Net Insecurity Puts Physical Infrastructure at Risk

Of chief concern for nation states dealing with cyber security is the protection of critical electronic infrastructure. Core pieces of that infrastructure are supervisory control and data acquisition (SCADA) systems. These computer systems are used to monitor and control industrial processes, physical infrastructure (such as water treatment or oil and gas pipelines), and facility-based processes (such as airports or seaports). SCADA systems are notoriously insecure and are increasingly becoming accessible via networks. Governments must work with the private sector in order to address security concerns before a major disaster.

Key Conclusions

The vulnerability of critical infrastructure is central to the challenge of international cyber security. Over the last few decades, there have been a number of technological advances that brought efficiency and reliability to service delivery and systems management alike. Today, things as diverse as air traffic control, telecommunications, water sanitation, manufacturing, and power production are all heavily dependent on computer networks and automation in many contexts. Because of the ubiquity and interconnectedness of today’s world, disruptions in these systems can have far-reaching consequences.

Analysis

Supervisory control and data acquisition (SCADA) systems have been a crucial piece of the technological gains in managing complex processes. SCADA systems are software applications used to monitor and control all the interlinking physical tasks that make up industrial processes, infrastructure functionality, and facility operations. SCADA systems control, for instance, the energy grid (both electricity and raw materials) in most modern economies; all aspects of urban water movement from sanitation to distribution; and the transportation infrastructure on air, land, and sea.

For much of their history, SCADA systems have been largely quarantined from the Internet, traditionally communicating over hard-wired networks or low-frequency radio waves. As such, they have been sheltered from the security challenges found in the wider Internet ecosystem. But as the operations controlled by SCADA systems have become interlinked with broader organizational operations, they have become increasingly linked to Internet-facing organizational networks.

However, SCADA software often lacks the necessary security to ward off potential attackers. For instance, researchers recently uncovered and published a striking 147 “zero-day” (previously unknown) vulnerabilities in SCADA systems.

SCADA vulnerabilities can be of two types. The first is direct access to software. This can be a human-machine interaction, akin to direct sabotage, or malicious code introduced to the host machine. One of the most egregious examples was highlighted by Blake Cornell at the ICCS conference in February. If an administrator attempts to change system passwords and includes an unsupported character, the password reverts to the default admin password of “100” without notifying the user.

The second category of vulnerability involves unauthorized access to the networks that are now connected to many SCADA systems. Because SCADA systems have not historically communicated directly with networks, there is very little or no security on the network-facing aspects of the software. In many cases, if you can send information packets to the SCADA machine, you can control it. In other words, if you own the network, you own the device.

This lack of security was recently brought into stark focus. A trio of posts (see here, here and here) on pastebin.com, a text-sharing web application popular with programmers and hackers, listed misconfigured SCADA webservers and ports found via a web search using the term “:|slot:/”; no skilled hacking was needed. Hackers affiliated with the collective Anonymous also leaked a number of Israeli government login credentials. The leak has since been removed from Pastebin, but the posters claimed that some of these credentials would give access to government SCADA systems.

SCADA attacks are not unprecedented. In January 2000, a disgruntled ex-employee attacked the sewage control system of Maroochy Shire, causing pumps, valves, and alarms to fail and sewage to flow into a tidal canal. In 2003, the SCADA system of the Davis-Besse nuclear power plant in Ohio was infected with the Slammer worm, which disabled the safety monitoring system and the process computer for almost 6 hours. And, of course, there is the 2010 Stuxnet virus, which is widely believed to be responsible for creating stumbling blocks for the Iranian development of the Natanz and Bushehr reactors.

There is a range of possible solutions for nation states to defend against these types of attacks; none of them are cheap or easy. Researchers have suggested endpoint-to-endpoint authentication and authorization. This is the type of security often provided by in-device cryptographic techniques.

Others have suggested using the Payment Card Industry (PCI) as a model. PCI standards were created to protect credit card users' personal information and dictate penetration testing, source code review, and strong cryptography. Penetration testing assesses and monitors the SCADA system's vulnerabilities and reports system weaknesses that would allow access to hackers. Companies prevent attacks by using third-party programmers to review the SCADA system source code; these outside programmers verify and test the operations.

At the bare minimum, system administrators need to take steps to properly configure firewalls to protect SCADA systems. Whatever approach governments choose to take, they must do so soon; this problem is not going away.

Chris Perry is a Senior Policy Analyst at the International Peace Institute