
Securing ICS and SCADA: A Guide to Cyber Resilience


Securing industrial control systems and SCADA

In today’s interconnected world, Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems play a pivotal role in managing critical infrastructure, including water supply, oil pipelines, transportation, and electricity. They perform essential functions such as monitoring and controlling pumps, valves, and transmitters.

However, this growing interconnectivity brings vulnerabilities that malicious actors could exploit to harm these systems through digital or physical means. Such attacks can cause serious harm to individuals or whole communities by damaging water purification systems, disabling power plants, and prolonging outages of critical services.

ICS and SCADA systems face a range of vulnerabilities, from implementation errors to security misconfigurations and weak authentication practices. Left unaddressed, these vulnerabilities can lead to severe consequences, including system outages and physical damage.

Some of the causes of vulnerabilities are listed below:

1. Implementation issues 

These vulnerabilities stem from errors in design, architecture and implementation. A common one is a programmer not validating inputs because they assume an attacker cannot modify them; for example, assuming that cookies or hidden form fields in a web browser cannot be changed, when any of them can be altered with an intercepting proxy. The figure shows the relationships between the vulnerabilities: each subsection is a cause that leads to another cause. For example, insufficient input validation (cause) leads to a buffer overflow (another cause), which in turn leads to denial of service or remote code execution.

2. Lack of input validation 

This weakness occurs when SCADA software receives input from other components but does not verify that the input is well-formed and safe. It is the root of many other vulnerabilities, including path traversal, command injection, OS command injection, cross-site scripting (XSS) and SQL injection.

3. Improper validation of array index 

This vulnerability is a consequence of insufficient input validation: the software uses an index received from an upstream component to access an array without checking that it lies within the array’s bounds.

4. Untrusted search path 

The program looks for critical resources (libraries, executables, configuration files) using a search path that includes locations not under the application’s direct control. A successful exploit leads to dynamic-link library (DLL) hijacking, where the program loads an attacker-supplied library in place of the expected one.

5. Improper limitation of memory buffer 

This type also stems from a lack of input validation: the software reads from or writes to a memory buffer outside its intended limits. It leads to buffer overflows and off-by-one errors.

6. Improper control flow management

During execution, the code does not correctly manage its control flow, so the execution logic can be altered unexpectedly. This leads to race conditions, time-of-check/time-of-use (TOCTOU) bugs, server-side request forgery and hidden functionality errors.

7. Security misconfiguration issues 

These vulnerabilities arise from weak or missing security mechanisms: lack of encryption, inadequate encryption strength, insufficiently random values, and insufficient verification of data authenticity.

8. Weak password requirement 

The software does not enforce a strong password policy. A successful exploit (guessing or brute-forcing a weak password) leads to privilege escalation.

9. Improper access control 

The software does not properly restrict access to critical resources. Access control relies on the AAA mechanisms: authentication, which identifies the actors; authorisation, which ensures critical resources are accessible only to authorised actors; and accountability, which tracks the actors’ activities.

10. Improper authentication 

This occurs when the software does not validate, or improperly validates, the identity of a user. Variants include: authentication bypass, use of hard-coded credentials, authentication bypass by capture-replay, lack of certificate validation, default password configuration, improper restriction of invalid authentication attempts (no lockout or rate limiting), improper authorisation, and unsalted hash values.
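The chain described under causes 2, 3 and 5 (missing input validation leading to an unchecked array index and a crash) is easiest to see in a small handler. The following is an added example written for this article, not code from the original: a toy Modbus-style “Read Holding Registers” handler, first without and then with validation. The function code 0x03, the 125-register limit and the exception codes follow the public Modbus specification; the register table and the limits of the “PLC” are constructed for the example.

```python
"""Added example (not code from the article): a toy Modbus-style
'Read Holding Registers' handler without and with input validation.
The vulnerable handler trusts the client-supplied start address and
quantity and crashes when they point outside the register table; the
hardened one checks the frame before touching memory.

Function code 0x03, the 125-register limit and the exception codes are
from the public Modbus specification; the register table and the 'PLC'
itself are constructed for this example."""
import struct

FC_READ_HOLDING = 0x03
MAX_REGISTERS_PER_READ = 125      # Modbus limit for function 0x03
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_DATA_ADDRESS = 0x02
EXC_ILLEGAL_DATA_VALUE = 0x03

# Constructed holding-register table standing in for a PLC's memory.
HOLDING_REGISTERS = [0] * 100
HOLDING_REGISTERS[0:4] = [1200, 55, 7, 1]   # speed setpoint, level, mode, run flag


def build_read_request(start: int, quantity: int) -> bytes:
    """PDU for 'read `quantity` registers starting at `start`' (no MBAP header)."""
    return struct.pack(">BHH", FC_READ_HOLDING, start, quantity)


def _encode_response(values) -> bytes:
    return struct.pack(">BB", FC_READ_HOLDING, 2 * len(values)) + b"".join(
        struct.pack(">H", v) for v in values)


def handle_read_vulnerable(pdu: bytes, table=HOLDING_REGISTERS) -> bytes:
    """Lack of input validation (cause 2) leading to an improperly validated
    array index (cause 3): start and quantity come straight from the wire."""
    _fc, start, quantity = struct.unpack(">BHH", pdu)
    # Indexing past the end of the table raises IndexError; in a real
    # device the equivalent over-read is a crash or a memory disclosure.
    values = [table[i] for i in range(start, start + quantity)]
    return _encode_response(values)


def handle_read_hardened(pdu: bytes, table=HOLDING_REGISTERS) -> bytes:
    """Validates length, function code, quantity and address range first."""
    if len(pdu) != 5:                                   # wrong frame size
        return bytes([FC_READ_HOLDING | 0x80, EXC_ILLEGAL_DATA_VALUE])
    fc, start, quantity = struct.unpack(">BHH", pdu)
    if fc != FC_READ_HOLDING:
        return bytes([fc | 0x80, EXC_ILLEGAL_FUNCTION])
    if not 1 <= quantity <= MAX_REGISTERS_PER_READ:
        return bytes([fc | 0x80, EXC_ILLEGAL_DATA_VALUE])
    # The last index read is start + quantity - 1, so the off-by-one-safe
    # rejection condition is start + quantity > len(table), not >=.
    if start + quantity > len(table):
        return bytes([fc | 0x80, EXC_ILLEGAL_DATA_ADDRESS])
    return _encode_response(table[start:start + quantity])


def request_crashes(handler, pdu: bytes) -> bool:
    """True if the handler raises on the request, i.e. the service would die."""
    try:
        handler(pdu)
        return False
    except (IndexError, struct.error):
        return True


if __name__ == "__main__":
    ok = build_read_request(0, 4)
    bad = build_read_request(90, 20)           # runs 10 registers past the end
    print("normal reply          :", handle_read_vulnerable(ok).hex())
    print("vulnerable crashes    :", request_crashes(handle_read_vulnerable, bad))
    print("hardened reply to bad :", handle_read_hardened(bad).hex())
```

The hardened handler answers a bad request with a Modbus exception instead of dying; that is the difference between a fuzzed frame being a logged event and it being a denial of service.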

Types of attacks against ICS and SCADA

The figure shows a classification based on the types of attacks against ICS and SCADA.

Mitigation Strategies:

Securing these systems demands a multi-faceted approach. Implementing asset management, conducting vulnerability assessments, enforcing integrity checks, employing robust access controls, and deploying intrusion detection/prevention systems are critical measures to fortify ICS and SCADA against cyber threats.

Some of the control and mitigation mechanisms that should be implemented are listed below:

Asset management:

An asset inventory helps discover unauthorised devices connected to a SCADA network. Active asset discovery (scanning) can be risky in a control system, since probes can disturb fragile field devices. Passive asset discovery is better suited to a control network because it observes traffic already on the wire (for example, from a SPAN port or network tap) without generating additional traffic or interrupting critical processes. It can be accomplished using non-intrusive sources, including MAC and ARP tables, DNS, or ICS-specific tools. A real-time asset inventory saves time, increases accuracy, and detects unauthorised devices as soon as they connect.

Industrial Defender Automation Systems Manager (ASM)

ASM collects software and hardware version information across a SCADA network and can inventory both IP and non-IP devices. If an unknown device is attached to the network, its ARP watch raises an alert by comparing the observed IP and MAC addresses against the IP/MAC pairs already recorded in the ASM system.
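As an added example of the passive inventory and ARP-watch idea described in the two paragraphs above (this is illustrative code written for this article, not the article’s own code and not Industrial Defender’s ASM), the following script parses ARP replies in tcpdump’s text format as a sensor on a SPAN port would record them, keeps an IP-to-MAC inventory, and alerts when an unknown host appears or a known IP starts answering from a new MAC. The baseline inventory and the captured lines are constructed for the example.

```python
"""Added example (not the article's code, not Industrial Defender ASM):
a minimal ARP watch in the spirit of passive asset discovery. It parses
ARP replies from tcpdump-style text, keeps an IP -> MAC inventory and
alerts on unknown hosts and on known IPs that answer from a new MAC.
The baseline and the capture below are constructed for this example."""
import re
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "ts ip mac")

# Constructed baseline: what engineering believes is on the control VLAN.
BASELINE = {
    "10.10.1.10": "00:1d:9c:aa:bb:01",   # PLC-1
    "10.10.1.11": "00:1d:9c:aa:bb:02",   # PLC-2
    "10.10.1.50": "00:0c:29:10:20:30",   # HMI workstation
}

# Constructed capture in 'tcpdump -tttt -n -e arp' style.
SAMPLE_LINES = """\
2024-03-01 08:00:01.120 00:1d:9c:aa:bb:01 > 00:0c:29:10:20:30, ARP, Reply 10.10.1.10 is-at 00:1d:9c:aa:bb:01, length 46
2024-03-01 08:00:05.301 00:0c:29:10:20:30 > 00:1d:9c:aa:bb:01, ARP, Reply 10.10.1.50 is-at 00:0c:29:10:20:30, length 46
2024-03-01 08:02:13.004 b8:27:eb:12:34:56 > ff:ff:ff:ff:ff:ff, ARP, Request who-has 10.10.1.10 tell 10.10.1.77, length 46
2024-03-01 08:02:13.009 b8:27:eb:12:34:56 > 00:1d:9c:aa:bb:01, ARP, Reply 10.10.1.77 is-at b8:27:eb:12:34:56, length 46
2024-03-01 08:03:40.777 b8:27:eb:12:34:56 > 00:0c:29:10:20:30, ARP, Reply 10.10.1.10 is-at b8:27:eb:12:34:56, length 46
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")


def parse_arp_replies(text: str):
    """Yield ArpReply records; ARP requests and non-ARP lines are skipped."""
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield ArpReply(m["ts"], m["ip"], m["mac"].lower())


def arp_watch(replies, baseline):
    """Compare each reply with the inventory; return (alert_type, reply) pairs.

    NEW_DEVICE : an IP never seen before answered ARP.
    MAC_CHANGED: a known IP answered from a MAC not on file, which is what
                 a rogue device reusing a PLC's address or an ARP spoofing
                 attempt looks like on the wire."""
    inventory = {ip: {mac} for ip, mac in baseline.items()}
    alerts = []
    for r in replies:
        if r.ip not in inventory:
            alerts.append(("NEW_DEVICE", r))
            inventory[r.ip] = {r.mac}
        elif r.mac not in inventory[r.ip]:
            alerts.append(("MAC_CHANGED", r))
            inventory[r.ip].add(r.mac)   # learn it so the same pair alerts once
    return alerts


if __name__ == "__main__":
    for kind, r in arp_watch(parse_arp_replies(SAMPLE_LINES), BASELINE):
        print(f"{r.ts}  {kind:12s} {r.ip} is-at {r.mac}")
```

Nothing here sends a packet: the sensor only reads what the switch already mirrors to it, which is why this style of discovery is safe on a live control network.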

Vulnerability assessment and management:

An asset inventory helps an organisation identify its attack surface; a vulnerability assessment helps determine which of those entry points attackers may actually use. In many ICS organisations the field devices are vulnerable to malware because of weaknesses in their design, so risk assessment must be conducted on a routine basis. In IT networks, automated scanning tools are used to find and patch vulnerabilities, and upgrades are installed according to the scan reports. This approach is often impractical for SCADA systems because active scanning can halt the system’s primary functions and services. Passive vulnerability assessment (matching inventoried software and firmware versions against known vulnerabilities without probing the devices) can help manage organisational risk.

Integrity checks:

Integrity checks on the messages received by field devices (for example, verifying frame lengths and checksums and rejecting malformed packets) can prevent fuzzing attempts and DoS or DDoS attacks from crashing a SCADA server or network.

Input validation: 

SCADA designers should consider every point where an attacker can supply data. A whitelist approach should define the accepted data types, sizes and structure of all data that enters the SCADA application. Validating inputs against predefined rules, including range, length and format checks (and rejecting values, such as a zero divisor, that would break later arithmetic), mitigates SQL injection, XSS and command injection. Administrators should also use parameterised queries or stored procedures for SQL; these are parsed by the database server separately from their parameters, so user input can never change the structure of the statement.

Output encoding:

Output encoding transforms user-supplied data into a form that the browser cannot interpret as code when it is rendered. Applying HTML, URL, JavaScript or CSS encoding, matching the context into which the data is inserted, prevents or mitigates XSS attacks. URL encoding should only be applied to the parameter values within a URL, not to the whole URL.
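The two sections above (input validation with parameterised SQL, and output encoding) are demonstrated together in the following added example, which is illustrative code written for this article rather than the article’s own. It models a small HMI-style tag lookup: a string-built query beside its parameterised form, a whitelist check on a setpoint write, and HTML encoding before a value is rendered. The schema, tag names and engineering limits are constructed for the example.

```python
"""Added example (not code from the article): an HMI-style tag lookup
that contrasts string-built SQL with a parameterised query, validates a
setpoint write against a whitelist of tag names and a numeric range, and
HTML-encodes data before rendering it. Schema, tags and limits are
constructed for this example."""
import html
import re
import sqlite3

# Whitelist for tag names: uppercase identifier, at most 32 characters.
TAG_NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]{0,31}$")
# Constructed engineering limits per writable tag: (min, max).
SETPOINT_LIMITS = {"PUMP1_SPEED": (0, 1500), "TANK1_LEVEL_SP": (0, 100)}


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the HMI's tag database (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (name TEXT PRIMARY KEY, value REAL, descr TEXT)")
    conn.executemany("INSERT INTO tags VALUES (?, ?, ?)", [
        ("PUMP1_SPEED", 1200.0, "Pump 1 speed (rpm)"),
        ("TANK1_LEVEL_SP", 55.0, "Tank 1 level setpoint (%)"),
        ("ADMIN_PIN", 4321.0, "operator-only"),
    ])
    return conn


def lookup_vulnerable(conn, name: str):
    """String concatenation: the caller controls part of the SQL text, so
    a value like "' OR '1'='1" rewrites the WHERE clause."""
    return conn.execute(
        f"SELECT name, value FROM tags WHERE name = '{name}'").fetchall()


def lookup_safe(conn, name: str):
    """Parameterised: the server parses the statement, then binds the value;
    the input can only ever be compared as data."""
    return conn.execute(
        "SELECT name, value FROM tags WHERE name = ?", (name,)).fetchall()


def validate_setpoint(name: str, value):
    """Whitelist check: syntax, known writable tag, numeric type, range."""
    if not TAG_NAME_RE.match(name):
        return False, "tag name has unexpected characters"
    if name not in SETPOINT_LIMITS:
        return False, "tag is not writable"
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False, "value must be numeric"
    lo, hi = SETPOINT_LIMITS[name]
    if not lo <= value <= hi:
        return False, f"value outside {lo}..{hi}"
    return True, "ok"


def render_tag_row(name: str, descr: str) -> str:
    """Output encoding for the HTML element context: escape, then insert."""
    return f"<tr><td>{html.escape(name)}</td><td>{html.escape(descr)}</td></tr>"


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # every row leaks
    print("safe      :", lookup_safe(db, payload))         # no such tag
    print(validate_setpoint("PUMP1_SPEED", 1400), validate_setpoint("PUMP1_SPEED", 2000))
    print(render_tag_row("X", "<script>alert(1)</script>"))
```

Note that validation and parameterisation are complementary: the whitelist stops bad values reaching the process, and the bound parameter stops any value, good or bad, from becoming SQL.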

Privilege access management: 

Privileged access management covers the control of users who hold elevated rights over critical assets in a control system. To prevent privilege escalation by an unauthorised user, services and installations should not run under privileged accounts. Role- or rule-based access control should be applied to SCADA field devices. The principle of least privilege should be followed because it limits malicious behaviour and gives users only the privileges necessary to perform their tasks. Remote access to a SCADA network should pass through a managed gateway. Physical tokens should be considered for access to physical areas.

Credential management: 

Credential management plays a vital role in the cybersecurity of an industrial SCADA system. Administrators should never leave default passwords in place. All stored passwords should be salted and hashed with a slow password-hashing function so that rainbow-table and offline guessing attacks are impractical. MFA should be required for privileged account logins.
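The salting and default-password points above are shown concretely in this added example (illustrative code for this article, not the article’s own): it contrasts an unsalted hash with a per-user salted PBKDF2 derivation, verifies in constant time, and rejects vendor defaults before they are ever stored. The default-credential list and the usernames are constructed for the example.

```python
"""Added example (not the article's code): password storage and
default-credential checks for an HMI or historian login. Shows why an
unsalted hash lets two users with the same password share one hash
(rainbow tables work), stores a random per-user salt with a slow PBKDF2
derivation instead, compares in constant time, and refuses vendor
defaults. The default-credential list is constructed."""
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000          # raise for the hardware you deploy on

# Constructed list; a real deployment would take it from vendor documentation.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("operator", "operator"), ("root", "root")}


def unsalted_sha256(password: str) -> str:
    """The 'unsalted hash value' weakness: same input, same output, every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$hash' with a fresh 16-byte salt."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def is_default_credential(username: str, password: str) -> bool:
    return (username.lower(), password) in DEFAULT_CREDENTIALS


def enrol_user(store: dict, username: str, password: str) -> bool:
    """Reject vendor defaults and short passwords; store only the salted hash."""
    if is_default_credential(username, password) or len(password) < 12:
        return False
    store[username] = hash_password(password)
    return True


if __name__ == "__main__":
    users = {}
    print("default rejected:", not enrol_user(users, "admin", "admin"))
    enrol_user(users, "op1", "Winter2024!!x")
    enrol_user(users, "op2", "Winter2024!!x")
    print("unsalted hashes equal  :", unsalted_sha256("Winter2024!!x") == unsalted_sha256("Winter2024!!x"))
    print("salted hashes equal    :", users["op1"] == users["op2"])
    print("op1 verifies           :", verify_password("Winter2024!!x", users["op1"]))
```

Storing the iteration count alongside the hash lets the cost be raised later without invalidating existing records: old entries verify with their recorded count and are re-hashed at the new cost on the next successful login.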

Intrusion detection, prevention, and prediction systems: 

An IDS should be deployed to detect known attack patterns by signature matching; it gives security professionals a better understanding of their network’s security posture and the threats it faces. Because it allows threats to be identified and responded to proactively, an IDS is an essential component of a robust cybersecurity strategy. In a control network the sensor should be passive, fed from a SPAN port or tap, and its signatures should understand the industrial protocols in use.
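To show what “signature matching” means for industrial traffic, here is an added example written for this article (not the article’s own code, and not any particular IDS product). It parses Modbus/TCP frames as a passive sensor would see them and matches each against a small signature set: the diagnostic sub-functions that silence or restart a device, writes from hosts other than the engineering workstation, and frames whose length field disagrees with the bytes on the wire. Function codes and sub-function numbers are from the public Modbus specification; the hosts, the policy and the captured frames are constructed.

```python
"""Added example (not from the article): signature-based detection over
Modbus/TCP frames, the kind of logic a passive IDS sensor on a control
network runs. Function codes and diagnostic sub-functions are from the
public Modbus specification; the hosts and frames are constructed."""
import struct
from collections import namedtuple

Packet = namedtuple("Packet", "src dst payload")

# Constructed policy: only the engineering workstation may write to PLCs.
ENGINEERING_HOSTS = {"10.10.1.50"}
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}   # write coil(s) / register(s)
FC_DIAGNOSTICS = 0x08
DIAG_RESTART_COMMS = 0x0001
DIAG_FORCE_LISTEN_ONLY = 0x0004


def parse_modbus_tcp(payload: bytes):
    """Return {'tid','unit','fc','data'} or None if the MBAP header is bad."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    # The length field counts unit id + PDU: everything after the first 6 bytes.
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit, "fc": fc, "data": payload[8:]}


def _diag_subfunction(m):
    return struct.unpack(">H", m["data"][:2])[0] if len(m["data"]) >= 2 else None


SIGNATURES = [
    ("modbus-diag-force-listen-only",
     lambda pkt, m: m["fc"] == FC_DIAGNOSTICS
     and _diag_subfunction(m) == DIAG_FORCE_LISTEN_ONLY),
    ("modbus-diag-restart-comms",
     lambda pkt, m: m["fc"] == FC_DIAGNOSTICS
     and _diag_subfunction(m) == DIAG_RESTART_COMMS),
    ("modbus-write-from-unauthorised-host",
     lambda pkt, m: m["fc"] in WRITE_FUNCTIONS
     and pkt.src not in ENGINEERING_HOSTS),
]


def run_ids(packets):
    """Return (signature_name, src_ip) for every match, in packet order."""
    alerts = []
    for pkt in packets:
        m = parse_modbus_tcp(pkt.payload)
        if m is None:
            alerts.append(("modbus-malformed-frame", pkt.src))
            continue
        for name, matches in SIGNATURES:
            if matches(pkt, m):
                alerts.append((name, pkt.src))
    return alerts


def _frame(hex_with_spaces: str) -> bytes:
    return bytes.fromhex(hex_with_spaces.replace(" ", ""))


# Constructed traffic. MBAP = tid(2) proto(2) len(2) unit(1), then the PDU.
SAMPLE_PACKETS = [
    # HMI reads 4 holding registers: benign.
    Packet("10.10.1.50", "10.10.1.10", _frame("0001 0000 0006 01 03 0000 0004")),
    # Engineering workstation writes register 1 = 1500: allowed by policy.
    Packet("10.10.1.50", "10.10.1.10", _frame("0002 0000 0006 01 06 0001 05dc")),
    # Unknown host writes the same register: policy violation.
    Packet("10.10.1.77", "10.10.1.10", _frame("0003 0000 0006 01 06 0001 05dc")),
    # Unknown host sends Diagnostics / Force Listen Only Mode: silences the PLC.
    Packet("10.10.1.77", "10.10.1.10", _frame("0004 0000 0006 01 08 0004 0000")),
    # Length field claims 32 bytes but only 6 follow: malformed, typical of fuzzing.
    Packet("10.10.1.77", "10.10.1.10", _frame("0005 0000 0020 01 03 0000 0001")),
]


if __name__ == "__main__":
    for name, src in run_ids(SAMPLE_PACKETS):
        print(f"ALERT {name:36s} src={src}")
```

The third signature is really a policy rule rather than an attack pattern; in a control network, where the set of hosts that should ever write to a PLC is small and static, such allow-list rules catch more than generic exploit signatures do.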

Conclusion:

ICS and SCADA are increasingly exposed to the same cyber threats as IT systems. Our team at Altimetrik Security is dedicated to safeguarding ICS and SCADA systems. By leveraging our expertise, we swiftly identify vulnerabilities, aid in remediation, and strengthen these systems against evolving threats. Our proactive approach aligns with industry best practices, ensuring a resilient defence against cyber threats.

Nikhil Badsheshi
