In today’s interconnected world, Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems play a pivotal role in managing critical infrastructure, including water supply systems, oil pipelines, transportation, and electricity. They perform essential functions such as monitoring data from pumps, valves, and transmitters.
However, this increasing interconnectivity introduces vulnerabilities that malicious actors could exploit to cause harm to systems through virtual or physical means. Such attacks can cause serious harm to individuals or even whole communities by destroying water purification systems, disabling power plants, and prolonging critical system outages.
ICS and SCADA systems face various vulnerabilities, from implementation errors to security misconfigurations and weak authentication practices. These vulnerabilities, if left unaddressed, could lead to severe consequences, including system outages and physical damage.
Some of the causes of vulnerabilities are listed below:
1. Implementation issues
These vulnerabilities are caused by implementation errors in design and architecture. For example, a programmer does not validate inputs because they believe an attacker cannot modify them, assuming that the cookies in a web browser cannot be changed. However, any hidden form field in a web browser can be altered using a proxy. The figure shows the relationships between the vulnerabilities: each subsection is a cause that leads to another cause. For example, insufficient input validation (cause) leads to a buffer overflow (another cause), which in turn leads to denial of service and remote code execution.
2. Lack of input validation
This weakness occurs when SCADA software receives inputs from other components but does not verify that those inputs are correct and safe. It can give rise to other vulnerabilities, such as path traversal, command injection, OS command injection, cross-site scripting (XSS), and SQL injection.
3. Improper validation of array index
This vulnerability also results from insufficient input validation: the software does not validate index references when it receives inputs from upstream components.
4. Untrusted search path
The program looks for critical resources using an untrusted search path that can refer to resources outside the direct control of the application. A successful exploit leads to dynamic-link library (DLL) hijacking.
5. Improper limitation of memory buffer
This weakness occurs when, because of insufficient input validation, the software reads from or writes to a memory buffer outside its intended limits. It can lead to buffer overflows and off-by-one errors.
6. Improper control flow management
During execution, the code does not effectively manage its control flow, which can unexpectedly alter the execution logic. It can lead to race conditions, time-of-check/time-of-use (TOCTOU) errors, server-side request forgery, and hidden-functionality errors.
7. Security misconfiguration issues
Vulnerabilities that arise from the use of weak security techniques include lack of encryption, inadequate encryption strength, insufficient random values, and insufficient verification of data authenticity.
8. Weak password requirement
The software does not enforce a strong password policy. A successful exploit leads to privilege escalation.
9. Improper access control
The software improperly restricts or allows access to critical resources. Access control comprises the AAA protection mechanisms: authorisation, which ensures that critical resources are accessible only by authorised actors; authentication, which identifies the actors; and accountability, which tracks the activities of the actors.
10. Improper authentication
This occurs when the software does not validate, or improperly validates, the identity of a user. Different variants of improper authentication exist: authentication bypass, use of hard-coded credentials, authentication bypass by capture-replay, lack of certificate validation, default password configuration, improper restriction of invalid authentication attempts, improper authorisation, and unsalted hash values.
The figure shows classifications based on the types of attacks against ICS and SCADA.
Mitigation Strategies:
Securing these systems demands a multi-faceted approach. Implementing asset management, conducting vulnerability assessments, ensuring integrity checks, employing robust access controls, and utilizing intrusion detection/prevention systems are critical measures to fortify ICS and SCADA against cyber threats.
Some of the control and mitigation mechanisms that should be implemented are listed below:
Assets management:
Asset inventory can help discover unauthorised devices connected to a SCADA network. Active asset inventory can be challenging in the context of a SCADA system. Passive asset inventory, however, is applicable to a control system because it generates no additional traffic on the network and does not interrupt critical processes. Passive asset discovery can be accomplished using non-intrusive methods, including MAC/ARP tables, DNS records, or ICS-specific tools. Real-time asset inventory saves time, increases accuracy, and detects unauthorised devices connected to the network.
Industrial Defender Automation Systems Manager (ASM):
ASM collects information on software and hardware versions across a SCADA network and can scan both IP and non-IP devices. If an unknown device is attached to the network, the ARP watch generates an alert by comparing the observed IP and MAC addresses with those recorded in the ASM system.
Vulnerability assessment and management:
Although asset inventory can help an organisation identify its attack surface, vulnerability assessment helps determine the entry points that attackers may use. In several ICS organisations, field devices are vulnerable to malware attacks due to weaknesses in their structural design, so it is crucial to conduct risk assessments on a routine basis. In IT networks, automated scanning tools are used to manage and patch vulnerabilities, and system upgrades can be installed according to the scan reports. However, this approach is not practical for assessing SCADA vulnerabilities because it halts the system’s primary functions and services. Passive vulnerability assessment can help manage organisational risks instead.
Integrity checks:
Integrity checks in field devices can prevent fuzzing attempts that aim to crash a SCADA server or network through DoS and DDoS attacks.
Input validation:
SCADA designers should consider all the possible entry points where attackers can supply data. A whitelist approach should account for all data types, the amount of data, and the structure of the data fed into the SCADA application or software. Adopting input validation techniques that check user inputs against predefined rules, including range, length, divide-by-zero, and format checks, can mitigate SQL injection, XSS, and command injection attacks. Administrators should also use parameterised statements or stored procedures to process SQL queries; these are parsed by the database server separately from any parameters.
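The whitelist validation and parameterised-query advice above, as an added example that is not from the original post: a setpoint-write request for a SCADA web front end is checked for tag-name format and length, whitelist membership and numeric range, and then stored with a parameterised statement so the database never parses the tag as SQL. Tag names, ranges and the table schema are assumptions made for illustration.

```python
# Added example: whitelist input validation plus a parameterised query.
# Tags, ranges and schema are constructed for illustration.
import re
import sqlite3

# Constructed whitelist: tag name -> (min, max) engineering range.
TAG_RANGES = {"PUMP1_SPEED": (0.0, 1800.0), "VALVE2_POS": (0.0, 100.0)}
TAG_NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]{1,31}$")   # format and length check

def validate_setpoint(tag, value_text):
    """Return (tag, float) if the request passes every whitelist rule, else raise ValueError."""
    if not isinstance(tag, str) or not TAG_NAME_RE.match(tag):
        raise ValueError("tag name fails format/length check")
    if tag not in TAG_RANGES:
        raise ValueError("tag is not on the whitelist")
    try:
        value = float(value_text)
    except (TypeError, ValueError):
        raise ValueError("value is not numeric")
    lo, hi = TAG_RANGES[tag]
    if not (lo <= value <= hi):          # range check; also rejects NaN
        raise ValueError(f"value {value} outside {lo}..{hi}")
    return tag, value

def record_setpoint(conn, tag, value):
    """Persist the write with bound parameters; returns the row count for that tag.
    The statement text is fixed, so quotes or SQL keywords in `tag` stay data."""
    conn.execute("INSERT INTO setpoints(tag, value) VALUES (?, ?)", (tag, value))
    conn.commit()
    row = conn.execute("SELECT COUNT(*) FROM setpoints WHERE tag = ?", (tag,)).fetchone()
    return row[0]

def handle_request(conn, tag, value_text):
    """Validate first, then persist. Raises ValueError on any rule violation."""
    tag, value = validate_setpoint(tag, value_text)
    return record_setpoint(conn, tag, value)

def make_db():
    """In-memory database with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE setpoints(tag TEXT NOT NULL, value REAL NOT NULL)")
    return conn

if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, "PUMP1_SPEED", "1200"))   # accepted
    try:
        handle_request(db, "PUMP1_SPEED", "5000")       # out of range
    except ValueError as e:
        print("rejected:", e)
```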
Output encoding:
Output encoding transforms a user’s input into a safe form that cannot be interpreted as code by an HTML browser. Adopting HTML, URL, JavaScript, and CSS encoding can prevent or mitigate XSS attacks. URL encoding should be applied only to the parameter values in a URL.
Privilege access management:
Privilege management refers to managing privileged users’ access to critical assets in a control system. To prevent privilege escalation by an unauthorised user, system installations should not run in privileged mode, and there should be rule-based access control for SCADA field devices. The principle of least privilege should be applied because it limits malicious behaviour and grants users only the privileges necessary to perform their tasks. Gateways should be implemented to manage remote access to a SCADA network, and physical tokens should be considered for access to physical areas.
Credential management:
Credential management plays a vital role in improving the cybersecurity of an industrial SCADA system. Administrators should avoid using default password configurations. All user passwords should be hashed and salted to defeat rainbow table attacks. MFA should be used for privileged account logins.
Intrusion detection, prevention, and prediction systems:
An IDS should be used to detect known attack patterns by signature matching; it gives security professionals a better understanding of their network’s security posture and the types of threats it faces. Because an IDS is required for proactively identifying and responding to security threats, it is an essential component of a robust cybersecurity strategy.
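Signature matching as described above, as an added example that is not from the original post or any IDS product: two constructed signatures are run over constructed SCADA gateway log lines, one for a write command from a host that is not the HMI, one for the repeated failed logins that the "improper restriction of invalid authentication attempts" weakness earlier in the post leaves undetected. The log format, host roles and threshold are assumptions.

```python
# Added example: minimal signature-based detection over constructed log lines.
# Format, hosts, and rules are assumptions for illustration.
import re
from collections import Counter

# Constructed sample log: timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=10.0.1.50 event=modbus_write dst=10.0.1.10 reg=40001
2024-05-01T10:00:05 src=10.0.1.77 event=modbus_write dst=10.0.1.10 coil=1
2024-05-01T10:00:09 src=10.0.2.9 event=auth_fail user=admin
2024-05-01T10:00:10 src=10.0.2.9 event=auth_fail user=admin
2024-05-01T10:00:11 src=10.0.2.9 event=auth_fail user=admin
2024-05-01T10:00:12 src=10.0.2.9 event=auth_fail user=admin
2024-05-01T10:00:20 src=10.0.1.50 event=modbus_read dst=10.0.1.11 reg=40010
"""

AUTHORISED_WRITERS = {"10.0.1.50"}   # constructed: only the HMI may issue writes
FAILED_LOGIN_THRESHOLD = 3           # constructed: alert on the third failure

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")

def parse_line(line):
    """Return (timestamp, {key: value}) for one key=value log line."""
    ts, rest = LINE_RE.match(line).groups()
    return ts, dict(kv.split("=", 1) for kv in rest.split())

def detect(log_text):
    """Apply both signatures; return a list of (rule_name, source_ip) alerts.
    The brute-force rule fires once per source, when the threshold is reached."""
    alerts = []
    failures = Counter()
    for line in log_text.strip().splitlines():
        _ts, f = parse_line(line)
        # Signature 1: a write command whose source is not an authorised writer.
        if f.get("event") == "modbus_write" and f["src"] not in AUTHORISED_WRITERS:
            alerts.append(("unauthorised_write", f["src"]))
        # Signature 2: repeated authentication failures from one source.
        if f.get("event") == "auth_fail":
            failures[f["src"]] += 1
            if failures[f["src"]] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("auth_bruteforce", f["src"]))
    return alerts

if __name__ == "__main__":
    for rule, src in detect(SAMPLE_LOG):
        print(f"ALERT {rule} from {src}")
```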
Conclusion:
ICS and SCADA are increasingly exposed to the same cyber threats as IT. At the forefront of cybersecurity, our team at Altimetrik Security is dedicated to safeguarding ICS and SCADA systems. By leveraging our expertise, we swiftly identify vulnerabilities, aid in remediation, and strengthen these systems against evolving threats. Our proactive approach aligns with industry best practices, ensuring a resilient defence against cyber threats.