HP TIPPINGPOINT
Securing SCADA: Overview, Risks, and Mitigation
HP Enterprise Security Business White Paper
Table of contents
• Overview: SCADA in a changing threat landscape
• SCADA and the lessons learned from Stuxnet
• What makes SCADA vulnerable?
• Common SCADA security challenges
• Mitigating SCADA security exposures
• Introducing HP TippingPoint and other HP security
• Getting started with HP
Overview: SCADA in a changing threat landscape
In June 2009, a sophisticated and destructive digital worm was unleashed with a single-minded purpose: to cripple the industrial control infrastructure instrumental to Iran’s uranium enrichment program. The Stuxnet virus not only became known as one of the most potent “zero-day” attacks on a critical infrastructure that included a Supervisory Control and Data Acquisition (SCADA) system, but it is regarded as an act of cyber sabotage that would forever change the threat landscape.[1]
This white paper is intended to update CISOs, network security managers, and line-of-business executives on how Stuxnet has significantly changed thinking about how a nation’s critical infrastructure is to be protected. A disturbing realization from Stuxnet is that industrial control systems (ICS) and SCADA systems are fair game for such cyber attacks, which means critical industries such as energy, chemicals, agriculture, discrete manufacturing, and others could be in harm’s way in the future.
This paper separates fact from fiction on the threats and vulnerabilities to SCADA systems and networks. It outlines how SCADA systems have inherent vulnerabilities that are best resolved by adhering to security best practices. Because security tools have long secured corporate networks, this paper shows how the same solutions can be used to mitigate the risks to SCADA systems.
SCADA and the lessons learned from Stuxnet
Unlike previous “zero-day” attacks, Stuxnet was designed to sabotage a highly unlikely target: the programmable logic controllers (PLCs) and other computers of a SCADA system used to control centrifuges within a nuclear facility. The Stuxnet virus was designed not only to debilitate the SCADA controls, but to do so in ultra-stealth mode. So covert was this cyber attack that it took nearly a year before the infected machines were discovered, and even then by accident.
Researchers were surprised to discover that Stuxnet targeted vulnerabilities in both Windows® and Siemens Simatic WinCC Step7 software, the ICS software managing the PLCs that normally drive motors, valves, and switches in everything from food factories and automobile assembly lines to gas pipelines and water treatment plants.
A malicious Stuxnet DLL file intercepted commands and replaced them with its own destructive commands. To prevent detection, it disabled automated alarms and masked what was happening to the PLCs by intercepting communications between computers. It literally stripped away any signs of an infection, so workers monitoring the SCADA system could only see legitimate commands and operation. Amazingly, rather than using email or the Internet to spread itself, the Stuxnet virus spread via infected USB sticks and a vulnerability in Windows Explorer to implant malicious code on computers.
[1] “How Digital Detectives Deciphered Stuxnet, the most menacing malware in history,” by Kim Zetter, July 11, 2011, Wired.
[2] “The 2011 Mid-Year Top Cyber Security Risks Report,” September 2011.
[3] “Cost of a data breach climbs higher,” by Larry Ponemon, March 8, 2011, Ponemon Institute.
Since 2000, application vulnerabilities have been on the rise, with over 8,000 new vulnerabilities discovered annually. Of this number, half are now Web related.[2] Per a Ponemon Institute report in March 2011, costs have reached $214 per compromised record and $7.2M per data breach event.[3]
Zero-day attacks are rare compared to more common network denial-of-service or Web application-based SQL injection attacks. But a zero-day attack can be more targeted, with potentially more lethal results such as loss of life and economic disaster. Figure 1 shows how the threat landscape has changed in terms of attack vector, types of virus payload, and cyber attacker motivation, which now includes cyber sabotage. Early attacks were designed to impact networks and large numbers of computers. In recent years, threats have been more targeted, using Web applications. Attacks launched by disgruntled insiders remain a constant threat.
With Stuxnet, the world needs to come to grips with the harsh realities and ramifications of politically charged cyber warfare. Attacks that prey on vulnerabilities with software upgrades or patches are not new to information security professionals, who have had to contend in past years with the destruction from such viruses as Aurora, Ghostnet, and Conficker. Figure 2 shows how Stuxnet differs from previous exploits across seven stages of an attack. Of interest is how Stuxnet differs in how its payload was introduced, its command and control structure, its attack vector, and its self-upgrading capability and stealth presence.
As with most viruses, payloads are usually variants or strains of previous exploits. Such hacker code and scripts are traded freely over the Internet. Stuxnet differed, however, in that it had components that virus researchers had not seen before. In October 2011, Duqu, the first known variant of Stuxnet, was detected in the wild.[4] Duqu contained Stuxnet code; but unlike Stuxnet, this Trojan did not have sabotage in mind. Rather, its aim was to gain data from ICS manufacturers, making a future attack more effective.
Over the last several years, botnets have been launched to compromise computers in order to steal data for profit or espionage. Hacktivist groups have targeted their attacks against well-known corporate and government entities. In response to these changing threats, including allegations that the Anonymous hacktivist group attempted to infiltrate French power plants, security experts from 20 EU nations and the U.S. convened at Cyber Atlantic 2011. The goal was to explore how the EU’s Network and Information Security Agency (ENISA) and the U.S. Department of Homeland Security would cooperate and engage each other in the event of a cyber attack on a critical infrastructure.[5] A key exercise simulated an attack that disrupts a SCADA system in a power-generation infrastructure. The results of the exercise will be used to formulate national contingency plans with good practice guides and seminars.[6]
[4] “First came Stuxnet computer virus: now there’s Duqu,” by Tabassum Zakaria, October 18, 2011, Reuters.
[5] “Simulated Cyberattacks Unites EU and US Security Experts,” by Jennifer Baker, November 3, 2011, PC World.
[6] “First Joint EU-US Cyber Security Exercise Conducted Today, 3rd Nov. 2011,” Brussels, Belgium, PRNewswire.
Figure 1. Changing threat landscape from 2002 to present
[Figure 1 chart, “Ever changing threat landscape”: a timeline in three periods, 2002–2004 (network/server downtime attacks), 2004–2007 (tracking and masquerading attacks), and 2007–2011+ (Web application attacks). The chart maps attack types (virus, worm, Trojan, OS-specific attacks, P2P, spyware, adware, phishing, whaling, DDoS, SQL injection, XSS, PHP file include) and attacker types (amateur hacker/criminal, angry employee/contractor, unethical advertisers, organized crime, rival corporation, outsourced firm or contractor, terrorist/political hacktivist) onto these periods.]
Figure 2. Differences in focus with Stuxnet and other zero-day attacks
What makes SCADA vulnerable?
SCADA systems are used widely for control automation and by discrete manufacturers, including energy (hydro, nuclear), oil and gas, water, mining, automotive, and other manufacturers. Importantly, most systems are derived from legacy technologies found in pilot-wire systems of the 1940s and earlier; relay and tone systems based on Visicode in the 1950s–60s; and modern-day systems beginning in the 1970s up through 2000. With analog telemetric roots, ICS and SCADA systems used leased phone lines for communications between central and field stations. If an alarm went off, an engineer drove to the suspect field station to make repairs. By the mid-1970s, with advancements in space program and microprocessor technologies, data could be multiplexed and collected from field stations and transmitted to a central location. Radio and leased lines were incorporated, resulting in the adoption of unattended monitoring and control capabilities for pipelines, water, wastewater, and utility grids. But the design of these industrial control and SCADA systems, like many legacy systems at the time, did not consider security.
A modern SCADA network is considered critical to business operations, using the next generation of intelligent and intuitive real-time applications. Paradoxically, however, the advancements in technology have only increased the vulnerabilities that can be exploited and used for an attack. Today, SCADA systems have transitioned from separate and proprietary networks to take advantage of modern technologies such as the Internet and wireless systems. SCADA networks are also integrated into the corporate computer systems housing network and asset management, procurement, billing, and operations management applications.
According to SCADAhacker.com, Italian “security researcher” Luigi Auriemma publicly disclosed vulnerabilities in six different industrial control systems,[7] including:
• AzeoTech DAQFactory (stack overflow)
• Beckhoff TwinCAT ‘TCATSysSrv.exe’ (network packet denial of service)
• Cogent DataHub (multiple vulnerabilities)
• Measuresoft ScadaPro (multiple vulnerabilities)
• Progea Movicon (multiple vulnerabilities)
• Rockwell RSLogix (overflow vulnerability)
Auriemma also provided proof-of-concept code that could be used by others to exploit the suspect vulnerabilities. Additionally, threat researchers from a major security vendor have identified a buffer overflow in the RSLogix 5000 programming software that can be used to crash the application and deny service to legitimate users.[8]
[7] Posted by Joel Langill, SCADAhacker, September 14, 2011.
[8] “Attack: Rockwell RSLogix RsvcHost.exe CVE-2011-3489,” Symantec, and CVE-2011-3489, MITRE Corporation.
[Figure 2 body: Stuxnet compared with Conficker and Ghostnet across seven attack stages: planning/recon, payload introduction, command and control, footprint expansion, target identification, attack launch, and retreat and removal. Descriptors the figure uses for Conficker and Ghostnet (“recent attacks and focus”): operational, Internet malware, fire and forget, opportunistic, vulnerable host, IP endpoint, weak deletion. Descriptors for Stuxnet: strategic target-based, Internet/physical and external, layered custom attack vector, tight control, targeted expansion, host function and value, self-upgrade and stealth.]
SCADA protocols are also composed of vulnerable legacy technology. To demonstrate this, the Pacific Northwest National Laboratory (PNNL) in Richland, Washington, USA, staged a man-in-the-middle attack simulation. A commercially available protocol analyzer was used as a man-in-the-middle attack device against a typical intelligent electronic device (IED). Using DNP3, the most common SCADA protocol in North America, the attack device issued commands to the IED while the SCADA software was spoofed and unaware of them. Such deliberate or unintentional issuing of commands within complex critical infrastructure systems could explain the FirstEnergy power failure of August 2003, which cut power to southeastern Canada and eight northeastern U.S. states. Fifty million people lost power for up to two days in North America’s biggest blackout.[9] Other staged cyber attack exercises and research reveal vulnerabilities in power grids despite the influx of modern technology and tools as well as heavy government intervention in the form of regulation.
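The PNNL demonstration turns on the fact that a DNP3 outstation acts on any well-formed frame it receives, so detection has to come from whatever is watching the link in front of the IED. The Python below is an added example written for this page, not code from the white paper, PNNL, or HP: it implements the DNP3 link-layer framing and CRC-16/DNP check from the public IEEE 1815 specification, reassembles the user-data blocks, and raises the two kinds of finding a passive monitor can produce without any knowledge of the process: a frame that fails its CRCs (a protocol anomaly) and a control or restart request whose master address is not on the site’s allowlist. The allowlist, the device addresses, and the sample frames are constructed for the example.

```python
"""Link-layer inspection of DNP3 frames: CRC/protocol-anomaly checks plus an
allowlist of master addresses permitted to send control requests.

Added example, not from the HP white paper or any HP product. Field layout
follows the public DNP3 (IEEE 1815) framing; sample frames are constructed
inline and the master allowlist is an assumed site policy.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

DNP3_START = b"\x05\x64"
MAX_BLOCK = 16  # user data travels in 16-byte blocks, each followed by its own CRC

# Application-layer function codes that change outstation state (IEEE 1815).
CONTROL_FUNCTIONS = {
    0x03: "SELECT",
    0x04: "OPERATE",
    0x05: "DIRECT_OPERATE",
    0x06: "DIRECT_OPERATE_NR",
    0x0D: "COLD_RESTART",
    0x0E: "WARM_RESTART",
}


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (reflected form 0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(dest: int, src: int, from_master: bool, user_data: bytes) -> bytes:
    """Encode a well-formed DNP3 link frame; used here only to construct sample traffic."""
    ctrl = 0x44 | (0x80 if from_master else 0)  # PRM=1, function 4 = unconfirmed user data, DIR bit
    header = DNP3_START + bytes([5 + len(user_data), ctrl])
    header += dest.to_bytes(2, "little") + src.to_bytes(2, "little")
    frame = header + dnp3_crc(header).to_bytes(2, "little")
    for i in range(0, len(user_data), MAX_BLOCK):
        block = user_data[i:i + MAX_BLOCK]
        frame += block + dnp3_crc(block).to_bytes(2, "little")
    return frame


@dataclass
class Verdict:
    src: Optional[int] = None
    dest: Optional[int] = None
    function: Optional[int] = None
    alerts: List[str] = field(default_factory=list)


def inspect_frame(frame: bytes, authorized_masters: Set[int]) -> Verdict:
    """Validate framing and flag control requests from unauthorized master addresses."""
    v = Verdict()
    if len(frame) < 10 or frame[:2] != DNP3_START:
        v.alerts.append("protocol anomaly: bad start bytes or truncated header")
        return v
    header, header_crc = frame[:8], int.from_bytes(frame[8:10], "little")
    if dnp3_crc(header) != header_crc:
        v.alerts.append("protocol anomaly: header CRC mismatch")
        return v
    length, ctrl = frame[2], frame[3]
    v.dest = int.from_bytes(frame[4:6], "little")
    v.src = int.from_bytes(frame[6:8], "little")
    from_master = bool(ctrl & 0x80)
    if length < 5:
        v.alerts.append("protocol anomaly: length field below minimum")
        return v
    # Reassemble user data, checking the CRC that trails every block.
    remaining, pos, user_data = length - 5, 10, b""
    while remaining > 0:
        n = min(MAX_BLOCK, remaining)
        block, trailer = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) < n or len(trailer) < 2 or dnp3_crc(block) != int.from_bytes(trailer, "little"):
            v.alerts.append("protocol anomaly: data block CRC mismatch or truncated block")
            return v
        user_data += block
        pos += n + 2
        remaining -= n
    # Application fragment = [transport header][application control][function code]...
    if len(user_data) >= 3:
        v.function = user_data[2]
    if from_master and v.src not in authorized_masters:
        v.alerts.append(f"unauthorized master address {v.src}")
    if v.function in CONTROL_FUNCTIONS and (not from_master or v.src not in authorized_masters):
        v.alerts.append(f"control request {CONTROL_FUNCTIONS[v.function]} from unauthorized source {v.src}")
    return v


if __name__ == "__main__":
    authorized = {100}  # assumed site policy: only master address 100 may control outstations
    read_req = build_frame(dest=1, src=100, from_master=True, user_data=bytes([0xC0, 0xC0, 0x01]))
    rogue_restart = build_frame(dest=1, src=200, from_master=True, user_data=bytes([0xC0, 0xC0, 0x0D]))
    for name, frame in (("read from master 100", read_req), ("restart from address 200", rogue_restart)):
        print(name, "->", inspect_frame(frame, authorized).alerts or ["ok"])
```

The address allowlist is the weakest of these checks: DNP3 without Secure Authentication carries no proof of origin, so a device that can forge the link-layer source address passes it, which is exactly why the paper’s later discussion of IEEE 1815 SA Version 5 matters. The CRC and block-structure checks remain useful regardless, because a spoofing tool that does not recompute the CRCs correctly produces frames an outstation may still accept but a monitor can reject.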
Common SCADA security challenges
As previously discussed, most ICS and SCADA systems are connected to the corporate IT network. Figure 3 shows a hybrid SCADA architecture with the key computers and devices. The security issues tied to this architecture include:
• Access controls to human-machine interfaces (HMIs) and other equipment with either no or weak authentication; a lack of separation of duties for operator, administrator, and auditor; and inconsistent password management
• Physical segmentation of the SCADA network
• Rogue wireless access points without encryption
• Unauthenticated command execution
• Older Windows operating systems that can serve as a weak link and be the most vulnerable, especially at the field station level
• Systems built for the long term whose outdated operating systems go unpatched
• Software updates that can require new, unbudgeted hardware investments
• Insufficient controls on contractors, with weak policies governing access and the use of laptops and mobile devices
• SCADA system software written by humans, which can be weak on security
• An attack surface that has been simplified
[9] “The 2003 Northeast Blackout – Five Years Later,” by JR Minkel, August 13, 2008, Scientific American.
[10] “The 2003 Northeast Blackout – Five Years Later,” by JR Minkel, August 13, 2008, Scientific American.
Figure 3. Hybrid SCADA network
One of the realizations since 2003 is that “you can’t just look at your system. You’ve got to look at how your system affects your neighbors and vice versa,” says Arshad Mansoor, vice president of power delivery and utilization with the Electric Power Research Institute of Palo Alto, California.[10]
[Figure 3 diagram: a corporate IT network (back-office mainframes and servers running ERP, MES, CAPP, PDM, etc.; office applications, internetworking, data servers, storage) connected over Ethernet to the hybrid SCADA network, which comprises PC-based controllers, programmable logic controllers (PLCs), robotics, and a device-level network of motors, drives, actuators, sensors, and other input/output devices.]
There are also other related factors that must be considered when reviewing security challenges with SCADA systems. These include:
• Differing priorities between those with SCADA, networking, and security experience
• Primary protocols in use were designed to work in a secure, segmented environment
• Backup and alternate systems are difficult to come by for testing purposes
• Current IT security tools are not built to work on SCADA networks
• Scale of critical infrastructure equipment means costs are magnified
SCADA systems have also failed due to accidental causes. The Olympic Pipeline Company gasoline pipeline rupture in 1999 caused an explosion that killed three people. A buildup of pressure in the pipeline went undetected, in part because the controllers that the SCADA system used became unresponsive. The failure of these controllers made it difficult to analyze pipeline conditions and to make timely responses to operational problems. The U.S. National Transportation Safety Board (NTSB) report found cyber security issues before, during, and shortly after the pipeline ruptured. The report identified the following issues that led to abnormal SCADA operation or precluded an ability to determine the cause of the event:
• Unsecured remote access
• Lack of network separation
• Lack of security technologies, including virus protection or access monitoring
• Lack of security policies or a cyber security program
• Lack of training with operating system and SCADA applications
• Lack of audit, diagnostic, and forensic capabilities to replicate the system slowdown and eventual failure
This is still the model of many SCADA systems: an accident waiting to happen, or a deliberate attack to exploit the vulnerabilities.
Mitigating SCADA security exposures
It has been a dozen years since the NTSB report was issued, and SCADA systems are still not secure. What is clear is that SCADA needs to be secured throughout its entire lifecycle, and there are best practices, initiatives, guidelines, and solutions that can help mitigate SCADA security exposures. Sharing information within industry, across levels of government, and with other nations, as well as between security professionals and SCADA engineers, is an essential start and a critical practice.
NERC, the North American Electric Reliability Corporation, publishes reliability standards for the planning and operation of the North American bulk power system. This is a positive step forward toward the goal of defining standards that will provide guidance to security administrators to help them mitigate risks and threats.
In yet another response to the rise and intensity of cyber attacks, IEEE, the world’s largest professional association advancing technology for humanity, announced that work has begun to revise the Secure Authentication (SA) protocols contained in its IEEE 1815 Distributed Network Protocol (DNP3) standard.[11] The SA Version 5 revisions will help bolster overall security for data gathering, exchange, and use in applications like supervisory control and data acquisition (SCADA) systems. SA Version 5 aims to address and help mitigate digital security hazards to essential infrastructures across the power and energy, water, Smart Grid, and other process automation industries.
[11] “IEEE Addresses Evolving Smart Grid Security Challenges with Revisions to Critical IEEE 1815 Standard,” by Shuang Yu, November 2011, IEEE Standards Association.
[12] “IEEE Addresses Evolving Smart Grid Security Challenges with Revisions to Critical IEEE 1815 Standard,” by Shuang Yu, November 2011, IEEE Standards Association.
“As the rate of bolder, more sophisticated cyber attacks continues to spiral upward, ensuring data integrity and security has become increasingly challenging. By necessity, preventing unauthorized intrusion into critical systems has become a top priority,” said H. Lee Smith, chair, IEEE 1815 Working Group and president, DNP Users Group. “By delivering robust security protocols that are attuned to both existing and emerging threats, SA Version 5 will help minimize risk while ensuring the continued efficient and safe operation of vital infrastructures.”[12]
NERC has a number of important documents on cyber security, policy, information and asset protection, compliance monitoring, auditing, and data retention. These include:
•	CIP-002: Critical Cyber Asset Identification
•	CIP-003: Security Management Controls
•	CIP-004: Personnel and Training
•	CIP-005: Electronic Security Perimeter(s)
•	CIP-006: Physical Security of Critical Cyber Assets
•	CIP-007: Systems Security Management
•	CIP-008: Incident Reporting and Response Planning
•	CIP-009: Recovery Plans for Critical Cyber Assets
In order to fully mitigate the risks to SCADA systems, HP security specialists created the following best-practice checklist:
• Apply your defense-in-depth security strategy to create a trusted SCADA network. Know what to protect, know the threats and vulnerabilities, and identify misconfigured network security products.
• Define and implement security policies for when internal systems are accessed by contractors (password requirements, system anti-x, etc.).
• Leverage common industry practices:
  – Segmentation and topology hiding (firewalls)
  – Block real-time threats and patch virtually (intrusion prevention systems)
  – Ensure HMIs are patched with the latest available service packs
  – Provide password policy and enforcement on all nodes (modems, devices, servers)
  – Know the role of SCADA and Smart Grid distribution automation, and leverage SCADA system authentication
  – Run regular scans of the network to determine visibility and what has changed (wired and wireless)
  – Leverage free tools to understand your level of vulnerability to network topology discovery (recon), wireless scanning and password crackers, vulnerability scanners, and Web server scanners
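The checklist item on regular scans only pays off when each scan is compared against a known baseline, so that a new device or a new listener on a control-protocol port stands out from the noise. The Python below is an added example written for this page, not code from the white paper or any HP tool: it parses two inventory snapshots in a simple text format constructed for the example (host followed by protocol/port), diffs them, and ranks the findings so that a new host or a new listener on a SCADA protocol port (Modbus/TCP 502, DNP3 20000, ICCP over ISO-TSAP 102) surfaces first. The sample snapshots use RFC 5737 documentation addresses and are constructed for this example.

```python
"""Diff two network inventory snapshots and rank what changed.

Added example, not from the HP white paper or any HP product. A baseline
snapshot is compared with a current one; new hosts and new listeners on
SCADA protocol ports are ranked highest. The inventory line format and the
sample snapshots are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Listener = Tuple[str, int]           # (protocol, port)
Snapshot = Dict[str, Set[Listener]]  # host -> listeners observed on it

# Well-known SCADA protocol ports.
SCADA_PORTS = {("tcp", 502): "Modbus/TCP", ("tcp", 20000): "DNP3", ("tcp", 102): "ICCP (ISO-TSAP)"}


def parse_snapshot(text: str) -> Snapshot:
    """Parse lines of the form '<host> <proto>/<port>'; a host with no listeners is '<host> -'."""
    snap: Snapshot = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # allow trailing comments
        if not line:
            continue
        host, svc = line.split(None, 1)
        listeners = snap.setdefault(host, set())
        if svc != "-":
            proto, port = svc.split("/")
            listeners.add((proto.lower(), int(port)))
    return snap


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    host: str
    detail: str


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Finding]:
    """Report hosts and listeners that appeared or disappeared, highest severity first."""
    findings: List[Finding] = []
    for host in sorted(set(baseline) | set(current)):
        before, after = baseline.get(host), current.get(host)
        if before is None:
            exposes = [SCADA_PORTS[l] for l in sorted(after) if l in SCADA_PORTS]
            detail = "new host" + (f" exposing {', '.join(exposes)}" if exposes else "")
            findings.append(Finding("high" if exposes else "medium", host, detail))
            continue
        if after is None:
            # Could be an outage, a removed device, or a host now hiding from the scanner.
            findings.append(Finding("medium", host, "host missing from current scan"))
            continue
        for proto, port in sorted(after - before):
            label = SCADA_PORTS.get((proto, port))
            detail = f"new listener {proto}/{port}" + (f" ({label})" if label else "")
            findings.append(Finding("high" if label else "low", host, detail))
        for proto, port in sorted(before - after):
            findings.append(Finding("low", host, f"listener {proto}/{port} closed"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.host, f.detail))


# Constructed sample snapshots (RFC 5737 documentation addresses).
BASELINE = """
192.0.2.10 tcp/20000   # DNP3 master
192.0.2.20 tcp/20000   # outstation
192.0.2.30 tcp/22
192.0.2.30 tcp/502
"""
CURRENT = """
192.0.2.10 tcp/20000
192.0.2.20 tcp/20000
192.0.2.20 tcp/80      # web interface appeared on an outstation
192.0.2.30 tcp/22
192.0.2.40 tcp/502     # previously unseen device speaking Modbus
"""

if __name__ == "__main__":
    for f in diff_snapshots(parse_snapshot(BASELINE), parse_snapshot(CURRENT)):
        print(f"[{f.severity:6}] {f.host:12} {f.detail}")
```

Run against the constructed snapshots, the unknown Modbus device is reported first, the new web listener on the outstation second, and the closed listener last. The severity table is deliberately small; a site would extend `SCADA_PORTS` with whatever its own protocols use and treat a wireless segment exactly like a wired one, as the checklist asks.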
Introducing HP TippingPoint and other HP security
To best protect your SCADA systems, HP offers a wide selection of security solutions. HP TippingPoint is the pioneer of Intrusion Prevention System (IPS) technology and the market leader in providing network security to over 30% of the Fortune 1000. HP DVLabs is the premier research organization for vulnerability analysis and discovery to make sure TippingPoint customers have the ideal preemptive protection for vulnerabilities and zero-day issues. The team consists of over 1,500 industry-recognized security researchers who apply cutting-edge engineering, reverse engineering, and analysis talents that fuel the creation of vulnerability filters that are automatically delivered to our customers’ intrusion prevention systems through the Digital Vaccine® service.
Since 2005, over 2,800 zero-day vulnerabilities have been submitted. Further, HP TippingPoint has been acknowledged 119 times on 20% of all Microsoft® Bulletins.[13] HP DVLabs also offers comprehensive Web App Scan and DV Filter services to effectively protect against attacks with vulnerabilities that are moving up the stack.
Figure 4 highlights how the HP TippingPoint Next Generation Intrusion Prevention System not only prevents advanced, targeted attacks, but also helps clean network traffic and provides optimum visibility and control over your users, applications, and data.
[13] Overview of HP TippingPoint Intrusion Prevention System.
Figure 4. Overview of HP TippingPoint Intrusion Prevention System
[Figure 4 diagram, “Intrusion prevention overview”: dirty traffic (attacks on network, server, and applications; Trojans, worms, bots) enters the IPS, delivered as appliances or software on network, cloud, or virtual platforms, and exits as clean traffic to users, applications, and data. Intelligence updates arrive via Digital Vaccine®. The diagram labels two outcomes, automatic protection and visibility and control, and lists: network events, real-time protection, application control, cyber reputation, network performance, global intelligence, integrated solutions.]
Figure 5. HP TippingPoint coverage of SCADA applications
[Figure 5 body: IPS coverage adapted to SCADA applications, with SCADA filters from DVLabs for the Modbus, DNP3, and ICCP protocols. Coverage listed:]
• Unauthorized client/server command execution
• Unauthorized activity stopping applications
• Denial of service (DoS) attacks
• Exploits targeted at OS vulnerabilities
• Broad coverage for different SCADA protocols
• Protocol anomaly
• Unauthorized client/server communication (e.g., an attempt to control SCADA from the Internet)
• Changing the role of a device (e.g., causing a device to listen and not respond causes DoS)
• Unauthorized activity to re-boot devices
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties
for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be
construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.
4AA3-9452ENW, Created February 2012; Updated March 2012, Rev. 1
The HP TippingPoint Next Generation Intrusion Prevention System (NGIPS) S Series is optimized for performance and reliability at 20, 100, and 300 Mbps with flexible deployment options. For perimeter protection, the solutions can be deployed in front of or behind a router/firewall to immediately protect the network and applications from inbound threats. Deployment between network zones provides isolation and protects sensitive zones from internal attacks.
HP IPS solutions are designed to preserve availability, performance, and security for enterprises and service providers alike. They give service providers more flexibility for general or dedicated protection for their customers’ assets. The series also has integrated Zero Power High Availability (ZPHA) so that a simple power failure does not cause a network outage. This series complements other HP NGIPS solutions, which provide network protection in high-bandwidth locations such as the core network and data center.
Figure 5 shows how HP TippingPoint solutions protect SCADA applications by integrating with a broad selection of SCADA protocols.
HP TippingPoint solutions offer a number of clear benefits to those organizations with industrial control and SCADA systems. HP TippingPoint systems stop threats faster through a proactive security model that provides exceptional inline enforcement, backed by a host of security services provided by HP TippingPoint’s DVLabs Research organization. HP TippingPoint discovers more vulnerabilities than any competitor in its class and releases patches sooner than most software vendors. On average, TippingPoint protects Microsoft users from vulnerabilities 26 days before Microsoft delivers a patch.
HP TippingPoint solutions scale to protect the highest bandwidth data centers, providing IPS solutions that offer inspected throughput ranging from 20 Mbps to 300 Mbps, effectively protecting layers 2–7, while also providing deployment solutions for virtual data centers. HP TippingPoint systems offer immediate, always up-to-date data protection that is crucial to protecting against zero-day attacks. TippingPoint solutions are quick to install and administer.
HP also offers other policy enforcement and security solutions, including security management systems that manage enterprise-wide IPS event and profile change views.
Getting started with HP
For more information on HP TippingPoint solutions, go to
www.hpenterprisesecurity.com

Excell shortcutsExcell shortcuts
Excell shortcuts
 
Conceptual Model of Real Time Infrastructure Within Cloud Computing Environment
Conceptual Model of Real Time Infrastructure Within Cloud Computing EnvironmentConceptual Model of Real Time Infrastructure Within Cloud Computing Environment
Conceptual Model of Real Time Infrastructure Within Cloud Computing Environment
 
Effect on Substation Engineering Costs of IEC61850 & System Configuration Tools
Effect on Substation Engineering Costs of IEC61850 & System Configuration ToolsEffect on Substation Engineering Costs of IEC61850 & System Configuration Tools
Effect on Substation Engineering Costs of IEC61850 & System Configuration Tools
 
IEC61850: Use of IEC61850 to telecontrol MV grids (Presentation)
IEC61850: Use of IEC61850 to telecontrol MV grids (Presentation)IEC61850: Use of IEC61850 to telecontrol MV grids (Presentation)
IEC61850: Use of IEC61850 to telecontrol MV grids (Presentation)
 

Similaire à SCADA White Paper March2012

Optional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierOptional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierAlireza Ghahrood
 
Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company IntroductionNozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company IntroductionNozomi Networks
 
Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Networks
 
Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles Cisco Canada
 
Practical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart gridsPractical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart gridsSergey Gordeychik
 
Whitepaper | Network Security - How to defend your Plant against the threats ...
Whitepaper | Network Security - How to defend your Plant against the threats ...Whitepaper | Network Security - How to defend your Plant against the threats ...
Whitepaper | Network Security - How to defend your Plant against the threats ...Yokogawa
 
How stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systemsHow stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systemsYury Chemerkin
 
Encryption Security in SCADA Networks
Encryption Security in SCADA NetworksEncryption Security in SCADA Networks
Encryption Security in SCADA NetworksIJRES Journal
 
Infrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfosec Europe
 
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack  on Critical Infrastruct...Challenges and Solution to Mitigate the cyber-attack  on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...Abhishek Goel
 
Stuxnet - More then a virus.
Stuxnet - More then a virus.Stuxnet - More then a virus.
Stuxnet - More then a virus.Hardeep Bhurji
 
FocusMAYJUNE 2011 1540-799311$26.00 © 2011 IEEE COPUBLI.docx
FocusMAYJUNE 2011 1540-799311$26.00 © 2011 IEEE COPUBLI.docxFocusMAYJUNE 2011 1540-799311$26.00 © 2011 IEEE COPUBLI.docx
FocusMAYJUNE 2011 1540-799311$26.00 © 2011 IEEE COPUBLI.docxbudbarber38650
 
IJSRED-V2I2P15
IJSRED-V2I2P15IJSRED-V2I2P15
IJSRED-V2I2P15IJSRED
 
Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices IJECEIAES
 
Cyber Security for SCADA
Cyber Security for SCADACyber Security for SCADA
Cyber Security for SCADARichard Umbrino
 
Symantec Intelligence Quarterly Report - October - December 2010
Symantec Intelligence Quarterly Report - October - December 2010Symantec Intelligence Quarterly Report - October - December 2010
Symantec Intelligence Quarterly Report - October - December 2010Symantec
 

Similaire à SCADA White Paper March2012 (20)

Optional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierOptional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet Dossier
 
chile-2015 (2)
chile-2015 (2)chile-2015 (2)
chile-2015 (2)
 
Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company IntroductionNozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company Introduction
 
Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18
 
Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles
 
Practical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart gridsPractical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart grids
 
Whitepaper | Network Security - How to defend your Plant against the threats ...
Whitepaper | Network Security - How to defend your Plant against the threats ...Whitepaper | Network Security - How to defend your Plant against the threats ...
Whitepaper | Network Security - How to defend your Plant against the threats ...
 
How stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systemsHow stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systems
 
Encryption Security in SCADA Networks
Encryption Security in SCADA NetworksEncryption Security in SCADA Networks
Encryption Security in SCADA Networks
 
Infrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLC
 
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack  on Critical Infrastruct...Challenges and Solution to Mitigate the cyber-attack  on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
 
Utilization of Encryption for Security in SCADA Networks
Utilization of Encryption for Security in SCADA NetworksUtilization of Encryption for Security in SCADA Networks
Utilization of Encryption for Security in SCADA Networks
 
Stuxnet - More then a virus.
Stuxnet - More then a virus.Stuxnet - More then a virus.
Stuxnet - More then a virus.
 
Conférence ENGIE ACSS 2018
Conférence ENGIE ACSS 2018 Conférence ENGIE ACSS 2018
Conférence ENGIE ACSS 2018
 
FocusMAYJUNE 2011 1540-799311$26.00 © 2011 IEEE COPUBLI.docx
FocusMAYJUNE 2011 1540-799311$26.00 © 2011 IEEE COPUBLI.docxFocusMAYJUNE 2011 1540-799311$26.00 © 2011 IEEE COPUBLI.docx
FocusMAYJUNE 2011 1540-799311$26.00 © 2011 IEEE COPUBLI.docx
 
L479096.pdf
L479096.pdfL479096.pdf
L479096.pdf
 
IJSRED-V2I2P15
IJSRED-V2I2P15IJSRED-V2I2P15
IJSRED-V2I2P15
 
Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices
 
Cyber Security for SCADA
Cyber Security for SCADACyber Security for SCADA
Cyber Security for SCADA
 
Symantec Intelligence Quarterly Report - October - December 2010
Symantec Intelligence Quarterly Report - October - December 2010Symantec Intelligence Quarterly Report - October - December 2010
Symantec Intelligence Quarterly Report - October - December 2010
 

SCADA White Paper March2012

  • 1. HP TIPPINGPOINT Securing SCADA: Overview, Risks, and Mitigation HP Enterprise Security Business White Paper Table of contents Overview: SCADA in a changing threat landscape .............................2 SCADA and the lessons learned from Stuxnet......................................2 What makes SCADA vulnerable?.......................................................4 Common SCADA security challenges.................................................5 Mitigating SCADA security exposures.................................................6 Introducing HP TippingPoint and other HP security................................7 Getting started with HP....................................................................7
adhering to security best practices. Considering that security tools have long secured corporate networks, this paper will describe how these same solutions can be used to mitigate the risks to SCADA systems.

SCADA and the lessons learned from Stuxnet

Unlike previous “zero-day” attacks, Stuxnet was designed to sabotage a highly unlikely target—programmable logic controllers (PLCs) and other computers of a SCADA system used to control centrifuges within a nuclear facility. The Stuxnet virus was designed not only to debilitate the SCADA controls, but to do so in ultra-stealth mode. So covert was this cyber attack that it took nearly a year before the infected machines were discovered, and even then only by accident.

Researchers were surprised to discover that Stuxnet targeted vulnerabilities in both Windows® and Siemens Simatic WinCC Step7 software, the ICS managing the PLCs that normally drive motors, valves, and switches in everything from food factories and automobile assembly lines to gas pipelines and water treatment plants. A malicious Stuxnet DLL file intercepted commands and replaced them with its own destructive commands. To prevent detection, it disabled automated alarms and masked what was happening to the PLCs by intercepting communications between computers. It literally stripped away any signs of an infection, so workers monitoring the SCADA system could only see legitimate commands and operation. Amazingly, rather than using email or the Internet to spread itself, the Stuxnet virus spread via infected USB sticks and a vulnerability in Windows Explorer to implant malicious code on computers.

Since 2000, application vulnerabilities have been on the rise, with over 8,000 new vulnerabilities discovered annually. Of this number, half are now Web related.2 Per a Ponemon Institute report in March 2011, costs have reached $214 per compromised record, and $7.2M per data breach event.3

1 “How Digital Detectives Deciphered Stuxnet, the most menacing malware in history,” by Kim Zetter, July 11, 2011, Wired.
2 “The 2011 Mid-Year Top Cyber Security Risks Report,” September 2011.
3 “Cost of a data breach climbs higher,” by Larry Ponemon, March 8, 2011, Ponemon Institute.
Zero-day attacks are rare compared to more common network denial-of-service or Web application-based SQL injection attacks. But a zero-day attack can be more targeted, with potentially more lethal results such as loss of life and economic disaster.

Figure 1 shows how the threat landscape has changed in terms of attack vector, types of virus payload, and cyber attacker motivation, which now includes cyber sabotage. Early attacks were designed to impact networks and large numbers of computers. In recent years, threats have become more targeted, using Web applications. Attacks launched by disgruntled insiders remain a constant threat. With Stuxnet, the world needs to come to grips with the harsh realities and ramifications of politically charged cyber warfare.

Attacks that prey on vulnerabilities in software awaiting upgrades or patches are not new to information security professionals, who have had to contend in past years with the destruction from such viruses as Aurora, Ghostnet, and Conficker. Figure 2 shows how Stuxnet differs from previous exploits across seven stages of an attack. Of interest is how Stuxnet differs in how its payload was introduced, its command and control structure, its attack vector, and its self-upgrading capability and stealth presence. As with most viruses, payloads are usually variants or strains of previous exploits. Such hacker code and/or scripts are traded freely over the Internet. Stuxnet differed, however, in that it had components that virus researchers had not seen before.

In October 2011, Duqu, the first known variant of Stuxnet, was detected in the wild.4 Duqu contained Stuxnet code; but unlike Stuxnet, this Trojan did not have sabotage in mind, but rather aimed to gather data from ICS manufacturers, making a future attack more effective. Over the last several years, botnets have been launched to compromise computers in order to steal data for profit or espionage. Hacktivist groups have targeted their attacks against well-known corporate and government entities.

In response to these changing threats, including allegations that the Anonymous hacktivist group attempted to infiltrate French power plants, security experts from 20 EU nations and the U.S. convened at Cyber Atlantic 2011. The goal was to explore how the EU’s Network and Information Security Agency (ENISA) and the U.S. Department of Homeland Security would cooperate and engage each other in the event of a cyber attack on a critical infrastructure.5 A key exercise simulated an attack that disrupts a SCADA system in a power-generation infrastructure. The results of the exercise will be used to formulate national contingency plans with good-practice guides and seminars.6

4 “First came Stuxnet computer virus: now there’s Duqu,” by Tabassum Zakaria, October 18, 2011, Reuters.
5 “Simulated Cyberattacks Unites EU and US Security Experts,” by Jennifer Baker, November 3, 2011, PC World.
6 “First Joint EU-US Cyber Security Exercise Conducted Today, 3rd Nov. 2011,” Brussels, Belgium, PRNewswire.

Figure 1. Changing threat landscape from 2002 to present. The figure divides the ever-changing threat landscape into three eras: 2002–2004 (network/server downtime attacks), 2004–2007 (tracking and masquerading attacks), and 2007–2011+ (Web application attacks). The attack types shown are virus, Trojan, worm, OS-specific attacks, P2P, SQL injection, XSS, phishing, whaling, PHP file include, spyware, adware, and DDoS; the attackers range from amateur hackers and criminals, angry employees or contractors, and unethical advertisers to organized crime, rival corporations, outsourced firms or contractors, and terrorists or political hacktivists.
Figure 2. Differences in focus with Stuxnet and other zero-day attacks. The figure compares Stuxnet with Conficker and Ghostnet across seven stages of an attack: planning and reconnaissance, payload introduction, command and control, footprint expansion, target identification, attack launch, and retreat and removal. Stuxnet is characterized as strategic and target-based, with its payload introduced over the Internet, physically, and externally; tight command and control; targeted expansion; target identification by host function and value; a layered custom attack vector; and self-upgrade and stealth. The earlier malware is characterized as operational Internet malware: fire-and-forget command and control, opportunistic expansion, target identification by vulnerable host IP endpoint, and weak deletion.

What makes SCADA vulnerable?

SCADA systems are used widely for control automation and by discrete manufacturers, including energy (hydro, nuclear), oil and gas, water, mining, automotive, and other manufacturers. Importantly, most systems are derived from legacy technologies found in pilot wire systems of the 1940s and earlier; relay and tone systems based on Visicode in the 1950s–60s; and modern-day systems beginning in the 1970s up through 2000.

With analog telemetric roots, ICS and SCADA systems used leased phone lines for communications between central and field stations. If an alarm went off, an engineer drove to the suspect field station to make repairs. By the mid-1970s, with advances in space program and microprocessor technologies, data could be multiplexed and collected from field stations and transmitted to a central location. Radio and leased lines were incorporated, resulting in the adoption of unattended monitoring and control capabilities for pipelines, water, waste water, and utility grids. But the design of these industrial control and SCADA systems, like many legacy systems at the time, did not consider security.

A modern SCADA network is considered critical to business operations, using the next generation of intelligent and intuitive real-time applications. Paradoxically, however, the advancements in technology have only increased the vulnerabilities that can be exploited and used for an attack. Today, SCADA systems have transitioned from separate and proprietary networks to take advantage of modern technologies such as the Internet and wireless systems. SCADA networks are also integrated into the corporate computer systems housing network and asset management, procurement, billing, and operations management applications.

According to SCADAhacker.com, Italian “security researcher” Luigi Auriemma publicly disclosed vulnerabilities in six different industrial control systems7, including:

• AzeoTech DAQFactory (stack overflow)
• Beckhoff TwinCAT ‘TCATSysSrv.exe’ (network packet denial of service)
• Cogent DataHub (multiple vulnerabilities)
• Measuresoft ScadaPro (multiple vulnerabilities)
• Progea Movicon (multiple vulnerabilities)
• Rockwell RSLogix (overflow vulnerability)

Auriemma also provided proof-of-concept code that could be used by others to exploit the suspect vulnerabilities. Additionally, threat researchers from a major security vendor have identified a buffer overflow in the RSLogix 5000 programming software that can be used to crash the application and deny service to legitimate users.8

7 Posted by Joel Langill, SCADAhacker, September 14, 2011.
8 “Attack: Rockwell RSLogix RsvcHost.exe CVE-2011-3489,” Symantec, and CVE-2011-3489, MITRE Corporation.
SCADA protocols are also composed of vulnerable legacy technology. To demonstrate this, the Pacific Northwest National Laboratory (PNNL) in Richland, Washington, USA, staged a man-in-the-middle attack simulation. A commercially available protocol analyzer was used as a man-in-the-middle device against a typical intelligent electronic device (IED). Using the DNP3 protocol, the most common in North America, the SCADA software was spoofed and unaware that the IED was being issued commands from the attack device. Such deliberate or unintentional issuing of commands within complex critical infrastructure systems could explain the FirstEnergy power failure of August 2003, which cut power to southeastern Canada and eight northeastern U.S. states. Fifty million people lost power for up to two days in North America’s biggest blackout.9 Other such staged cyber attack exercises and research reveal vulnerabilities in power grids despite the influx of modern technology and tools as well as heavy government intervention in the form of regulation.

Common SCADA security challenges

As previously discussed, most ICS and SCADA systems are connected to the corporate IT network. Figure 3 shows a hybrid SCADA architecture with the key computers and devices. Here is a list of the security issues tied to this architecture:

• Access controls to human-machine interfaces (HMIs) and other equipment with either no or weak authentication; a lack of separation of duties for operator, administrator, and auditor; and inconsistent password management
• Inadequate physical segmentation of the SCADA network
• Rogue wireless access points without encryption
• Unauthenticated command execution
• Older Windows operating systems that can serve as the weakest link, especially at the field station level
• Systems were built for the long term, but outdated operating systems go unpatched
• Software updates can require new hardware investments that go unbudgeted
• Insufficient controls on contractors, with weak policies governing access, use of laptops, and mobile devices
• SCADA system software is written by humans and can be weak on security
• Attack surface that has been simplified

One of the realizations since 2003 is that “you can’t just look at your system. You’ve got to look at how your system affects your neighbors and vice versa,” says Arshad Mansoor, vice president of power delivery and utilization with the Electric Power Research Institute of Palo Alto, California.10

Figure 3. Hybrid SCADA network. The figure shows the corporate IT network (back-office mainframes and servers running ERP, MES, CAPP, PDM, etc.; office applications, internetworking, data servers, and storage) connected over Ethernet to the hybrid SCADA network of PC-based controllers and programmable logic controllers (PLCs), which in turn drive a device-level network of motors, drives, actuators, robotics, sensors, and other input/output devices.

9 “The 2003 Northeast Blackout – Five Years Later,” by JR Minkel, August 13, 2008, Scientific American.
10 “The 2003 Northeast Blackout – Five Years Later,” by JR Minkel, August 13, 2008, Scientific American.
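The unauthenticated command execution and weak segmentation items in the list above, together with the corporate IT, SCADA, and device-level layering of Figure 3, are exactly what a protocol-aware monitor at the SCADA network boundary can check: which zone a request comes from, whether it is a read or a write, and whether the frame is even well-formed. The following Python is an added example written for this page, not HP's or TippingPoint's code. The zone address ranges, the zone-to-request policy, and the six sample requests are constructed for the example; the Modbus/TCP header layout and function codes are the public ones from the Modbus application protocol.

```python
"""Zone-aware Modbus/TCP request monitor (added example, not HP code).

Parses Modbus/TCP frames, classifies the function code as read or write,
maps source addresses to the zones of the hybrid architecture (corporate IT,
SCADA, device-level), and flags requests that the source zone may not issue.
All addresses, zone ranges and traffic samples are constructed for the example.
"""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass

# Public Modbus function codes grouped by their effect on the device.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Constructed zone map (assumed addresses); anything outside is treated as external.
ZONES = {
    "device": ipaddress.ip_network("10.10.0.0/24"),     # PLCs, PC-based controllers
    "scada": ipaddress.ip_network("10.20.0.0/24"),      # HMI and SCADA servers
    "corporate": ipaddress.ip_network("10.30.0.0/16"),  # office IT network
}
# Request classes each zone may send to device-level targets (assumed policy).
POLICY = {"scada": {"read", "write"}, "corporate": {"read"}}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the MBAP header and function code; raise ValueError on malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    if length != len(frame) - 6:  # MBAP length covers unit id + PDU
        raise ValueError(f"MBAP length {length} does not match frame ({len(frame) - 6})")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def build_request(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Build a well-formed Modbus/TCP request (used here only to construct sample traffic)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def classify(function: int) -> str:
    if function in READ_FUNCTIONS:
        return "read"
    if function in WRITE_FUNCTIONS:
        return "write"
    return "other"  # diagnostics, vendor-specific and unassigned codes need explicit approval


def evaluate(src_ip: str, dst_ip: str, frame: bytes) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow' or 'alert'."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "alert", f"protocol anomaly: {exc}"
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    kind = classify(req.function)
    if dst_zone != "device":
        return "allow", f"{kind} request not aimed at the device-level network"
    if kind in POLICY.get(src_zone, set()):
        return "allow", f"{src_zone} zone may issue {kind} (fc {req.function}) to unit {req.unit_id}"
    if src_zone not in POLICY:
        return "alert", f"attempt to control SCADA from {src_zone} zone ({src_ip})"
    return "alert", f"unauthorized {kind} (fc {req.function}) from {src_zone} zone to {dst_ip}"


SAMPLE_TRAFFIC = [  # constructed: (source, destination, frame)
    ("10.20.0.5", "10.10.0.7", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),       # HMI polls registers
    ("10.20.0.5", "10.10.0.7", build_request(2, 1, 6, struct.pack(">HH", 40, 1500))),    # HMI writes a setpoint
    ("10.30.4.20", "10.10.0.7", build_request(3, 1, 5, struct.pack(">HH", 3, 0xFF00))),  # office PC forces a coil
    ("203.0.113.9", "10.10.0.7", build_request(4, 1, 3, struct.pack(">HH", 0, 1))),      # Internet host reads a PLC
    ("10.30.4.20", "10.10.0.7", b"\x00\x05\x00\x07\x00\x06\x01\x03\x00\x00\x00\x01"),    # protocol id 7: malformed
    ("10.20.0.5", "10.10.0.7", build_request(6, 1, 8, struct.pack(">HH", 1, 0))),        # diagnostics code, not approved
]


def monitor(traffic=SAMPLE_TRAFFIC) -> list[tuple[str, str]]:
    return [evaluate(src, dst, frame) for src, dst, frame in traffic]


if __name__ == "__main__":
    for (src, dst, _), (verdict, reason) in zip(SAMPLE_TRAFFIC, monitor()):
        print(f"{verdict:5} {src:>12} -> {dst:<10} {reason}")
```

Only the two HMI requests pass; the corporate-zone write, the request from outside every known zone, the frame with a bad protocol identifier, and the unapproved diagnostics code all raise alerts. The policy is deliberately a zone-to-request-class allowlist rather than a blocklist, so a new function code or an unplanned source address fails closed until someone adds it.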
There are also other related factors that must be considered when reviewing security challenges with SCADA systems. These include:

• Differing priorities between those with SCADA, networking, and security experience
• Primary protocols in use were designed to work in a secure, segmented environment
• Backup and alternate systems are difficult to come by for testing purposes
• Current IT security tools are not built to work on SCADA networks
• The scale of critical infrastructure equipment means costs are magnified

SCADA systems have also failed due to accidental causes. The Olympic Pipeline Company gasoline pipeline rupture in 1999 caused an explosion that killed three people. A buildup of pressure in the pipeline went undetected, in part because the controllers that the SCADA system used became unresponsive. The failure of these controllers made it difficult to analyze pipeline conditions and to make timely responses to operational problems. The U.S. National Transportation Safety Board (NTSB) report found cyber security issues before, during, and shortly after the pipeline ruptured. The report identified the following issues that led to abnormal SCADA operation or precluded an ability to determine the cause of the event:

• Unsecured remote access
• Lack of network separation
• Lack of security technologies, including virus protection or access monitoring
• Lack of security policies or a cyber security program
• Lack of training with the operating system and SCADA applications
• Lack of audit, diagnostic, and forensic capabilities to replicate the system slowdown and eventual failure

This is still the model of many SCADA systems—an accident waiting to happen, or a deliberate attack to exploit the vulnerabilities.

Mitigating SCADA security exposures

It has been a dozen years since the NTSB report was issued, and SCADA systems are still not secure. What is clear is that SCADA needs to be secured throughout its entire lifecycle, and there are best practices, initiatives and guidelines, and solutions that can help mitigate SCADA security exposures. Sharing information within industry, across levels of government, and with other nations, as well as between security professionals and SCADA engineers, is an essential start and a critical practice.

NERC, the North American Electric Reliability Corporation, publishes reliability standards for the planning and operation of the North American bulk power system. This is a positive step toward the goal of defining standards that will provide guidance to security administrators to help them mitigate risks and threats.

In yet another response to the rise and intensity of cyber attacks, IEEE, the world’s largest professional association advancing technology for humanity, announced that work has begun to revise the Secure Authentication (SA) protocols contained in its IEEE 1815 Distributed Network Protocol (DNP3) standard.11 The SA Version 5 revisions will help bolster overall security for data gathering, exchange, and use in applications like supervisory control and data acquisition (SCADA) systems. SA Version 5 aims to address and help mitigate digital security hazards to essential infrastructures across the power and energy, water, Smart Grid, and other process automation industries.

“As the rate of bolder, more sophisticated cyber attacks continues to spiral upward, ensuring data integrity and security has become increasingly challenging. By necessity, preventing unauthorized intrusion into critical systems has become a top priority,” said H. Lee Smith, chair, IEEE 1815 Working Group and president, DNP Users Group. “By delivering robust security protocols that are attuned to both existing and emerging threats, SA Version 5 will help minimize risk while ensuring the continued efficient and safe operation of vital infrastructures.”12

NERC has a number of important documents on cyber security, policy, information and asset protection, compliance monitoring, auditing, and data retention. These include:

• CIP-002: Critical Cyber Asset Identification
• CIP-003: Security Management Controls
• CIP-004: Personnel and Training
• CIP-005: Electronic Security Perimeter(s)
• CIP-006: Physical Security of Critical Cyber Assets
• CIP-007: Systems Security Management
• CIP-008: Incident Reporting and Response Planning
• CIP-009: Recovery Plans for Critical Cyber Assets

11 “IEEE Addresses Evolving Smart Grid Security Challenges with Revisions to Critical IEEE 1815 Standard,” by Shuang Yu, November 2011, IEEE Standards Association.
12 “IEEE Addresses Evolving Smart Grid Security Challenges with Revisions to Critical IEEE 1815 Standard,” by Shuang Yu, November 2011, IEEE Standards Association.
In order to fully mitigate the risks to SCADA systems, HP security specialists created the following best-practice checklist:

• Apply your defense-in-depth security strategy to create a trusted SCADA network. Know what to protect, know the threats and vulnerabilities, and identify misconfigured network security products.
• Define and implement security policies for when internal systems are accessed by contractors (password requirements, anti-malware and similar “anti-x” software, etc.).
• Leverage common industry practices:
−− Segmentation and topology hiding (firewalls)
−− Block real-time threats and patch virtually (intrusion prevention systems)
−− Ensure HMIs are patched with the latest available service packs
−− Provide password policy and enforcement on all nodes (modems, devices, servers)
−− Know the role of SCADA and Smart Grid distribution automation, and leverage SCADA system authentication
−− Run regular scans of the network to determine visibility and what has changed (wired and wireless)
−− Leverage free tools to understand your level of vulnerability to network topology discovery (recon), wireless scanning and password crackers, vulnerability scanners, and Web server scanners

Introducing HP TippingPoint and other HP security

To best protect your SCADA systems, HP offers a wide selection of security solutions. HP TippingPoint is the pioneer of Intrusion Prevention System (IPS) technology and the market leader in providing network security to over 30% of the Fortune 1000. HP DVLabs is the premier research organization for vulnerability analysis and discovery, making sure TippingPoint customers have the ideal preemptive protection for vulnerabilities and zero-day issues. The team consists of over 1,500 industry-recognized security researchers who apply cutting-edge engineering, reverse engineering, and analysis talents that fuel the creation of vulnerability filters that are automatically delivered to our customers’ intrusion prevention systems through the Digital Vaccine® service. Since 2005, over 2,800 zero-day vulnerabilities have been submitted. Further, HP TippingPoint has been acknowledged 119 times on 20% of all Microsoft® Bulletins.13 HP DVLabs also offers comprehensive Web App Scan and DV Filter services to effectively protect against attacks on vulnerabilities that are moving up the stack.

Figure 4 highlights how the HP TippingPoint Next Generation Intrusion Prevention System not only prevents advanced, targeted attacks, but also helps clean network traffic and provide optimum visibility and control over your users, applications, and data.

13 Overview of HP TippingPoint Intrusion Prevention System.

Figure 4. Overview of HP TippingPoint Intrusion Prevention System. The figure shows dirty traffic (attacks on networks, servers, and applications; Trojans, worms, and bots; network events) entering the IPS, deployed as appliances or software on network, cloud, or virtual platforms, and clean traffic leaving it toward users, apps, and data, with intelligence updates delivered through Digital Vaccine®, automatic protection, and visibility and control. The capabilities listed are real-time protection, application control, cyber reputation, network performance, global intelligence, and integrated solutions.
Figure 5. HP TippingPoint coverage of SCADA applications
[Figure: IPS coverage adapted to SCADA applications, using SCADA filters from DVLabs for the Modbus, DNP3, and ICCP protocols. Coverage shown: protocol anomalies; unauthorized client/server communication (e.g. an attempt to control SCADA from the Internet); unauthorized client/server command execution; unauthorized activity stopping applications; unauthorized activity to re-boot devices; changing the role of a device (e.g. causing a device to listen and not respond, a DoS); denial of service (DoS) attacks; exploits targeted at OS vulnerabilities; broad coverage for different SCADA protocols. Output: clean traffic.]

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. 4AA3-9452ENW, Created February 2012; Updated March 2012, Rev. 1

The HP TippingPoint Next Generation Intrusion Prevention System (NGIPS) S Series is optimized for performance and reliability at 20, 100, and 300 Mbps, with flexible deployment options. For perimeter protection, the appliances can be deployed in front of or behind a router/firewall to protect the network and applications from inbound threats. Deployment between network zones provides isolation and protects sensitive zones from internal attacks. HP IPS solutions are designed to preserve availability, performance, and security for enterprises and service providers alike, and give service providers the flexibility to offer general or dedicated protection for their customers' assets. The series also has integrated Zero Power High Availability (ZPHA), a bypass that keeps the link up if the appliance loses power, so that a simple power failure does not cause a network outage; note that traffic passes uninspected while the bypass is active. This series complements other HP NGIPS solutions, which provide network protection in high-bandwidth locations such as the core network and data center. Figure 5 shows how HP TippingPoint solutions protect SCADA applications through filters for a broad selection of SCADA protocols.

HP TippingPoint solutions offer a number of clear benefits to organizations with industrial control and SCADA systems. HP TippingPoint systems stop threats faster through a proactive security model that provides inline enforcement, backed by the security services of HP TippingPoint's DVLabs research organization. HP TippingPoint discovers more vulnerabilities than any competitor in its class and releases protective filters (virtual patches) sooner than most software vendors release patches; on average, TippingPoint protects Microsoft users from vulnerabilities 26 days before Microsoft delivers a patch. HP TippingPoint solutions scale from the S Series, with inspected throughput of 20 Mbps to 300 Mbps, to the highest-bandwidth data centers, protecting layers 2–7 and also offering deployment options for virtual data centers. HP TippingPoint systems provide immediate, always up-to-date protection, which is crucial against zero-day attacks, and are quick to install and administer. HP also offers other policy enforcement and security solutions, including security management systems that provide enterprise-wide views of IPS events and profile changes.

Getting started with HP
For more information on HP TippingPoint solutions, go to www.hpenterprisesecurity.com
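As an added illustration, not HP TippingPoint or DVLabs filter code, the Python script below shows what the Figure 5 filter categories look like as concrete checks on Modbus/TCP requests, and how the checklist's segmentation point becomes an allow-list of master subnets: MBAP header and length sanity plus a known-function-code check (protocol anomaly); a source-subnet allow-list (unauthorized client/server communication, the "control from the Internet" case); write function codes restricted to one HMI (unauthorized command execution); and the Modbus Diagnostics function (08) sub-functions Force Listen Only Mode (0x0004), which makes a device stop responding, and Restart Communications Option (0x0001), the closest Modbus equivalent of the figure's role-change and re-boot cases. The subnet 10.10.1.0/24, the HMI address 10.10.1.10, the public source 203.0.113.7, and all frames are constructed for the example.

```python
"""Toy Modbus/TCP inspection filter modelled on the Figure 5 categories.

Constructed example for this page; it is not HP TippingPoint or DVLabs filter
logic. Addresses, subnets and frames below are made up for illustration.
"""
import ipaddress
import struct
from dataclasses import dataclass

# Assumed policy (hypothetical): only the HMI/engineering subnet may talk to
# PLCs at all, and only one HMI may write or restart anything.
AUTHORIZED_MASTERS = [ipaddress.ip_network("10.10.1.0/24")]
WRITE_CAPABLE_MASTERS = {ipaddress.ip_address("10.10.1.10")}

# Public Modbus function codes (Modbus Application Protocol V1.1b3).
READ_FUNCTIONS = {1, 2, 3, 4, 7, 11, 12, 17, 20, 24, 43}
WRITE_FUNCTIONS = {5, 6, 15, 16, 21, 22, 23}
DIAGNOSTICS = 8
# Diagnostics (function 08) sub-functions that change what a device does.
RESTART_COMMUNICATIONS = 0x0001   # restart the device's communications port
FORCE_LISTEN_ONLY = 0x0004        # device stops responding: a DoS if unauthorized


@dataclass
class Verdict:
    action: str    # "allow" or "block"
    category: str  # Figure 5 category the check maps to
    detail: str


def mbap(function_code: int, data: bytes, unit_id: int = 1, transaction_id: int = 1) -> bytes:
    """Build a well-formed Modbus/TCP request: MBAP header followed by the PDU."""
    pdu = bytes([function_code]) + data
    # MBAP: transaction id, protocol id (0 = Modbus), length of what follows, unit id.
    return struct.pack(">HHHB", transaction_id, 0, 1 + len(pdu), unit_id) + pdu


def inspect(src_ip: str, frame: bytes) -> Verdict:
    """Classify one client-to-server Modbus/TCP request."""
    # 1. Protocol anomaly: header and length sanity, known function code.
    if len(frame) < 8:
        return Verdict("block", "protocol anomaly", "frame shorter than MBAP header plus function code")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return Verdict("block", "protocol anomaly", f"protocol identifier {proto} is not Modbus (0)")
    if length != len(frame) - 6:
        return Verdict("block", "protocol anomaly", f"MBAP length {length} != actual {len(frame) - 6}")
    fc = frame[7]
    if fc not in READ_FUNCTIONS | WRITE_FUNCTIONS | {DIAGNOSTICS}:
        return Verdict("block", "protocol anomaly", f"undefined function code 0x{fc:02x}")
    data = frame[8:]

    # 2. Unauthorized client/server communication, e.g. control attempts from the Internet.
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in AUTHORIZED_MASTERS):
        return Verdict("block", "unauthorized client/server communication",
                       f"{src} is outside the authorized master subnets")

    # 3. Role change / re-boot through Diagnostics sub-functions.
    if fc == DIAGNOSTICS:
        if len(data) < 4:
            return Verdict("block", "protocol anomaly", "diagnostics request missing sub-function or data")
        sub = struct.unpack(">H", data[:2])[0]
        if sub == FORCE_LISTEN_ONLY:
            return Verdict("block", "device role change", "Force Listen Only Mode would silence the device")
        if sub == RESTART_COMMUNICATIONS and src not in WRITE_CAPABLE_MASTERS:
            return Verdict("block", "unauthorized device re-boot", f"{src} may not restart communications")

    # 4. Unauthorized command execution: writes only from the designated HMI.
    if fc in WRITE_FUNCTIONS and src not in WRITE_CAPABLE_MASTERS:
        return Verdict("block", "unauthorized command execution",
                       f"{src} is read-only but sent write function 0x{fc:02x}")

    return Verdict("allow", "clean traffic", f"function 0x{fc:02x} from {src}")


if __name__ == "__main__":
    # Constructed sample traffic: (source address, frame).
    samples = [
        ("10.10.1.20", mbap(3, struct.pack(">HH", 0, 10))),        # read 10 holding registers
        ("10.10.1.20", mbap(6, struct.pack(">HH", 1, 0xFF))),      # write from a read-only host
        ("10.10.1.10", mbap(6, struct.pack(">HH", 1, 0xFF))),      # same write from the HMI
        ("203.0.113.7", mbap(3, struct.pack(">HH", 0, 10))),       # read from a public address
        ("10.10.1.10", mbap(8, struct.pack(">HH", FORCE_LISTEN_ONLY, 0))),
        ("10.10.1.20", mbap(8, struct.pack(">HH", RESTART_COMMUNICATIONS, 0))),
        ("10.10.1.20", mbap(3, struct.pack(">HH", 0, 10))[:-2]),   # truncated: length field lies
    ]
    for src, frame in samples:
        v = inspect(src, frame)
        print(f"{src:>12} {frame.hex():<28} {v.action:5} {v.category}: {v.detail}")
```

Run the script directly to see each constructed frame classified. The order of the checks matters: malformed frames are rejected before any policy is consulted, and a request from an unauthorized subnet is blocked before its function code is examined, so a write attempt from the Internet is reported as an unauthorized communication rather than as an unauthorized command. A real IPS would sit inline at the zone boundary that the segmentation item in the checklist establishes, and would need per-unit-id and per-register policy beyond what this sketch shows.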
