CYSE 200T Cybersecurity Technology in Society

SCADA Systems: Vulnerabilities and Risk Mitigation for Critical Infrastructure

Bottom Line Up Front (BLUF)

Supervisory Control and Data Acquisition (SCADA) system vulnerabilities primarily come from the need to allow people to access, monitor, and control systems remotely. The connectivity or on-site computers required to allow these features create a path for hostile actors to hack into systems and steal data or cause problems to critical infrastructure. To mitigate risk, companies and organizations must implement proper network protocols, software updates, physical security measures, access control, and device policies. (One flaw too many: Vulnerabilities in SCADA systems 2019)

Weak Points in Physical Components of SCADA Systems

Human Machine Interfaces (HMIs) are computers with graphical representations of the systems they control. They allow a person to monitor and manipulate various systems or equipment through Programmable Logic Controllers (PLCs) and Remote Transmission Units (RTUs). Since HMIs are often connected to Virtual Private Networks or other networking solutions that allow remote access, they are vulnerable in the same ways as any network.

Authorized User or Physical Access Exploitation

A hacker can use social engineering techniques to gain knowledge of an authorized user and potentially guess a password, find a password that is used for multiple purposes, or trick a user into revealing their password. They could also gain physical access through use of false credentials or other illegal access techniques to connect to ethernet ports or other access points. A small computer such as a Raspberry Pi or a “pwnie” device connected to a cellular phone can capture information and relay it to the hacker to gain control or steal information.

Software or Mobile Application Flaws

Another path for hackers to access SCADA systems is through software, mobile applications, or web interfaces (One flaw too many: Vulnerabilities in SCADA systems 2019). The very access methods that make SCADA systems so necessary and convenient for modern society are also an ever-present source of vulnerabilities. Software and mobile applications can come from numerous vendors and will vary widely from one organization or company to another. If a hacker can discover a flaw in a piece of software or an application, they may be able to exploit it to extort money or cause problems.

Mitigation of Risk

            To reduce the risk of hackers gaining access to critical infrastructure, companies and organizations must implement multi-layered and ongoing solutions.

People are a Weak Point

            The most successful means for hackers to gain access to networks and systems is simply tricking people into revealing passwords or other personal information. It is essential for all employees to receive regular training in basic security practices. People are often not aware of the methods hackers can use to trick them. Ongoing training programs that educate people about recent incidents and provide them with useful tools and information result in target hardening and better security.

Software Patches and Updates

            Any software or application used to access SCADA systems must be regularly updated. Furthermore, cybersecurity personnel should periodically audit all such software in use to ensure it has not become obsolete or “abandonware”.

Management of User Accounts and Physical Access

            Timely auditing of access lists and user accounts is essential to mitigate the risk of unauthorized access. People must be strictly limited to only access the HMIs, systems, and physical areas they need to do their jobs, and no more. Granting access based on positions of power or seniority seems logical to some but creates unnecessary additional ways for hackers to gain unauthorized access. Furthermore, access to rooms, buildings, or other areas that contain SCADA equipment should be limited to only those with specific need to do their daily jobs. Equipment such as key cards, biometric scanners, security cameras, and “man-trap” doors are a few effective ways to limit physical access.

Conclusion

            Although there has never been a system that is completely immune to attack, risk can always be managed. The use of continuing education, regular review of policy, and security practice audits using the NIST framework or other industry standards will always be the best answer to how to deal with outside threats. Critical infrastructure faces more outside threats than it ever has due to modern needs for remote access and monitoring. The inherent flaws introduced by connecting SCADA equipment to remote systems will always be of concern, but with the right practices and controls, the risk to the public can be reduced to acceptable levels.

Works cited:

Trend Micro. (2019, December 16). One flaw too many: Vulnerabilities in SCADA systems. Security News. https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/one-flaw-too-many-vulnerabilities-in-scada-systems

The Human Factor in Cybersecurity

Journal prompt: During this week’s reading, you’ve been exposed to different points of view regarding human contribution to cyber threats. Now, put on your Chief Information Security Officer hat. Realizing that you have a limited budget (the amount is unimportant), how would you balance the tradeoff of training and additional cybersecurity technology? That is, how would you allocate your limited funds? Explain your reasoning.

            A Chief Information Security Officer (CISO) must leverage the knowledge of their most talented subordinates and stakeholders to first develop an accurate picture of the company’s cybersecurity threats, legal obligations, risk tolerance, and policies, among many other factors. Once the CISO has this information, they can begin to consider how to balance training spending against tech spending.

            The first thing I would consider as CISO is the tech my company already has on hand. The various services and equipment already in place are a vital piece of the puzzle. I would then assess issues that might arise as employees use the tech we already have. For example, if employees are accessing our network remotely, I would figure out how employees are already trained in that subject. If training is lacking, I would likely increase the budget. If training was deemed adequate, I would likely keep training going at the same pace.

            Once I have analyzed what tech we have and whether employees are properly trained in use of that tech, I would start to consider the wants and needs of my employees regarding tech. Tech is flashy, fun, and engaging. When employees get better equipment or software, they tend to enjoy it. Few employees would turn down a shiny new laptop in favor of a beat up four-year-old unit. However, it is not practical to purchase new computers for employees every year or two, just to allow people to constantly use new gear. I would have a system in place for employees to request new tech. Those requests would be carefully considered, not just for the cost, but for the possible training requirements that come along with that tech.

            Only then would I start considering how much to spend on tech versus training funds. Often, people only see new computers or software as a simple purchase. There are often hidden costs that must be considered, and training is a major one. In order to complete my budget, I would ensure my stakeholders were all in agreement with planned purchases. I would then consider my total budget and allocate training dollars based on the tech we already have. I would also set aside a small portion of the budget for unexpected expenses related to either tech or training. If there is room in the budget for purchases, I would consider the purchase price plus training and all other expenses. All purchases would be made with full knowledge of all costs associated. This way, we will always be sure we are training our people and not running out of money to do so.

The CIA Triad

The CIA triad is the model on which organizations base cybersecurity policies and guidelines. The letters stand for Confidentiality, Integrity, and Availability. Confidentiality is essentially another word for privacy. Organizations need to control who can see information and when, in order to avoid data breaches. Integrity is how accurate and unaltered an organization’s information is. An organization can’t rely on information if it cannot be confident that the integrity of the information is intact. Availability is the freedom to access information. An organization that cannot access its information is unable to perform its basic functions.

To ensure the three sides of the CIA triad are functional, an organization must maintain vigilant watch over authentication and authorization.

“The main difference between authentication and authorization is that authentication verifies a user’s identity while authorization grants users the right to access resources.” (Tran, 2023)

As we can gather from Mr. Tran’s writing, authentication is the way an organization knows that the person trying to access information is who they say they are. Authorization is how an organization allows people access to the applications, files, or any other information or equipment they need to do their jobs.

It is vital to an organization’s security to know, with certainty, that it is only allowing the correct people to access its networks. We can think of this as the first layer of security. The second layer is authorization.

An organization would be unwise to allow all employees to access every file, application, server, etc., that it controls. To maintain good security, an organization must only allow employees to access information they need to accomplish their jobs. These needs will change from time to time based on the projects they might be working on or changes in job titles.

In essence, authentication and authorization are at the heart of any organization’s cybersecurity posture and the primary concerns of cybersecurity professionals.
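The two layers described above, as an added illustration that is not part of the original essay: authentication (a salted password hash compared in constant time) is checked first, and only then is authorization (a need-to-know permission set per job role) checked, so an employee whose role changes gains or loses access without any change to how they log in. The user names, passwords, roles and permission strings are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample user store: passwords are kept only as salted PBKDF2 hashes.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}

USERS = {
    "operator1": make_user("correct horse", "hmi_operator"),
    "auditor1": make_user("battery staple", "auditor"),
}

# Authorization policy (constructed): each role lists only what that job needs.
ROLE_PERMISSIONS = {
    "hmi_operator": {"hmi:view", "hmi:control"},
    "auditor": {"hmi:view", "logs:read"},
}

def authenticate(username: str, password: str) -> bool:
    """Layer 1: is this person who they claim to be?"""
    user = USERS.get(username)
    if user is None:
        return False
    # constant-time comparison so a wrong guess leaks no timing information
    return hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))

def authorize(username: str, permission: str) -> bool:
    """Layer 2: is this already-authenticated person allowed this resource?"""
    user = USERS.get(username)
    if user is None:
        return False
    return permission in ROLE_PERMISSIONS.get(user["role"], set())

def change_role(username: str, new_role: str) -> None:
    """Job title changed: permissions follow the role, credentials stay the same."""
    USERS[username]["role"] = new_role

def request_access(username: str, password: str, permission: str) -> str:
    """Apply the layers in order and report which one denied the request."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, permission):
        return "denied: not authorized"
    return "granted"
```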

Works cited:

Tran, T. (2023, December 26). Authentication vs authorization: What’s the difference? Keeper Security Blog – Cybersecurity News & Product Updates. https://www.keepersecurity.com/blog/2023/12/26/authentication-vs-authorization-whats-the-difference/
