SCADA systems are used to control and monitor physical processes, examples of which are transmission of electricity, transportation of gas and oil in pipelines, water distribution, traffic lights, and other systems used as the basis of modern society.
The security of these SCADA systems is important because compromise or destruction of these systems would impact multiple areas of society far removed from the original compromise. For example, a blackout caused by a compromised electrical SCADA system would cause financial losses to all the customers that received electricity from that source. How security will affect legacy SCADA and new deployments remains to be seen.
A number of types of security challenges to which SCADA systems may be vulnerable are recognized in the industry.
The list includes:
AUTHORISATION VIOLATION
an authorized user performing functions beyond his level of authority.
EAVESDROPPING
gleaning unauthorized information by listening to unprotected communications.
INFORMATION LEAKAGE
authorized users sharing information with unauthorized parties.
INTERCEPT/ALTER
an attacker inserting himself (either logically or physically) into a data connection and then intercepting and modifying messages for his own purposes.
MASQUERADE (“SPOOFING”)
an intruder pretending to be an authorized entity and thereby gaining access to a system.
REPLAY
an intruder recording a legitimate message and replaying it back at an inopportune time. An often-quoted example is recording the radio transmission used to activate public safety warning sirens during a test transmission and then replaying the message sometime later.
An attack of this type does not require more than a very rudimentary understanding of the communication protocol.
DENIAL OF SERVICE ATTACK
an intruder attacking a system by consuming a critical system resource such that legitimate users are never or infrequently serviced.
Security by Obscurity
The electric utility industry frequently believes that the multiplicity and obscurity of its SCADA communication protocols make them immune to malicious interference. While this argument may have some (small) merit, it is not considered a valid assumption when security is required.
In the same way that the operation of door locks is well understood but the particular key is kept private on a key ring, it is better to have well-documented and tested approaches to security in which there is broad understanding of the mechanisms but in which the keys themselves are kept private.
Encryption
Security techniques discussed in this section are effective against several of the attacks discussed above, including eavesdropping, intercept/alter, and masquerade (“spoofing”). They can also be effective against replay if they are designed with a key that changes based upon some independent entity such as packet sequence number or time.
The OSI reference model separates the function of data-link integrity checking (checking for transmission errors) from the function of protecting against malicious attacks on the message contents. Protection from transmission errors is best done as close to the physical medium as possible (data-link layer), while protection from message content alteration is best done as close to the application layer as possible (network layer or above). An example of this approach is the IP Security Protocol (IPsec), which is inserted at the IP (Internet Protocol) level in the protocol stack of an Internet-type network.
For those instances where packet routing is not required, it is possible to combine error checking and encryption in the physical or data-link layer. Commercial products are being built to intercept the data stream at the physical (or sometimes data link) layer, add encryption and error detection to the message, and send it to a matching unit at the other end of the physical connection, where it is unwrapped and passed to the end terminal equipment. This approach is particularly useful in those situations where it is required to add information security to existing legacy systems. If such devices are employed in a network where message addressing must be visible, they must be intelligent enough to encrypt only the message payload while keeping the address information in the clear.
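The two points above (encryption keyed to a sequence number to defeat replay, and a link-layer device that encrypts only the payload while leaving the address in the clear and adding error detection) can be shown together in a small bump-in-the-wire model. This is an added example, not code from the article or from any commercial product: the 2-byte address, the frame layout, the demo keys and the command text are all constructed here, and the HMAC-SHA256 counter keystream is a toy stand-in for a real authenticated cipher such as AES-GCM or IPsec ESP.

```python
import hmac
import hashlib
import struct
import zlib

ADDR_LEN = 2   # bytes of link address that must stay readable for routing/polling
SEQ_LEN = 8    # 64-bit frame sequence number; doubles as the cipher nonce
TAG_LEN = 16   # truncated HMAC-SHA256 authentication tag
CRC_LEN = 4    # CRC-32 for transmission-error detection (data-link job)


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode, keyed by the sequence number.
    Assumption for the demo only; a production unit would use an AEAD cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QI", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


class LinkEncryptor:
    """Sending half of the matched pair: address in clear, payload encrypted."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key, self.seq = enc_key, mac_key, 0

    def wrap(self, frame: bytes) -> bytes:
        addr, payload = frame[:ADDR_LEN], frame[ADDR_LEN:]
        self.seq += 1
        seq_bytes = struct.pack(">Q", self.seq)
        ciphertext = _xor(payload, _keystream(self.enc_key, self.seq, len(payload)))
        # The tag covers address, sequence and ciphertext, so none can be altered unnoticed.
        tag = hmac.new(self.mac_key, addr + seq_bytes + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        body = addr + seq_bytes + ciphertext + tag
        return body + struct.pack(">I", zlib.crc32(body))


class LinkDecryptor:
    """Receiving half: CRC first (line errors), then MAC (alteration), then replay check."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key, self.last_seq = enc_key, mac_key, 0

    def unwrap(self, wire: bytes):
        if len(wire) < ADDR_LEN + SEQ_LEN + TAG_LEN + CRC_LEN:
            return ("short", None)
        body, crc = wire[:-CRC_LEN], struct.unpack(">I", wire[-CRC_LEN:])[0]
        if zlib.crc32(body) != crc:
            return ("crc_error", None)          # transmission error, not an attack
        addr = body[:ADDR_LEN]
        seq_bytes = body[ADDR_LEN:ADDR_LEN + SEQ_LEN]
        seq = struct.unpack(">Q", seq_bytes)[0]
        ciphertext, tag = body[ADDR_LEN + SEQ_LEN:-TAG_LEN], body[-TAG_LEN:]
        expected = hmac.new(self.mac_key, addr + seq_bytes + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return ("bad_mac", None)            # intercept/alter or masquerade
        if seq <= self.last_seq:
            return ("replay", None)             # authentic but old: REPLAY attack
        self.last_seq = seq                     # lost frames are tolerated (seq only has to grow)
        payload = _xor(ciphertext, _keystream(self.enc_key, seq, len(ciphertext)))
        return ("ok", addr + payload)


def demo() -> dict:
    """Runs one frame through the pair and through the failure modes the article lists."""
    enc_key, mac_key = b"E" * 32, b"M" * 32            # constructed demo keys
    tx, rx = LinkEncryptor(enc_key, mac_key), LinkDecryptor(enc_key, mac_key)
    frame = b"\x00\x07" + b"OPEN BREAKER 3"            # constructed: RTU address + command
    wire = tx.wrap(frame)
    results = {
        "address_visible": wire[:ADDR_LEN] == frame[:ADDR_LEN],
        "payload_hidden": b"BREAKER" not in wire,
        "first_delivery": rx.unwrap(wire),
        "replayed": rx.unwrap(wire),               # same bytes again: rejected by sequence
    }
    noisy = bytearray(wire)
    noisy[ADDR_LEN + SEQ_LEN] ^= 0x01                   # single bit error on the line
    results["line_noise"] = rx.unwrap(bytes(noisy))
    body = bytearray(wire[:-CRC_LEN])
    body[ADDR_LEN + SEQ_LEN] ^= 0x01                    # same change with a valid CRC: only the MAC catches it
    forged = bytes(body) + struct.pack(">I", zlib.crc32(bytes(body)))
    results["altered"] = rx.unwrap(forged)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The ordering of the checks matters: the CRC is cheap and catches line noise before any key material is touched, the MAC is verified before the sequence number is trusted (so a forged sequence cannot disturb the replay state), and the receiver only requires the sequence to increase, so a dropped frame does not wedge the link. On networks that reorder packets a sliding window, as IPsec uses, would replace the strict comparison.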
For systems in which the packets must be routed through a wide-area network, the addition of a physical-layer device that does not recognize the packet structure is unusable. In this case, it is more appropriate to employ network-layer or above security protection to the message.
This can be accomplished using either proprietary (e.g., many virtual-private-network schemes) or standards-based (e.g., the IP Security Protocol [IPsec]) protection schemes that operate at the network layer or above in the OSI model.
Edvard Csanyi
Hi, I'm an electrical engineer, programmer and founder of EEP - Electrical Engineering Portal. I worked twelve years at Schneider Electric in the position of technical support for low- and medium-voltage projects and the design of busbar trunking systems. I'm highly specialized in the design of LV/MV switchgear and low-voltage, high-power busbar trunking (<6300A) in substations, commercial buildings and industry facilities. I'm also a professional in AutoCAD programming.
One of the latest SCADA attacks was in Iran, where computers have been hardest hit by a dangerous computer worm that tries to steal information from industrial control systems.
Part of an article published at notanotherconspiracy.com:
The experts say the worm actually looks for very specific Siemens settings — a kind of fingerprint that tells it that it has been installed on a very specific Programmable Logic Controller (PLC) device — and then it injects its own code into that system. Surely in this Windows-based system, more than one will have this fingerprint. At this point, as far as I'm concerned, the SCADA system of one or more industrial systems in the U.S. is the intended target. To flat out say the Stuxnet worm was built to destroy operations at one target, and is targeting Iran and the Bushehr nuclear reactor, seems a little premature to me. That's where the psywar or psychological warfare comes in.
With any computer exploit comes a fix/patch. Siemens has known of problems in their SCADA software code for over 2 years, and only started to fix it after a worm exploited it. So it is within reason to say that a patch or fix was pushed out shortly after the worm was found. And if not, the industries who use the Siemens SCADA software are now aware and can do three things. Without patching the system, they can shut it down so further damage cannot take place. They can use in-house coders and make a patch/workaround. Or they can use a different system altogether.