The need to secure the DCS and SCADA systems essential to running the critical infrastructure has been well documented in industry publications (see Securing Control Systems: What You Need to Know, Feb. 04, p43) and in recently published GAO reports. So why hasn't this problem been solved?
One major reason is that appropriate security solutions are not available. Inadequacies exist in the hardware and software solutions as well as in the protocols and underlying architectures that are commonly deployed. Recognizing the need for new solutions, the Department of Homeland Security (DHS) issued a solicitation under the Small Business Innovation Research (SBIR) program seeking innovative ideas to protect SCADA systems from attack. The solicitation also requested proposals to secure DCS; in this article the term SCADA is used to refer to SCADA, DCS, and other process control systems.
"DHS believes that improving the security of distributed control and SCADA systems is an important part of our overall effort to improve the security of the country's critical infrastructure," said Dr. Peter Miller, program manager in the Science and Technology Directorate of DHS. "Congress confirmed the importance of this effort with the release in March 2004 of the GAO report 'Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems.' Through the SBIR awards, HSARPA [Homeland Security Advanced Research Projects Agency] is supporting innovative research in areas such as authentication and intrusion detection that offer the possibility of significantly advancing the state of the art in distributed control and SCADA systems security."
Thirteen small businesses were awarded Phase I contracts under the SBIR program. Limited to $100,000 in funding, Phase I programs have a 6-month duration. During Phase I the researchers create a formal design of the proposed concept and present the results in a preliminary design review with the DHS.
Interestingly, many of the funded projects attack the same problem with very different technical approaches. This is a reminder that these are research programs: it is not yet clear which approach, or combination of approaches, will prove the best solution to each security problem.
Securing Field Communications
The protocols used for control center-to-PLC/RTU communications are highly insecure because encryption, authentication, and other security measures were never designed into them. An adversary with access to the link could exploit this by inserting false commands and responses or modifying legitimate traffic; the CRC or checksum these protocols carry is no defense, since it is trivially recomputed over the altered message. This problem will be around for a long time given that the life span of field devices is measured in decades, so security solutions are required for both legacy systems and new deployments.
Many existing field devices use 8-bit microprocessors with limited computing power. Asier Technology Corp. has developed encryption algorithms for low-power, 8-bit microprocessors and will attempt to integrate its software into currently available PLCs and RTUs. If successful, this would provide an inexpensive upgrade path to secure field communications, as opposed to wholesale replacement.
Dunti LLC will combine network interface technology with encryption and other security protection to create a secure network interface card or module for PLCs. This would take the security processing off the PLC's microprocessor, memory, and other components. Remote management would allow upgrades as security algorithms and standards change. The initial solution will be a separate box at each PLC, but the end goal is a card or module integrated into the PLC.
Middleware vendor Starthis, Inc.'s software allows an IBM, BEA, Oracle or any other application server that uses the Java 2 Platform Enterprise Edition (J2EE) environment to communicate with industrial controllers. During its research project Starthis plans to add encryption and other security protection to this communication by leveraging the security capabilities in J2EE. A small encryption box is likely to be required at the PLC in the project's initial phase; however, the software could also be integrated into a PLC.
Field Communication Encryption
The Right Stuff of Tahoe, Inc. will also investigate adding encryption to field communications, in a small box for legacy systems and directly in the RTU for new systems. While replacing RTUs can be expensive, having secure RTU solutions available for new systems is an important step toward eventually securing field communications. Initial efforts will include support for the American Gas Association security standard effort (AGA 12-1) for low-speed serial links and existing industry-standard security protocols for higher-speed IP connections.
Encryption algorithms require cryptographic keys. Keys can be manually delivered and loaded into encryption devices, but as a practical and security matter, an automated and centrally managed solution is required for even a medium-size SCADA system.
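As an added example (not code from the article or from any of the projects described), the following Python shows why the field protocols described above are trivially spoofable and what a bump-in-the-wire authenticator of the kind these projects are building adds. The frame format follows Modbus RTU (unit, function, data, CRC-16). The wrapper, a sequence number plus a truncated HMAC-SHA256 tag and no encryption, is a simplified stand-in for a link protector such as AGA 12-1 and is this example's own assumption, not any vendor's design. The key is a constructed test value.

```python
"""Added example: unauthenticated Modbus RTU versus an authenticated wrapper.
Not code from the article or from any DHS-funded project. The wrapper format
(seq || frame || truncated HMAC tag) is an assumption of this example."""
import hashlib
import hmac
import struct
from typing import Optional

WRITE_SINGLE_COIL = 0x05


def modbus_crc(data: bytes) -> int:
    """CRC-16/Modbus: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_write_coil(unit: int, coil: int, on: bool) -> bytes:
    """Modbus RTU 'Write Single Coil' request (0xFF00 = ON, 0x0000 = OFF)."""
    body = struct.pack(">BBHH", unit, WRITE_SINGLE_COIL, coil, 0xFF00 if on else 0x0000)
    return body + struct.pack("<H", modbus_crc(body))  # CRC goes on the wire low byte first


def rtu_accepts(frame: bytes) -> bool:
    """All a plain RTU checks is the CRC; it cannot tell operator from adversary."""
    body, crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    return modbus_crc(body) == crc


def tamper(frame: bytes, on: bool) -> bytes:
    """An adversary on the wire flips the coil value and simply recomputes the CRC."""
    body = bytearray(frame[:-2])
    body[4:6] = struct.pack(">H", 0xFF00 if on else 0x0000)
    return bytes(body) + struct.pack("<H", modbus_crc(bytes(body)))


class SecureLink:
    """One end of an authenticated serial link; both ends share `key`.
    Wire format: seq (4 bytes, big-endian) || Modbus frame || 16-byte HMAC-SHA256 tag.
    The tag is truncated to keep overhead low on slow serial links (design choice)."""
    TAG_LEN = 16

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._send_seq = 0
        self._last_recv_seq = -1

    def _tag(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()[: self.TAG_LEN]

    def wrap(self, frame: bytes) -> bytes:
        self._send_seq += 1
        header = struct.pack(">I", self._send_seq)
        return header + frame + self._tag(header + frame)

    def unwrap(self, blob: bytes) -> Optional[bytes]:
        """Return the inner frame, or None if the tag, sequence number or CRC is bad."""
        if len(blob) < 4 + 4 + self.TAG_LEN:
            return None
        msg, tag = blob[: -self.TAG_LEN], blob[-self.TAG_LEN :]
        if not hmac.compare_digest(tag, self._tag(msg)):  # forged or modified in transit
            return None
        seq = struct.unpack(">I", msg[:4])[0]
        if seq <= self._last_recv_seq:  # replay of an earlier, genuine command
            return None
        self._last_recv_seq = seq
        frame = msg[4:]
        return frame if rtu_accepts(frame) else None


def demo() -> dict:
    """Run the legitimate, forged and replayed cases against both kinds of RTU."""
    # Constructed test key. In practice the key comes from a key-management system.
    key = bytes.fromhex("00112233445566778899aabbccddeeff")
    legit = build_write_coil(unit=1, coil=0, on=True)
    forged = tamper(legit, on=False)
    master, rtu = SecureLink(key), SecureLink(key)
    blob = master.wrap(legit)
    tampered_blob = blob[:4] + forged + blob[4 + len(legit) :]  # attacker keeps the old tag
    return {
        "plain_rtu_accepts_legit": rtu_accepts(legit),
        "plain_rtu_accepts_forged": rtu_accepts(forged),  # True: the flaw
        "secure_rtu_accepts_legit": rtu.unwrap(blob) == legit,
        "secure_rtu_accepts_tampered": rtu.unwrap(tampered_blob) is not None,
        "secure_rtu_accepts_replay": rtu.unwrap(blob) is not None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The plain RTU accepts the forged frame because the CRC was never meant to resist a deliberate attacker. The wrapped link rejects the modified frame (tag mismatch) and the replayed one (stale sequence number), which is the property the field-communication projects above are after; the sequence counter must survive device resets or be re-synchronized on a fresh key, a detail this example leaves to the key-management layer.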
TecSec, Inc. will apply their experience in developing key management solutions for other sensitive sectors to the SCADA environment in the prototype design of a Secure Crypto Management System (SCMS). The SCMS would cover the entire lifecycle of a crypto key including generation, allocation, distribution, use and destruction. The SCMS could be used in a variety of SCADA encryption solutions, potentially even some of the other DHS-sponsored projects previously described.
In a perfect world, preventive security measures would stop all attacks. Unfortunately, the world is not perfect, and that means detection is also required. Take, for example, a bank. Banks have locks on the doors, bars on the windows and a vault, but the bank still deploys detection in the form of security guards, cameras and motion detectors. In the cyber world, detection is provided by intrusion detection systems (IDS).
One of the most popular IDSs is the open-source Snort program, which currently detects attacks on common protocols, operating systems, and applications. Digital Bond's research project will build on the Snort code and add SCADA protocol and system-specific intrusion detection signatures. Additionally, Digital Bond will work with SCADA application vendors and managed security service providers (MSSPs) to integrate the security events in SCADA application logs into the MSSPs' services. The results of this project will be open source.
Expert Microsystems, Inc. is working to improve SCADA security information management for intrusion detection. The company's focus will be on anomaly detection techniques that can identify new attacks for which no signature yet exists. An interesting element of this project is the addition of artificial intelligence algorithms that allow the software to learn and to customize the detection engine for each SCADA system. In theory, a learning system would lower the number of false positives and be more accurate in setting the threat level of an incident.
SNVC, L.C. has teamed with Mykotronx on a third research project in the IDS area. Very little additional information on this project is publicly available at this time. Mykotronx's background in providing hardware security modules and chips for the U.S. Government may provide some clues to the project's direction.
Relying on passwords alone for user authentication is almost always a mistake. Users usually select easy-to-remember, and therefore easy-to-guess, passwords and often share them with other users. Even when security policies force users to select strong passwords and change them frequently, people write the passwords down and leave them in plain sight, taped to desks or monitors.
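As an added example (not code from the article, from Snort, or from the Digital Bond or Expert Microsystems projects), the following Python runs both styles of detection discussed above over a few constructed Modbus/TCP packets: stateless signature rules of the kind one would write for Snort (a write command from a host that is not the HMI; a diagnostics request that forces a PLC into listen-only mode) and a simple learned baseline that flags (source, destination, function code) combinations never seen during a training period. The addresses and packets are constructed for the example; a real sensor would read them from the network.

```python
"""Added example: signature and anomaly detection over Modbus/TCP.
Not code from the article, Snort or any DHS-funded project. Packets, hosts
and the training period below are constructed for the example."""
import struct
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

MODBUS_PORT = 502
WRITE_FUNCS = {0x05, 0x06, 0x0F, 0x10}  # write single/multiple coils and registers
DIAGNOSTICS, FORCE_LISTEN_ONLY = 0x08, 0x0004  # function 8, sub-function 4


class Packet(NamedTuple):
    src: str
    dst: str
    dport: int
    payload: bytes


class ModbusPDU(NamedTuple):
    unit: int
    func: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusPDU]:
    """Parse the MBAP header and PDU; None if the payload is not well-formed Modbus/TCP."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit, func = struct.unpack(">HHHBB", payload[:8])
    if proto != 0 or length != len(payload) - 6:  # length covers unit id + PDU
        return None
    return ModbusPDU(unit, func, payload[8:])


def signature_alerts(pkt: Packet, allowed_writers: Set[str]) -> List[str]:
    """Stateless, Snort-style rules: match known-bad content, no memory of past traffic."""
    if pkt.dport != MODBUS_PORT:
        return []
    pdu = parse_modbus_tcp(pkt.payload)
    if pdu is None:
        return []
    alerts = []
    if pdu.func in WRITE_FUNCS and pkt.src not in allowed_writers:
        alerts.append(f"SCADA_WRITE_FROM_UNAUTHORIZED_HOST {pkt.src}->{pkt.dst} func=0x{pdu.func:02x}")
    if pdu.func == DIAGNOSTICS and len(pdu.data) >= 2 \
            and struct.unpack(">H", pdu.data[:2])[0] == FORCE_LISTEN_ONLY:
        alerts.append(f"MODBUS_FORCE_LISTEN_ONLY {pkt.src}->{pkt.dst} unit={pdu.unit}")
    return alerts


class AnomalyDetector:
    """Learns which (src, dst, function) triples are normal, then flags anything new.
    SCADA polling traffic is highly regular, which is what makes this workable there."""

    def __init__(self) -> None:
        self.baseline: Set[Tuple[str, str, int]] = set()

    def learn(self, pkt: Packet) -> None:
        pdu = parse_modbus_tcp(pkt.payload)
        if pdu is not None:
            self.baseline.add((pkt.src, pkt.dst, pdu.func))

    def check(self, pkt: Packet) -> Optional[str]:
        pdu = parse_modbus_tcp(pkt.payload)
        if pdu is None or (pkt.src, pkt.dst, pdu.func) in self.baseline:
            return None
        return f"NEW_BEHAVIOUR {pkt.src}->{pkt.dst} func=0x{pdu.func:02x}"


def mbap(unit: int, func: int, data: bytes, tid: int = 1) -> bytes:
    """Build a Modbus/TCP request: MBAP header (tid, proto 0, length, unit) + PDU."""
    pdu = struct.pack(">B", func) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def run_demo() -> Dict[str, List[str]]:
    hmi, plc, laptop = "10.0.0.10", "10.0.1.5", "10.0.9.77"  # constructed addresses
    read_hr = mbap(1, 0x03, struct.pack(">HH", 0, 10))  # read 10 holding registers
    training = [Packet(hmi, plc, 502, read_hr)] * 3 + [
        Packet(hmi, plc, 502, mbap(1, 0x06, struct.pack(">HH", 5, 100)))]  # HMI setpoint write
    live = [
        Packet(hmi, plc, 502, read_hr),  # routine poll
        Packet(laptop, plc, 502, mbap(1, 0x05, struct.pack(">HH", 0, 0xFF00))),  # coil write from laptop
        Packet(hmi, plc, 502, mbap(1, 0x08, struct.pack(">HH", FORCE_LISTEN_ONLY, 0))),  # silence the PLC
        Packet(laptop, plc, 502, read_hr),  # read from laptop: no signature, but never seen before
    ]
    detector = AnomalyDetector()
    for pkt in training:
        detector.learn(pkt)
    signature, anomaly = [], []
    for pkt in live:
        signature.extend(signature_alerts(pkt, allowed_writers={hmi}))
        hit = detector.check(pkt)
        if hit:
            anomaly.append(hit)
    return {"signature": signature, "anomaly": anomaly}


if __name__ == "__main__":
    for kind, alerts in run_demo().items():
        print(kind, alerts)
```

The two detectors overlap on the obvious cases and differ on the rest: the laptop's read of holding registers matches no signature, because reads are legitimate traffic, but the anomaly detector flags it because that host never spoke to the PLC during training. The reverse also holds, which is the reason to run both: a signature fires on the listen-only request even from the trusted HMI, while a learned baseline will stay quiet if an attacker simply reuses the HMI's normal traffic pattern.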
Today many SCADA applications offer strong authentication that includes at least two of the following three factors:
1. Something you know (password, PIN)
2. Something you have (token, smart card)
3. Something you are (fingerprint, iris scan)
Digital Authentication Technologies (DAT) offers fourth and fifth authentication factors: where you are now and where you have been. For example, the DAT system can determine whether a user is in an authorized location to log in to the network. The technology goes well beyond radio-frequency identification (RFID) proximity cards, which are easily exploited, and includes a variety of complex algorithms intended to prevent spoofing and other attacks. DAT's research project will focus on applying its existing technology to the authentication of users and systems in SCADA networks.
Keep the Lights On
While most of the projects apply to any SCADA system, three of the research projects are focused solely on electric power systems.
Architecture Technology Corporation of Ithaca, New York is developing a system that intelligently restricts commands sent from a SCADA control center based on the state of the electrical grid and a set of inputs such as the requester's identity and the security policy. This access control technology will be implemented via a new access control language and software architecture developed in the project. The system is intended to prevent an adversary who has penetrated the control center from issuing harmful commands, or at least those commands the policy can recognize as harmful.
EnerNex Corp. will begin its project by analyzing the cyber security of the recently published IEC 61850 international standard, Communication Networks and Systems in Substations. After identifying security deficiencies in the standard, EnerNex will implement a variety of readily available, low-cost cryptographic technologies and evaluate their performance in an electric power system.
Stan Klein Associates, LLC is developing an open-source toolkit for constructing secure, next-generation SCADA systems and substation security appliances. In addition to basic SCADA and control center components, building blocks will be developed for many aspects of the utility security problem, including a trusted computer platform, end-to-end protection, network protocol and communication components, user management, role-based access control and intrusion detection.
Little detail is available on the final research project, FieldMetrics' Affordable, Covert Power Grid Monitoring System, due to patent and security issues. The published proposal abstract indicates the project will include a power grid monitoring system that communicates over a secure wireless network. This wireless network could also provide backup communications if the primary network were unavailable.
These thirteen projects are truly research projects, and some of the ideas may undergo substantial revision, or never work, when the dust settles. In fact, the primary purpose of Phase I funding is to determine the feasibility of the ideas.
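As an added example (not Architecture Technology Corporation's design, whose access control language and architecture are not public), the following Python sketches a minimal state-aware command filter of the kind described above: a control-center command passes only if the requester's role permits that action and a live grid model says the operation is safe right now. The topology, roles, loading threshold and two-person rule are constructed assumptions for the example, not utility practice or anything from the project.

```python
"""Added example: a state-aware filter for control-center breaker commands.
Not ATC's design. Topology, roles, the 80% transfer limit and the two-person
rule are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Breaker:
    closed: bool
    feeds: str            # bus energised through this breaker
    load_pct: float = 0.0  # current loading of the line behind it


@dataclass
class GridState:
    breakers: Dict[str, Breaker]

    def energised_sources(self, bus: str) -> Set[str]:
        """Names of closed breakers currently supplying `bus`."""
        return {n for n, b in self.breakers.items() if b.feeds == bus and b.closed}


@dataclass
class Command:
    user: str
    role: str
    action: str  # "open" or "close"
    target: str


# Identity/policy input: which roles may issue which actions (constructed).
ROLE_ACTIONS = {"operator": {"open", "close"}, "maintenance": {"open"}, "viewer": set()}
MAX_TRANSFER_LOAD = 80.0  # refuse an open that would push a parallel line above this


def evaluate(cmd: Command, grid: GridState, two_person_ack: Set[str] = frozenset()) -> Tuple[bool, str]:
    """Return (allowed, reason). Identity is checked first, then the grid state."""
    if cmd.action not in ROLE_ACTIONS.get(cmd.role, set()):
        return False, f"role {cmd.role} may not {cmd.action}"
    if cmd.target not in grid.breakers:
        return False, f"unknown breaker {cmd.target}"
    brk = grid.breakers[cmd.target]
    if cmd.action == "open" and brk.closed:
        others = grid.energised_sources(brk.feeds) - {cmd.target}
        if not others:
            # Opening the last source de-energises the bus: require a second operator.
            if cmd.target not in two_person_ack:
                return False, f"opening {cmd.target} would de-energise {brk.feeds}; second-person approval required"
        elif any(grid.breakers[o].load_pct + brk.load_pct > MAX_TRANSFER_LOAD for o in others):
            return False, f"opening {cmd.target} would overload a parallel line above {MAX_TRANSFER_LOAD}%"
    return True, "allowed"


def run_demo() -> List[Tuple[str, bool, str]]:
    """Evaluate a set of constructed commands against a constructed grid."""
    grid = GridState({
        "CB1": Breaker(closed=True, feeds="BUS-A", load_pct=45.0),
        "CB2": Breaker(closed=True, feeds="BUS-A", load_pct=50.0),
        "CB3": Breaker(closed=True, feeds="BUS-B", load_pct=20.0),
        "CB4": Breaker(closed=False, feeds="BUS-B"),
        "CB5": Breaker(closed=True, feeds="BUS-C", load_pct=10.0),
        "CB6": Breaker(closed=True, feeds="BUS-C", load_pct=30.0),
    })
    cases = [
        ("viewer tries to open CB3", Command("bob", "viewer", "open", "CB3"), frozenset()),
        ("operator closes CB4", Command("alice", "operator", "close", "CB4"), frozenset()),
        ("operator opens CB1 (CB2 would hit 95%)", Command("alice", "operator", "open", "CB1"), frozenset()),
        ("operator opens CB3 (only source for BUS-B)", Command("alice", "operator", "open", "CB3"), frozenset()),
        ("operator opens CB3 with second approval", Command("alice", "operator", "open", "CB3"), frozenset({"CB3"})),
        ("maintenance opens CB5 (CB6 stays at 40%)", Command("carol", "maintenance", "open", "CB5"), frozenset()),
    ]
    results = []
    for label, cmd, ack in cases:
        allowed, reason = evaluate(cmd, grid, ack)
        results.append((label, allowed, reason))
    return results


if __name__ == "__main__":
    for label, allowed, reason in run_demo():
        print(f"{'ALLOW' if allowed else 'DENY '} {label}: {reason}")
```

The point of the second set of checks is that a valid operator credential is not enough: an adversary who has taken over a control-center workstation holds that credential too, so the filter has to reason about what the command would do to the grid, not only about who sent it. The model here is deliberately crude; a real implementation would pull the state from the energy management system and express the rules in a policy language rather than Python conditionals.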
If the ideas have merit, DHS can continue funding the project in Phase II. Phase II funding is typically $750,000, covers up to two years of work, and is expected to produce a prototype suitable for testing on a real SCADA system. After Phase II, the vendors are expected to bring the products to market with private funding sources.
Dale Peterson, CISSP leads the Network Security Consulting Practice at Digital Bond, Inc. He may be contacted at email@example.com.