The Increasing Threat to Industrial Control Systems/Supervisory Control and Data Acquisition Systems

23 03 2013

This blog has previously discussed Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition Systems (SCADA) here and again here in November 2012.  Recently, ICS-CERT has released several bulletins that have spelled out trends and numbers showing an increase in the threats to ICS.

How much is the threat increasing?

ICS-CERT noted that in Fiscal Year (FY) 2012 (10/1/2011-9/30/2012) they “responded to 198 cyber incidents reported by asset owners and industry partners” and “tracked 171 unique vulnerabilities affecting ICS products”(ICS-CERT Operational).  This is an approximately five-fold increase over the number of incidents reported in FY2010 (41) (ICS-CERT Incident).

Why is the threat increasing?

While some of this sharp increase may be attributable to ICS-CERT beginning operations in FY2009 (ICS-CERT Incident) and an associated delay in the industry being made aware of this resource, it is likely that there has been an increasing number of ICS cyber incidents for the following reasons:

1)  “Many researchers” have “begun viewing the control systems arena as an untapped area of focus for vulnerabilities and exploits” and are using “their research to call attention to it.” (ICS-CERT 2010)

2)  Availability of search engines such as SHODAN that are tailored to assist operators, researchers (and attackers) in identifying internet-accessible control systems (ICS-ALERT-12-046-01A)

3)  Increased interest by hacktivists and hackers in ICS (ICS-ALERT-12-046-01A)

4)  Release of ICS exploits for toolkits such as Metasploit (ICS-ALERT-12-046-01A)

5)  An increased interest by attackers, possibly associated with foreign governments, in obtaining information regarding ICS and ICS software, for example stealing information related to SCADA software (Rashid) or, in the case of Stuxnet, attacking ICS to damage or shut down the controlled hardware (Iran).

Why are ICS networks still so insecure?

Some responsibility for the state of ICS security should be attributed to the primacy of Availability in the minds of ICS operators when evaluating the Confidentiality-Integrity-Availability triad.  This leads to long periods of time between declared outage windows in operations and thus an extended period of time before new hardware or network security can be put in place.  However, it should be noted that ICS insecurity can itself lead to or extend outages, such as the recent failure to restart operations on time seen at a power generating facility due to an infection of the control environment by a virus on a thumb drive (Virus).  In this instance, availability of the plant was impacted by a security event that extended the planned outage by approximately three weeks (Virus).

How can ICS operators increase security?

With this in mind, it is imperative that ICS operators begin or continue to treat increased security of ICS IT operations seriously, and factor increasing security into their procurement and redesign plans.  Failure to do so can lead to increased outages or damage to operating equipment (see Stuxnet).  The good news is that there are security practices that can be put in place in the (hopefully) tightly controlled ICS environment that may not work in the comparatively more free-wheeling office network, including application white-listing (ICS-TIP-12-146-01B).  As many ICS vendors recommend against applying routine operating system patches, white-listing may assist in preventing the execution of malicious code introduced into the environment (ICS-TIP-12-146-01B).

Other possible security controls that ICS operators should consider implementing include those suggested by ICS-CERT (ICS-TIP-12-146-01B):

Network Segmentation – With the increasing frequency of taking formerly air-gapped control networks and connecting them to corporate networks and the internet, it is increasingly important that appropriate security measures be put in place to segment the control network as much as possible from more general-purpose networks (ICS-TIP-12-146-01B)

Role-Based Access Controls – Granting access by job role rather than user by user decreases the likelihood that an employee is given more access than their job function requires, and makes that access easier to manage (ICS-TIP-12-146-01B)

Increased Logging and Auditing – Incident response, remediation, and recovery (including root cause analysis) in the control network requires that detailed logs be kept and available (ICS-TIP-12-146-01B)

Credential Management (including strict permission management) – Where possible, centralized management of credentials should be implemented to ensure that password policy and resets can be performed more easily.  This centralized management will also ensure that superuser/administrator accounts are tracked and can be more easily disabled if needed (ICS-TIP-12-146-01B)

Develop an Ability to Preserve Forensic Data – Much like logging, the ability to preserve forensic data is important to allow for root cause analysis and, if the event is malicious in nature, identification and prosecution of the intruder/malicious actor.  This includes the ability to capture volatile data such as network connectivity or dynamic memory in addition to the more traditional forensics of hard drives. (ICS-TIP-12-146-01B)


“ICS-ALERT-12-046-01A—(UPDATE) Increasing Threat To Industrial Control Systems.” Industrial Control Systems Cyber Emergency Response Team, 25 October 2012. Web. 28 January 2013.

“ICS-CERT – Operational Review Fiscal Year 2012.” ICS-CERT Monitor. Industrial Control Systems Cyber Emergency Response Team, n.d. Web. 28 January 2013.

“ICS-CERT Incident Response Summary Report.” Industrial Control Systems Cyber Emergency Response Team, n.d. Web. 28 January 2013.

“ICS-CERT – 2010 Year In Review.” Industrial Control Systems Cyber Emergency Response Team, January 2011. Web. 28 January 2013.

“ICS-TIP-12-146-01B—(UPDATE) Targeted Cyber Intrusion Detection And Mitigation Strategies.” Industrial Control Systems Cyber Emergency Response Team, 22 January 2013. Web. 28 January 2013.

“Iran Confirms Stuxnet Worm Halted Centrifuges.” CBS News, 29 November 2010. Web. 2 February 2013.

“Virus Infection At An Electric Utility.” ICS-CERT Monitor. Industrial Control Systems Cyber Emergency Response Team, n.d. Web. 28 January 2013.

Rashid, Fahmida Y. “Telvent Hit by Sophisticated Cyber-Attack, SCADA Admin Tool Compromised.” Security Week. Wired Business Media, 26 September 2012. Web. 2 February 2013.

Are SCADA Systems Secured?

11 04 2012

Prior to a few years ago, I had no knowledge of a SCADA (Supervisory Control and Data Acquisition) system.  How are powerhouses, water treatment plants, gas pipelines, wastewater treatment plants, pump stations, and other mechanical systems maintained in a plant, an area, or within a country?  I didn’t have a need to know, nor did I care.  SCADA systems are the brains, or backbone, of the mechanical infrastructure in a plant.  Maintenance engineers use the system as a supervisory tool for pumps, HVAC systems, nuclear plants, water flow systems, fans, turbines, generators, etc.  As an IT manager, I soon learned the importance of these systems and how to support and protect the maintenance systems by protecting the plant’s SCADA system.

SCADA systems are not limited to company plants; they are used to maintain mechanical systems for cities, states, or even countries. On that larger scale, the risk of an attack on SCADA systems becomes tenfold more dangerous, and the effect could be some form of catastrophe.

How Attacks Occur and Examples

A SCADA system is an industrial control system. The components of a networked SCADA system consist of a main computer system that stores and processes data, with a web-based interface. The HMI (human machine interface) and computer give the operator or engineer the ability to input, monitor, and manipulate the system.  Data is gathered from the mechanical devices through a remote terminal such as a PLC (programmable logic controller) and sent to the server.  The use of SCADA systems has grown over the years.  North America, Africa, Europe and the Middle East are the biggest consumers of SCADA systems.  Analysts believe the use of SCADA systems will continue to grow at 10 percent for the next five years, which increases the risk of SCADA attacks globally. (1)  SCADA systems range from a tool for turning pumps on and off in a water treatment facility to controlling spacecraft for the government.  It is a powerful tool used by many organizations, from small companies to the government, who depend on IT to support and maintain their SCADA systems.  Of the three cornerstones of IT security, CIA (confidentiality, integrity and availability), integrity and availability are the most critical to a SCADA system.  Because of the kinds of systems managed through SCADA, engineers and maintenance employees rely on the information they obtain being accurate and available.  Any tampering with data could result in the wrong decision about turning devices within the system on or off.  Also, during a crisis or a non-crisis moment, the information must be available.  It is extremely hard to make a decision based on no data.

It is believed that the infrastructure of SCADA systems is vulnerable to attack.  The attack can come from an internal as well as an external point.  Downsizing within corporations has brought on a high number of disgruntled employees and ex-employees.  An internal attack could result from changes made to the system through personal computers or PLC interfaces; a disgruntled employee can change settings, turn off motors or pumps, or implant a virus or worm.  External attacks can occur through the hacking of weak passwords, phishing attacks against hardware, entry through supplier back-door access that has been left enabled, or through control-system modems installed to allow remote users access.  For example, the US government reported in December 2011 that a railroad system had experienced a cyber attack. (2)  Railroad cars were delayed on several lines, which increased the risk of crossed lines and a potential railway collision.  The incident was the result of external hacking into the railroad’s SCADA system.

Methods to Prevent

To reduce attacks on SCADA systems, Information Technology departments will need to increase the security protection of the system.  Information Technology departments will need to enforce rules requiring users to create strong passwords that must be changed every 30 days.  Restrict remote access to the SCADA system to a secure IP VPN and remove access modems.  Web servers fronting the SCADA system should be placed behind firewalls to provide protection from hackers on the internet.  In addition, employ a DMZ buffer, or routers and firewalls, to create a separation between the SCADA system and the rest of the corporate network. (3)  Using a combination of the available security measures will reduce the potential for an attack.


With the improvement of technology, the management of railroad systems, gas pipelines, water cooling systems, wastewater treatment facilities, and other systems has migrated to SCADA systems.  There are several manufacturers that produce SCADA systems, such as Square D, Modicon, Siemens, Iconics, and CSWorks.  As the use of SCADA systems increases, the market of SCADA manufacturers increases as well.  Not all SCADA systems are created with the same level of security, so the buyer must be aware of the risks that exist.  SCADA systems have been and will continue to be targets of attackers.  However, the Information Technology department can work with the maintenance groups to deploy a system that provides a higher level of protection from internal and external attacks.  SCADA systems control many vital systems globally; it is up to IT departments to mitigate the risk of possible attacks as much as possible.  Even the smallest of attacks can wreak havoc on many.  No one wants to be the organization that’s been hacked.


(1) “The Increased Threat of Attacks on SCADA Systems,” Kevin Coleman, released November September 26, 2011

(2) “Reports of a possible cyber-attack against a rail company highlight the issues of protecting industrial control systems that keep the country’s critical infrastructure running,” Fahmida Rashid, released January 26, 2011

(3) “Securing integrated Scada systems against cyber attacks,” Paul Hurst, released April 9, 2009

“SCADA Systems”

The dynamics of information security in industrial control systems

5 10 2011

by Zeal P. Somani

Anyone who followed the news last summer would agree that one of the biggest cyber-attacks in recent times to shock the information security community was the malware [i]“Stuxnet”, which affected Siemens control systems running on Microsoft Windows. It was the first of its kind to target an industrial control system and compromise a PLC (Programmable Logic Controller), a programmable device controlling different critical processes (pressure valves, water levels, temperature controls) in an industrial environment. It exploited four zero-day Windows vulnerabilities. Hence one can conclude that a paradigm shift in information security for critical infrastructures has taken place.

Risk Drivers

Briefly introducing the subject: Industrial control systems (ICS), or SCADA (Supervisory Control And Data Acquisition) systems, are core to the major critical infrastructures within a country, such as energy systems (nuclear, coal and renewable power plants, power grids), oil and gas (pipelines, rigs, extraction facilities), manufacturing and production, and metals and mining. These systems have undergone a massive change in their design and the way they communicate in the past decade. To support the real-time needs of business, and with the rise of eCommerce, they are largely integrated with enterprise IT systems; e.g. the amount of oil extracted is fed in real time to the marketing department of an oil and gas major engaged in the exploration, production and marketing of crude oil. With the rise of modern IT and pervasive business needs, these systems are not spared from infected portable devices (USB sticks, disks, hard drives, etc.). They are no longer sacrosanct, so the concept of “security through obscurity” no longer applies.

C.I.A. vs. A.I.C.

One of the biggest challenges with ICS is that the CIA (Confidentiality, Integrity, Availability) triad gets inverted, because the goal of these systems is to keep the critical process available for its full uptime. Unfortunately very few IT and IT security folks understand this difference and hence end up failing to secure these systems. For example, a penetration test on an ICS is not a good choice of detective control: it can adversely hamper a critical system, making it enter an infinite loop. A better strategy is a non-invasive identification and assessment of threats and the resulting risk posture.

Common Vulnerabilities and Attacks

Vulnerability: Legacy systems unable to integrate a physically and logically secured architecture into applications.
Attack: Viruses, worms, malware and spyware from portable devices.

Vulnerability: Industrial protocols lacking encryption and authentication.
Attack: Eavesdropping, session hijacking.

Vulnerability: Lack of proper segmentation and defense in depth.
Attack: A compromised perimeter firewall can leave the entire network compromised.

Vulnerability: Insecure database and improperly configured Active Directory.
Attack: SQL injection attacks.


Risk Mitigation Framework:

Here I have listed some of the common practices of a sample mitigation framework. This is not exhaustive, and the details depend on the particular case within the industry.

Segmentation and Defense in Depth

One of the first steps is to [ii]segment the network adequately and have a multi-layered secured architecture, i.e. the SCADA systems polling data from the plant sit in secure zone 1; they push their data to a historian in secure zone 2, a DMZ; and the enterprise users in secure zone 3 collect data from the DMZ instead of connecting directly to the control systems. There could also be a test or buffer zone between the DMZ and zone 3 to test any software update, patch or new configuration before deploying it to the live environment. In each zone we employ a “defense” mechanism isolated from the other zones. This defense could be a technology, e.g. a firewall or IPS/IDS (Intrusion Prevention/Detection System), or a process.
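To make the zone model concrete, here is an added example (not from this post, the SANS paper, or ICS-CERT) that encodes the three zones as a default-deny flow policy and checks sample flows against it; it also serves the VPN/DMZ separation advice in the “Are SCADA Systems Secured?” post above. The subnets, ports and addresses are constructed assumptions, not vendor or site specifics.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan, one subnet per zone (assumption, not from the post).
ZONES = {
    "control": ip_network("10.10.1.0/24"),     # zone 1: SCADA servers polling the plant
    "dmz": ip_network("10.10.2.0/24"),         # zone 2: historian in the DMZ
    "enterprise": ip_network("10.10.3.0/24"),  # zone 3: corporate users
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str = "tcp"

# Allow-list evaluated default-deny; no rule lets enterprise reach control directly.
# Port numbers are constructed sample values.
ALLOW = [
    Rule("control", "dmz", 5432),    # control pushes process data to the historian
    Rule("enterprise", "dmz", 443),  # enterprise reads reports from the historian
]

def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone, or None if it lies outside every zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None  # e.g. internet: never trusted

def evaluate(src: str, dst: str, dst_port: int, proto: str = "tcp") -> str:
    """Return 'allow' or 'deny' for one flow; anything not listed is denied."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return "deny"
    if s == d:
        return "allow"  # intra-zone traffic is governed inside the zone
    return "allow" if Rule(s, d, dst_port, proto) in ALLOW else "deny"

def violations(flows):
    """Filter (src, dst, port) tuples, returning the ones the policy denies."""
    return [f for f in flows if evaluate(*f) == "deny"]

if __name__ == "__main__":
    # Constructed flows: the last one is a direct enterprise-to-control attempt.
    sample = [
        ("10.10.1.20", "10.10.2.10", 5432),
        ("10.10.3.50", "10.10.2.10", 443),
        ("10.10.3.50", "10.10.1.20", 443),
    ]
    for f in violations(sample):
        print("DENY", f)
```

Feeding real firewall logs or a proposed rule set through violations() is a quick way to catch any path that lets zone 3 reach zone 1 without passing through the historian.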

Application White Listing:

Up to now, we have focused on blacklisting rogue applications and programs like viruses and worms. But another approach is to whitelist, i.e. a system runs only the programs and applications “whitelisted” for that particular system. This works best for legacy systems and for systems which are isolated and remote.
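As an added illustration (not from this post or from ICS-CERT), the following builds a hash-based allow-list manifest from a known-good host image and reports executables on the live system that are unknown or altered; it also serves the application white-listing advice in the first post above. The file names and contents are constructed in a temporary directory so it runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each file under root (posix-style relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_against(manifest: dict, root: Path) -> dict:
    """Compare a live tree to the allow-list manifest.

    'unknown'  = present on the live host but never approved
    'modified' = approved name, but the digest no longer matches the baseline
    """
    result = {"unknown": [], "modified": []}
    for rel, digest in build_manifest(root).items():
        if rel not in manifest:
            result["unknown"].append(rel)
        elif manifest[rel] != digest:
            result["modified"].append(rel)
    return result

def demo() -> dict:
    """Constructed scenario: baseline image, then a live copy with one dropped
    and one tampered binary (file names are hypothetical)."""
    with tempfile.TemporaryDirectory() as tmp:
        base, live = Path(tmp) / "baseline", Path(tmp) / "live"
        for d in (base, live):
            (d / "bin").mkdir(parents=True)
            (d / "bin" / "hmi.exe").write_bytes(b"HMI-v1")
            (d / "bin" / "historian.exe").write_bytes(b"HIST-v1")
        manifest = build_manifest(base)                        # approved set
        (live / "bin" / "updater.exe").write_bytes(b"dropped")  # never approved
        (live / "bin" / "hmi.exe").write_bytes(b"HMI-tampered") # digest changed
        return check_against(manifest, live)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real host the manifest would be generated from the vendor-validated image and the check scheduled to run (or enforced by the whitelisting product) rather than recomputed from a baseline directory each time.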

Periodic Audits:

Regular audit checks, whether automated with a tool or performed manually, can stop many threats before they are exploited. These audits are based on industry standards like NERC (North American Electric Reliability Corporation) CIP (Critical Infrastructure Protection) for US grid operators.

[i] “Stuxnet: Fact vs Theory” by Elinor Mills

[ii] “Building a Better Bunker: Securing Energy Control Systems Against Terrorists and Cyberwarriors”, a SANS white paper written by Jonathan Pollet