SCADA Systems Explained
This paper explains what SCADA systems are, the vulnerabilities associated with them, and how the resulting risks can be mitigated.
Supervisory control and data acquisition (SCADA) is a type of industrial control system (ICS) used to control infrastructure processes such as water treatment plants, wind farms and gas pipelines. SCADA also controls facility-based processes, such as airports and space stations, and industrial processes such as production, refining and manufacturing. SCADA systems control these processes through remote terminal units (RTUs) or programmable logic controllers (PLCs) that report to a centralized supervisory system, so the sites do not have to be physically manned and can be controlled remotely. (csoonline.com)
Just like any other system in use today, SCADA systems have vulnerabilities. A study published on the IEEE website searched the National Vulnerability Database (NVD) using keywords related to SCADA systems, such as "SCADA", "RTU" and "MTU". Some of the vulnerability classes it found were:
Buffer errors – an attacker can read or write to a memory location (ieeexplore.ieee.org)
Input validation – input is not appropriately validated by the software, allowing an attacker to craft input that alters control flow or achieves arbitrary code execution (ieeexplore.ieee.org)
Path traversal – elements within a pathname of the file or directory are identified by external input
Permissions, privileges, and access control – users are able to reach files and privileges they are not supposed to have access to
These are some of the key vulnerability classes listed in the study. (See the IEEE citation below for the full, more detailed list.)
Now let's go over ways these vulnerabilities can be mitigated. According to the IEEE article, many exploits succeeded because the SCADA systems still had their default username and password, which gave the attacker access to the system. Security training on the importance of changing default usernames and passwords (which can easily be found online) would help mitigate some of these vulnerabilities.
The top three concerns, buffer overflows, improper input validation and path traversal, are usually inherited from low-level, memory-unsafe programming languages. Tightening the security of the code and using a more secure programming language for these systems can help mitigate these vulnerabilities.
A simple yet effective measure is for system administrators to patch all "high" severity vulnerabilities, since the article states that 38% of the vulnerabilities have disrupted SCADA system availability. The main mitigation techniques that should be used are therefore a few general practices: access control, vulnerability patching, debugging IDSs, and cryptographic solutions.
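To illustrate the input validation and path traversal items above, the following is an added example written for this page (not code from the paper or from the works it cites): a minimal report-download routine of the kind an HMI web front end might expose, in a vulnerable form and a hardened form. It assumes a POSIX system and builds a constructed temporary directory for the demonstration.

```python
# Added example, not from the paper or the works it cites: a minimal
# report-download routine of the kind an HMI web front end might expose,
# shown in a vulnerable form and a hardened form. Paths and file contents
# are constructed for the demo; a POSIX filesystem is assumed.
import os
import tempfile

# Constructed layout: a report directory plus a sensitive file outside it.
BASE = os.path.realpath(tempfile.mkdtemp())
REPORT_DIR = os.path.join(BASE, "reports")
os.makedirs(REPORT_DIR)
with open(os.path.join(REPORT_DIR, "daily.csv"), "w") as f:
    f.write("tag,value\nPUMP1_FLOW,42.0\n")
with open(os.path.join(BASE, "secrets.cfg"), "w") as f:
    f.write("admin_password=CHANGEME\n")
# A symlink planted inside the report directory that points back out.
os.symlink(os.path.join(BASE, "secrets.cfg"), os.path.join(REPORT_DIR, "link.csv"))


def read_report_vulnerable(name: str) -> str:
    """External input is joined straight into the path with no check, so a
    name such as '../secrets.cfg' leaves REPORT_DIR (path traversal, CWE-22)."""
    with open(os.path.join(REPORT_DIR, name)) as f:
        return f.read()


def resolve_report(name: str):
    """Return the canonical path for NAME if it stays inside REPORT_DIR,
    otherwise None. realpath collapses '..' and symlinks before the check,
    and an absolute NAME replaces the root in os.path.join, so it is rejected."""
    root = os.path.realpath(REPORT_DIR)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root or target == root:
        return None
    return target


def read_report_hardened(name: str) -> str:
    """Only serve files whose resolved path is under the report directory."""
    target = resolve_report(name)
    if target is None:
        raise PermissionError(f"rejected report name: {name!r}")
    with open(target) as f:
        return f.read()


if __name__ == "__main__":
    print(read_report_vulnerable("../secrets.cfg"))  # leaks the config file
    print(resolve_report("../secrets.cfg"), resolve_report("link.csv"))  # None None
    print(read_report_hardened("daily.csv"))
```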
Works Cited
Constantin, Lucian. "CISA Warns of Critical Flaws in ICS and SCADA Software from Multiple Vendors." CSO Online, 7 Apr. 2023, www.csoonline.com/article/575013/cisa-warns-of-critical-flaws-in-ics-and-scada-software-from-multiple-vendors.html.
Yadav, G., and K. Paul. "Assessment of SCADA System Vulnerabilities." 2019 24th IEEE International Conference on Emerging Technologies and Factory Automation (ETFA), Zaragoza, Spain, 2019, pp. 1737-1744, doi: 10.1109/ETFA.2019.8869541.