Welcome to this installment of Security Sessions, a regular feature focused on security-related issues, policies and procedures. Computer-based industrial automation systems, including both SCADA and DCS varieties, entered the market in the 1970s, and the technology base has gone through several evolutionary step-changes since. Unlike office automation and IT systems, the systems put into operation in industrial facilities have always been expected to have extremely long lifetimes, in the range of 20 to 30 years. That means you can expect to find members of the last few generations still busily blinking their LEDs and monitoring and controlling processes today. In fact, in the last few years I have come across examples of the first generation of such systems still in operation. When we speak of industrial automation cyber security, very few people make the distinction between those older systems and the ones being sold today, so I thought it might be useful to do so. Tim.
William T. (Tim) Shaw
PhD, CISSP
When you hear most cyber security experts discussing how to achieve adequate cyber security, and the threats and vulnerabilities that have to be addressed, you come away with two basic impressions. First, that they are focused on typical corporate IT systems and are not concerned with, or even aware of, the differences between those systems and the ‘typical’ (if there is such a thing) process/plant automation system; and second, that they expect all computer systems to be of recent vintage and technology. Nobody ever seems to talk about the ‘old’ systems, because they assume such systems would have been upgraded or replaced long ago.
Even when people do acknowledge these older legacy systems, it is as if they are not just old but actually ancient, and ancient doesn’t have to be considered for cyber security since those systems were obviously built with vacuum tubes, transistors the size of golf balls and electromechanical relays, so they can’t be doing anything important, even if they are still in operation. Well, that may be partially true, but the more complete truth is that the world of automation, and a lot of our industrial plants, are still making use of systems that were commissioned one, two, three or possibly even four decades ago. And surprisingly, those legacy systems may actually be monitoring and/or controlling something quite critical. So maybe we DO need to think about them from a cyber security standpoint after all. Ah, I feel much better for having gotten that off my chest, so now we can move on…
Let’s start by reviewing our recent ‘ancient’ history. In the 1970s supervisory control systems, both in-plant and geographically distributed, became much more prevalent due to the introduction of (relatively) low-cost 16-bit minicomputers from companies like Digital Equipment Corporation, Hewlett-Packard, Varian, Xerox, Data General and others. Those systems tended to be centralized and were mostly used for in-plant data acquisition and supervisory control, which would later become known as SCADA (supervisory control and data acquisition). They make up what I would call the first wave of computer-based automation, and many of them remain in service today.
These older systems are not likely to be attacked in the conventional manner we fear today, i.e., attacks coming across the Internet from a malicious nation state, because they did not support TCP/IP networking. On the other hand, a lot of them supported dial-in telephone modem connections that would permit an external attack if those telephone connections are still operational. Believe it or not, hackers still look for phone line connectivity and modems that answer when dialed (‘war dialing’ is as old as the modem itself, and the tools for it are still around). If they stumble across one of these older systems they might not know what they have found, but just by trying a lot of commands and typing random key sequences they might be able to cause a system lockup or failure.
The next generation of computer-based automation systems came to the forefront in the 1980s with the introduction of 32-bit super-minicomputers, as well as the growing use of 8- and 16-bit microprocessors as components in remote terminal units (RTUs) and in-plant data acquisition and control units, which were increasingly becoming programmable logic controllers (PLCs). These systems may well have employed Ethernet I, the original DIX (Digital, Intel, Xerox) Ethernet, as a local area network and may have supported some level of networking (such as Digital’s DECnet or IBM’s SNA). Again, I’ve seen these systems in operation as recently as this past year. And, as with the prior generation, these systems were likely to have supported dial-in telephone modem connections, which permit an external attack for as long as the telephone connections remain operational.
If a malicious individual found one of these systems it is quite probable that they would have some level of success communicating with the operating system, as by this time operating system command line interpreters (think Microsoft’s DOS) were becoming more commonplace and standardized. Depending on the computer manufacturer (and the age of the hacker), they might even recognize the operating system by its responses, which could readily lead to a more serious compromise than merely shutting the system down or causing it to crash.
The third generation of computer-based automation made its debut in the 1990s and made use of TCP/IP networking, Ethernet II (usually at 10 Mbps), and early versions of Microsoft Windows running on microprocessor-based PCs, as well as RISC-based workstations running UNIX operating systems. These systems might have had a direct connection to a corporate network for data exchange with business applications (and thus, eventually, to the Internet), and/or they may have supported remote dial-in (using SLIP or PPP connectivity) with X Window System access so that the plant engineering staff could access the systems remotely and make adjustments without having to physically travel to the plant. At that time it was also becoming much more common to support connectivity over the Internet for remote vendor support and maintenance.
Systems like these might also be susceptible to discovery and attack over telephone or Internet pathways, or both. Moreover, their operating systems would be familiar to most hackers. X11 traffic of that era was unencrypted, with access control limited to xhost host lists or a cleartext MIT-MAGIC-COOKIE, so hijacking (or simply observing) an X Window session would allow an attacker to see the same operational graphic screens as the plant operators, which opens up a range of dangerous actions. Again, these systems are still in extensive use and are definitely at risk of cyber attack, particularly since none of them were built with any deliberate cyber defenses. Worse yet, their vendor support probably dried up a while back, so patches or updates are probably no longer forthcoming, putting these systems increasingly at risk.
The fourth (and current) generation of computer-based automation came out in the late 1990s and the first few years of the 2000s. These systems make extensive use of Microsoft Windows-based PCs and servers with x86 microprocessor architectures, use switched high-speed (100 or 1000 Mbps) Ethernet and TCP/IP networking, employ well-known IP-based protocols, incorporate a diversity of commercial software and database products, and may even apply various web technologies to their operator HMIs. Most of these systems are probably still actively supported by their vendors, may (or may not) be patched and updated as security vulnerabilities are discovered, and are almost always attached to networks that eventually lead to the Internet.
These contemporary (i.e., 4th generation and beyond) systems are the ones that most cyber security professionals are thinking about when they discuss industrial automation vulnerabilities, and they are the easiest for a modern cyber attacker to understand and attack because they are built on the technologies (hardware platforms, networking architectures, operating systems, etc.) that hackers are most likely to recognize. It is assumed that these systems have the greatest vulnerability to cyber attack unless adequately defended with a full range of both technical and administrative countermeasures.
I would agree that in general the oldest computer-based automation systems (first and second generation) are fewer in number and are relatively easy to defend; good operational and maintenance procedures can address them, provided you keep those phone lines disconnected, of course! Just don’t presume that you don’t have any systems of that vintage or that, if you do, there is no way to attack them. In performing plant security and vulnerability assessments over the past few years, time and time again I have come across old computer-based systems sitting in a back room, or locked in a cabinet that hasn’t been opened in years, with active phone lines or network connections that aren’t even documented.
In most cases these old systems are chugging along, and no one touches them for fear of causing them to fail, because finding someone who knows how to fix them, or where to find spare parts, can be quite problematic. Even so, it is assumed that they must be doing something useful or they would have been turned off and tossed out years ago. And yet, because of their vintage, no one thinks about their vulnerability very much. When I ask, I often get responses like: “…what, that old system? No one could/would want to attack that old thing…” Unfortunately, that kind of response usually means that it’s off their cyber security radar, a hacker’s dream!
The not-quite-so-old computer automation systems of the 1990s present a bigger challenge, since they might have network connectivity using the TCP/IP protocols, and/or phone line connectivity. It is highly unlikely that anything can be done directly to improve the cyber security of these systems, given the absence of vendor support. However, they can still be wrapped in a protective ‘cyber cocoon’ of operational and maintenance procedures and technical countermeasures, such as firewalls and intrusion-prevention systems that restrict the system to the handful of documented peers it actually needs to talk to. (An inline IPS in front of a system this fragile has to be tuned conservatively, since a false positive that drops a control message is itself a process upset.) That doesn’t often require physical modifications, and fixes can usually be applied without disrupting or impacting system operation. (But again, there are those phone lines, which must all be properly accounted for and secured.)
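As an added illustration (example code written for this edit, not from the column or from any vendor’s product), here is a small Python monitor that does the two things the last few paragraphs call for: it audits firewall and dial-in (pppd) log lines for a legacy host against a documented allowlist of network peers and modem serial ports, and flags anything undocumented, including the cabinet-in-the-back-room phone line nobody wrote down. The host address, the peer addresses, the serial ports and the log lines themselves are all constructed for the example and are not from the article.

```python
"""Allowlist audit for a legacy automation host (example code, not from the column).

Everything below is an assumption: the addresses, the serial ports and the
log lines are constructed for the example.
"""
import re
from typing import Dict, List, Optional

# Hypothetical inventory for the legacy host being 'cocooned'.
LEGACY_HOST = "10.20.30.40"                      # the 1990s SCADA/HMI server
ALLOWED_PEERS = {"10.20.30.10", "10.20.30.11"}   # documented engineering workstations
DOCUMENTED_MODEM_PORTS = {"/dev/ttyS1"}          # serial ports with an approved modem

# Constructed sample log lines: three firewall (iptables-style) lines and two pppd lines.
SAMPLE_LOG = [
    "Mar 14 02:11:05 fw kernel: IN=eth1 OUT=eth2 SRC=10.20.30.10 DST=10.20.30.40 PROTO=TCP DPT=6000",
    "Mar 14 02:12:40 fw kernel: IN=eth1 OUT=eth2 SRC=192.168.5.77 DST=10.20.30.40 PROTO=TCP DPT=23",
    "Mar 14 02:13:01 fw kernel: IN=eth2 OUT=eth0 SRC=10.20.30.40 DST=203.0.113.9 PROTO=TCP DPT=80",
    "Mar 14 02:14:22 scada pppd[812]: Connect: ppp0 <--> /dev/ttyS1",
    "Mar 14 02:15:03 scada pppd[815]: Connect: ppp1 <--> /dev/ttyS2",
]

FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")
PPP_RE = re.compile(r"pppd\[\d+\]: Connect: (?P<iface>\S+) <--> (?P<port>/dev/\S+)")


def check_firewall_line(line: str) -> Optional[str]:
    """Alert on any flow involving the legacy host whose other end is not a documented peer."""
    m = FW_RE.search(line)
    if not m:
        return None
    src, dst, dpt = m["src"], m["dst"], m["dpt"]
    if dst == LEGACY_HOST and src not in ALLOWED_PEERS:
        return f"inbound to legacy host from undocumented peer {src} (port {dpt})"
    if src == LEGACY_HOST and dst not in ALLOWED_PEERS:
        # A cocooned host has no business initiating connections; treat any as suspect.
        return f"outbound from legacy host to undocumented peer {dst} (port {dpt})"
    return None


def check_ppp_line(line: str) -> Optional[str]:
    """Alert on a dial-in (pppd) connection arriving on a serial port that is not in the inventory."""
    m = PPP_RE.search(line)
    if not m:
        return None
    if m["port"] not in DOCUMENTED_MODEM_PORTS:
        return f"dial-in connection on undocumented serial port {m['port']} ({m['iface']})"
    return None


def audit(lines: List[str]) -> List[Dict[str, str]]:
    """Run both checks over a batch of log lines and collect the alerts in order."""
    alerts = []
    for line in lines:
        reason = check_firewall_line(line) or check_ppp_line(line)
        if reason:
            alerts.append({"reason": reason, "line": line})
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(f"ALERT: {alert['reason']}\n       {alert['line']}")
```

Run stand-alone it prints three alerts for the constructed log: a telnet attempt from an unlisted address, an outbound web connection the legacy host should never be making, and a dial-in on a serial port that is not in the inventory. In practice the allowlist comes from the asset inventory, the log lines from the firewall and the legacy host’s syslog, and every alert is either a documented exception to add to the inventory or a connection to cut.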
In conclusion, here’s the take-away from all of this: cyber security tends to be focused on obvious communications channels such as LAN and WAN network connections and the fastest-growing connectivity of choice, wireless. People tend to forget about phone lines and ‘sneakerNet’ because they aren’t high-tech. Don’t forget that sneakerNet (infected USB flash drives) was the primary delivery vector used in the Stuxnet attack on Iran’s enrichment facilities, probably precisely because people DO tend to forget about defending that pathway.
Remember that older computer-based automation systems are most accessible via these low-tech avenues. If you still have legacy computer systems that you depend upon, you really need to think about protecting them from potential cyber attackers, just as you would any new system you install. In fact, protecting those older systems is actually much easier than protecting a modern one in most cases. But that will have to be the topic for a future column… Tim.
About the Author
Dr. Shaw is a Certified Information Systems Security Professional (CISSP) and has been active in industrial automation for more than 35 years. He is the author of Computer Control of BATCH Processes and CYBERSECURITY for SCADA Systems. Shaw is a prolific writer of papers and articles on a wide range of technical topics, has contributed to several other books, and teaches several courses for the ISA. He is currently Principal & Senior Consultant for Cyber SECurity Consulting, a consultancy practice focused on industrial automation security and technologies. Inquiries, comments or questions regarding the contents of this column and/or other security-related topics can be emailed to tim@electricenergyonline.com.