Tuesday, September 15, 2015

SCADA/Control System Security

Control System Security Overview

Control systems monitor and control industrial infrastructure and facilities, including electric, water, and oil and gas pipelines, among others. The type of system implemented depends on the needs of the facility, in particular whether it requires constant measurement or simple notification.

Types of Control Systems

Distributed control systems (DCS) are geographically local control systems used in power generation facilities, refineries and water treatment plants. A DCS provides constant feedback on system status to engineers via analog input/output (I/O). Engineers can then make adjustments as required. For example, a DCS can be set up to issue alarms when a subsystem reaches a certain predetermined temperature.
Programmable logic controllers (PLCs) are also geographically local control systems that, unlike DCSs, use discrete input, which is, in simplest terms, on or off. PLCs are used on assembly lines and in industrial facilities. For example, a PLC may be used to alert an operator that assembly of a car component has completed. Like DCSs, PLCs use high-speed communications.
Supervisory Control and Data Acquisition (SCADA) systems, unlike DCS- and PLC-controlled systems, are more widely distributed. SCADA is essentially a system in which data is collected from a system in order to control it. Utilizing Local Area Networks (LANs), SCADA installations can cover hundreds or thousands of miles. They are used in water utilities, oil and gas pipelines and electric utilities, among others. The components of a SCADA system are SCADA control centers and the systems that they monitor. Control centers constantly monitor other systems or field sites, collecting data and keeping track of system status. If an event occurs, the control center can trigger an alarm, alert an operator, or take whatever other action it is designed to take in response to the event.
Energy management systems are a type of SCADA system designed to monitor and control power systems. They are generally connected to the SCADA LAN.

Brief History of Control Systems

Prior to the 1990s, control systems were largely isolated networks whose main ‘security’ concern was physical. The systems were mostly closed-loop networks that relied upon system-to-system communication. As the year 2000 approached, industry leaders realized they needed to prepare for potential year 2000 (Y2K) issues. As these improvements were made, the industries also began to recognize the cost benefits of interconnecting systems and attached them to networked computer systems. Systems that had been mainly stand-alone were now being connected to corporate networks so that decision makers could get feedback in real or near-real time. The approach did improve efficiency, but it also introduced vulnerabilities that did not previously exist.

Threats to Control Systems

Being in a more open environment has exposed control systems to the same vulnerabilities that were initially faced in Information Technology (IT). However, control systems usually run on much older technology that has not been ‘hardened’ over time as IT systems have. This lack of maturity leaves them open to vulnerabilities that have long been solved in IT systems. Attempting to apply IT safeguards to control systems can have adverse effects. For example, port scanning, commonly used to find open ports on a network, can freeze PLCs. Additionally, there is a lack of knowledgeable resources available to tackle the control system cyber security issue, with most of those coming from the IT world.

An attempt has been made at protection standardization. The North American Electric Reliability Council (NERC) created the Critical Infrastructure Protection standards to address the issue. However, many aspects of the standard are too liberal, allowing individual organizations to decide what was critical and what was not. This lack of rigorously applied standards leaves at risk not only an organization's own systems, but also any systems that interface with that organization's self-identified non-critical components.
