Ashwin K. Chaudary, CISA, CISM, CGEIT, CRISC, CISSP, PMP
Stuxnet, a computer virus that attacked a widely used industrial system in Iran, woke up the world of supervisory control and data acquisition (SCADA)1 professionals and IT security professionals. Many SCADA professionals were until then evidencing a notion of security by obscurity, and many IT security professionals were either not interested or were not allowed to talk about SCADA security. The context of Stuxnet, which was first reported in June 2010, and its sophistication have been well discussed and there are many resources on the Internet for those who are interested in the details.2
Flame, one of the most complex threats ever, discovered in May 2012, is 20 times more powerful than Stuxnet, “the groundbreaking infrastructure-sabotaging malware that is believed to have wreaked havoc on Iran’s nuclear program in 2009 and 2010.”3 Although Flame has both a different purpose and composition than Stuxnet, and appears to have been written by different programmers, its complexity, the geographic scope of its infections and its behavior indicate strongly that behind Flame there could be other than common cybercriminals—marking it as yet another tool in the growing arsenal of cyberweaponry.
The term “business network (or systems)” is used here in the context of the IT systems network used for processing day-to-day general business transactions via enterprise resource planning (ERP) or other applications, databases, and the entire organization’s network connecting all users. As opposed to this, SCADA networks (or systems) are used for controlling the production of goods or services that may involve manufacturing, controlling, managing or monitoring. SCADA systems run many day-to-day utilities and service requirements, such as airports, railways, power, water, sewage plants, and oil and gas plants. To allow for better decision making, enterprises are feeling the need to have real-time updates for accurate production or related information on existing business networks. Therefore, the integration or connection of SCADA networks to business networks is more necessary than ever before.
The availability of technology and proliferation of the Internet have made it easier for SCADA vendors to integrate SCADA networks with business networks. Many process control industries, including public utilities, now take advantage of the ubiquity offered by public networks. Internet connectivity offers many conveniences, including remote access and control of systems; process efficiencies through integrated supply chains and outsourcing; centralization of database information; and interconnection of various private and public networks to create grids.
The size and scale of the enterprise side of operations have also grown, due to increased regulatory and reporting requirements and expanded use of commercial off-the-shelf (COTS) software for administration. Often, applications such as email, ERP and accounting now share SCADA network resources and use external network access for collaboration and updates.
These administrative, communication and third-party interfaces present a risk for which process control and SCADA networks were not designed, so new cybersecurity mitigations should be mandatory. More and more zero-day vulnerabilities are being found every day. Many SCADA professionals are not IT security experts and, therefore, need the services of IT security professionals to integrate the two networks securely. The integration design given by some SCADA vendors often needs to be improved or customized by IT security professionals. For implementing the security requirements, additional budgets may have to be allocated, as security solutions may not be part of the initial budgetary estimate given by SCADA vendors. There are limited IT professionals who do understand the depth of security issues for a SCADA network.
Risk for SCADA systems is more severe and can have a greater impact than business systems; hence, the need for greater attention to security issues required for integration of SCADA networks with business networks. A compromise of a SCADA network can result in loss of lives, production, assets, monies and/or reputation. Attacks on SCADA systems may also occur for purposes of extortion and, in some cases, terrorism. Since SCADA systems run day-to-day utilities and service requirements, they are regarded as critical national infrastructure.
Figure 1 summarizes the major differences between old and new SCADA systems.
For traditional business systems, the paradigm of confidentiality, integrity and availability (CIA) defines the technologies needed to secure the systems (figure 2). In contrast, the critical elements for SCADA systems are availability and message integrity. The typical SCADA system operates on a philosophy of “seven nines” of availability (99.99999 percent uptime). This leads to potentially different technological and security solutions. Typical tasks such as updating antivirus signatures or applying security patches can cause significant outages to these SCADA systems.
Figure 3 provides a summary of some of the major differences between business and SCADA systems.
In September 2009, the Center for Strategic and International Studies (CSIS) conducted a survey of 600 security professionals worldwide. Their anonymous responses were relayed statistically in a McAfee report.4 This report was updated in November 2010 subsequent to Stuxnet.5 The charts in figures 4 and 5 provide statistics from the 2009 (pre-Stuxnet) report. Figure 4 presents responses to the question: “How long before you expect a major incident affecting critical infrastructure in your country?” The average response for “within next 12 months” was as high as 40 percent. Figure 5 shows the percentage who reported extortion using a network attack or the threat of it in the past two years. “One in five critical infrastructure entities reported being the victim of extortion through cyberattack or threatened cyberattack within the past two years. This striking rate was consistent with the anecdotal accounts of experts from several different countries and sectors; indeed, some suggested the real figure might be even higher.”6 Most such cases go unpublicized, if not unreported, the McAfee report says, because of reputation and other concerns by the victim company.7
Figures 6 and 7 indicate responses from the 2010 report, i.e., post-Stuxnet, pertaining to questions on interaction with government on cybersecurity and government audits for SCADA systems. The report reveals that 25 percent of critical infrastructure companies do not interact with the government on cybersecurity and network defense matters. For example, on the question of whether their security plans were audited by government, 100 percent of Japanese respondents reported undergoing such audits. This is a significant increase for Japan over 2009, when China led in security audits. In 2010, China ranked second in auditing, with seven of 10 respondents reporting undergoing such audits. The lowest audit rates occurred in the UK, Spain and the US, which all scored below 20 percent.
Looking at these statistics, it seems that governments may have to play a more focused role on regulation, compliance and audits for SCADA networks. More industry and government collaboration may be required to secure critical national infrastructure.
In view of the critical nature of such services, periodic audits of SCADA networks are necessary. As with audits of a business network, which are conducted periodically, SCADA networks must be audited irrespective of regulatory requirements. Though the basic audit methodology remains the same, the focus on SCADA network audits should be different from the foxus on business networks. For business networks, the priority is on securing the perimeter network and protecting the database holding confidential or personal data, such as credit card numbers. The highest priority for SCADA networks is to sustain operations and to secure human lives.
The following describe the major differences between audits for business and SCADA networks:
Some of the audit methodologies common to business and SCADA networks include:
Protecting SCADA networks that form critical national infrastructure is important, as shown by the points addressed in this article. IT security professionals should view it as their duty to collaborate with government and industry in the interest of protecting national assets from bad elements.
1 The term “SCADA” is used here to denote the industrial control systems (ICS) as a whole, including ICS, process control networks (PCNs), DMZ for SCADA networks, plant distributed control systems (DCS), programmable logic controllers (PLCs), remote terminal units (RTUs), intelligent electronic devices (IEDs), intelligent field devices and drives, smart meters, control systems for emergency shutdown (ESD), control systems for fire and gas (F&G) and other safety processes, and other embedded industrial control and monitoring systems and devices.2 YouTube, “Stuxnet (Hungry Beast),” www.youtube.com/user/abchungrybeast?feature=watch#p/u/13/7g0pi4J8auQ3 Zetter, Kim; “Meet Flame, The Massive Spy Malware Infiltrating Iranian Computers,” Wired, 2012, www.wired.com/threatlevel/2012/05/flame/4 Baker, Stewart; Shaun Waterman; George Ivanov; “In the Crossfire: Critical Infrastructure in the Age of Cyber War,” McAfee, 2009, www.mcafee.com/us/resources/reports/rp-in-crossfire-critical-infrastructure-cyber-war.pdf5 Baker, Stewart; Natalia Filipiak; Katrina Timlin; “In the Dark: Critical Industries Confront Cyberattacks,” McAfee and Center for Strategic and International Studies, November 2010, www.mcafee.com/us/resources/reports/rp-critical-infrastructure-protection.pdf6 Ibid., p.87 Ibid.8 Stouffer, Keith; Joe Falco; Karen Scarfone; National Institute of Standards and Technology (NIST), SP 800-82, June 2011, http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf9 North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP), www.nerc.com/page.php?cid=6|6910 International Society for Automation (ISA), ISA99, Industrial Automation and Control Systems Security, www.isa.org/isa99
Ashwin K. Chaudary, CISA, CISM, CGEIT, CRISC, CISSP, PMP, has worked with SCADA security in the oil and gas sector. Chaudary has also worked on projects for compliance requirements such as the US Sarbanes-Oxley Act, ISO 27001, PCI DSS and SAS 70 (SSAE 16) and for the implementation of governance/risk frameworks. He can be reached at firstname.lastname@example.org.
Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2012 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.