Journal of Loss Prevention in the Process Industries 22 (2009) 1020–1024
Reducing security vulnerabilities for critical infrastructure

Dae Hyun Ryu, HyungJun Kim*, Keehong Um
Division of Information Technology, Hansei University, Republic of Korea
Article history: Received 11 September 2007; received in revised form 27 July 2009; accepted 28 July 2009.

Abstract

In this paper, we show the need for improved Process Control System (PCS) security and describe some of the promising research areas in PCS security. One implementation of PCS in critical infrastructure and factory automation is the supervisory control and data acquisition (SCADA) system, a real-time industrial process control system which centrally monitors and controls remote and/or local processes using plant, equipment or devices (such as switches, valves, pumps, relays, etc.) while collecting and logging field data. Current SCADA systems are distributed, networked and dependent on open Internet protocols, which exposes them to remote cyber terrorism. They are particularly vulnerable to unauthorized access. We give some examples of SCADA processes with natural gas control systems in the USA and the Ubiquitous Sensor Network (USN) in Korea. We also examine a representative vulnerability and corresponding security measures, and present an example of concrete measures for the security of mass transportation as a critical infrastructure. © 2009 Elsevier Ltd. All rights reserved.

Keywords: Security; Vulnerability; Distributed Control System (DCS); Supervisory Control and Data Acquisition (SCADA) system; Process Control System (PCS); Ubiquitous Sensor Network (USN)
* Corresponding author at: Hansei University, Division of Information Technology, 604-5 Dangjung-dong, Gunpo-si, Kyunggi-do 435-742, Republic of Korea. Tel.: +82 11 9911 4123; fax: +82 31 450 5172. E-mail address: [email protected] (HyungJun Kim).
0950-4230/$ – see front matter © 2009 Elsevier Ltd. All rights reserved. doi:10.1016/j.jlp.2009.07.015

1. Introduction

With the implementation of state-of-the-art information technology, the control systems of large-scale facilities for producing and distributing electricity and gas, operating dams and managing water resources have gradually become more open and standardized (http://www.nisa.or.kr/trends.php). Accordingly, information protection problems are on the rise in areas where, until now, only physical security has been emphasized.

The protection of critical infrastructure is a hotly debated topic. The very label “critical infrastructure” implies that these systems are important: they support our everyday lives, from the water and food in our homes to our physical and financial welfare, and they also support industry and government operations. The systems that control these facilities, which include petrochemical plants, large-scale plants and factory automation facilities, are referred to as SCADA (Supervisory Control and Data Acquisition). Industrial plant-scale SCADA is also called DCS (Distributed Control System) and PCS (Process Control System), and these are collectively called control systems.

The SCADA system is a remote control and monitoring system for transmitting and receiving information or data through wired or wireless media. This system accurately monitors information from the plant or the processing equipment using sensors such as hydraulic pressure gauges and voltmeters. It executes process work using remote commands through such control devices as valves, motors and relays. Although DCS is a term generally used more often than SCADA in the factory automation area, SCADA is the term used for systems which are scattered over large areas, with various communication lines and protocols being used (I3P, 2005).

A control system refers to a computer-based facility, system and equipment which is used to remotely monitor and control sensitive processes and physical functions. It collects and processes measured values and operational data from the field and conveys control commands to local or remote equipment. These control systems play the role of a central nervous system for energy-based facilities. If a control system were to undergo a cyber attack from the outside, there could be negative consequences for public health and safety.

These control systems have been regarded as safe from external cyber attack up to now, due to their use of leased lines and vendors' proprietary operating systems. However, considering the cases of attacks recently reported abroad and the trend toward openness and standardization of SCADA facilities, we cannot be sure of their safety from such cyber threats as hacking and cyber terror, given the potential threats posed by specific groups.

This paper explores the recent evolution of PCSs and their environments, explains the need for improved security in these systems, and describes some of the emerging research areas in PCS security that offer promise for the future.

2. Related topics

A SCADA system is a computer system to monitor and control switches and valves, to control temperature and pressure
conditions, and to collect and log field data. Industrial plant-scale SCADA is often called a Distributed Control System (DCS). A SCADA system can continuously record and report pressure data. For example, if an alarm is registered, the control room operator can respond to the alarm and use the system to investigate other parts of the infrastructure. SCADA systems also monitor pipelines for total volumetric rate in order to provide yield data. Additionally, these systems can sample the produced fluids for specific gravity, gas composition and other physical parameters as required. SCADA systems typically monitor and report these values to control room operators. Some examples of controlled processes are the generation and transmission of electricity, chemical plant processes, oil and gas pipelines, construction equipment, water purification, water and waste control, energy and distribution infrastructure, power generators, traffic signals, water and gas pipelines, and dams.

Natural gas needs to be gathered, transmitted and compressed before being piped into a home. A transmission system (pipeline), composed of high-strength steel pipes ranging from 20 inches to 42 inches in diameter, moves large amounts of natural gas thousands of miles. The pressure of the gas ranges from 200 pounds to 1500 pounds per square inch. Compressor stations boost the pressure that is lost through friction as the natural gas moves through the steel pipes. When the gas reaches a local gas utility, it normally passes through a “gate station” to be reduced to distribution pressure (ranging from a quarter of a pound to 200 pounds). From the gate station, natural gas moves into distribution lines or “mains” that range from 2 inches to more than 24 inches in diameter. Natural gas runs from the main into a home or business in what is called a service line. A central SCADA system controls and monitors the moisture, quantity, pressure and temperature of the network of pipelines (http://www.aga.org/Kc/aboutnaturalgas/consumerinfo/NGDeliverySystem.htm). For these reasons the automatic emergency shutdown of critical system parts is an important function for ensuring safety.

A wireless sensor network (WSN) is a wireless network consisting of spatially distributed autonomous devices using sensors to cooperatively monitor physical or environmental conditions, such as temperature, sound, vibration, pressure, motion or pollutants, at different locations (Römer & Friedemann, 2004; Haenselmann, 2004). It is called a Ubiquitous Sensor Network (USN) in Korea: a network of intelligent sensors that could become ubiquitous. Wireless sensor networks are now used in many industrial and civilian applications, including industrial process monitoring and control, machine-based health monitoring, environment and habitat monitoring, home automation and traffic control (Römer & Friedemann, 2004; Hadim & Mohamed, 2006). By recognizing surrounding people and objects and identifying location information, the network can be utilized in digital homes and military applications. The sensors can also be utilized in the automatic ventilation of an intelligent building, unmanned guard systems, the ventilation and opening and shutting devices inside the workshop of a factory handling polluting materials, vehicle moving devices, home thermostats, toys, game devices, home electrical appliances and PC peripherals. However, despite these applications, a USN is easily exposed to forgery and alteration of data, such as the tapping of sensor information, the circulation of abnormal packets and the reuse (replay) of messages, and to denial of service, which can paralyze the whole network. The utilization of a sensor network in a digital home requires the protection of personal privacy. Secure functionality is even more essential when the network is used for public or military purposes, including alarm sensors for earthquakes and fire.

In this paper, we have analyzed the security vulnerabilities of SCADA and DCS in order to suggest appropriate security measures. Data in SCADA and/or DCS are transmitted and received using the Internet. Since the protocol is based on an open protocol without much security content, vulnerability assessments show that unauthenticated access to SCADA, DCS and other systems is permitted. As the control networks of SCADA or DCS are being integrated with company networks, hacker attacks against the control systems through these two networks were found to be possible. Since they are interconnected with networks, there have been several signs and cases of cyber intrusions into control systems, which constitute the central nervous system of energy infrastructure. There have been numerous SCADA attacks; two examples are as follows.

(1) In May 2007, Estonia was struck by cyber attacks targeting the websites of the parliament, banks, newspapers and government ministries. The attacks effectively paralyzed life in Estonia, which has one of the highest levels of Internet penetration in Eastern and Central Europe and prides itself on its “paper-free” economy. Estonian officials, who for weeks had been embroiled in a bitter diplomatic dispute with Moscow in the aftermath of the removal of a Soviet-era monument, were quick to blame the Kremlin for the attacks, a claim the Russians denied (http://www.rferl.org/content/Russian_Groups_Claims_Reopen_Debate_On_Estonian_Cyberattacks_/1564694.html).

(2) In August 2003, the “Slammer” Internet worm penetrated the SCADA control systems at the Davis-Besse nuclear power plant in Ohio. It was possible for the worm to attack the plant because the network of the plant had multiple connections to the Internet that bypassed the control room firewall (CRS Report RL32114, 2008).
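The USN weaknesses listed in this section (tapping of sensor data, abnormal packets, replayed messages) and the pipeline pressure bounds given above can be turned into a concrete receiver-side check. The following is an added example, not code from the paper: each sensor report carries a sequence number and an HMAC-SHA256 tag under a per-sensor key (the key, sensor identifiers and segment names are constructed for the demo), and the central SCADA side rejects forged, altered or replayed reports and raises an alarm when an authentic reading falls outside the 200–1500 psi transmission or 0.25–200 psi distribution range.

```python
import hmac
import hashlib

# Plausible pressure bounds (psi) for the two pipeline segments the paper describes:
# transmission lines run at 200-1500 psi, distribution mains at 0.25-200 psi.
PRESSURE_LIMITS_PSI = {
    "transmission": (200.0, 1500.0),
    "distribution": (0.25, 200.0),
}

# Constructed per-sensor shared key for the demo (assumption: each sensor is
# provisioned with its own key; a real deployment would use a key store/HSM).
DEMO_KEY = b"constructed-demo-key-do-not-deploy"


def encode_report(sensor_id, seq, segment, pressure_psi, key=DEMO_KEY):
    """Sensor side: serialise one reading and append an HMAC-SHA256 tag.

    The monotonically increasing sequence number is covered by the tag, so a
    captured message cannot be replayed and a modified reading fails the tag.
    """
    body = "{}|{}|{}|{:.2f}".format(sensor_id, seq, segment, pressure_psi).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class TelemetryValidator:
    """Central SCADA side: authenticate, de-duplicate and sanity-check reports."""

    def __init__(self, key=DEMO_KEY):
        self.key = key
        self.last_seq = {}   # sensor_id -> highest sequence number accepted
        self.alarms = []     # (sensor_id, seq, pressure) readings outside bounds

    def check(self, message):
        """Return (status, reason); status is 'accept', 'reject' or 'alarm'."""
        try:
            body, tag = message.rsplit(b"|", 1)
            sensor_id, seq_text, segment, psi_text = body.decode("ascii").split("|")
            seq, pressure = int(seq_text), float(psi_text)
        except ValueError:
            return "reject", "malformed"

        # 1. Authenticity: forged or altered data fails the MAC. compare_digest
        #    avoids timing leaks when comparing tags.
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return "reject", "bad_tag"

        # 2. Freshness: a replayed (re-used) message carries an old sequence number.
        if seq <= self.last_seq.get(sensor_id, -1):
            return "reject", "replay"
        self.last_seq[sensor_id] = seq

        # 3. Plausibility: an authentic reading outside the physical range of its
        #    segment is raised as an alarm for the operator / emergency shutdown logic.
        if segment not in PRESSURE_LIMITS_PSI:
            return "reject", "unknown_segment"
        low, high = PRESSURE_LIMITS_PSI[segment]
        if not low <= pressure <= high:
            self.alarms.append((sensor_id, seq, pressure))
            return "alarm", "out_of_range"
        return "accept", "ok"


def run_demo():
    """Feed the validator a constructed stream: genuine, replayed, tampered and
    out-of-range reports. Returns the list of (status, reason) results."""
    validator = TelemetryValidator()
    genuine = encode_report("PT-101", 1, "transmission", 850.0)
    replayed = genuine                                    # same bytes sent again
    second = encode_report("PT-101", 2, "transmission", 850.0)
    tampered = second.replace(b"850.00", b"400.00")       # body altered, tag now stale
    overpressure = encode_report("PT-101", 3, "transmission", 1620.0)
    stream = [genuine, replayed, tampered, second, overpressure, b"not a report"]
    return [validator.check(m) for m in stream]


if __name__ == "__main__":
    for status, reason in run_demo():
        print(status, reason)
```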
3. A representative vulnerability and security threat to SCADA systems

SCADA systems were designed in the 1960s, when there was little concern about information security. In those days, the systems operated in a relatively isolated environment and relied mainly on proprietary software, hardware and communication technology. Today millions of SCADA systems are in use. Nowadays the distinctions between SCADA and DCS have largely faded, since each has adopted the strengths of the other as higher-capacity networking infrastructure has become available. The necessity of interconnecting the control systems with related enterprise systems such as Energy Management Systems (EMS), Distribution Management Systems (DMS), Manufacturing Execution Systems (MES) and Substation Automation (SA) is being emphasized. Also emphasized is the necessity of interworking between the control systems and MIS, as well as the interoperability for linkage among control systems. As a result, standard operating systems such as Windows and UNIX, public networks such as the Internet and general communication technology such as wired and wireless networks are widely used (Control System Security Program Outline). Fig. 1 shows an architecture diagram of today's typical control system.

The primary factors that lead to serious security problems in today's SCADA systems are the increased number of connections in the systems, increased system complexity, increased interdependence between infrastructures, increased reliance on outsourcing and foreign products, market restructuring, and the extended use of general operating systems and platforms. There have been several cases of cyber intrusions into control systems which constitute the central part of energy infrastructure. Occurrences of cyber intrusion in energy infrastructure cause an operational paralysis of the control systems by delaying and blocking information flows through control networks or by
changing the software of the control systems, resulting in an unexpected outcome. As vulnerabilities of the control systems have been exposed, many institutions have shown their concern. According to a Gartner report in 2003, the risk of cyber threats is getting higher in the world because of the interface vulnerabilities of main infrastructure, including dams, railroads, electricity networks and power plants, and the development of IP (Internet Protocol) technology (Government Accountability Office, 2004; Ryu, Kim, Shin, & Nahm, 2007). In the past, when SCADA systems were vendor-controlled and independent systems with no connections to other systems, and when the network protocol was proprietary, only a few people, including manufacturers and hackers, knew about SCADA installations. However, current SCADA systems are distributed and networked. Since the systems are dependent on open Internet protocols, they are vulnerable to remote cyber terrorism. Among the main vulnerabilities in existence, the following is a list of representative vulnerabilities of a SCADA system (CRS Report RL32114, 2008; Ryu et al., 2007).

• Diversity of vendors: different characteristics of each vendor's SCADA work process, and various protocols and operating systems.
• Widening of networks: difficulty of network management due to the facilities being scattered over a large area.
• Aging of equipment: when most installed equipment has aged, even a minor correction causes system trouble.
• Data simplicity: since the data in the network is for the purpose of control, commands are simple and sequential.
• Real-time processing: difficulty of inserting security alarms while minimizing the response time.
• Linkage with information systems (intra-network): planned integration of networks for the streamlining of management.
Fig. 1. SCADA system for a typical control system. [Diagram not reproduced. Components labelled in the figure: PLC platform network, satellite, satellite modems, Programmable Logic Controller (PLC), Remote Terminal Unit (RTU), communication server, microwave modems, Distributed Control System (DCS), SCADA workstation, company network, SCADA server.]
• Generalization of equipment: Linux and Windows have begun to be installed on the equipment, and the TCP/IP protocol is being used.
• Ubiquitous user: the ubiquitous web evolves around the expectations of users who want to interact with information and services from anywhere.
• The ubiquitous web: the web delivers and integrates information, services and user data.
• The ubiquitous user agent: running on a wide range of devices, such as desktop computers.
• Botnets: botnets opportunistically scan the Internet to attack systems that are poorly configured or missing security patches.
• Zero-day exploits: updated software with the newest security patches may still have vulnerabilities.
• The insider attack: employees with access to the system.
• Errors in new software products.
Due to those vulnerabilities, there may be security threats as follows (Pollet, 2002).

(1) Possibility of an intrusion incident when the MIS (management information system) is linked to a control system. The situation is similar in banks, securities firms and insurance companies. Private IP addresses are used to protect the transaction systems of a bank, the asset management system of a securities firm, the customer management server and the servers for the management of accounting and production information, and cables are used for safe communication. There have been many intrusion incidents by insiders. Internet connection channels need better equipment to serve the increasing importance and utilization of CRM (Customer Relationship Management) and CIM (Computer Integrated Manufacturing) systems. For instance, when customers use the Internet for banking, or for making inquiries about their insurance policy or production information through a Web server, it is essential for the Web server to be connected with the protected internal systems. The internal systems may then be attacked through the servers exposed to the outside. The internal control systems and main systems may be attacked by viruses and hacking through partially exposed MIS servers or PCs. Even though IDS, firewalls or anti-virus programs can protect against known attacks, they are of no use in blocking new intrusion methods and patterns, so we are still exposed to a high risk from vulnerabilities (Control System Security Program Outline).

(2) Possibility of remote intrusion into the control systems using utilities and tools. When attacks are made remotely using utilities and tools made to connect with the programs developed for the operation of SCADA and DCS, the control system may lose control. As is shown in intrusion cases, when such utilities are used to directly control the control systems, it would be hard for IDS and firewalls to detect and block the intrusions, and also difficult for the operators to notice them. When wireless terminals are used to check and control the servers, as they generally are nowadays, the servers must be regarded as exposed to outside risk. Remote control functions using cell phones will become more evolved and sophisticated with additional services, while the risk of intrusion will increase if the utilities and tools installed in the wireless terminals are taken by someone outside.

(3) Intrusion by the vendors of the control systems due to the connection of services or ports for remote access and support.
There is a possibility that backdoor and Trojan horse software is included. When the connection is made through a specific port and a manager has the power to control the communication with a specific service, there is a possibility of intrusion. After the control system has been constructed and delivered, the remote access used for its maintenance by the vendor sometimes remains enabled. In this case, intrusion incidents may occur.

(4) Possibility of intrusion when insiders control the control system using a remote management tool. Nowadays, servers are managed after placing them in an IDC (Internet Data Center) or a certain secure location. Most managers do not work in front of their systems; instead, they use remote management tools to manage and control their systems. Most companies manage their servers after placing them in an IDC, and the trend will continue. pcAnywhere, Terminal Server and VNC (Virtual Network Computing) are some of the most used remote management tools. When SCADA and DCS systems are controlled by a remote management tool, the target system for remote access can usually bypass the two- or threefold ACL (Access Control List) network and can be the subject of a direct attack. The target system can also be expected to be used effectively as a means to avoid the intrusion detection and intrusion blocking systems. In the future, the volume of attacks from international sources via the Internet will continue to increase. Some of these security threats are as follows (http://www.net-security.org/secworld.php?id=6845).

1. Malicious insiders: an insider is anyone in an organization with approved access, privilege or knowledge of information systems, information services and missions. A malicious insider (MI) is one motivated to adversely impact an organization's mission through a range of actions that compromise information confidentiality, integrity and/or availability (http://nrrc.mitre.org/NRRC/ana_det_malicious_insiders.htm). Employees with malicious intent have had a devastating effect on their organizations.

2. Malware: malware, short for malicious software, is software designed to infiltrate or damage a computer system without the owner's informed consent. Malware can include computer viruses, worms, Trojan horses, rootkits, backdoors, spyware, botnets, keystroke loggers and dialers.

3. Exploited vulnerabilities: some unethical hackers find a weakness to trespass on another's computer in order to exploit it for their own advantage.

4. Social engineering: social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. With social engineering (such as pretexting, phishing, Interactive Voice Response (IVR) or phone phishing, and baiting), one can deceive a person by tricking him/her into supplying personal information and passwords. Any method of communication can be used to perpetrate this fraud.

If the user of a remote management tool has been infected by viruses or by downloading files containing a backdoor or Trojan horse, or tries to place a backdoor or Trojan horse which executes tasks similar to Back Orifice, NetBus, Netcat and key loggers, in most cases these are shut off by an anti-virus or security tool. However, new variants of these cannot be blocked. That is, there are not many means of defense if perpetrators attack with new viruses and hacking patterns after selecting a target. It would not be difficult to acquire information about access codes and passwords using a backdoor or a Trojan horse. If things have already progressed up to this point, the control power
of the control system will be handed over to organizations or users with malicious purposes.

4. Measures to secure SCADA systems

Future wars will have an aspect of cyber war, in which a lot of investment is expected to be made to develop tools to detect threats and vulnerabilities for making attacks. Accordingly, a new security management methodology should be established and various kinds of security solutions need to be installed. To achieve this, new areas different from the existing information systems need to be identified and the security measures for survival should be established.

First of all, SCADA systems are different from general information systems in terms of security management. In the risk/security management of general information systems, after analyzing the assets, threats and vulnerabilities of the information systems and calculating the degree of risk, security measures are prioritized and the remaining risk is calculated. On the contrary, for SCADA systems the analysis of the assets is performed not from the viewpoint of the systems but from the viewpoint of the target facilities managed and operated. That is, the main assets of the SCADA system managing nuclear power and petroleum plants are not the servers but the nuclear power plants and petroleum plants themselves. Because the value of these assets cannot be calculated, it would be impossible to quantify the value of damages, so it would not really be possible to establish security measures after a cost-benefit analysis. Accordingly, a systematic security framework which, in addition to the existing security services (confidentiality, integrity, availability), provides security solutions in terms of protection, survival and reconnaissance could be proposed.

First, with “protection”, the objective is to construct a system of protection for safe systems to cope with attacks which can paralyze SCADA systems.
The technology of detection, analysis and response should be enhanced to cope with system-paralyzing attacks by viruses/worms, electromagnetic waves and physical attack. Second, in “survival”, various threats and attacks can be effectively blocked while the blocking of mutated information and the grading and categorizing of information are performed to enable real-time operation based on a reliable channel. Third, in “reconnaissance”, recent malicious vulnerabilities are analyzed and the technology of control and analysis/investigation is applied to establish an environment to cope with the outflow of important information. Through this security framework, total security management of SCADA can be realized.

In addition, security measures in terms of policy can be presented as follows:

• Government security regulations
• Establishment of a national organization for infrastructure protection to cope with cyber terror or cyber war
• Future research on viruses and hacking
• Minimization, strict management and implementation of a security policy for external connection points to the infrastructure
• Strict management of connection points or the parts of the infrastructure providing information to outsiders
• Establishment of a policy which prohibits direct and remote access to the infrastructure control system
• Completion of contingency plans for viruses and hacking against internal PCs and servers connected with the infrastructure
• Reinforcement of security training and the security organization for internal users
• Minimization of remote support by the companies which developed the infrastructure system
• Making a decision whether to allow remote access to the infrastructure control system
• Prohibition of the outflow of information about the infrastructure control system
• Thorough review of the security measures for the renewal of solutions
Security measures in terms of technology can be presented as follows:

• Strict limitations and authority control are needed for external connections
• Reinforced security for the systems in the DMZ as well as for the internal network is recommended
• Enhancing security using VPN (Virtual Private Network) as well as server integrity tools
• Minimization of access paths to the internal network and enhanced concentration of monitoring are recommended
• Encryption of emails and locking of files and directories
• Regular and thorough inspection of security and vulnerabilities
• Developing control and monitoring methods to cope with any abnormal situation in SCADA equipment
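As an added illustration of the “minimization of access paths” and “concentration of monitoring” measures above, and of threats (2) to (4) in Section 3, the following script (not part of the paper) reviews constructed firewall accept/drop records for remote management sessions into the control network: company workstations reaching control hosts on Terminal Server/RDP, VNC or pcAnywhere ports without going through the approved jump host, vendor remote support outside its maintenance window, and any other external host reaching the control network. The zone addresses, the jump host, the vendor address range, the maintenance window and the log format are all assumptions chosen for the example.

```python
import ipaddress
import re
from datetime import datetime, time

# Constructed network zones (assumptions for this example).
COMPANY_NET = ipaddress.ip_network("10.10.0.0/16")   # office / MIS network
CONTROL_NET = ipaddress.ip_network("10.50.0.0/16")   # SCADA/DCS network
JUMP_HOSTS = {ipaddress.ip_address("10.10.5.10")}    # the only approved access path
VENDOR_NET = ipaddress.ip_network("203.0.113.0/24")  # vendor support range (documentation block)
MAINTENANCE_WINDOW = (time(2, 0), time(4, 0))        # when vendor remote support is allowed

# Ports of the remote management tools the paper names: Terminal Server (RDP),
# VNC and pcAnywhere.
REMOTE_MGMT_PORTS = {3389: "Terminal Server/RDP", 5900: "VNC",
                     5631: "pcAnywhere", 5632: "pcAnywhere"}

# Constructed log format: "<ISO timestamp> <ACCEPT|DROP> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(\S+) (ACCEPT|DROP) (TCP|UDP) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, _sport, dst, dport = m.groups()
    return {
        "time": datetime.fromisoformat(ts),
        "action": action,
        "proto": proto,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
    }


def in_maintenance_window(when):
    start, end = MAINTENANCE_WINDOW
    return start <= when.time() < end


def classify(flow):
    """Return a finding string for a permitted flow into the control network, or None."""
    if flow["action"] != "ACCEPT" or flow["dst"] not in CONTROL_NET:
        return None
    src = flow["src"]
    if src in CONTROL_NET:
        return None                       # intra-control-network traffic is out of scope here
    if src in COMPANY_NET:
        tool = REMOTE_MGMT_PORTS.get(flow["dport"])
        if tool and src not in JUMP_HOSTS:
            return "{} session from company host {} bypasses the approved jump host".format(tool, src)
        return None
    # Anything else reaching the control network comes from outside both networks.
    if src not in VENDOR_NET:
        return "external host {} reached control network port {}".format(src, flow["dport"])
    if not in_maintenance_window(flow["time"]):
        return "vendor support from {} outside the maintenance window".format(src)
    return None


def analyze(lines):
    """Return [(line_number, finding)] for the flows that violate the access policy."""
    findings = []
    for number, line in enumerate(lines, start=1):
        flow = parse_line(line)
        if flow is None:
            continue
        finding = classify(flow)
        if finding:
            findings.append((number, finding))
    return findings


# Constructed sample log (not a real capture).
SAMPLE_LOG = [
    "2009-07-27T03:10:12 ACCEPT TCP 10.10.5.10:51022 -> 10.50.1.20:5900",    # jump host, in window
    "2009-07-27T09:41:03 ACCEPT TCP 10.10.22.7:49877 -> 10.50.1.21:3389",    # workstation -> RDP
    "2009-07-27T03:20:45 ACCEPT TCP 203.0.113.40:40111 -> 10.50.1.20:5900",  # vendor, in window
    "2009-07-27T14:05:09 ACCEPT TCP 203.0.113.40:40112 -> 10.50.1.20:5900",  # vendor, out of window
    "2009-07-27T14:06:30 ACCEPT TCP 198.51.100.9:33001 -> 10.50.2.5:502",    # unknown external host
    "2009-07-27T14:07:02 DROP TCP 10.10.22.7:49890 -> 10.50.1.21:5631",      # blocked, not a finding
    "2009-07-27T14:08:15 ACCEPT TCP 10.10.22.7:49891 -> 10.10.9.4:3389",     # stays in company net
]

if __name__ == "__main__":
    for number, finding in analyze(SAMPLE_LOG):
        print("line {}: {}".format(number, finding))
```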
As an example of concrete measures for a critical infrastructure, we examine the security of mass transportation. We can classify three kinds of security measures, against system failure, natural disasters, and terrorism or vandalism:

1. Security measures against technical failure.
• All external connections should be encrypted, or disconnected if possible
• All gateway devices with external connections should be separated from SCADA devices on the PCN (Personal Communications Network)
• Illegal access should be detected by applying IDS products, transaction logging or traffic monitoring
• Firewalls or VPNs should be applied
• On-line monitoring

2. Security measures against natural disasters: fire or flood.
• Modeling of flood/fire in the specific areas
• Monitoring by off-line rescue forces
• Integrated transport vector map as a geographical database
• On-line monitoring

3. Security measures against terrorism: terrorists or activists.
• Active checking
• Surveillance video monitoring
• Spatial visual monitoring
• Diagnostic methods
• Enclosed-place air condition detection
5. Conclusions

The above trend in the advanced countries is very instructive to us. We should study and develop security technology to reinforce the security of control systems and make an effort to remove cyber threats which may happen in the future or may be happening now. Encryption algorithms for the control system and intrusion blocking systems for PLCs (Programmable Logic Controllers) need to be developed. Also, user authentication for the control system, encrypted communication protocols and a risk analysis tool for the control system should be studied and developed. It is time to develop a testing suite to analyze the vulnerabilities of the PLC, the core facility of a control system, and to invest in cyber threat control technology for the control system. Up until now, there have been only physical security measures, in which a SCADA system operates in a closed network, and neither a cyber security organization nor manpower. There have been few security measures to cope with the diversity and complexity of SCADA protocols. Accordingly, we should research and study security management methods at the national security policy level from now on, in order to identify and remove various vulnerabilities and threats to the SCADA systems which manage and operate such national infrastructures as nuclear power plants, petroleum and gas facilities, transportation, aviation facilities, satellites, etc.

References

Control System Security Program Outline, http://controlsystemssecurity.inl.gov/pressroom/reports/cssc_program_summary.ppt.
CRS Report RL32114. (Jan. 2008). Botnets, cybercrime, and cyberterrorism: Vulnerabilities and policy issues for Congress.
Government Accountability Office. (2004). Critical infrastructure protection: Challenges and efforts to secure control systems (GAO-04-354). Washington, DC: GAO.
Hadim, S., & Mohamed, N. (2006). Middleware: middleware challenges and approaches for wireless sensor networks. IEEE Distributed Systems Online, 7(3), 1.
Haenselmann, T. (2004). GFDL wireless sensor network textbook, Sensor networks.
I3P. (Oct. 2005). Process control system security. National Cyber Infrastructure Bulletin, No. 1.
Pollet, J. (August 8, 2002). SCADA security strategy. PlantData Technologies, http://www.plantdata.com/SCADA/Security/Strategy.pdf.
Römer, K., & Friedemann, M. (Dec. 2004). The design space of wireless sensor networks. IEEE Wireless Communications, 11(6), 54–61.
Ryu, D., Kim, H., Shin, S., & Nahm, S. (2007). Security vulnerabilities of critical infrastructure systems. World Conference on Safety of Oil and Gas Industry (WCOGI), Gyeongju, Korea, Vol. 2, pp. 218–222.