Newsflash: Most networks utilized for Supervisory Control and Data Acquisition (SCADA) were not designed to be secure. Yes, you read that correctly. Kind of a scary thought, especially when your municipal water utility is reliant on this network to ensure the availability and safety of the drinking water supply!
This is why the management company for a municipal water utility with a SCADA system that controls a large pump station which maintains the transportation and distribution of 330 million gallons of water per day, enlisted the services of DirectDefense to perform a comprehensive security assessment test of the water utility’s SCADA environment. What we found was a completely flat network with no segmentation (which is not uncommon in industrial control networks that have been historically designed without security considerations) leaving them particularly susceptible to attack.
Breakdown of a SCADA System
Before we dive into how you can secure your SCADA network, first a little background on how these networks typically operate. The primary purpose of these industrial control networks and their associated devices are most commonly high reliability and resilience to maintain their associated business operations (valves, breakers, actuators, conveyors, elevators, scanners, etc.). This is done with the following three system components:
- The Human Machine Interface (HMI) provides the capability for the operator to monitor and make changes to the conditions and functions of the devices in the network.
- The Programmable Logic Controllers (PLCs) control the function of the devices acting as the interface between the computer commands of the HMI and the mechanical functions of the breakers/valves, conveyors, elevators, scales, etc.
- The sensors and field devices such as temperature, pressure, flow, altitude, attitude, breaker/valve state and scanner barcode or measurement data, monitor and control the process conditions and are connected to the PLCs. These devices operate based on the logic contained in the PLCs which uses the process data to make operational decisions.
It would seem obvious that at the very least this SCADA system trifecta should be segmented, but for most systems of this type (implemented more than 10 years ago), segmentation was not considered at the point of design.
A Flat Network is a Vulnerable Network
Lack of segmentation is one of the primary risks to any SCADA system and should be considered a top priority for remediation. This was the case at the water pump station that we tested. A flat network enables a vulnerability on one part of the network to be utilized as an attack point for other parts of the network. This lack of network segmentation leaves the environment at an unnecessarily higher risk to attack due to an increased attack surface. What could this mean to a public-servicing water utility, such as this one? Someone with ill-intent could get in and mess with the water pressure that controls the water supply. This could result in the utility not being able to provide needed water, and that the water utility has to issue the dreaded boil-water advisory. No municipal utility wants to suffer the reputational and financial damage that will come when having to issue a boil-water advisory. However, that is exactly what they would be required to do if someone else had control of the water supply for any period of time – even if they didn’t do anything to make the water unsafe to drink.
You can learn more about that here: Tales From the Road: Water Utilities Take Warning!
In addition to controlling utilities, municipalities have come to rely more and more on metrics and data extracted from these SCADA networks in order to provide business intelligence for continuity of operations and efficiency. With the water pump house SCADA network feeding data to a number of business servers necessary to support the water distribution business model, it is important to update and secure the network.
The Solution: SCADA Segmentation
Industrial control networks are particularly susceptible to attack as they cannot be secured using methods normally used to secure typical network environments. The systems involved have longer patch cycles, cannot always run anti-virus software and utilize legacy communications protocols that are more difficult to protect.
Networks are designed to be segmented behind some form of perimeter security and prevented from accessing or being accessed by untrusted networks such as the Internet or other business networks. Therefore, addressing the segmentation issue in order to permit controls between networks is the primary recommendation that DirectDefense had for the water pump station.
From Flat to Fat: Three Ways to Segment Your SCADA Network
It’s time to beef up your network! DirectDefense recommends, at a minimum, the pump station SCADA network be segmented into three sections with firewall access controls between them:
- The first segment would house the Human Machine Interface (HMI)/Control system computers.
- The second segment would house the Programmable Logic Controllers (PLC).
- The third segment would house the sensors and field devices.
Segmentation is necessary to permit the use of compensating controls when vulnerabilities are identified in networks. This also permits a much higher level of traffic examination for in-depth defense purposes, particularly when third party vendors use VPNs to access the network for maintenance and troubleshooting.
During our physical penetration test, we discovered that in addition to the lack of segmentation in the Water SCADA network, there was also an unpatched application server sitting in a DMZ and not being managed by anyone. Apparently, it had been put in as a proof-of-concept and was never maintained, posing several threats:
First, it bridged the gap between the corporate network and the SCADA network using a DMZ. More concerning, it was running remote access software to allow a third party to access data from the SCADA system and the computer firewall was turned off. This means a determined adversary could utilize this mechanism to compromise the computer and gain entry to the SCADA HMI (which in its unsegmented would mean access to the entire network).
Additionally, the computer was using a weak password, and if that didn’t make it easy enough to hack into, the password was written on a notepad adjacent to the computer in question.
So, while segmentation is the best place to start, the use of weak and/or shared passwords, having devices and servers with unnecessary services enabled and/or missing patches all need to be addressed to have a secure SCADA network.
Password advice can be found here.
The Bottom Line: Most SCADA systems were implemented at a time when security was not a design consideration, and segmentation was dismissed as adding unnecessary complexity. As the cybersecurity threat landscape has evolved, so has the necessity to re-examine the design of industrial control systems in order to protect them from evolving threats.
Team Up with DirectDefense
Let the SCADA security consultants at DirectDefense help you to thoroughly secure and implement a maintenance program that is commensurate with your critical business system.