Once upon a time, industrial control systems and the critical infrastructures built on supervisory control and data acquisition (SCADA) networks focused "just" on the control process itself. Widely different proprietary technologies were employed for the various scenarios, ranging from industrial process control and pipelines to power generation, nuclear plants, water distribution, environmental control, and so on. The crucial part of a SCADA implementation was the design and specification of robust, reliable handling of the alarms generated by the control system's monitors and sensors, and of the reactions and mitigation actions those alarms trigger.
Security, in the sense of defense against cyber-attacks and threats, was not considered a prominent issue. It was believed that the proprietary nature of the technologies and protocols deployed, their niche application and the resulting security by obscurity were a sufficient countermeasure against attackers, especially given the physical isolation of the SCADA network from the Internet and the physical access controls in place. Obscurity is a weak defense, however: it lasts only until a protocol specification leaks or a device firmware is reverse engineered.
In the last decade, many boundary conditions have changed dramatically. On one side, for obvious cost and market reasons, industrial control processes and SCADA systems have progressively adopted common low-cost equipment (Windows/Linux PCs and servers, embedded systems, commercial off-the-shelf switches, etc.). Moreover, the massive deployment of cheap and flexible Internet of Things technologies is expected to affect industrial processes and critical infrastructures to an unprecedented extent. Such devices and technologies rely on the same standard Internet protocols (e.g. TCP/IP, HTTP) and ICT solutions (service-oriented architectures, web-based systems, etc.) used in ordinary networks and systems. They are therefore already extensively scrutinized and probed by attackers, who can bring into SCADA networks the same vulnerabilities and attacks widely exploited on the Internet at large. Many of these attacks are documented in tutorials and online videos and require little technical skill beyond running a ready-made tool.
On the other side, increased connectivity and integration with office and enterprise systems, as well as the mixing of devices, including personal ones owned by employees, have opened several infiltration paths, from direct connections to the Internet to more subtle and stealthy side channels. In the most notable example, the Stuxnet worm is believed to have been introduced into an Iranian nuclear enrichment facility via an infected USB drive, bridging the air gap that was supposed to isolate the control network.
Finally, business (and in some cases, perhaps, governmental) interests mean that industrial processes and critical infrastructures have become key targets for intrusion and espionage, as well as for disruptive attacks.
A needed change of pace
This wave of change has not been followed by a consistent rethinking of how SCADA systems and critical infrastructures in general should be secured. Although it might seem incredible, a far from marginal number of deployments still lacks any cryptographic protection in the internal network. According to a 2013 claim by the Danish security company Secunia, "SCADA software today is at the stage mainstream software was 10 years ago… Many vulnerabilities remain unpatched for longer than one month in SCADA software." A month is a long exposure window in this setting, since plant operators typically cannot patch until a planned maintenance outage. At the end of 2011, the well-known security researchers Terry McCorkle and Billy Rios showcased very alarming findings about the state of SCADA systems' security. Some quotes from their talk: "Ultimately, what we found is the state of ICS security is kind of laughable", with bugs being "straight out of the '90s" and in most cases "blatantly obvious" ones, such as SQL injection, buffer overflows, VB scripts opening command shells, and so on.
Moreover, as time passes, the security situation of industrial control systems and critical infrastructures shows no sign of improving, and may even be worsening. Research from NSS Labs reports that ICS/SCADA vulnerability disclosures increased by more than 600% from 2010 to 2012, and almost doubled from 72 in 2011 to 124 in 2012. These 124 vulnerabilities affect the products of 49 vendors, including many prominent ones.