Infrastructure Under Attack: The Importance Of Securing SCADA Systems
As the popularity of supervisory control and data acquisition (SCADA) systems continues to rise, companies across the globe are seeking how to effectively manage any changes within the organisation with seamless upgrades.
Alongside optimising the SCADA system, firms need to ensure that threats to it are countered with advanced security measures – the importance of which was recently highlighted by a global attack by a worm known as Stuxnet.
The worm is a new form of security threat which represents a potential risk to critical infrastructure and has already made waves by affecting Iran's weapons programme and causing chaos by slowing down internal processes.
This worm was recently brought under the spotlight by Tom Parker, director of Security Consulting Services at security vendor Securicon, who attempted to uncover the risks it poses to SCADA and other control systems and how to defend against them.
He analysed the code complexity of the virus, and told InternetNews.com:"One of the analysis mechanisms I've written looks for amateurish mistakes in code like heavily nested conditional statements. Typically, a more advanced programmer will be aware of efficiency issues in code and heavily nested statements is a fairly typical mistake among people that are just learning how to program."
However, he said Stuxnet also has some very advanced components and is not entirely uniform as there are at least four versions, two of which have significant differences.
He noted that Stuxnet did not have many of the Microsoft vulnerabilities in it that later versions exploited, while another vulnerability was a link shortcut file issue.
Mr Parker said that Stuxnet is a worm with its crosshairs "targeted" on SCADA control systems, particularly for infrastructure such as power plants.
"Control systems are designed around having the minimum required functionality - they're designed to be efficient and reliable. A lot of these systems are reliant on other infrastructure to protect them, and many don't even have password access as they've been operating in closed environments," he told eSecurityPlanet.
The expert noted that SCADA systems are not used to being exposed to the same types of threats that are common on the internet and it will therefore be some time until they can "stand alone" against modern attacks.
Organisations currently utilising SCADA systems are exploring how they can standardise security for these systems and protocols and establishing secure systems in an integrated environment, as well as implementing methods to counter security risks.
However, Mr Parker said it is important to realise that fixing these systems will not happen overnight, so putting "compensating" measures in place such as additional layers of firewalls will be important.
The expert Parker added that, in the case of Stuxnet, it was written so that people could effectively use an infected USB key to walk into a controlled environment and infect the SCADA system.
"There really isn't a lot you can do about that from a technological standpoint. That's more of a process issue, he said, suggesting to the website that regulations and processes are required to make sure people make "good decisions".
"In the case of Stuxnet it's important that the devices that are being used to program critical SCADA devices are never contaminated by lesser networks like a corporate LAN," the expert explained.
Also, from a regulatory point of view, countries such as the US already have standards in place to help mitigate the likes of Stuxnet risk, with the North American Energy Reliability Corporation Critical Infrastructure Protection standards including specifications to reduce this danger.
Where such regulations do not exist, it is clear that companies utilising SCADA systems will need to ensure that they are secure and as up to date as possible in the months ahead as they look to minimise a very real risk to their operations.