Industry insiders smile at movies when villains hack into power grids: a few clicks on a laptop and somebody says, “We’re in!” A few more clicks, and everybody’s lights go out. But even far-fetched movie scenarios may contain a grain of truth. Utilities and other businesses have genuine concerns that critical process control systems (oil and gas pipelines, water supply and filtration systems, dams, power plants, manufacturing operations, and more) may be vulnerable to attack. These systems, often called SCADA (Supervisory Control and Data Acquisition), were designed and built before the age of cybercrime, with a primary focus on performance, availability and reliability, not security. So as adversaries grow more sophisticated and exploitable SCADA vulnerabilities become more widely known, organizations are taking a hard look at risks in their operations to ensure the safety and security of the nation.
Risks to operations that depend on SCADA systems are actually growing. To control costs, many organizations have connected their SCADA systems to business networks, exposing them to a new class of vulnerabilities. It is more critical than ever for organizations to evaluate their processes and technologies to manage network risk and security.
But risk analysis can’t obscure the original goals and objectives for SCADA systems: maximum performance and reliability. Control system management requires continuous commitment to minimizing and mitigating interruptions, routine and periodic maintenance, and prompt incident response, along with enhanced security and reduction of exploitable vulnerabilities.
Fortunately, a new generation of high-performance security products lets utilities defend their SCADA networks using the same technology that protects telecommunications, banking, and other critical IT infrastructure. The general principles are the same: keep outsiders out, keep insiders honest, keep an eye out for trouble, and keep communications open, clear, and fast, especially during emergencies. This is a review of some of the security technologies now available to protect SCADA, computer, and communications networks. But keep in mind that technology by itself isn’t enough! It requires proper design, configuration, and monitoring, along with solid security processes and a well-trained, security-aware staff to achieve its full potential in protecting critical infrastructure.
Firewalls
When the subject is network security, “Firewall” is often the first word that comes to mind. That’s as it should be: firewalls define and protect the boundaries of a network, scanning information packets for the tell-tale “signatures” of viruses, worms, and attacks in progress. But firewalls are only as effective as the security policies they enforce. Poor configuration, inconsistent updates, inadequate testing, or remote-access software on network PCs can make firewalls little more than a “speed bump” for an attacker. Both actual and demonstration attacks have penetrated or circumvented firewalls, and gone on to harm systems, equipment, the environment, and personnel.
Intrusion Detection and Prevention
Consumer-grade and small-business firewalls perform a top-level analysis of traffic crossing into a network. But sophisticated attacks may bury themselves deep inside information packets, spread out across multiple ports, hide in applications, or otherwise cover their tracks. Equally sophisticated Intrusion Detection and Prevention (IDP) systems, built into the best enterprise-grade firewalls, look deep inside to test every packet of information that crosses a network boundary, blocking any that violate security policies. But these solutions go further, reassembling information streams and analyzing them for suspicious activity. By enforcing security compliance on all network traffic, these solutions can defend against attacks even before their “signatures” are identified and distributed.
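To make the idea of protocol-aware deep inspection concrete, here is an added illustration; it is not code from the original article or from any Juniper product. It parses Modbus/TCP frames (the 7-byte MBAP header followed by a function code), rejects malformed frames whose header contradicts the bytes actually received, and then applies a constructed policy in which read functions are allowed from anywhere but write functions are accepted only from a hypothetical engineering workstation at 10.1.1.10. The sample frames and addresses are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change process state (writes) versus those that only read.
WRITE_FUNCTIONS = {5, 6, 15, 16}   # write single coil/register, write multiple coils/registers
READ_FUNCTIONS = {1, 2, 3, 4}      # read coils, discrete inputs, holding/input registers

# Hypothetical allow-list (constructed): only the engineering workstation may write to the PLC.
WRITE_ALLOWED_SOURCES = {"10.1.1.10"}


@dataclass
class Verdict:
    action: str      # "allow" or "block"
    reason: str


def parse_mbap(frame: bytes):
    """Parse the 7-byte MBAP header and return (transaction_id, protocol_id, length, unit_id, pdu).

    Raises ValueError for malformed frames so the caller can block them instead of
    guessing at their meaning.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (0)")
    # The length field counts the unit id plus the PDU; it must match what arrived on the wire.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(frame) - 6}")
    return tid, pid, length, uid, frame[7:]


def inspect(src_ip: str, frame: bytes) -> Verdict:
    """Apply the constructed policy to one frame from src_ip."""
    try:
        _, _, _, _, pdu = parse_mbap(frame)
    except ValueError as e:
        return Verdict("block", f"malformed: {e}")
    fc = pdu[0]
    if fc in READ_FUNCTIONS:
        return Verdict("allow", f"read function {fc}")
    if fc in WRITE_FUNCTIONS:
        if src_ip in WRITE_ALLOWED_SOURCES:
            return Verdict("allow", f"write function {fc} from authorised engineering host")
        return Verdict("block", f"write function {fc} from unauthorised host {src_ip}")
    # Anything not explicitly permitted (diagnostics, vendor-specific codes) is dropped.
    return Verdict("block", f"function code {fc} not permitted by policy")


def build_frame(tid: int, uid: int, pdu: bytes) -> bytes:
    """Construct a well-formed Modbus/TCP frame for the demo."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


# Constructed sample traffic: (source address, frame)
SAMPLES = [
    ("10.1.1.10", build_frame(1, 1, bytes([3, 0, 0, 0, 10]))),        # read 10 holding registers
    ("10.1.1.10", build_frame(2, 1, bytes([6, 0, 1, 0x12, 0x34]))),    # write single register, engineering host
    ("10.1.1.99", build_frame(3, 1, bytes([6, 0, 1, 0x12, 0x34]))),    # same write from an unknown host
    ("10.1.1.99", build_frame(4, 1, bytes([8, 0, 0, 0, 0]))),          # diagnostics function, not in policy
    ("10.1.1.99", b"\x00\x05\x00\x00\x00\x20\x01\x03"),                 # length field disagrees with frame size
]


def run_demo():
    """Inspect each sample and return the list of verdict actions in order."""
    results = []
    for src, frame in SAMPLES:
        v = inspect(src, frame)
        results.append(v.action)
        print(f"{src:12} -> {v.action:5} ({v.reason})")
    return results


if __name__ == "__main__":
    run_demo()
```

The header consistency check matters as much as the function-code policy: an engine that trusts the length field without comparing it to the received bytes can be made to parse the wrong offset, which is exactly the kind of evasion the paragraph above describes.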
Access Control
Firewalls and IDP systems protect networks against external threats. Equally important are defenses against attacks from within, by disgruntled or compromised employees, guest users, or attackers who steal or exploit the credentials of legitimate users. Access Control solutions grant permission to use specific network services on a session-by-session basis, based on characteristics that include the user’s identity, job function, location, and even the device used to access the network.
Virtual Private Networks (VPN)
With today’s mobile workforces and porous networks, it’s common for authorized employees to need network access from off-site. This is especially true in distributed utility networks, where critical infrastructure may be on a mountainside half a state away. Remote access raises risks that an attacker may intercept, corrupt, or simulate legitimate access without risking physical access to facilities. Virtual private networks (VPNs) secure access using session-by-session encryption of communication between a user and a network, or between two networks. The encrypted information is useless to an eavesdropper, and without the key, attackers can’t hijack a session. Many VPNs use a protocol called IPsec, in which the communicating parties authenticate one another. Secure Sockets Layer (SSL) encryption goes one step further, using a trusted third-party certificate provider to authenticate both the user and the network.
Valuable as they are, VPN solutions can’t substitute for Access Controls: they protect only access to the network. Access Control solutions are still necessary to manage permissions to use network services once an employee has gained secure access.
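The two paragraphs above (Access Control, and the point that a VPN session is not a substitute for it) can be shown in code. The following is an added example, not code from the original article or from any Juniper product: a default-deny policy evaluated per session against the user’s role, location, device management state and MFA status. The roles, services, locations and rules are constructed for the illustration; note that the same engineer who is fully authorized in the control room gets read-only access over the VPN, and an engineer who has authenticated to the VPN still cannot program a PLC from it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionContext:
    """Attributes known about one session at the moment a service is requested."""
    user: str
    role: str              # constructed roles: "operator", "engineer", "contractor"
    location: str          # constructed locations: "control_room", "corporate_lan", "vpn"
    managed_device: bool   # device is enrolled in the organisation's management/posture system
    mfa: bool              # session was authenticated with a second factor


@dataclass
class Rule:
    name: str
    service: str
    roles: set
    locations: set
    require_managed: bool = False
    require_mfa: bool = False

    def matches(self, ctx: SessionContext, service: str) -> bool:
        return (
            service == self.service
            and ctx.role in self.roles
            and ctx.location in self.locations
            and (ctx.managed_device or not self.require_managed)
            and (ctx.mfa or not self.require_mfa)
        )


# Constructed policy. A request is denied unless some rule explicitly permits it.
POLICY = [
    Rule("hmi-view", "hmi_readonly",
         {"operator", "engineer", "contractor"}, {"control_room", "corporate_lan", "vpn"}),
    Rule("hmi-control", "hmi_control",
         {"operator", "engineer"}, {"control_room"}, require_managed=True),
    Rule("plc-program", "plc_programming",
         {"engineer"}, {"control_room"}, require_managed=True, require_mfa=True),
    Rule("historian", "historian_query",
         {"operator", "engineer", "contractor"}, {"corporate_lan", "vpn"}),
]


def authorize(ctx: SessionContext, service: str):
    """Return (allowed, reason). First matching rule wins; no match means deny."""
    for rule in POLICY:
        if rule.matches(ctx, service):
            return True, rule.name
    return False, "no matching rule (default deny)"


# Constructed sessions and the service each one asks for.
SESSIONS = [
    (SessionContext("alice", "engineer", "control_room", True, True), "plc_programming"),
    (SessionContext("alice", "engineer", "vpn", True, True), "plc_programming"),   # VPN is not the control room
    (SessionContext("alice", "engineer", "vpn", True, True), "hmi_readonly"),
    (SessionContext("bob", "operator", "control_room", False, False), "hmi_control"),  # unmanaged device
    (SessionContext("carol", "contractor", "corporate_lan", True, False), "historian_query"),
    (SessionContext("carol", "contractor", "corporate_lan", True, False), "hmi_control"),  # wrong role
]


def run_demo():
    """Evaluate every sample session and return the list of allow/deny decisions."""
    decisions = []
    for ctx, service in SESSIONS:
        allowed, reason = authorize(ctx, service)
        decisions.append(allowed)
        print(f"{ctx.user:6} {ctx.role:10} {ctx.location:13} {service:16} -> "
              f"{'ALLOW' if allowed else 'DENY '} ({reason})")
    return decisions


if __name__ == "__main__":
    run_demo()
```

Keeping the rules as data rather than scattered conditionals is what makes the last lesson in the list below practical: a policy table can be tightened automatically (for instance by removing "vpn" from every rule’s locations) while an attack is in progress.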
Putting It All Together
It’s worth repeating: no single technology, or even combination of technologies, can secure a SCADA system or any other network. Careful network design, backed by proven security processes and trained, alert personnel, is essential for security in today’s threat environment. Fortunately, many of the practices SCADA security requires have been implemented, tested and proven in high-volume, high-risk financial, communications and military networks. These are some of the most important lessons:
- Be prepared for change. In selecting firewall and IDP solutions, control system designers should insist on daily updates that cover attacks on SCADA protocols (like Modbus and DNP3) as well as more common Internet threats. Updates are available from security specialists who operate their own research laboratories and maintain decoy networks specifically designed to lure attackers into revealing their methods.
- Don’t compromise on performance. Security systems that operate at less than full network speed compromise service, and may open the door to “denial of service” attacks that slow performance until administrators turn off defenses, opening the door to the real attack. Designers should insist on high-performance solutions that forward legitimate traffic at full speed, so critical SCADA control systems and critical infrastructure maintain peak availability and performance, even in the midst of a sustained attack.
- Defend your defenses. Multi-pronged Internet attacks that combine “social engineering” or denial-of-service attacks with malicious software are growing more common, and SCADA systems aren’t immune. Control physical as well as electronic access to your security solutions, and make sure they have the backup power, cooling and communications they need for emergencies.
- Use your information. The best Firewall, Intrusion Detection and Prevention, and Access Control systems track security policy violations, and adapt to changing threat environments. One or two failed logins may be a user’s memory lapse; a thousand is an attack. Design your network to tighten access controls automatically during attacks, to defeat multi-prong assaults faster than any administrator can react.
- Use your “eyes on the street.” SCADA security specialists have a powerful support network: utilities, solutions providers, consultants, government agencies and academics all focused on protecting critical infrastructure. Stay away from single-company “proprietary” solutions that can cut you off from the latest innovations in security technology and processes.
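The “use your information” lesson above (a couple of failed logins is a memory lapse, a flood is an attack, and the network should tighten itself before an administrator can react) can be demonstrated with a small monitor. This is an added example, not code from the original article or from any Juniper product. It reads constructed authentication log lines, keeps a sliding five-minute window of failures per source, blocks a source that crosses a threshold, and escalates to a network-wide tightening step once several sources have been blocked, which is the signature of a coordinated multi-prong assault. The log format, thresholds and addresses are all assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> auth: FAILED login user=<name> src=<ip>"
FAILED_RE = re.compile(r"^(?P<ts>\S+) auth: FAILED login user=(?P<user>\S+) src=(?P<src>\S+)$")

WINDOW = timedelta(minutes=5)   # failures older than this no longer count
SOURCE_THRESHOLD = 5            # failures from one source inside the window -> block that source
CAMPAIGN_THRESHOLD = 3          # distinct blocked sources -> tighten access for everyone


class LoginMonitor:
    def __init__(self):
        self.failures = defaultdict(deque)   # src -> timestamps of failures still inside the window
        self.blocked = set()
        self.lockdown = False
        self.actions = []                    # (action, detail) in the order they were taken

    def observe(self, line: str):
        """Process one log line; return the action it triggered, or None."""
        m = FAILED_RE.match(line)
        if not m:
            return None                      # successful logins and unrelated lines are ignored
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        window = self.failures[src]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()                 # forget failures that have aged out

        action = None
        if len(window) >= SOURCE_THRESHOLD and src not in self.blocked:
            self.blocked.add(src)
            action = ("block_source", src)
            self.actions.append(action)
        if len(self.blocked) >= CAMPAIGN_THRESHOLD and not self.lockdown:
            self.lockdown = True
            action = ("tighten_access", "require MFA and restrict remote access until cleared")
            self.actions.append(action)
        return action


def burst(src: str, start: str, count: int):
    """Construct `count` failed-login lines from one source, one second apart."""
    base = datetime.fromisoformat(start)
    return [f"{(base + timedelta(seconds=i)).isoformat()} auth: FAILED login user=admin src={src}"
            for i in range(count)]


# Constructed sample log: one user's memory lapse, three bursting sources, and one slow source
# whose failures are spread out enough that the window never fills.
SAMPLE_LOG = (
    ["2024-05-01T08:00:00 auth: FAILED login user=jsmith src=10.1.1.10",
     "2024-05-01T08:00:20 auth: FAILED login user=jsmith src=10.1.1.10",
     "2024-05-01T08:00:45 auth: OK login user=jsmith src=10.1.1.10"]
    + burst("198.51.100.7", "2024-05-01T08:01:00", 5)
    + burst("198.51.100.8", "2024-05-01T08:01:10", 5)
    + burst("198.51.100.9", "2024-05-01T08:01:20", 5)
    + [f"2024-05-01T08:{minute:02d}:00 auth: FAILED login user=root src=203.0.113.5"
       for minute in (5, 7, 9, 11, 13)]
)


def analyze(lines):
    """Feed every line to a fresh monitor and return it for inspection."""
    monitor = LoginMonitor()
    for line in lines:
        action = monitor.observe(line)
        if action:
            print(f"{line.split()[0]}  {action[0]}: {action[1]}")
    return monitor


if __name__ == "__main__":
    analyze(SAMPLE_LOG)
```

The per-source window keeps the slow source below threshold, so the response stays proportional; the campaign threshold is what turns three separate blocks into the network-wide tightening the lesson calls for.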
Industry standard protocols help avoid disconnected security “islands” that can be singled out for attack. The most robust solutions are the ones backed by the most people. Pick vendors who work closely with the Federal Energy Regulatory Commission (FERC) and security leaders, to move beyond compliance to leadership in protecting critical infrastructure control networks.
SCADA security threats are real, the vulnerabilities significant, and the consequences potentially catastrophic. There is a growing awareness of the challenges and of the need to take immediate steps to adopt protective measures that secure much of the nation’s critical infrastructure.
About the Author: John Yun, a senior product marketing manager for Juniper Networks Services Layer Technologies team, is an industry veteran with more than 15 years of experience in network security, VoIP and wireless communication. Since joining Juniper Networks, he has played a key role in the success of Juniper Networks Intrusion Detection and Prevention products and more recently led the marketing efforts for the Juniper Networks High-end Security Systems firewall and IPS products.