SCADA and ICS: combating the security risk

SCADA and ICS technology that supports critical national infrastructure (CNI) is ageing. But it is also becoming more connected, opening it up to new threats. How do we minimise the risk of these CNI systems being breached?

By Tim Ferguson

Critical national infrastructure (CNI) is what keeps modern society functioning. The services it provides — electricity, water, communications and transport — can be taken for granted, but if they’re interrupted, the implications are huge, potentially affecting millions of people.

Think of the impact of a power cut at home, and scale that up to hundreds or even thousands of businesses and public services that would be forced to stop operating if an element of CNI fails.

Physical security of plants and assets has long been a focus for CNI. And in the context of modern global terrorism, which has the potential and means to attack airports, power plants and water treatment facilities, this remains important.

But cybersecurity has often been less of a priority than physical security, meaning industrial control systems (ICS) that sit at the heart of much CNI, such as supervisory control and data acquisition (SCADA), aren’t always as secure as they could be.

That is worrying for the security of CNI given recent research by the Centre for Economic and Business Research and Opinium that found 56 per cent of utilities respondents think their IT system security may be compromised within a year – higher than any other sector.

And attacks are taking place. Ireland’s electricity transmission grid EirGrid, for example, was attacked in 2017 by what was believed to be state-sponsored hackers. Symantec provided further evidence of the scale of the threat facing CNI organisations, when it reported in September 2017 that Russian-linked hacker group Dragonfly had penetrated power grid networks in the US and Europe.

These high-level ICS and SCADA systems within CNI oversee and coordinate the running of plants and machinery and have the ability to control large-scale processes across multiple sites and large distances. They connect with other controllers to monitor processes and issue commands and were designed primarily for reliability, safety and uptime, rather than security.

Historically, SCADA systems were fairly isolated and unconnected, but this is changing. It’s now common for them to link with other corporate networks and the internet as CNI providers look to generate efficiencies and enable new services.

In addition, SCADA systems often use legacy operating systems that haven’t been updated to cope with more modern cyber threats. They often lack basic security practices such as regular patching, antivirus, back-ups, network filtering and access control, making them vulnerable to attack. And as they are embedded in critical tasks and have complex change control processes, it’s also difficult to update or replace them.

Perimeter protection can help make SCADA and ICS more secure, but with cyber threats becoming increasingly sophisticated and fast-moving, attackers will find a way through even these defences if they feel the target is worth the effort.

Assuming that security compromises will happen, it’s good practice for CNI providers to make use of real-time network monitoring and forensics to ensure all activity within the network is monitored.

With numerous legacy and embedded systems generating data that often ends up in separate silos, data lakes can also help by storing a range of data in different formats and giving access to analytics tools that support machine learning and automation.

This will support user and entity behaviour analytics (UEBA), which detects and responds to intrusion attempts and unusual behaviour from employees or partner organisations. For example, a user could be accessing information in larger quantities than normal, or for an area of work that they don’t normally deal with. While this may be innocent behaviour, it may also indicate that the account has been compromised or is in collusion with attackers. ICS installations also tend to perform predictable activity, so unusual patterns of behaviour can be detected more easily.

Once these anomalies have been detected, CNI organisations must then respond to them. This is where security information and event management (SIEM) can play a key role, by flagging and prioritising activity for further investigation by security analysts and automating the containment of threats.

If, for example, the temperature in a section of pipeline appears to be increasing, the situation needs to be investigated further to determine whether it’s a real problem or spoofed data generated by an attacker to interrupt supply.

The latest SIEM technology also provides the means to deal with hundreds of different technologies logging data and creating audit trails — something that is particularly relevant for ICS and SCADA. SIEM can translate a huge range of machine data — such as error codes — into a standardised language, enabling analysts to identify even the most unusual cyber threats.
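As an added illustration (not from the article), here is a small Python model of the SIEM-style pipeline described above: two constructed telemetry formats are normalised into one schema, readings are scored against a per-segment baseline, and the two independent sources are cross-checked so that a pipeline temperature jump reported by only one source is flagged as possible spoofed data rather than as a physical event. The log formats, source names and thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed telemetry (not real plant data): a PLC and a historian report the
# same pipeline segment in two different formats, as a SIEM would receive them.
RAW_EVENTS = [
    "2024-03-01T10:00:00Z plc7 TEMP=51.2 UNIT=C SEG=pipe-12",
    "2024-03-01T10:00:00Z,pipe-12,historian,51.0",
    "2024-03-01T10:05:00Z plc7 TEMP=51.4 UNIT=C SEG=pipe-12",
    "2024-03-01T10:05:00Z,pipe-12,historian,51.3",
    "2024-03-01T10:10:00Z plc7 TEMP=50.9 UNIT=C SEG=pipe-12",
    "2024-03-01T10:10:00Z,pipe-12,historian,51.1",
    "2024-03-01T10:15:00Z plc7 TEMP=79.8 UNIT=C SEG=pipe-12",  # only the PLC jumps
    "2024-03-01T10:15:00Z,pipe-12,historian,51.2",
    "2024-03-01T10:20:00Z plc7 TEMP=80.5 UNIT=C SEG=pipe-12",  # both sources agree
    "2024-03-01T10:20:00Z,pipe-12,historian,80.1",
]
PLC_RE = re.compile(r"^(\S+) (\S+) TEMP=([\d.]+) UNIT=C SEG=(\S+)$")

def normalise(line):
    """Translate either format into one schema: ts, segment, source, temp_c."""
    m = PLC_RE.match(line)
    if m:
        return {"ts": m[1], "source": m[2], "temp_c": float(m[3]), "segment": m[4]}
    ts, seg, src, temp = line.split(",")
    return {"ts": ts, "segment": seg, "source": src, "temp_c": float(temp)}

def analyse(lines, baseline_n=6, z_limit=4.0, agree_tol=2.0):
    """Score readings against a per-segment baseline built from the first
    baseline_n readings, and cross-check independent sources so a jump seen
    by one source only is reported as suspect data, not as a physical event."""
    by_key = defaultdict(dict)  # (segment, ts) -> {source: temp_c}
    for ev in map(normalise, lines):
        by_key[(ev["segment"], ev["ts"])][ev["source"]] = ev["temp_c"]
    history, alerts = defaultdict(list), []
    for (seg, ts), readings in sorted(by_key.items()):
        if len(history[seg]) < baseline_n:
            history[seg].extend(readings.values())
            continue
        mean = statistics.mean(history[seg])
        sd = max(statistics.pstdev(history[seg]), 0.5)  # floor to avoid noise alerts
        temps = list(readings.values())
        if max(temps) - min(temps) > agree_tol:
            alerts.append((ts, seg, "sources disagree: possible spoofed or faulty data", readings))
        elif any(abs(t - mean) / sd > z_limit for t in temps):
            alerts.append((ts, seg, "corroborated out-of-baseline temperature", readings))
    return alerts
```

Calling `analyse(RAW_EVENTS)` returns two alerts: the 10:15 reading is reported as a source disagreement to be investigated as possible spoofed data, while the 10:20 reading, where both sources agree, is reported as a genuine out-of-baseline temperature.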

Implementing fit-for-purpose security technology on ageing ICS and SCADA systems isn’t without its challenges, but the technologies now exist to ensure that their vulnerabilities can be addressed. And the potential consequences of failing to protect them adequately could be huge, not just for operators but for citizens, and even national economies.