SCADA systems are used to control and monitor physical processes; examples are the transmission of electricity, the transportation of gas and oil in pipelines, water distribution, traffic lights, and other infrastructure on which modern society depends.
The security of these SCADA systems is important because the compromise or destruction of such a system affects many parts of society far removed from the point of compromise. For example, a blackout caused by a compromised electrical SCADA system would cause financial losses to every customer served from that source. How these security requirements will be met in legacy SCADA installations and in new deployments remains to be seen.
A number of types of security challenges to which SCADA systems may be vulnerable are recognized in the industry.
The list includes:
an authorized user performing functions beyond his level of authority.
EAVESDROPPING
an intruder gleaning unauthorized information by listening to unprotected communications.
authorized users sharing information with unauthorized parties.
INTERCEPT/ALTER
an attacker inserting himself (either logically or physically) into a data connection and then intercepting and modifying messages for his own purposes.
MASQUERADE
an intruder pretending to be an authorized entity and thereby gaining access to a system.
REPLAY
an intruder recording a legitimate message and replaying it at an inopportune time. An often-quoted example is recording the radio transmission used to activate public safety warning sirens during a test and then replaying it some time later. An attack of this type requires no more than a very rudimentary understanding of the communication protocol, since the attacker never has to read or construct a message, only to repeat one.
DENIAL OF SERVICE ATTACK
an intruder attacking a system by consuming a critical system resource such that legitimate users are never, or only infrequently, serviced.
Security by Obscurity
The electric utility industry frequently assumes that the multiplicity and obscurity of its SCADA communication protocols make them immune to malicious interference. While this argument may have some (small) merit, it is not a valid assumption when security is required: protocol documentation is sold or leaked, and a protocol can be reverse-engineered from captured traffic.
In the same way that the operation of door locks is well understood but the particular key is kept private on a key ring, it is better to have well-documented and tested approaches to security in which there is broad understanding of the mechanisms but in which the keys themselves are kept private.
The security techniques discussed in this section are effective against several of the attacks listed above, including eavesdropping, intercept/alter, and masquerade ("spoofing"). They can also be effective against replay if the protected message binds in a value the receiver can check for freshness, such as a packet sequence number or a timestamp, so that a recorded message fails the check when it is presented again.
The OSI reference model separates the function of data-link integrity checking (detecting transmission errors) from the function of protecting the message contents against malicious alteration. The two are not interchangeable: a CRC or checksum catches line noise, but an attacker who alters a message simply recomputes it, so only a keyed integrity check (a message authentication code) can detect deliberate tampering. Protection from transmission errors is best done as close to the physical medium as possible (data-link layer), while protection from message content alteration is best done at the network layer or above, as close to the application as practical. An example of this approach is the IP Security Protocol (IPsec), which is inserted at the IP (Internet Protocol) level in the protocol stack of an Internet-type network.
For those instances where packet routing is not required, it is possible to combine error checking and encryption in the physical or data-link layer. Commercial products are built to intercept the data stream at the physical (or sometimes data-link) layer, add encryption and error detection to the message, and send it to a matching unit at the other end of the physical connection, where it is unwrapped and passed to the end terminal equipment. This "bump-in-the-wire" approach is particularly useful where information security must be added to existing legacy systems that cannot be modified. If such devices are employed on a link where message addressing must remain visible (a multidrop channel, for example), they must be intelligent enough to encrypt only the message payload while keeping the address information in the clear; an eavesdropper can then still see which stations are talking, but not what they say, and the devices must still authenticate each message and carry a sequence number or timestamp if intercept/alter and replay are to be defeated.
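The following is an added example, not code from the original text or from any commercial product, illustrating the link-encryptor design just described together with the earlier claims that encryption with a keyed integrity check defeats eavesdropping, intercept/alter and masquerade, and defeats replay only when a sequence number is bound into the protected message. The legacy frame layout (destination, source, payload, CRC-16), the protected layout, the shared key and the sample command are all constructed for the example; the HMAC-derived counter-mode keystream stands in for a real block cipher and is not suitable for production.

```python
import hashlib
import hmac
import struct

# Constructed demonstration key; a real link encryptor would use a provisioned key.
KEY = b"demo-shared-key-not-for-production"
TAG_LEN = 16


def crc16(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF). Catches line noise, not attackers:
    anyone who alters the data can recompute it."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def legacy_frame(dst: int, src: int, payload: bytes) -> bytes:
    """Assumed legacy layout: dst | src | payload | crc16 (big-endian)."""
    body = bytes([dst, src]) + payload
    return body + struct.pack(">H", crc16(body))


def crc_ok(frame: bytes) -> bool:
    return crc16(frame[:-2]) == struct.unpack(">H", frame[-2:])[0]


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for a block cipher in CTR mode)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">II", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class LinkEncryptor:
    """One bump-in-the-wire unit. Protected layout on the wire:
    dst | src | seq(4) | ciphertext | tag(16) | crc16
    Addresses stay in the clear so the link can still route the frame; the sequence
    number is bound into the tag so the receiver can refuse replays; the CRC is
    recomputed over the protected frame for ordinary error detection."""

    def __init__(self, key: bytes):
        self.key = key
        self.tx_seq = 0   # last sequence number sent
        self.rx_seq = 0   # highest sequence number accepted

    def wrap(self, frame: bytes) -> bytes:
        if not crc_ok(frame):
            raise ValueError("legacy frame failed CRC")
        hdr, payload = frame[:2], frame[2:-2]
        self.tx_seq += 1
        seq = struct.pack(">I", self.tx_seq)
        ct = xor(payload, keystream(self.key, self.tx_seq, len(payload)))
        tag = hmac.new(self.key, hdr + seq + ct, hashlib.sha256).digest()[:TAG_LEN]
        body = hdr + seq + ct + tag
        return body + struct.pack(">H", crc16(body))

    def unwrap(self, frame: bytes):
        """Returns (legacy_frame, 'ok') on success, else (None, reason)."""
        if not crc_ok(frame):
            return None, "crc"          # line error: ask for retransmission
        body = frame[:-2]
        hdr, seq_b, ct, tag = body[:2], body[2:6], body[6:-TAG_LEN], body[-TAG_LEN:]
        expect = hmac.new(self.key, hdr + seq_b + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):
            return None, "mac"          # altered in transit, or forged without the key
        seq = struct.unpack(">I", seq_b)[0]
        if seq <= self.rx_seq:
            return None, "replay"       # recorded earlier and played back
        self.rx_seq = seq
        payload = xor(ct, keystream(self.key, seq, len(ct)))
        return legacy_frame(hdr[0], hdr[1], payload), "ok"


def demo() -> dict:
    master, rtu = LinkEncryptor(KEY), LinkEncryptor(KEY)
    cmd = legacy_frame(0x10, 0x01, b"OPEN BREAKER 7")   # constructed sample command
    wire = master.wrap(cmd)
    out = {}
    out["addresses_in_clear"] = wire[:2] == cmd[:2]
    out["payload_hidden"] = b"BREAKER" not in wire       # eavesdropper sees only ciphertext
    out["delivered"] = rtu.unwrap(wire) == (cmd, "ok")
    out["replay"] = rtu.unwrap(wire)[1]                  # same frame again is refused
    # Intercept/alter: flip a ciphertext byte and fix up the link CRC.
    altered = bytearray(wire[:-2])
    altered[6] ^= 0xFF                                   # first ciphertext byte
    altered = bytes(altered) + struct.pack(">H", crc16(altered))
    out["crc_still_passes"] = crc_ok(altered)            # CRC is no defence
    out["altered"] = rtu.unwrap(altered)[1]              # the keyed tag catches it
    # Masquerade: a unit without the shared key tries to inject the command.
    forged = LinkEncryptor(b"wrong-key").wrap(legacy_frame(0x10, 0x01, b"OPEN BREAKER 7"))
    out["masquerade"] = rtu.unwrap(forged)[1]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note the operational consequence of the replay check: a unit that loses its sequence counter (power cycle, replacement) starts again at 1 and is rejected by its peer until the counters are resynchronized, so a deployed design needs a re-keying or counter-reset handshake; the example omits that step.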
For systems in which the packets must be routed through a wide-area network, a physical-layer device that does not recognize the packet structure cannot be used, because the routers between the endpoints must be able to read the network addresses. In this case, it is more appropriate to apply network-layer or higher security protection to the message.
This can be accomplished using either proprietary (e.g., many virtual-private-network schemes) or standards-based (e.g., the IP Security Protocol, IPsec) protection schemes that operate at the network layer or above in the OSI model.