The US DHS reports that 40% of cyber attacks against critical infrastructure are aimed at energy industry targets in the US. Globally the higher profile cases are well reported in the media. Instances appearing in the news this past year include:
- Saudi Aramco experienced a large scale cyber attack in 2012. Aramco’s Vice President for Corporate Planning, as reported by a US news service, stated that more than 30 000 computers were compromised or affected by a so-called ‘spear-phishing’ attack and the disruption of normal activity in the company was crippling.
- Telvent, a major provider of SCADA software in North America and Spain, sent a letter to its software users in September 2012 advising that it had learned of “a breach of its internal firewall and security systems.” According to a security blog, intruders were reportedly Chinese and had installed malicious software and stole project files related to its SCADA software product.
- The well-publicised Stuxnet virus, designed to attack Siemens’ WINCC SCADA software in Iran, has spread despite the strongest of defenses. Shortly after the Stuxnet virus became known, it was identified as having breached the Chevron network (as reported by a computer news service).
However, most incidents go unreported by companies. Instead, concerned by the impact that these reports have on company reputation and stock prices, an aura of secrecy is generated regarding breaches in security.
Nature of the threat
The most serious type of hackers, Advanced Threat Perpetrators (ATP), are able to maintain their connections for extended periods without detection by victims lacking adequate cybersecurity protection. As demonstrated in known incidents, the goal is either the capture of valuable data or interruption of services by foreign governments, industrial espionage syndicates or rogue employees. One group of ATP hackers was documented as able to remain inside their targets’ networks for an average of 355 days after penetration.
Supervisory Control And Data Acquisition (SCADA) systems typically reside on process control networks separated from enterprise or business networks. While attempts to isolate SCADA data networks from the internet are common, they are not always completely successful. Thus, the concept of a system closed to the outside world is not a reality.
Considering the first two words represented by the acronym SCADA, ‘Supervisory Control’ should give a clear picture of a cyber attack’s potential consequences. Maliciously overriding supervisory controls can result in loss of life, serious injury to personnel and nearby individuals, lost production, loss or damage to physical assets, release of material to the environment, loss of reputation and loss of stockholder value.
The last two letters in the acronym ‘Data Acquisition’, can present the other potential consequence of a cyber attack on a SCADA system. Imagine what a white collar criminal hacker could glean and exploit from that historical information on production, product sales, deliveries, operating efficiencies. Impacts on product pricing, shareholder value, futures markets and company reputations are at stake.
Few companies operate SCADA systems without some level of security. However, the security layer design in a company’s landscape may be affected by the hacker’s best friend – standardisation. Access control for users may even be driven by the same systems that grant system access (username and password administration) to the enterprise or business network.
A cohesive cybersecurity strategy is built around the following
Prevention and defense
Protection is typically provided by firewalls (either hardware or software) looking for the type of attacks already seen and for which defenses have been developed. A large majority of the attacks on critical oil and gas infrastructure targets are handled by firewalls. Yet, they are only as robust as the last update. However, even a small company’s firewall can see and prevent a huge number of attempts.
API Standard 1164 states that “implementing a combination of [network monitoring] technologies in addition to firewalls is necessary to enhance network security and management.” Firewalls do not necessarily offer protection for cyber attacks that have not been documented and identified i.e., Zero Day Attacks. Monitoring activity in the network and detection is how Zero Day Attacks will be identified.
Detection and Response
Through monitoring, detection of attacks is possible and developing a customised intrusion detection and response system is pivotal to any cybersecurity plan. API Standard 1164 requires that an Incident Response Plan (IRP) be established. Once an attack is detected, a response plan will be initiated. For example, a confidential response plan could be a fail-over to a mirrored server, while sequestering and isolating the infected server.
Evaluation and risk sssessment
API standard 1164 states that “The operator shall conduct periodic risk and vulnerability assessments.” A credible and legitimate third party can provide the expert staffing required to conduct a risk/vulnerability assessment study. This becomes the road map for designing the network and SCADA system with cybersecurity contingency planning and prioritised counter measure.
Alternatives to the in-house server room
Many companies may argue that their server room is the only safe place for their SCADA system. However, that puts all SCADA eggs in one basket as one large target. One alternative solution is a Distributed Cloud Platform. By dividing the application over multiple sites, if a hacker breaks into one site he has not reached the entire data application.
A second protection phase is having a hardware mirrored installation of a component in different data centres. So, when a hacker incursion does occur, the site can be sequestered and the other data centre with the mirrored installation brought up with minimal downtime. A third protection phase focuses on ensuring adequate encryption. A minimum level of data encryption is typically 256-bit. Levels of 1048-bit are available from some providers.
Complacency and satisfaction are a company’s worst enemies in executing an ongoing SCADA security strategy. Company SCADA systems are particular hacker targets and present a clear and present risk for cyber attacks but a number of tactics can be employed to provide better security for a company’s SCADA system.
Written by Jim Fererro, GlobaLogix, USA.
Read the article online at: https://www.hydrocarbonengineering.com/special-reports/13092013/scada_system_security_special_report/