Over the last few months, discussion of cyberweapons targeting critical infrastructure has increased. Most of it has centered on attacks on Industrial Control Systems (ICS) such as SCADA (Supervisory Control and Data Acquisition) systems.
First, a little about Industrial Control Systems and SCADA, since the two terms are often used interchangeably. Industrial Control Systems are the control systems used in industrial processes in sectors such as electricity, water, oil and gas. The term covers SCADA systems, Distributed Control Systems (DCS) and Programmable Logic Controllers (PLCs). In a SCADA solution, PLCs perform the low-level control actions and report state back to the SCADA system as required. A PLC typically performs a single control task, while a DCS is a network of controllers that together perform a set of tasks, with the intelligence distributed among them.
Attacks on these systems are, of course, not new. According to the U.S. Department of Homeland Security, the number of reported attacks aimed at Industrial Control Systems grew five-fold in 2011. The best known SCADA attack is probably Stuxnet, malware that carried out a sophisticated attack on an Iranian nuclear facility and was discovered in 2010, described in detail in Wade's blog. Most recently, security researchers reported that the Flame malware shares code with Stuxnet, suggesting both are cyberweapons built by related teams with different objectives (espionage versus sabotage).
What is new in these discussions is an emerging threat vector for data centers: the SCADA systems inside them. While the risks from cyberattacks on critical government infrastructure are significant, the risks to the SCADA systems running in thousands of enterprises worldwide are arguably broader, because these systems are pervasive in enterprise data centers, where they monitor and control everything from temperature and humidity to air flow and UPS power loss.
While SCADA has received much more attention from the security community, protection of SCADA systems has largely been lacking because of three misconceptions. The first is the assumption that SCADA systems and their communication protocols are obscure, so few attackers know how to write malware targeting them. The second is that because SCADA systems have been isolated from the Internet, they are immune to network attacks. The third is that SCADA attacks do not yield as great a benefit to attackers as other targets do.
None of these assumptions holds any longer. Malware targeting SCADA systems has already demonstrated the depth of attackers' knowledge of these proprietary control systems, and that knowledge, and the code embodying it, is now available for other attackers to leverage. The new threat landscape has shown that an attack can come from internal networks (an infected engineering laptop or removable media, for example) and need not arrive from the Internet directly. SCADA systems that are connected to the Internet are easily discovered using common tools, as shown by research from Eireann Leverett and Ruben Santamarta in 2010 and 2011 respectively. Finally, SCADA attacks now carry a greater financial incentive for attackers as these systems are used more widely in data center environments.
Compounding the risk is the fact that SCADA systems are not easily patched. Because there have been so few attacks in the past, there is no equivalent of Patch Tuesday for SCADA. For uptime or operational reasons, these systems may also be impractical to upgrade, and they are often running on very outdated versions of the operating system.
Note that SCADA attacks in data center environments resemble denial-of-service attacks in nature, since the intent is typically to disrupt services to the intended users. In a more menacing scenario, because the attack targets the very control systems that keep the data center running (cooling and power among them), it has the potential to bring the data center down for days. Planning for a catastrophic failure of SCADA-controlled systems should therefore be part of every data center disaster recovery plan.
The good news, if you deploy Palo Alto Networks next-generation firewalls, is that our firewalls support SCADA protocols and we continue to enhance IPS signature coverage for them. Many updates were added in IPS content update version 299 (shipped on 3/27/2012). In addition to IPS coverage for SCADA vulnerabilities, there is App-ID coverage for SCADA applications such as Modbus, DNP3 and ICCP; for details, see Applipedia. Data center security best practices still apply, in particular having visibility and control of all applications in the data center, enforcing access control, and properly segmenting the SCADA network from the rest of the data center network.
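As an added example (not Palo Alto Networks code and not how App-ID is implemented), here is a Python sketch of the two controls the last paragraph recommends: identifying Modbus/TCP and DNP3 by their framing rather than by TCP port, and enforcing a segmentation rule that denies Modbus writes except from a designated engineering host and denies anything from outside the SCADA segment. The same framing check is what Internet-wide scanners use to recognize exposed devices on port 502, which is the discovery problem mentioned earlier. The network addresses, the engineering host, and the sample packets are all constructed for illustration; DNP3 is recognized only by its 0x05 0x64 start bytes and its CRC is not verified.

```python
"""Modbus/TCP and DNP3 application identification plus a segmentation policy.

Added example, not vendor code. Addresses, hosts and packets are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

DNP3_START = b"\x05\x64"          # every DNP3 data-link frame starts with 0x05 0x64

# Public Modbus function codes (subset). Writes change a setpoint or output;
# reads are what monitoring hosts legitimately do.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}

# Hypothetical layout: the SCADA segment and the one engineering workstation
# that is allowed to issue writes.
SCADA_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
ENGINEERING_HOSTS = {ipaddress.ip_address("10.50.0.10")}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

    @property
    def is_write(self) -> bool:
        return self.function in WRITE_FUNCTIONS


def build_modbus_request(transaction_id: int, unit_id: int, function: int, data: bytes) -> bytes:
    """Encode an MBAP header followed by a PDU (used here to build sample packets)."""
    pdu = bytes([function]) + data
    # MBAP: transaction id, protocol id (always 0), length of unit id + PDU, unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Return a ModbusRequest if payload is a well-formed Modbus/TCP request, else None."""
    if len(payload) < 8:
        return None
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0 or length != len(payload) - 6:
        return None                  # not Modbus framing, whatever the port says
    function = payload[7]
    if function == 0 or function & 0x80:
        return None                  # 0 is invalid; the 0x80 bit marks exception responses
    return ModbusRequest(transaction_id, unit_id, function, payload[8:])


def identify_app(payload: bytes) -> str:
    """Classify by payload structure; the destination port is only a hint."""
    if parse_modbus_tcp(payload) is not None:
        return "modbus"
    if payload.startswith(DNP3_START) and len(payload) >= 10:   # 10-byte link header
        return "dnp3"
    return "unknown"


def check_flow(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> tuple:
    """Return (verdict, reason) for one flow into the SCADA segment."""
    src = ipaddress.ip_address(src_ip)
    app = identify_app(payload)
    if src not in SCADA_SEGMENT:
        return "deny", f"{app}: source {src} is outside the SCADA segment"
    if app == "unknown":
        return "deny", f"unknown: traffic to port {dst_port} is neither Modbus/TCP nor DNP3"
    if app == "modbus":
        req = parse_modbus_tcp(payload)
        name = FUNCTION_NAMES.get(req.function, f"function {req.function}")
        if req.is_write and src not in ENGINEERING_HOSTS:
            return "deny", f"modbus: {name} from non-engineering host {src}"
        return "allow", f"modbus: {name} (unit {req.unit_id}) from {src}"
    return "allow", f"dnp3: frame from {src} (DNP3 function codes not inspected here)"


# Constructed sample flows: (src, dst, dst_port, payload).
SAMPLE_FLOWS = [
    ("10.50.0.10", "10.50.0.20", 502, build_modbus_request(1, 1, 3, struct.pack(">HH", 0, 10))),
    ("10.50.0.10", "10.50.0.20", 502, build_modbus_request(2, 1, 6, struct.pack(">HH", 40, 1))),
    ("10.50.0.30", "10.50.0.20", 502,
     build_modbus_request(3, 1, 16, struct.pack(">HHB", 40, 1, 2) + b"\x00\x01")),
    ("203.0.113.7", "10.50.0.20", 502, build_modbus_request(4, 1, 1, struct.pack(">HH", 0, 8))),
    ("10.50.0.10", "10.50.0.21", 20000, DNP3_START + b"\x05\xc9\x01\x00\x00\x04\xe9\x21"),  # CRC not real
    ("10.50.0.10", "10.50.0.20", 502, b"GET / HTTP/1.1\r\n\r\n"),   # wrong app on port 502
]


def audit(flows=SAMPLE_FLOWS):
    """Evaluate every flow; returns a list of (verdict, reason)."""
    return [check_flow(*flow) for flow in flows]


if __name__ == "__main__":
    for (src, dst, port, _), (verdict, reason) in zip(SAMPLE_FLOWS, audit()):
        print(f"{verdict:5} {src} -> {dst}:{port}  {reason}")
```

The last sample flow is the point of application-level visibility: port 502 alone would pass an HTTP request to a PLC, while the framing check rejects it. In a real deployment the write allow-list would come from the firewall policy rather than a hard-coded set, and DNP3 would need its own function-code parser before its writes could be distinguished from reads.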