Introduction to SCADA security
Supervisory Control and Data Acquisition, or SCADA, is a system used in many industries, including in the nation’s critical infrastructure, to help with maintaining efficiency, data processing and communicating issues for faster resolution. Part of this functionality is undoubtedly due to the injection of proverbial IT DNA into traditional processing systems.
Despite this, SCADA security is markedly different from IT security. This article will provide a high-level introduction to SCADA security and will explore the different types of ICS, ICS components, BPCS and SIS, and industrial control systems (or ICS) strengths and weaknesses from a security perspective.
Types of ICS
There are four main types of ICS:
Supervisory Control and Data Acquisition, or SCADA, is an ICS with data-gathering and processing functionality that can apply appropriate operational controls that span long distances. SCADA was developed to handle the various challenges that can be faced when different information media is used, including phone lines, satellites and microwave transmissions.
SCADA systems are normally used in critical infrastructure, power distribution and transmission, and pipeline systems environments. This type of ICS is shared rather than dedicated.
SCADA systems come with some solid benefits, including:
- SCADA can efficiently process information at both local and remote locations
- Gathering, processing and monitoring data in real-time
- Features human-machine interface that allows for direct interaction with sensors, valves, pumps and other components
- Records information in a useable log file
Programmable Logic Controllers, or PLCs, are solid-state ICSes with programmable memory for storage of instructions that monitors inputs and makes decisions based on its internal program or logic for automation.
Some systems are PLC-based, where multiple PLCs are networked together in order to share information. Arranging a system in this way allows for control capability and centralized monitoring.
PLCs can use both high-speed discrete control and analog control capability. It should be noted that PLCs may be merely a component of ICS, but PLCs can also the control system itself when grouped together.
Distributed Control Systems, or DCSes, are both deployed and controlled in a distributed fashion where processes and control systems are controlled individually. The intelligence of this type of ICS is distributed (sometimes separated by large distances) instead of being in one central location, unlike other ICSes.
DCSes are typically proprietary, meaning that replacement hardware, software and other replacement parts need to be ordered from the manufacturer (or original vendor).
Industrial Automation and Control Systems (IACSes) use safe infrastructure to facilitate information communication and transfers and smart device communication to collect information. An IACS leverages the ability of automation to improve the production or industrial process by providing a faster production time, smarter and faster information collection and an increase in scalability and flexibility. These benefits lead to a more optimized production or industrial floor.
There is a handful of components that are typically involved in ICS (including SCADA). A list of the components with a brief description is presented below.
- PLC: Can sometimes be merely a component of an ICS, as explored above
- RTU: Remote terminal units, convert sensor signals to usable data. With the use of telemetry, RTUs communicate with the supervisory system
- Data acquisition servers: Software services that uses protocols to connect services by using RTUs, PLCs and other devices. This data can be accessed by these devices by using standard protocols
- HMI: Human-machine interface. This presents data in a useable form to the human operator
- Historian software: Collects time-stamped data, alarms and Boolean events. This data is used to create graphic trends viewable in HMI. This data is stored in the data acquisition server
- Supervisory system: Gathers data on multiple processes and sends commands to SCADA
BPCS & SIS
Basic Process Control Systems, or BPCS, takes inputs from sensors and instruments and provide outputs that are in accordance with the design control strategy of the facility. Some of the functions of a BPCS are:
- Controlling process subject to pre-set operating conditions
- Optimizing plant operation
- Managing process variables
- Provide alarm and event logging
- Provide interface for monitoring and control through HMI
BPCS does have some built-in security functionality; however, this can be problematic, as there is no guarantee that the security feature will work with 100% certainty. As a point of reference, BCPS is the first layer of prevention in protection analysis. In other words, it’s the weakest.
Safety Instrumented Systems, or SIS, are systems responsible for facility operating safety and ensuring emergency stop actions occur within safe limits. SIS reduces risk of the facility by using Safety Instrumented Functions. For example, when a tank overfills, the SIF is triggered, and the SIS responds by filling the tank to a level predetermined as safe.
ICS strengths and weaknesses from a security perspective
ICS is really a mixed bag when it comes to security. Below is a rundown of the strengths and weaknesses of ICS, in particular SCADA.
- Isolation: Also known as the air-gap approach. An isolated network is less likely to be attacked (in theory)
- Use of proprietary protocols narrows down the population of hackers that know the protocol, so there is less probability of the success of a hack or attack
- Availability: One of the three tenets of cybersecurity, SCADA values availability of information over all else
- Not security-focused: SCADA was not created with SCADA in mind, which is possibly SCADA’s biggest weakness
- Legacy equipment: Use of legacy equipment weakens security because it may not have been engineered in a time with adequate security, thereby putting the whole network at risk
- Connectivity: ICS does not exist in a bubble. As time goes on, more and more devices are being manufactured with better TCP/IP connectivity capability. With this comes a higher probability of attack, as it opens up the system to the internet at large
- Air-gap myth: For a long time, using an air-gap approach to SCADA security was enough. This has been shown to be not as airtight as originally thought, as attacks have occurred on air-gapped networks by an infected device being joined to the air-gapped network
- Availability: SCADA prizes availability over the other tenets of cybersecurity, making both confidentiality and integrity take a back seat
Security for ICS, and SCADA systems in particular, is not what many think it is. While some basic principles of IT security apply to ICS/SCADA systems, these systems are their own unique animal in this regard, with their own unique needs.
- SCADA security and understanding the risk impacts, CSO
- Guide to Industrial Control Systems (ICS) Security, NIST
- What is SCADA?, Inductive Automation
- 5 reasons SCADA security is fragile, CSO
- What is SCADA Security, Forcepoint