A study of industrial cyber security suggests that supervisory control and data acquisition (SCADA) systems might be even less safe from high-tech intrusions than previously thought.
Last fall the British Columbia Institute of Technology (BCIT), a Burnaby, B.C.-based polytechnic school, presented a report on SCADA security at the VDE Congress, a gathering of electrical, electronic and IT professionals in Berlin.
Utility companies, manufacturers and firms in other industries use SCADA systems to monitor and control disparate equipment from a central location.
The BCIT’s report, dubbed The Myths and Facts behind Cyber Security Risks for Industrial Control Systems, describes a substantial increase in computer-based attacks on critical industrial IT infrastructure since 2000.
Whereas the BCIT recorded one to three industrial high-tech security incidents each year between 1995 and 2000, thereafter the number of reports climbed: four in 2001; six in 2002 and 10 in 2003.
The threats increased in part because companies rely more and more on standard networking protocols in SCADA environments, according to the report. SCADA systems used to employ less open, more tech-vendor-specific technologies that were hard to for digital intruders to crack. These days SCADA infrastructure includes common technology — networking protocols that hackers have learned to control.
“The move to open standards such as Ethernet, TCP/IP and Web technologies are letting hackers tack advantage of the control industry’s ignorance,” reads the BCIT’s report.
The document draws on info from the BCIT’s industrial security incident database (ISID), which tracks the impact of denial-of-service attacks, worms, viruses and other binary nastiness on industrial systems. It’s the culmination of public incidents and private reports from companies that seek access to the database.
As of last fall, however, the BCIT had just “34 events of sufficient quality for statistical analysis” in the database, according to the report.
With so small a sample, can the institution’s insight be taken seriously?
“It is a very small sample size,” said Eric Byers, the BCIT’s research manager in critical infrastructure security. “We wish it was larger, but data of this nature is notoriously hard to get. Regardless, we still believe it offers interesting lessons for the industry and does dispel a number of misconceptions, such as the source of attacks and the means of intrusion.”
The threat source is changing. The BCIT’s report says 70 per cent of attacks reported between 2001 and 2003 came from some external entity. Between 1982 and 2000, just 31 per cent of attacks came from the outside.
This shift in threat location started with Code Red 2001. The first automated worm, it changed the attack perspective from angry insider to offsite script kiddie. Increasing reliance on common operating systems like Windows 2000, and the accompanying patch problems, also made external attacks all the more viable. As well, interconnections among enterprises as they exchange supply data, customer details, etc. open industrial systems to outside threats that the local chief security officer might not even know about.
As for the means of intrusion, the Internet remains the most popular route into the industrial brain, “but dial-up connections VPNs, telco networks, wireless systems and third-party connections were all contributors,” the BCIT writes.
Breaches hurt companies’ reputations most of all, says the BCIT. But there can be financial impacts as well. Not all of the incidents listed in the ISID have associated financial impact statements, says the study; but of those that do, 50 per cent reported losses north of $1 million.
The institution prescribes a “defence in depth” strategy to protect industrial systems. Employ AGA-12, a SCADA security standard from the American Gas Association (www.aga.org). Use a SCADA-aware IDS, Byers advised.
“BCIT is actively researching a SCADA-aware micro-firewall that is designed to harden specific SCADA and PLC (programmable logic controller) devices,” he said.
The BCIT isn’t the only group scrutinizing industrial security. The business consultants at Deloitte consider how Calgary-based gas company EnCana Corp. is changing its risk assessment practices regarding industrial systems in this article. The piece also includes the U.S. Department of Energy’s 21 steps to improving SCADA security.
SCADA security became something of an issue in North America after the blackout of 2003. There was some speculation that a worm caused the event, which cut the power in eight states and Ontario. According to an April 2004 report the blackout was the result of procedural breakdowns at a power facility in Ohio.