Once isolated systems, SCADA networks have migrated to using familiar graphical user interfaces on workstations accessible over the network. Over time, malicious hackers have discovered ways of accessing SCADA systems, as well as DCS (Distributed Control Systems), PLCs (Programmable Logic Controllers), and other legacy control systems. The goal here is to describe how operators can protect their SCADA and other control systems with software-based solutions such as personal firewalls, anti-virus software and other specific industrial-based solutions.

The risks
In 2004, the methodology behind the rupture and 3-kiloton explosion of a Trans-Siberian pipeline was described before the U.S. Congress. Two decades earlier, in 1982, a Trojan program inserted into SCADA software had caused the largest non-nuclear explosion ever observed from space. It took over twenty years for the truth to be revealed. The precise methodology has been explained elsewhere and need not be repeated here, but it is familiar to all engineers as hydraulic shock.

This was relatively high-tech sabotage. Similar destruction could be accomplished by very low-tech methods, utilizing nothing more than an elemental metal, a common metal oxide and a flower pot. Thus, there are two potential attack vectors, one physical and the other via software. Most experts consider a combination of the two vectors to be the most disruptive. Physical security is fairly well understood and reasonably addressed in the literature. In contrast, the focus here is on the less understood methods of software security, and to describe simple methods of protection against internal and remote untraceable mischief.

Malicious hackers have discovered SCADA (Supervisory Control and Data Acquisition) and DCS (Distributed Control Systems). A former hacker interviewed by PBS Frontline advised that “Penetrating a SCADA network that is running a Microsoft operating system takes less than two minutes.”

The history
Legacy control systems such as DCS, SCADA, and PLCs have been used for decades in power plants and grids, oil and gas refineries, air traffic and railroad management, pipeline pumping stations, pharmaceutical plants, chemical plants, automated food and beverage lines, industrial processes, automotive assembly lines, and water treatment plants.

There is a wide range of security technologies that can be used to protect the corporate network, but these are less successful within a production network. Software-based solutions (personal firewalls, anti-virus software) cannot run on some proprietary operating systems because of incompatibility, and often cannot be integrated into systems built on older processor technology because those processors lack the necessary performance. Table 1 provides a chronological history of publicly reported hacking incidents. The list provides a chilling insight into these types of problems and their potential for disruption. Some of these damaging exploits were kept secret for years.

While it is dramatic to consider a deliberate attack initiated by hackers or foreign intervention, the threat comes in many forms. It does not need to be an intelligently directed attack. Worms, viruses and other malware are far more frequent causes of data loss. The non-intelligent Slammer worm covered the globe in 30 minutes, infected business and Pentagon computers in the first eight minutes, curtailed oil production operations in the Gulf of Mexico, and caused $3 billion in damage to Wall Street.

Malware (Trojans, viruses and worms) can be inadvertently downloaded from the Internet, and these can replicate themselves on portable memory devices of all types. In 2008, digital picture frames sold by major retailers were found infected with a program that disabled antivirus software and sent passwords to servers in China.

The danger to pipelines
Beyond the dangers of deliberate, destructive sabotage are the economic and financial business risks. These need not involve terrorist attacks or the malicious intervention of foreign powers. In many cases, data on measurement and product quality can be the most vulnerable pipeline-related asset.

Data is collected continuously from custody transfer meters and pumping stations along thousands of miles of pipeline. There are millions of dollars involved in the simple reporting of data as recorded electronically from the gathering system to the end user. And there are millions of dollars at stake when a refinery contends that the crude oil delivered contained four-tenths of a percent water rather than the two-tenths of a percent water content for which it was being billed.

The discrepancy could occur at either end, whether upon supply or delivery. Volume could be over or under-reported by error, or by adjustments made to the temperature compensation. Because pipelines are shared, with products blended from multiple sources and then delivered to multiple clients, the exact quality is a software-based engineering calculation. The lab test results are also reported via software. All software can be manipulated, and data tampering is easier when the data for the ledger books is all based on software (as was partially the case with Enron, for example).

Now imagine the worst non-destructive scenario. What if the pipeline data stream is interrupted or data logging records lost? This could occur from a random virus, accidentally inserted via a memory stick; electronic picture frame; the laptop of a visiting consultant; or a subcontractor’s website linked to the company website. Or it could be a Trojan program deliberately inserted by a competitor, disgruntled employee, state-supported terrorist or foreign power.

In the latter examples the breach might be virtually untraceable. What now is the financial damage? The answer is millions of dollars an hour. What is the economic damage of widespread or recurrent interruptions? Loss of investor confidence and stock losses would be measured in the billions of dollars. Add to that the very human cost of jobs lost as a result of the time-honored practice of assigning blame down the ladder of responsibility.

Harmful programs, capable of paralyzing automation systems, are often introduced internally. External service technicians, contractors, employees and visiting consultants with laptops can inadvertently (or deliberately) introduce malicious software behind the external firewall. Surveys reveal that roughly 40% of security incidents involved insiders.

Figure: Integrated-Network Flowchart. An integrated network solution in its various formats: rackmount, DIN mount, PCI, and patch cords.

Downstream facilities
Refineries and petrochemical plants have become increasingly reliant on SCADA systems, DCS and PLCs over the last several decades. And as elsewhere, Windows-based software and Ethernet predominate in the front office and are migrating into production areas as well. SCADA systems were typically not designed for security. These older legacy systems remain highly vulnerable to intelligent remote attacks, as well as to non-intelligent viruses, since they are no longer isolated from the Internet. They are reachable via company websites, wireless access points, USB drives, modems, radio transmission, satellite, microwave, wiretap and remote maintenance access.

While electro-mechanical safety switches are designed to provide fail-safe protection independent of the control programs, uncontrolled process accidents remain common. Both inadvertent software control glitches and deliberate software tampering are therefore potential causes.

A common example demonstrated by security Red Teams is altering or masking the information being viewed by process operators and engineers. Electro-mechanical safeties can be overwhelmed by unregulated feeds of combustible products to sources of combustion. If the process information being monitored is erroneous, there is no real way to know what is going on, or what action to take.

Common objections
Below are some common objections to the dangers outlined above, followed by a considered response to those objections.

“Our production systems are completely isolated from outside access.” In his book The Art of Intrusion, hacker Kevin Mitnick clearly explains how even a neophyte can easily gain root (administrator) access to the entire network through the corporation’s protected public website, from anywhere in the world. The majority of PLCs are currently ordered with Web services enabled, and 87% of users leave the Web servers active, unused (and not configured), with factory default passwords. Idaho National Labs has published several fine white papers on the protection and risks of SCADA systems, and these are highly recommended as reference materials.

“Our system is secure because it would be impossible for an outsider to understand it.” This is nicknamed “security by obscurity” and has repeatedly been shown to be a false assumption. There are only five to six leading DCS and SCADA systems used throughout the world, and there are millions of U.S. and foreign engineers who have been trained in their use. The Roman Empire did not fall to a more sophisticated or technologically advanced culture. Weakened by economic woes, Rome fell to barbarians at the gates, to whom it had previously outsourced the administration and defense of its frontier territories.

“We’ve never had a problem. There has been no intrusion or disruption in our process or production network.” When new Intrusion Detection Systems (IDS) were installed on U.S. Department of Defense networks, they showed that thousands of attempted illegal penetrations were going on daily. According to former presidential advisor Richard A. Clarke, one general was incensed and complained that: “Before we had these IDS, we were never attacked. Now that we got them on the network, people are attacking our nets every day, thousands of times, trying to get in! And some of them are getting in!”

“We can’t justify the expense and manpower.” The expense of protection is a fraction of 1% of the IT budget. With the latest generation of equipment, a network of protection can be installed, plug and play, by a handful of technicians rather than IT managers. Production need not be interrupted. Beyond ROI, the simplest justification is “What will we suffer if a disaster shuts us down?” The actuarial risk can be difficult to determine. What can be determined is the cost of a catastrophic event. Establishing production network security for critical infrastructure bears a close relationship to the logic of adhering to fire codes.

Industry recommendations

In May 2009, an explosion occurred on a natural gas pipeline on the outskirts of Moscow. The incident was attributed in part to a pressure surge.

The ideal solution would require several unique features. It should provide distributed “defense-in-depth” as a second or third layer of protection. This offers greater security, flexibility and lower cost. It should be capable of providing various levels of security. It should be easy to implement, by technicians rather than network administrators, without modification to the network’s configuration.

Templates for devices should be configurable for single units or very large groups from a central location. It should be available in various formats, provide hardware and software-based security, and be applicable to various network configurations. It should monitor incoming and outgoing data packets, offering secure communication via Virtual Private Network (VPN) tunnels. Ideally, the solution and firewall should be invisible to intruders attempting to map the network. Network Address Translation (NAT) should be used to provide protection by IP address masquerading.

For remote maintenance and diagnostics, the ideal solution is one that denies access by default, even to the original manufacturer of the production equipment. Remote online access is granted to the manufacturer only when process operations personnel request it by pressing a physical (or on-screen) button, and the encrypted VPN connection is strictly authenticated via digital certificates issued by a trusted certificate authority.
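The remote-maintenance policy described above, written out as a small decision engine so the rules can be tested: deny by default, allow only during an operator-opened window that expires on its own, only for a VPN peer whose certificate is issued by the trusted CA and is on the pinned list, and only to the designated maintenance target. This is an added example, not code from the article or from any of the vendors it names; every name and value in it (MaintenanceGate, VpnPeer, the CA name, fingerprint, addresses and port) is constructed.

```python
from dataclasses import dataclass, field

# Constructed policy data: in a real deployment these come from the device's
# configuration, not from source code.
TRUSTED_CA = "Example Vendor Maintenance CA"                    # constructed issuer
PINNED_CERTS = {"sha256:constructed-fingerprint-0001": "vendor-tech-01"}
MAINTENANCE_TARGETS = {("10.0.5.20", 20000)}                   # constructed PLC endpoint
WINDOW_SECONDS = 15 * 60                                       # window closes by itself


@dataclass
class VpnPeer:
    """What the VPN endpoint learns about an authenticated remote peer."""
    cert_fingerprint: str
    issuer: str
    dst_ip: str
    dst_port: int


@dataclass
class MaintenanceGate:
    open_until: float = 0.0                 # 0.0 means no window: deny everything
    audit: list = field(default_factory=list)

    def press_button(self, now: float) -> None:
        """Operator's physical or on-screen button opens a time-limited window."""
        self.open_until = now + WINDOW_SECONDS
        self.audit.append((now, "window opened by operator"))

    def close(self, now: float) -> None:
        """Operator (or a finished job) closes the window early."""
        self.open_until = 0.0
        self.audit.append((now, "window closed by operator"))

    def decide(self, peer: VpnPeer, now: float) -> str:
        """Return 'allow' or 'deny'; every decision and its reason is audited."""
        if now >= self.open_until:
            reason = "deny: no operator-enabled maintenance window"
        elif peer.issuer != TRUSTED_CA:
            reason = "deny: certificate not issued by the trusted CA"
        elif peer.cert_fingerprint not in PINNED_CERTS:
            reason = "deny: certificate not on the pinned list"
        elif (peer.dst_ip, peer.dst_port) not in MAINTENANCE_TARGETS:
            reason = "deny: destination outside the maintenance scope"
        else:
            reason = f"allow: {PINNED_CERTS[peer.cert_fingerprint]} -> {peer.dst_ip}"
        self.audit.append((now, reason))
        return reason.split(":")[0]
```

The audit list is the part operators actually review: a burst of "deny" entries outside any window is the signal that someone is trying the maintenance path without having asked.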

Specific industrial-based solutions are already available. They may be less well known in the IT world because they exist in the industrial space, and less well known in the security world, where there is a tendency to concentrate on physical security and physical access. Available products include Phoenix Contact FL mGuard, Byres Tofino, Siemens Scalance, Weidmüller IE, Emerson Delta V firewall, Hirschmann Eagle mGuard, and Innominate mGuard. But it was only Innominate Security Technologies AG, the original developer of mGuard, that won the Frost & Sullivan “2008 Global Ethernet Security Product Value Leadership of the Year Award” for its mGuard product family. Some of the products listed above are derived from the Innominate product set or are licensed and rebranded OEM products based on earlier Innominate software releases.

Now that inexpensive solutions are available, the security of industrial networks can no longer be ignored. With threats to industrial networks increasing in complexity and scope, decision makers need to take action before it is too late.


Editor’s Note: A copy of the 18-page white paper from which this article was extracted, “Hacking the Industrial Network,” including footnotes, clickable Internet links and detailed research references can be downloaded at www.innominate.com.

About the Author
Frank Dickman, BSMAE, RCDD, is a widely experienced engineering consultant and former delegate to NEMA, TIA/EIA, ISO, CENELEC and the BICSI Codes & Standards Committees. He is a technical consultant to a number of leading data communications firms and is a recognized expert on U.S. and international physical infrastructure network standards. Beyond telecommunications, his experience includes consulting engineering work for petroleum refineries, chemical plants, conventional and nuclear power plants, auto manufacturers and the aerospace industry.