SCADA security, 2013

Slide 2: 24/7 infrastructure availability
• The infrastructure controlled by SCADA systems and PLCs often has to be continuously available and must operate as expected
Slide 3: Continuous operation
• In some cases, it may be very disruptive to switch off PLC-controlled equipment, as it is impossible to predict when the system will be required
Slide 4: Critical SCADA systems
• Failure of controlled systems can lead to direct loss of life due to equipment failure, or to indirect losses due to failure of the critical infrastructure controlled by SCADA systems
• SCADA must therefore be dependable
  – Safety and reliability
  – Security
Slide 5: SCADA safety and reliability
• SCADA safety and reliability
  – Needs specific safety analysis techniques for PLCs because they are programmed in a different way (ladder logic)
  – SCADA systems are designed with redundancy and backup, which contributes to the availability of these systems
Slide 7: SCADA legacy systems
• Security through isolation
  – Historically, SCADA systems were unconcerned with security because they were isolated systems
• Security through obscurity
  – Non-standard programming languages and protocols were used
Slide 8: Security through isolation
• If a system is not connected to the Internet, then it cannot be penetrated by attacks from the Internet
• This is the so-called ‘air gap’ between the SCADA system and the rest of the world
Slide 9: Maroochy Water Breach
• The Maroochy Water Breach (see video) was a cyberattack on a sewage treatment system in Australia carried out by an insider
Slide 10: Security through obscurity
• An approach to security based on the fact that information about a system is not widely known or available, so the assumption is that few people can successfully attack the system from outside
Slide 11: Security through obscurity
• Susceptible to insider attack from those inside the organisation who know the information
• SCADA systems are sold globally, so information about them is available to other countries that may be potentially hostile
• Information on SCADA systems can be stolen and used by attackers
Slide 12: SCADA connectivity
• 3rd generation SCADA systems are now reliant on standard IT technologies and protocols (Microsoft Windows, TCP/IP, web browsers, organisational wireless networks, etc.)
• They are integrated with older SCADA systems
Slide 14: SCADA legacy systems
• There are a huge number of 2nd generation SCADA systems that are still in use and are likely to remain in use for many years
  – Infrastructure systems can have a 20+ year lifetime
• However, these are now being ‘updated’ with new equipment which is network-connected
• These older legacy systems were developed without security awareness and so are particularly vulnerable to attack
Slide 15: The myth of the ‘air gap’
• Direct connections to vendors for maintenance, stock ordering, etc.
• Connected to enterprise systems, which in turn are on the Internet
Slide 16: The myth of the air gap
• PCs used by operators may be multi-functional and Internet-connected
• Operators transfer information using USB drives
Slide 18: SCADA security vulnerabilities
• Weak passwords
• Open to port scanning to discover SCADA systems on the network
• Lack of input validation, leading to buffer overflows and SQL injection
• Unencrypted network traffic
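As an added defender-side example (not from the slides), the following Python inspects constructed flow-log records for two of the patterns just listed: cleartext Modbus/TCP sessions crossing from the enterprise zone into the control zone (the air-gap myth of slides 15 and 16) and single-source port scanning of control-network hosts. The zone ranges, the scan threshold and the log lines are assumptions made for the example.

```python
"""Passive checks over flow logs: nothing is sent to the PLCs or HMIs.
Constructed example; zone ranges, threshold and sample records are assumed."""
from collections import defaultdict
import ipaddress

CONTROL_ZONE = ipaddress.ip_network("10.10.0.0/16")     # assumed PLC/HMI subnet
ENTERPRISE_ZONE = ipaddress.ip_network("10.20.0.0/16")  # assumed office subnet
CLEARTEXT_SCADA_PORTS = {502: "Modbus/TCP"}             # Modbus/TCP carries no encryption
SCAN_PORT_THRESHOLD = 10  # distinct ports from one source to one host counts as a scan

# Constructed flow records: "time src dst dport proto"
SAMPLE_FLOWS = [
    "12:00:01 10.20.5.7 10.10.1.20 502 tcp",  # office PC speaking Modbus to a PLC
    "12:00:02 10.20.5.7 10.10.1.21 502 tcp",
    "12:00:05 10.10.2.3 10.10.1.20 502 tcp",  # HMI inside the control zone: expected
    "12:00:09 10.20.9.9 10.10.1.20 443 tcp",
] + [f"12:01:{i:02d} 10.20.9.9 10.10.1.20 {p} tcp" for i, p in enumerate(range(20, 32))]


def parse_flow(line):
    """Split one record into (time, src, dst, dport, proto) with typed addresses."""
    ts, src, dst, dport, proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto


def find_cross_zone_cleartext(lines):
    """Flows from the enterprise zone into the control zone on a cleartext SCADA port."""
    hits = []
    for line in lines:
        _, src, dst, dport, _ = parse_flow(line)
        if src in ENTERPRISE_ZONE and dst in CONTROL_ZONE and dport in CLEARTEXT_SCADA_PORTS:
            hits.append((str(src), str(dst), CLEARTEXT_SCADA_PORTS[dport]))
    return hits


def find_port_scans(lines, threshold=SCAN_PORT_THRESHOLD):
    """Map (src, dst) -> number of distinct ports when a control-zone host is swept."""
    ports = defaultdict(set)
    for line in lines:
        _, src, dst, dport, _ = parse_flow(line)
        if dst in CONTROL_ZONE:
            ports[(str(src), str(dst))].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    for hit in find_cross_zone_cleartext(SAMPLE_FLOWS):
        print("cleartext cross-zone session:", hit)
    for pair, n in find_port_scans(SAMPLE_FLOWS).items():
        print("possible scan:", pair, n, "distinct ports")
```

Because it reads logs that already exist rather than probing the devices, this kind of check fits the caution on slide 21 about active scanning of control equipment.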
Slide 19: SCADA security challenges
• SCADA systems and PLC software are normally developed by engineering companies with very limited experience of developing secure systems
• The system developers are usually domain experts (oil and gas engineers, power engineers, etc.) rather than software engineers
• They may have had no training in security techniques
Slide 20: SCADA security challenges
• It is not always possible to use standard security tools and techniques:
  – It may not be possible to install anti-virus protection on process control systems, owing to the lack of processor power on legacy systems, the age of operating systems or the lack of vendor certification
Slide 21: SCADA security challenges
• Security testing on process control systems must also be approached with extreme caution: security scanning can seriously affect the operation of many control devices
• There are sometimes few opportunities to take the systems off-line for routine testing, patching and maintenance
Slide 22: Improving SCADA security
• Government and industry reports to raise awareness of SCADA security issues
• Establishment of bodies specifically concerned with infrastructure protection who can advise on SCADA system security
Slide 23: Improving SCADA security
• Better security education and training for SCADA developers
• Need for regulators to become involved: security certification
Slide 25: Summary
• Government organisations are seriously concerned about the vulnerability of SCADA systems to cyberattacks and the consequences for our national infrastructure
• SCADA systems are now connected to the Internet and so are vulnerable to external attack
• SCADA systems are often old systems that were built without security in mind, and are therefore vulnerable to external attack