolating its SCADA network thereby restricting channels of external access. In many
organizations, isolating the SCADA network from the Internet or Intranet is difficult because of
requirements such as monitoring plants from a remote location.

In the latter case, measures can be taken to secure your network and operating environment from unauthorized access to the SCADA systems. These include:

• Firewalls
• Virtual Private Networks
• De-militarized Zones
• Authentication

Implement a secured firewall

A secured firewall is imperative between the corporate network and the Internet. As the single point of traffic into and out of a corporate network, it can be effectively secured and monitored. A corporate network should have at least one firewall and a router separating it from the external network that is not within the company’s dominion. When examining the firewall solution, consider if and how the firewall supports any security services that you may need. Microsoft Internet Security and Acceleration Server (ISA), with its virtual private network (VPN) support, can be used to set up the firewall.

On larger sites it is also recommended to protect the control system from attack from within the
SCADA network. This may be implemented by providing an additional firewall between the
corporate and SCADA network. To maximize access and minimize the configuration required to
maintain this firewall, a terminal server can be used to act as a gateway. Only traffic from the
terminal server can pass into the SCADA network and a secured terminal server removes the ability
for external applications to be used to attack the control system.

Keep your network simple

Simple networks are at less risk than more complex interconnected networks. Keep the network simple and, more importantly, well documented from the beginning.

Minimize network access points

A key factor in ensuring a secure network is the number of contact points. While firewalls have secured access from the Internet, many existing control systems have modems installed to allow remote users access to the system for debugging. These modems are often connected directly to controllers in the substations. Where such an access point is required, it should be a single point that is password protected and where user actions can be logged.

Virtual Private Network

One of the main security issues facing more complex networks today is remote access. With a VPN, all data paths are secret to a certain extent, yet open to a limited group of persons, for example the employees of a specific company. A VPN is a secure way of connecting to remote SCADA networks. Based on the existing public network infrastructure and incorporating data encryption and tunneling techniques, it provides a high level of data security.

Deploy Internet Protocol Security (IPsec)

IPsec can be deployed within a network to provide computer-level authentication as well as data encryption. IPsec can be used to create a VPN connection between two remote networks using the highly secured Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPsec).

De-militarized Zones (DMZ)

DMZs are a buffer between a trusted network (the SCADA network) and the corporate network or Internet, separated through additional firewalls and routers, providing an extra layer of security against cyber attacks.



Application Security
In addition to securing the network, securing access to SCADA system components will provide a
further defense layer.

Authentication and Authorization

Authentication is the software process of verifying the identity of a user who attempts to access the SCADA system. Authorization is the process of defining access permissions on the SCADA system and allowing users with the appropriate permissions to access the respective areas of the system. Together, authentication and authorization provide a single point of control for identifying users and allowing only authorized users to access the SCADA system, thereby ensuring a high level of control over the system’s security.

To provide effective authentication the system must require each user to enter a unique user name and password. A shared user name implies a lack of responsibility for the protection of the password and for the actions completed under that user name.

Users must be able to be created, edited and deleted within the system while the system is active, to ensure that individual passwords can be maintained. In addition, it is highly recommended that password aging be implemented. Password aging ensures that operators change their passwords over a controlled time period, such as every week or every month.

To provide authorization the system must be able to control access to every component of the
control system. The system must not provide a “back door” with which to bypass the levels of
authentication specified in the application.

Secured data storage and communication

Critical data pertaining to a SCADA system must be securely persisted and communicated. It is recommended that critical data such as passwords be stored using an encryption algorithm. Similarly, remote login processes should use VPNs or encryption to communicate the user name and password over the network.

Critical data such as user names and passwords must be persisted in a secured data repository, with access rights monitored and managed using secured mechanisms such as Windows authentication and role-based security.

Audit Trails
It is recommended that audit trails of critical activities, such as user logins or changes to system access permissions, be kept and reviewed at regular intervals. Securing your SCADA application may make it more challenging for external hackers to gain control of the system; however, it will not stop internal employees with malicious intent. Regularly tracking and monitoring audit trails on critical areas of your SCADA system will help identify suspicious activity so that the necessary corrective actions can be taken.

Wireless Networks
The two most common ways of gaining unauthorized access to a wireless network are by using an
unauthorized wireless client, such as a laptop or PDA, or by creating a clone of a wireless access
point. If no measures have been taken to secure the wireless network then either of these methods
can provide full access to the wireless network.

Many commercial wireless networks are available, these range in price, complexity and level of
security provided.

When implementing a wireless network a couple of standard security measures can be taken to
minimize the chance of an attacker gaining access to the wireless network.
• Approved clients – the access points in the wireless network contain a configurable list of the MAC addresses of all clients that are authorized to access the wireless network. A client not listed in an access point will not gain access to the wireless network.
• Service Set Identifier (SSID) – this is an identification string that can be configured on all clients and access points in your wireless network. Any client or access point participating in the wireless network must have the same SSID configured. The SSID is however transmitted as a readable text string over the network, so using the SSID alone is not enough to secure the wireless network.
• Wired Equivalent Privacy (WEP) – all clients and access points should have a configurable static WEP key. This is a 40, 64 or 128 bit encryption string that is entered in all clients and access points. Without the correct WEP key no access can be gained to the wireless network, and the SSID is also encrypted using this key. In most cases, using an SSID and a WEP key provides a secure solution.
• VPN (described earlier) was developed to provide secure connections through the Internet to internal corporate networks. Put simply, a VPN creates a secure tunnel through open networks such as the Internet or a wireless network. Data transmitted through the tunnel is encrypted on the client and then decrypted and validated in a VPN gateway inside the wireless access point. Another advantage of using a VPN is that a single solution provides security for both the wireless and the wired network, and the maintenance cost is lower.

Intrusion Detection
Firewalls and other simple boundary devices currently available lack some degree of intelligence when it comes to observing, recognizing and identifying attack signatures that may be present in the traffic they monitor and the log files they collect. This deficiency explains why intrusion detection systems (IDS) are becoming increasingly important in helping to maintain network security.

In a nutshell, an IDS is a specialized tool that knows how to read and interpret the contents of log files from routers, firewalls, servers and other network devices. Furthermore, an IDS often stores a database of known attack signatures and can compare patterns of activity, traffic or behavior it identifies in the logs it is monitoring against those signatures, so it can recognize when a close match between a signature and current or recent behavior occurs.

There are various types of IDS monitoring approaches:

• Network-based IDS: a network-based IDS can monitor an entire, large network with only a few well-situated nodes or devices and imposes little overhead on the network.

• Host-based IDS: a host-based IDS can analyze activities on the host it monitors at a high level of detail. It can often determine which processes and/or users are involved in malicious activities.

• Application-based IDS: an application-based IDS concentrates on events occurring within a specific application. It often detects attacks through analysis of application log files and can usually identify many types of attack or suspicious activity.

In practice, most commercial environments use some combination of network-, host- and/or application-based IDS to observe what is happening on the network while also monitoring key hosts and applications more closely.
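The log review described under Audit Trails and the signature matching described in this section, as an added example that is not part of the original paper: a small Python checker that parses constructed SCADA application ("app") and firewall ("fw") log lines (the line format, user names, host names and addresses are all invented here) and applies three signatures: a burst of failed logins for one user, a permission change by an account that is not an approved administrator, and one source address denied on several SCADA host/port pairs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: SCADA application ("app") and firewall ("fw") entries; all values invented.
SAMPLE_LOG = """\
2003-05-12 08:01:10 app LOGIN_OK user=jsmith station=HMI-1
2003-05-12 08:02:33 app LOGIN_FAIL user=operator station=HMI-2
2003-05-12 08:02:41 app LOGIN_FAIL user=operator station=HMI-2
2003-05-12 08:02:48 app LOGIN_FAIL user=operator station=HMI-2
2003-05-12 08:02:55 app LOGIN_FAIL user=operator station=HMI-2
2003-05-12 08:03:02 app LOGIN_OK user=operator station=HMI-2
2003-05-12 08:10:00 app PERM_CHANGE user=operator target=jdoe role=Engineer
2003-05-12 08:11:17 fw DENY src=10.5.1.77 dst=10.20.0.5 dport=23
2003-05-12 08:11:18 fw DENY src=10.5.1.77 dst=10.20.0.5 dport=502
2003-05-12 08:11:19 fw DENY src=10.5.1.77 dst=10.20.0.6 dport=502
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<origin>\w+) (?P<event>\w+) (?P<fields>.*)$")

def parse(log_text):
    """Turn each line into a dict: timestamp, origin, event name and key=value fields."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the format rather than guessing
        fields = dict(kv.split("=", 1) for kv in m["fields"].split())
        events.append({"ts": datetime.fromisoformat(m["ts"]), "origin": m["origin"],
                       "event": m["event"], **fields})
    return events

def failed_login_bursts(events, threshold=3, window=timedelta(minutes=1)):
    """Signature 1: `threshold` or more failed logins for one user inside `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            by_user[e["user"]].append(e["ts"])
    flagged = []
    for user, times in sorted(by_user.items()):
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window for i in range(len(times) - threshold + 1)):
            flagged.append(user)
    return flagged

def unapproved_permission_changes(events, admins=frozenset({"jsmith"})):
    """Signature 2: access-permission changes made by a non-administrator account."""
    return [e for e in events if e["event"] == "PERM_CHANGE" and e["user"] not in admins]

def denied_sweeps(events, min_targets=3):
    """Signature 3: one source denied by the firewall on several SCADA host/port pairs."""
    targets = defaultdict(set)
    for e in events:
        if e["origin"] == "fw" and e["event"] == "DENY":
            targets[e["src"]].add((e["dst"], e["dport"]))
    return sorted(src for src, seen in targets.items() if len(seen) >= min_targets)

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(failed_login_bursts(evs), unapproved_permission_changes(evs), denied_sweeps(evs))
```

The thresholds and the administrator list are parameters, so the same functions can be re-run with a site's own values once a baseline of normal activity is known.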

Regulating physical access to the SCADA network

Physical access to your network should be closely monitored:

1. Use built-in Microsoft Windows features such as NTFS permissions to require user authentication when browsing network shares.
2. Do not allow anyone who does not belong to your organization to connect to your network Ethernet or have physical access to your IT server room.
3. Monitor your network regularly for activity that may be suspicious, and note the IP addresses seen when running sniffing software or hardware on the network.
4. Ensure that there are no foreign IP addresses on the list. If you find a foreign IP address, trace route to it. Once you locate where this foreign IP address originates from you can take action. If you are unsure, physically disconnect the segment where the potential intruder may be on the network.
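Steps 3 and 4 above, as an added example that is not taken from the paper: a Python check that compares the (IP, MAC) pairs a sniffer reports against a constructed inventory of the SCADA segment (host names, addresses and the subnet are invented) and separates addresses from outside the subnet, in-subnet addresses missing from the inventory, and known addresses appearing with an unexpected MAC, the same kind of mismatch the approved-client MAC list in the Wireless Networks section depends on noticing.

```python
import ipaddress

# Constructed inventory of devices that belong on the SCADA segment:
# host name -> (IP address, MAC address). All values are invented for this example.
KNOWN_HOSTS = {
    "scada-server-1": ("10.20.0.5", "00:1a:2b:3c:4d:01"),
    "hmi-1": ("10.20.0.10", "00:1a:2b:3c:4d:02"),
    "rtu-substation-a": ("10.20.0.50", "00:1a:2b:3c:4d:03"),
}
SCADA_SUBNETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sniffer output: (source IP, source MAC) pairs seen on the segment.
OBSERVED = [
    ("10.20.0.5", "00:1a:2b:3c:4d:01"),
    ("10.20.0.10", "00:1a:2b:3c:4d:02"),
    ("10.20.0.10", "00:DE:AD:BE:EF:99"),  # inventoried IP, unexpected MAC
    ("10.20.0.123", "00:ca:fe:00:00:01"),  # in-subnet address missing from inventory
    ("192.168.7.4", "00:ca:fe:00:00:02"),  # address from outside the SCADA subnet
]

def classify(observed, known_hosts=KNOWN_HOSTS, subnets=SCADA_SUBNETS):
    """Sort observed (ip, mac) pairs into ok / mac_mismatch / unknown_in_subnet / foreign."""
    expected_mac = {ip: mac.lower() for ip, mac in known_hosts.values()}
    findings = {"ok": [], "mac_mismatch": [], "unknown_in_subnet": [], "foreign": []}
    for ip_text, mac in observed:
        ip = ipaddress.ip_address(ip_text)
        mac = mac.lower()  # MAC case varies between tools, so normalise before comparing
        if ip_text in expected_mac:
            # A known address with a different MAC may be a misconfigured or cloned device.
            category = "ok" if expected_mac[ip_text] == mac else "mac_mismatch"
        elif any(ip in net for net in subnets):
            category = "unknown_in_subnet"
        else:
            category = "foreign"
        findings[category].append((ip_text, mac))
    return findings

def report(findings):
    """Human-readable lines, most serious category first; normal hosts are not listed."""
    order = ("foreign", "unknown_in_subnet", "mac_mismatch")
    return [f"{cat}: {ip} ({mac})" for cat in order for ip, mac in findings[cat]]

if __name__ == "__main__":
    print("\n".join(report(classify(OBSERVED))))
```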

For further information on Citect products and services, visit http://www.citect.com/
