Computer system-based attacks on infrastructure organisations, including electric utilities and power stations, are on the increase. Defending against them requires a holistic approach and a commitment from board level down.
There has been a tenfold increase in successful cyber attacks on process control and SCADA (supervisory control and data acquisition) systems since 2000, according to a 2004 report titled “The Myths and Facts behind Cyber Security Risks for Industrial Control Systems”. Many of the systems attacked were responsible for the operation of critical services including electricity, petroleum production, nuclear power and communications. The report was produced jointly by security experts at the British Columbia Institute of Technology (BCIT) and PA Consulting Group (PA).
Network systems are increasingly under cyber attack
The report noted that industrial control and automation systems have traditionally been seen as immune to external attack, as systems were based on proprietary technologies and isolated from other IT systems. But it said the ten reported cyber attacks in 2003 were likely to be just the tip of the iceberg and industry estimates indicate that between 100 and 500 unreported cyber attacks occur every year.
The situation is being exacerbated by new efforts by the hacker community to specifically target process control and SCADA systems for attack. A recent hacker conference included a demonstration on how to attack a water utility control system. Of those organizations that put a figure on the impact of cyber attacks on their process control and automation systems, 50 per cent experienced financial losses of more than $1 million. In one example, a so-called slammer worm hit the Davis-Besse nuclear power plant in January 2003. The plant and corporate networks were connected to external networks via a firewall, and an SQL slammer worm entered the system because no access control policies were in place. Infected servers on the corporate network left vulnerable ports open and the result was an overloaded network and interrupted server communication.
Analysis shows that the increase in successful industrial cyber attacks is the result of:
- an increasing alignment of process control and corporate IT systems;
- the fact that corporate IT security measures often cannot be applied to process control systems;
- increasingly powerful and malicious cyber threats.
Research was based on data collated in the BCIT Industrial Security Incident Database, dating back to 1981. Results were born out by a separate report from the US General Accounting Office (“Critical Infrastructure Protection,” March, 2004) which said, “there has been a growing recognition that control systems are now vulnerable to cyber attacks from numerous sources, including hostile governments, terrorist groups, disgruntled employees, and other malicious intruders.”
Eric Byres, BCIT researcher, said: “The results were a surprise to us because they indicate that industry has been focusing its security efforts in the wrong direction. The real threat is coming from outside the organization, rather than from within, as most of us originally believed. We can’t just throw in a firewall and hope all our security problems will be solved.”
Gary Sevounts, director of power and energy industry solutions at Symantec, identified several reasons why traditional approaches to managing SCADA cyber security have fallen short. Typically, disparate internal factions have worked independently and security projects have taken a micro view. There has been little coordination of efforts between IT and operations departments and there has been little SCADA cyber security expertize and few cyber security products.
Sevounts also said SCADA systems’ vulnerabilities have been made more exposed because of their increased connectivity to the rest of the world. For example, there is an increasing need to share SCADA information with corporate enterprise networks for various administrative functions. Those systems, in turn, are exposed to the Internet. Through this connectivity, a malicious insider or outside hacker could misuse SCADA controls.
An Internet security threat report published by Symantec in March 2004 describes and compares the vulnerabilities and cyber security challenges that industries face. The report identifies power and energy organizations as being nearly twice as likely to experience a “severe” Internet attack as other industries.
As part of a report prepared for Symantec in May 2004, Battelle Pacific Northwest evaluated security products in a SCADA environment and developed a list of potential vulnerabilities associated with servers used in communication between two utility control centres (or between a utility control centre and another entity). Those vulnerabilities included:
- Denial of service
- Disgruntled employees
- Packet sniffing at ISP/carrier
- Modifying packets
- Unauthorized access to control centre network
Many of these vulnerabilities highlight a reluctance in applying traditional security measures such as patching, authentication, virus scanning, and password management to systems with the precise timing issues required by SCADA systems. Yet, as SCADA systems increasingly connect with other networks and systems, their exposure to threats increases.
According to reports from Symantec, power and energy companies’ approaches to protecting their digital assets within corporate networks and SCADA systems are beginning to change. There are unified information security organizations, corporate-wide information security policies (combined with routine vulnerability audits), incident management programmes, and comprehensive deployments of protection technologies. Some information security providers now also offer SCADA and corporate network assessment services to help utilities evaluate their corporate and SCADA networks and connections, identify vulnerabilities, and offer recommendations.
Increasing connections with external IT systems offer points of attack and adds to system vunerability
Early warning systems, in turn, are available to keep electric utilities alerted to attacks that are occurring elsewhere across the globe and that might affect their corporate or SCADA networks – before those attacks can affect the organization.
But the company said the underlying fact was that a corporation cannot achieve effective information security by tactical deployments. The practice of “cherry picking” individual solutions has proven costly in the context of the business. Instead, the approach must be holistic – and a strategic organizational priority.
Symantec maintains that a comprehensive information security programme should combine the proper mix of people, technology, and processes. For power and energy companies, that programme ideally focuses on these seven priorities:
- Security risk awareness
- Regulatory readiness
- Perimeter security
- Network and host security
- Incident response
- Secure systems management and recovery
- Security strategy and planning
How should power companies and utilities address these priorities with real security measures? There are a number of very practical ways. For example, companies should use internal firewalls to throttle traffic between operational and other corporate networks. They should use VPN to secure communications with remote users and networks. Companies should ensure that operations servers and remote user PCs are compliant with security policy. In addition, they should use intrusion detection to detect misuse/anomalies, and use anti-virus on all systems connecting to the operations network.
When anti-virus, firewall, and intrusion detection solutions are implemented at various internal and external points of the cyber infrastructure, power and energy companies can quickly recognize and stop malicious code and hack attempts.
In the past, corporations within the electric power sector used a highly fragmented, divisional organizational approach for protecting their digital assets within corporate networks and SCADA systems. Now, the industry is showing signs of change.
SCADA systems can be affected by different cyber attacks
In 2002, the United States Department of Energy (DOE) published a list of 21 steps to improve the cyber security of SCADA networks. Of particular importance, according to Symantec, is step 20: “Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance.”
Suppliers have also responded: Symantec is now working with Areva’s T&D division to provide a comprehensive security solution that includes products, services and best practices for SCADA systems in the electric power industry. The tested solution includes Symantec Manhunt Intrusion Detection System, Symantec Gateway Security, Symantec Client Security, and Symantec AntiVirus.
“Interconnection between SCADA environments and corporate networks introduce specific security needs around protocols and applications used that are not addressed by majority of existing cyber security products,” said Brent Broback, security marketing director for AREVA T&D Division. Gary Sevounts added, “The challenge with introducing untested information technology security products into a SCADA environment is that it can cause service interruptions, performance degradations, while still not addressing SCADA specific security needs. We believe this partnership will ease the mounting pressure by providing products, services and best practices for SCADA and corporate environments that have been tested and validated in SCADA environments.”