5 SCADA Security Considerations

By: Allan Evora

System security is an important part of SCADA and HMI design philosophy. But many facility owners breeze over its importance. After all, why would an attacker want to access your facility in the first place? There are quite a few reasons.

 

Why hackers hack mission-critical facilities

• Valuable information outside the facility: The hack could have nothing to do with your facility, and everything to do with the big picture. If you’re a hospital central energy plant connected to the hospital network, they could be looking for an easy avenue into that network. Perhaps the hospital network is heavily protected, but maybe the CEP’s avenue into the hospital network isn’t. Protected health information (birthdate, social security number, address, etc.) is one of the most valuable pieces of information to hackers, and it sells for a lot on the black market.
• Valuable information in the facility: Or…it could have everything to do with your facility. How much energy you’re producing, or the amount of environmental contaminates you allow into the atmosphere can also be valuable. Perhaps attackers are looking for insider trading information to sell or are looking to provide information to anti-government or green activist organizations.
• Sabotage: If you’re a mission critical facility, activist hackers (hacktivists) could be looking to sabotage your business practices to send a message. Or, if you contribute to the energy grid, they might be looking for an easy avenue to disrupt the entire grid. You might just happen to be the avenue.
• Exploitation: If your system is important to your daily operation, then you are at risk. A hacker that can gain access to and install ransomware on to your system can significantly impact your business financially until their random demands are met.
• Random, dumb luck. Hackers use network port scanners to find ports that are open across the internet. There are also well-known websites that list IP enabled devices that are discoverable on the Internet. Even when trying lists of commonly used usernames and passwords, they might not know what organization they’re hacking. They’re simply attacking a potential vulnerability. If your ports happen to be open, they’ll get in, find valuable data, install malware to keep tabs on you to see if any new exciting information comes in, and get out.

In general, most hackers just care about the valuable information they find on your network that they can sell on the black market.

 

Locking out cybercriminals

Are you using Windows Remote Desktop? PCAnywhere? GoToMyPC? LogMeIn? TeamViewer? RDP? These remote desktop connections might be putting you at risk. In fact, it’s one of the most common avenues hackers use to access systems. According to SecurityMetrics, 80% of organizations are attacked through insecure remote access programs and applications.

If a hacker can hack remote access, he doesn’t have to worry about complex firewall configurations or other perimeter protections. It’s an easy street into your network.

As I explained above, hackers scan the internet for open remote access ports with port scan tools and exploit common vulnerabilities (like a Microsoft vulnerability) by using online password lists to brute force credentials. For example, if the hacker sees that port 3389 is open, he’ll know Windows Remote Desktop is configured. Because he has a list of default passwords and username for Windows Remote Desktop, he’ll try those first.

If the credentials are successful, that attacker can gain complete access to your system. While inside, he/she can download malware and use it to keep an open door into your system.

So how can you secure your SCADA system to lock out potential issues, whether internal or external, to your facility? Here are five considerations to keep in mind.

 

1. Limit those who can access the system through role-based access

Secure your system by limiting those who can access the system in-house, and remotely. Restrict system access to only authorized users and assign levels of access to employees according to the information they need access to for their job function. This includes vendors. Limiting access helps keeps data safe from remote access attacks.

As a related side note, don’t allow guest/default accounts. Many applications and computers come pre-installed with guest accounts, accessible through default passwords. Attackers can easily research default passwords for certain applications with guest accounts to enter your system.

 

2. Change your password

Googling “password list” results in more than a million results. Cybercriminals have algorithms that capture these lists and try hundreds of thousands of these passwords per second.

I’m sure this sounds like a broken record but updating your SCADA password (and other application passwords connected to that SCADA system) every 60-90 days is one of the best things you can do for security. FYI – longer passwords (10-15 characters) are more difficult to crack.

3. Stop letting users use the same password and username (or system defaults)

Sharing credentials is a bad idea. Users that enter the same set of credentials to login to the remote desktop, network, or the SCADA system means you have no visibility into each user’s actions. Each user should have unique credentials.

Don’t rely on the default password or username that comes with the system. Like I said before, most default passwords for any device are easily googled. Default credentials like “Admin”, “Password”, “Admin123”, “User1”, and “Password123” are some of the first hackers check.

To further secure your login screen, limit the number of login attempts. After many unsuccessful logins, your system can be configured to kick the person off.

 

4. Two factor authentication

Two factor authentication is one of the best ways to keep remote desktop applications secure from brute force password attacks…because they require more than just a username and password.

Two factor authentication requires two of the three following things:

• Something the user knows (like a password)
• Something the user has access to (like a code sent to a cell phone)
• Something the user is (like a biometric fingerprint)

For example: after we input our credentials in one of our CEP customer’s remote access systems, they require us to call in for additional authentication. The customer on the phone recognizes our engineer’s voice, verifies it is him, and then allows us to access the system.

 

5. Configure your firewalls properly

Firewalls protect your facility from the outside world. The best way to configure a firewall is to establish access control lists which dictate rules to the firewall on who you trust into your network, and what you trust leaving it. Basically, you’re whitelisting or blacklisting IP addresses.

If you don’t have access control lists, anything and everything is allowed into or outside of the network. Go with the safe route: restrict as much traffic as possible.

Set up virtual private networks (VPNs) for those who require remote access (like your control system integrator). A VPN acts as a sealed pipe between one computer and another and is the most secure method of remote access.

 

Vulnerabilities will keep coming

If you think cyberthreats are bad now, they will only continue to get worse. With the emergence of IIoT, the amount of data collected by corporations to improve and enhance data analytics and optimization models will only increase. The amount of connected applications will increase. And with the increase in connection, there is an increase in potential vulnerability.

The worst thing you can do is assume no hacker would want to gain access to your facility. You might have data that’s valuable to them, or they might just want to take control to cause chaos. Make sure your system integrator is working security into the backbone of your SCADA system during the design, build, and implementation processes to protect your facility from cyberattack.