The word SCADA may mean little to you at first glance, but this apparently innocuous acronym denotes one of the UK's most crucial analytics tools, one which keeps the country moving by ensuring our nuclear power plants, our airports and our weapons caches continue to run smoothly.
SCADA systems, or, to give them their full name, Supervisory Control and Data Acquisition systems, use a series of codes to relay messages from sensors to central terminals when a fault occurs, and ensure the fault is analysed immediately. As well as the aforementioned facilities, they are used to control manufacturing plants, oil and gas pipelines, recycling stations, wastewater treatment works... pretty much any public facility, in truth.
Many of these SCADA and ICS (Industrial Control System) installations were built decades ago, when cyber security was not yet an issue. But now they are being hacked with ever-increasing regularity; according to the 2015 Dell Security Annual Threat Report released this week, the number of attacks in 2014 was 100% up on the previous year.
Most of these attacks occurred in Finland, the United Kingdom, and the United States, probably due to the fact that in these countries SCADA systems are more likely to be connected to the Internet. Furthermore, many of them received little or no media coverage.
"Since companies are only required to report data breaches that involve personal or payment information, SCADA attacks often go unreported," said Patrick Sweeney, executive director, Dell Security, when discussing the issue. "This lack of information sharing, combined with an aging industrial machinery infrastructure, presents huge security challenges that will continue to grow in the coming months and years."
Given the obvious strategic importance of the facilities controlled by SCADA systems, the hacks are often politically motivated and backed by foreign state actors with motives such as industrial espionage or military sabotage.
Because these systems predate cyber security as a concern, retrofitting defences onto them is a major task, and their critical nature means that downtime for system upgrades is virtually impossible.
However, there are several key measures which could be introduced to reinforce our SCADA defences. Many of them are extremely simple, yet they would make the task of compromising our core systems much more difficult.
Here are five of the measures we would like to see introduced:
#1 Air-Gap Systems: Since many SCADA systems do not include cyber security controls, it is important to physically separate these systems from the Internet and the corporate network. If the systems are connected to the network, strong firewalls, intrusion detection systems and other security measures must be put in place to protect against unauthorised intrusion.
#2 Avoid Default Configurations: Avoid using default configurations on network and security appliances. Factory passwords must be changed immediately and a system of strong passwords and regular password updating should be enforced.
#3 Apply USB & Portable Device Security: Since air-gapped systems are not connected to the network, often the only way to bring files in and out of the SCADA system is by using portable media such as USB drives or DVDs. As key attack vectors for air-gapped networks, it is very important to deploy a portable media security system that thoroughly scans portable devices for any threats before they are allowed to connect to the secure SCADA network.
#4 Defend Against Advanced Persistent Threats (APT): Attacks are becoming more and more sophisticated, with malware lying in wait undetected for a long period of time. It is important to fight APTs at different levels; not only trying to prevent APTs entering the network, but also detecting APTs that have already gained entry.
An effective way to detect APTs is to use a multi-engine anti-malware scanner that scans files with multiple anti-virus engines, using a combination of signatures and heuristics, and is therefore able to detect more threats. In addition, technologies such as data sanitisation can prevent zero-day and targeted attacks that may be missed by anti-malware engines, by converting files to different formats and removing any possible embedded threats and scripts.
Devices should be continually monitored for any abnormal activity and files on the network should be continually scanned with multiple anti-virus engines; a threat that was previously not detected could be found by an updated signature database.
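As an added illustration of the data sanitisation idea in #4 (example code written for this page, not code from the article or from OPSWAT), the Python sketch below rebuilds an OOXML (Word) archive without its macro part, deletes the relationship and content-type entries that pointed at it, and re-labels the result as a plain .docx. The list of "active" part names and the sample archive are assumptions constructed for the demo.

```python
import io
import re
import zipfile

MACRO_MAIN = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
# Part names that carry executable content; this list is assumed for the demo, not exhaustive.
ACTIVE_PART = re.compile(r"vbaProject\.bin$|/activeX/|/embeddings/|\.bin$", re.IGNORECASE)
# Self-closing <Relationship .../> or <Override .../> elements; group 3 is the part they point at.
REF = re.compile(rb'<(Relationship|Override)\b[^>]*?(Target|PartName)="([^"]*)"[^>]*/>')

def sanitise_docx(data: bytes):
    """Rebuild an OOXML archive without active parts; returns (clean_bytes, dropped_part_names)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    dropped = [n for n in src.namelist() if ACTIVE_PART.search(n)]
    dropped_base = {n.rsplit("/", 1)[-1] for n in dropped}  # basename match is enough for the demo
    def drop_ref(m):  # delete any relationship or content-type override that points at a dropped part
        return b"" if m.group(3).decode().rsplit("/", 1)[-1] in dropped_base else m.group(0)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in dropped:
                continue  # the blob itself never reaches the output archive
            body = src.read(name)
            if name.endswith(".rels") or name == "[Content_Types].xml":
                body = REF.sub(drop_ref, body)
            if name == "[Content_Types].xml":  # format conversion: macro-enabled .docm -> plain .docx
                body = body.replace(MACRO_MAIN, PLAIN_MAIN)
            dst.writestr(name, body)
    return out.getvalue(), dropped

def parts_of(data: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(data)) as z:  # part name -> bytes, for inspecting a result
        return {n: z.read(n) for n in z.namelist()}

def build_sample_docm() -> bytes:
    """Constructed minimal macro-enabled archive for the demo; not a real Office document."""
    parts = {
        "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" ContentType="' + MACRO_MAIN
            + b'"/><Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
        "word/document.xml": b"<w:document><w:body><w:p>Pump 3 pressure log</w:p></w:body></w:document>",
        "word/_rels/document.xml.rels": b'<Relationships><Relationship Id="rId1" Target="vbaProject.bin" '
            b'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject"/><Relationship Id="rId2" '
            b'Target="styles.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"/></Relationships>',
        "word/styles.xml": b"<w:styles/>",
        "word/vbaProject.bin": b"\x00\x01CONSTRUCTED-MACRO-BLOB",
    }
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

The output keeps the document text and the legitimate styles relationship while the macro blob and every reference to it are gone, which is the whole point of sanitising rather than merely scanning.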
#5 Perform Penetration Testing: Regular penetration testing and vulnerability assessments, if possible conducted by a third party, are very helpful to get realistic input on the current security level and shed light on which areas still need additional security precautions.
The above measures, along with employee awareness training and continuous evaluation, will significantly boost the security of critical infrastructure systems.
Deborah Galea is a manager at software management firm OPSWAT.