Authentication is the software process of identifying a user who is authorized to access the SCADA system. Authorization is the process of defining access permissions on the SCADA system and allowing users with permissions to access respective areas of the system. Authentication and authorization are the mechanisms for single point of control for identifying and allowing only authorized users to access the SCADA system, therefore ensuring a high level of control over the system’s security.
To provide effective authentication the system must require each user to enter a unique user name and password. A shared user name implies a lack of responsibility for the protection of the password and any actions completed by that user.
It must be possible for user names to be created, edited and deleted within the system while the system is active to ensure individual passwords can be maintained. In addition it is highly recommended that password aging be implemented. Password aging ensures that operators change their passwords over a controlled time period, such as every week, month, or so on.
To provide authorization the system must be able to control access to every component of the control system. The system must not provide a “back door” by which to bypass the levels of authentication specified in the application.
Critical data pertaining to a SCADA system must be securely stored and communicated. It is essential that critical data like a password be stored using an encryption algorithm. Similarly, remote login processes should use VPNs or encryption to communicate the user name and password over the network.
Critical data like user name and password must be persisted in a secured data repository and access rights monitored and managed using secured mechanisms like Windows authentication and role-based security. It has become common practice for SCADA systems operating in the Windows environment to utilize Windows Domain security to maintain user profiles. This is a recommended approach as it centralizes security and administration while providing an acceptable audit trail of user actions./pAudit Trails
It is recommended that Audit trails on critical activities like user logins, changes to operational parameters or changes to system access permissions be tracked and monitored at regular intervals. Securing your SCADA application may make it more challenging for external hackers to gain control of the system; however it will not prevent internal sabotage. Regularly tracking and monitoring audit trails on critical areas of your SCADA system will help identify suspicious activities and consequently allow the necessary corrective actions.
Wireless Networks
The two most common ways of gaining unauthorized access to a wireless network are by using an unauthorized wireless client, such as a laptop or PDA, or by creating a clone of a wireless access point. If no measures have been taken to secure the wireless network then either of these methods can provide full access to the wireless network.
Many commercial wireless networks are available, which range in price, complexity and level of security provided. When implementing a wireless network, a couple of standard security measures can minimize the chance of an attacker gaining access to the wireless network.
• Approved clients – The access points in the wireless network contain a configurable list of all MAC addresses of the authorized clients that are permitted access to the wireless network. A client not listed in an access point cannot access the wireless network.
• Server Set ID (SSID) – This is an identification string that can be configured on all clients and access points in your wireless network. Any client or access point participating on the wireless network must have the same SSID configured. The SSID is, however, transmitted as a readable text string over the network. Therefore, an SSID alone is not sufficient to secure the wireless network.
• Wired Equivalent Privacy (WEP) – All clients and access points should have a configurable static WEP. This is a 40, 64 or 128-bit encryption string that is entered in all clients and access points. Without a correct WEP string, no access can be gained to the wireless network. The SSID is also encrypted using this string. In most cases, using an SSID and a WEP provides a secure solution.
• 802.1X EAP (Extensible Authentication Protocol) – WEP is the minimum level of security recommended for wireless client access. The disadvantage with WEP is the management of the network strings. It is possible to decode these, and updating to new keys is a manual process. EAP is a relatively new standard that dynamically alters keys while providing built-in authentication requirements. It is recommended where possible EAP authentication is enabled for wireless devices.
• VPN (described earlier) was developed to provide secure connections through the Internet to internal corporate networks. A VPN simplistically creates a secure tunnel through open networks such as the Internet or a wireless network. Data transmitted through the tunnel is encrypted on the client then decrypted and validated in a VPN gateway inside the wireless access point. VPN is a single solution providing security both for the wireless and wired network, thus reducing implementation and maintenance costs.
Intrusion Detection
Firewalls and other simple boundary devices currently available lack some degree of intelligence when it comes to observing, recognizing and identifying attack signatures that may be present in the traffic they monitor and the log files they collect. This deficiency explains why intrusion detection systems (IDS) are becoming increasingly important in helping to maintain network security.
In a nutshell, an IDS is a specialized tool that reads and interprets the contents of log files from routers, firewalls, servers and other network devices. Furthermore, an IDS often stores a database of known attack signatures to compare patterns of activity, traffic or behavior it identifies in the logs it monitors against those signatures. There are various types of IDS monitoring approaches:
• Network-based IDS characteristics – A network-based IDS monitors an entire, large network with only a few well-situated nodes or devices and impose little overhead on a network.
• Host-based IDS characteristics – A host-based IDS analyzes activities on the host it monitors at a high level of detail. It can often determine which processes and/or users are involved in suspicious activities.
• Application-based IDS characteristics – An application-based IDS concentrates on events occurring within a specific application. They often detect attacks through the analysis of application log files and can usually identify many types of attack or suspicious activities.
In practice, most utilities use a combination of network, host and/or application-based IDS systems for observing network activity while also monitoring key hosts and applications more closely.
Redundant Control Centers
For both physical disaster recovery and IT intrusion and isolation purposes most utility companies are now adopting SCADA solutions that incorporate at least one off site control center. In some utility sectors this is now mandatory. This should be seriously considered as part of the overall security assessment of the IT infrastructure. For a redundant off-site center to operate effectively the following items need to be considered as part of the infrastructure requirements:
• Automatic failover of all controller-based communications
• Full historical data replication between each of the servers deployed within the system.
Redundant Control Centers/pAdditional Resources
This discussion is intended as an overview of the security measures to protect an integrated SCADA network. In no way is it fully comprehensive or intended as the sole source for network security. Listed below are some agencies that publish current standards and security measures that can aid you in your security planning.
The Instrumentation, Systems and Automation Society (ISA)
www.isa.org
National Institute of Standards and Technology (NIST)
www.csrc.nist.gov
North American Electric Reliability Council (NERC)
www.nerc.com
United States Department of Energy (DOE)
www.energy.gov
U.S. Department of Homeland Security
www.nipc.gov
Sandia National Laboratories – The Center for SCADA Security
www.sandia.gov/scada/home.htm
About the Author:
Scott Wooldridge holds degrees in electrical and mechanical engineering as well as an M.B.A. He has over 15 years experience providing production improvement engineering, IT, Project Management and Consultancy services to a variety of industrial, process, food and mining customers including: Rio Tinto, BHP Billiton, ALCOA, PG & E, Mitsubishi, Caterpillar and GM.
ScottWooldridge@citect.com
Citect
30000 Mill Creek Ave Suite 300
Alpharetta, GA 30022
770 521 7511
Sources:
The Instrumentation, Systems and Automation Society (ISA). 2004. Integrating Electronic Security into the Manufacturing and Control Systems Environment.
North American Electric Reliability Council (NERC). 2004. Implementation Plan – Renewal of Urgent Action Cyber Security Standard.
To provide effective authentication the system must require each user to enter a unique user name and password. A shared user name implies a lack of responsibility for the protection of the password and any actions completed by that user.
It must be possible for user names to be created, edited and deleted within the system while the system is active to ensure individual passwords can be maintained. In addition it is highly recommended that password aging be implemented. Password aging ensures that operators change their passwords over a controlled time period, such as every week, month, or so on.
To provide authorization the system must be able to control access to every component of the control system. The system must not provide a “back door” by which to bypass the levels of authentication specified in the application.
Critical data pertaining to a SCADA system must be securely stored and communicated. It is essential that critical data like a password be stored using an encryption algorithm. Similarly, remote login processes should use VPNs or encryption to communicate the user name and password over the network.
Critical data like user name and password must be persisted in a secured data repository and access rights monitored and managed using secured mechanisms like Windows authentication and role-based security. It has become common practice for SCADA systems operating in the Windows environment to utilize Windows Domain security to maintain user profiles. This is a recommended approach as it centralizes security and administration while providing an acceptable audit trail of user actions./pAudit Trails
It is recommended that Audit trails on critical activities like user logins, changes to operational parameters or changes to system access permissions be tracked and monitored at regular intervals. Securing your SCADA application may make it more challenging for external hackers to gain control of the system; however it will not prevent internal sabotage. Regularly tracking and monitoring audit trails on critical areas of your SCADA system will help identify suspicious activities and consequently allow the necessary corrective actions.
Wireless Networks
The two most common ways of gaining unauthorized access to a wireless network are by using an unauthorized wireless client, such as a laptop or PDA, or by creating a clone of a wireless access point. If no measures have been taken to secure the wireless network then either of these methods can provide full access to the wireless network.
Many commercial wireless networks are available, which range in price, complexity and level of security provided. When implementing a wireless network, a couple of standard security measures can minimize the chance of an attacker gaining access to the wireless network.
• Approved clients – The access points in the wireless network contain a configurable list of all MAC addresses of the authorized clients that are permitted access to the wireless network. A client not listed in an access point cannot access the wireless network.
• Server Set ID (SSID) – This is an identification string that can be configured on all clients and access points in your wireless network. Any client or access point participating on the wireless network must have the same SSID configured. The SSID is, however, transmitted as a readable text string over the network. Therefore, an SSID alone is not sufficient to secure the wireless network.
• Wired Equivalent Privacy (WEP) – All clients and access points should have a configurable static WEP. This is a 40, 64 or 128-bit encryption string that is entered in all clients and access points. Without a correct WEP string, no access can be gained to the wireless network. The SSID is also encrypted using this string. In most cases, using an SSID and a WEP provides a secure solution.
• 802.1X EAP (Extensible Authentication Protocol) – WEP is the minimum level of security recommended for wireless client access. The disadvantage with WEP is the management of the network strings. It is possible to decode these, and updating to new keys is a manual process. EAP is a relatively new standard that dynamically alters keys while providing built-in authentication requirements. It is recommended where possible EAP authentication is enabled for wireless devices.
• VPN (described earlier) was developed to provide secure connections through the Internet to internal corporate networks. A VPN simplistically creates a secure tunnel through open networks such as the Internet or a wireless network. Data transmitted through the tunnel is encrypted on the client then decrypted and validated in a VPN gateway inside the wireless access point. VPN is a single solution providing security both for the wireless and wired network, thus reducing implementation and maintenance costs.
Intrusion Detection
Firewalls and other simple boundary devices currently available lack some degree of intelligence when it comes to observing, recognizing and identifying attack signatures that may be present in the traffic they monitor and the log files they collect. This deficiency explains why intrusion detection systems (IDS) are becoming increasingly important in helping to maintain network security.
In a nutshell, an IDS is a specialized tool that reads and interprets the contents of log files from routers, firewalls, servers and other network devices. Furthermore, an IDS often stores a database of known attack signatures to compare patterns of activity, traffic or behavior it identifies in the logs it monitors against those signatures. There are various types of IDS monitoring approaches:
• Network-based IDS characteristics – A network-based IDS monitors an entire, large network with only a few well-situated nodes or devices and impose little overhead on a network.
• Host-based IDS characteristics – A host-based IDS analyzes activities on the host it monitors at a high level of detail. It can often determine which processes and/or users are involved in suspicious activities.
• Application-based IDS characteristics – An application-based IDS concentrates on events occurring within a specific application. They often detect attacks through the analysis of application log files and can usually identify many types of attack or suspicious activities.
In practice, most utilities use a combination of network, host and/or application-based IDS systems for observing network activity while also monitoring key hosts and applications more closely.
Redundant Control Centers
For both physical disaster recovery and IT intrusion and isolation purposes most utility companies are now adopting SCADA solutions that incorporate at least one off site control center. In some utility sectors this is now mandatory. This should be seriously considered as part of the overall security assessment of the IT infrastructure. For a redundant off-site center to operate effectively the following items need to be considered as part of the infrastructure requirements:
• Automatic failover of all controller-based communications
• Full historical data replication between each of the servers deployed within the system.
Redundant Control Centers/pAdditional Resources
This discussion is intended as an overview of the security measures to protect an integrated SCADA network. In no way is it fully comprehensive or intended as the sole source for network security. Listed below are some agencies that publish current standards and security measures that can aid you in your security planning.
The Instrumentation, Systems and Automation Society (ISA)
www.isa.org
National Institute of Standards and Technology (NIST)
www.csrc.nist.gov
North American Electric Reliability Council (NERC)
www.nerc.com
United States Department of Energy (DOE)
www.energy.gov
U.S. Department of Homeland Security
www.nipc.gov
Sandia National Laboratories – The Center for SCADA Security
www.sandia.gov/scada/home.htm
About the Author:
Scott Wooldridge holds degrees in electrical and mechanical engineering as well as an M.B.A. He has over 15 years experience providing production improvement engineering, IT, Project Management and Consultancy services to a variety of industrial, process, food and mining customers including: Rio Tinto, BHP Billiton, ALCOA, PG & E, Mitsubishi, Caterpillar and GM.
ScottWooldridge@citect.com
Citect
30000 Mill Creek Ave Suite 300
Alpharetta, GA 30022
770 521 7511
Sources:
The Instrumentation, Systems and Automation Society (ISA). 2004. Integrating Electronic Security into the Manufacturing and Control Systems Environment.
North American Electric Reliability Council (NERC). 2004. Implementation Plan – Renewal of Urgent Action Cyber Security Standard.
