SCADA Security: Stuxnet, Conficker, and Flame, Oh My!!

SCADA systems provide water utilities with an indispensable tool for managing distributed assets. By implementing a set of best practices, water utilities can protect their industrial control systems and minimize the likelihood of a security breach.

Cyber intrusions fall into two types, malicious and non-malicious, and most utilities are chiefly concerned about the malicious intrusion that impacts the system.  These threats tend to come from five groups: nation states, global terrorists, disgruntled insiders (mostly contractors and employees), local entities with a political agenda against the utility, and hobby hackers.

Of these five, two can be eliminated quickly for most systems.  Global terrorists want press coverage and shock value and will most likely target large municipalities.  Nation states target systems with specific strategic value.  These two groups might concern some utilities, but most only have to worry about the last three types.  One caveat: commodity worms such as Conficker spread indiscriminately once loose, so a small utility can still be hit as collateral damage even when it is nobody's target, and the mitigations below apply regardless.

Hobby hackers usually look for unprotected systems and are often deterred by basic security measures, so they rarely pose a significant threat to utilities.  Local entities with a political agenda, however, will actively look for ways to exploit your system and do pose a risk.  Often it is easier for them to exploit a physical or procedural weakness than to write custom malware and get it onto your system.  Of the five usual suspects for malicious cyber intrusion, the biggest risk is the disgruntled insider.  The trouble here is that insiders need intimate access to accomplish their jobs, making this the hardest group to handle.

The other type of cyber intrusion, non-malicious, comes from someone who accidentally crashes a system.  Examples range from a backhoe operator who digs up a network cable to an employee loading a memory-intensive game onto a SCADA computer.  It is estimated that as much as 80 percent of system problems fall into this non-malicious category.  These are comparatively easy to mitigate, and many of the same techniques that prevent non-malicious incidents will also hinder malicious groups from entering a system.

Now that we have discussed the groups that threaten a system, let’s discuss ways to thwart their efforts.

Cyber Security Plan

Proper cyber security requires a well-developed plan.  The plan must be designed to cover the real threats a utility faces, not the ones driven by mainstream media.  It also needs to be a living, documented plan that is flexible enough to adapt as threats change.

The plan should be the first document consulted when a new threat is discovered, so that the response can be determined quickly.  At a minimum, a good plan will cover the following four overlapping categories:

Physical Security

Physical security might seem obvious, but it is often overlooked in utilities and other industrial facilities.  Every control panel in a facility should be padlocked: locks primarily protect against non-malicious incidents, but by keeping untrained staff out of energized enclosures they also reduce arc flash exposure.

Most SCADA operators need only a keyboard, mouse, display and printer.  Utilities should therefore isolate SCADA computers and servers: keep them in a locked room or cabinet and disable or block any port that an operator does not need.  The intent is to prevent anyone from introducing malware or memory-intensive programs from USB sticks, discs or media cards.
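As an added example of what "isolating" a workstation looks like in configuration terms (this script is not from the original article), the PowerShell below audits a Windows SCADA/HMI workstation for two documented removable-storage controls and can apply them.  Conficker, named in the title, travelled between machines on USB sticks via autorun, which is exactly the path these settings close.  The registry paths and values are Microsoft's documented ones (the USBSTOR driver start type and the "All Removable Storage classes: Deny all access" policy); the script name and the -Enforce switch are this example's own.  It assumes it is run as Administrator on Windows 7 / Server 2008 R2 or later.

```powershell
# Block-RemovableStorage.ps1  (added example, not part of the original article)
# Audits and, with -Enforce, applies a "no removable storage" configuration
# on a Windows SCADA/HMI workstation.  Assumes an elevated (Administrator) session.
#
# Two independent controls are checked:
#   1. USBSTOR driver start type: 3 = enabled (Windows default), 4 = disabled.
#   2. Policy "All Removable Storage classes: Deny all access": Deny_All = 1.
[CmdletBinding()]
param(
    [switch]$Enforce   # default is audit-only; pass -Enforce to write the hardened values
)

$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-RemovableStorageState {
    # Read both values; a missing value comes back as $null rather than an error.
    $start = (Get-ItemProperty -Path $usbstorKey -Name Start    -ErrorAction SilentlyContinue).Start
    $deny  = (Get-ItemProperty -Path $policyKey  -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    [pscustomobject]@{
        UsbStorStart   = $start            # 3 = weak/default, 4 = hardened
        DenyAllPolicy  = $deny             # $null or 0 = not set, 1 = hardened
        UsbStorBlocked = ($start -eq 4)
        PolicyBlocked  = ($deny  -eq 1)
    }
}

function Set-RemovableStorageBlocked {
    # Weak (default) state:  USBSTOR Start = 3 and no Deny_All policy value.
    # Hardened state:        USBSTOR Start = 4 and Deny_All = 1.
    Set-ItemProperty -Path $usbstorKey -Name Start -Value 4 -Type DWord
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $policyKey -Name Deny_All -Value 1 -Type DWord
}

$before = Get-RemovableStorageState
Write-Output ("USBSTOR Start={0} (blocked: {1}); Deny_All={2} (blocked: {3})" -f `
    $before.UsbStorStart, $before.UsbStorBlocked, $before.DenyAllPolicy, $before.PolicyBlocked)

if ($Enforce) {
    Set-RemovableStorageBlocked
    $after = Get-RemovableStorageState
    Write-Output ("After enforcement: USBSTOR blocked={0}; policy blocked={1}" -f `
        $after.UsbStorBlocked, $after.PolicyBlocked)
} elseif (-not ($before.UsbStorBlocked -and $before.PolicyBlocked)) {
    Write-Warning 'Removable storage is NOT fully blocked on this host. Re-run with -Enforce to apply.'
}
```

Run it without arguments during an audit walk-through and with -Enforce to harden a host; already-attached drives are not ejected, so reboot or unplug and re-insert to confirm.  Two caveats a practitioner will want: disabling USBSTOR only affects the mass-storage class, so a malicious device that presents itself as a keyboard still works, which is why the locked cabinet and port blockers above remain necessary; and on a domain-joined machine the Deny_All value under the Policies key will be overwritten at the next Group Policy refresh if a GPO configures that setting, so set it through Group Policy there rather than locally.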