Dec 09, 2003

Securing Your Water System

Examining the relationship between SCADA systems and water security

In recent times, governments throughout the world have
identified critical infrastructure as potential targets for terrorism. While
physical measures have been taken to secure these infrastructures, one area of
concern remaining is the potential attack on the information and process
control systems belonging to the critical infrastructure.

Many private companies controlling vital public utilities
such as power, gas or water, who never considered they would ever be prone to
cyber attacks are now having to implement measures to improve the security of
their whole organization. The reality is that many companies have become highly
dependent on digital information systems that have been tightly integrated into
their business.

Many SCADA systems that monitor and control critical
infrastructure such as power generation and transmission, water and wastewater
and pipelines over a wide area network, run on industry standard computers and
networks. As such, these systems run a higher risk of being hacked into by
cyber terrorists.

Hypothetically, by hacking into a SCADA network monitoring
water gates in a dam and taking control of the SCADA system, a cyber terrorist
could wreak havoc by opening and closing the gates at will.

While SCADA systems have been around for a few decades,
cyber attacks have only become a prominent threat in recent times. As such,
many SCADA systems, which have been deployed in the past, have little or no
security built in. In addition, SCADA systems are often a part of a company's
engineering division and as a result, are seldom covered by their corporate
security policy.

Securing SCADA networks is relatively easy and should be
considered as part of the company's overall security policy, requiring security
measures and policies to be implemented on multiple levels, including:

1. Defining
a security policy;

2. Securing
the SCADA network and operating environment;

3. Securing
the SCADA application; and

4. Detecting
unauthorized intrusions.

Defining a security policy

Security policies are becoming essential in today's
corporate network. A security policy is a living document that allows an
organization and its management team to draw very clear and understandable
objectives, goals, rules and formal procedures that help to define the overall
security position and architecture.

As a starting point, an organization should have a corporate
security policy and ensure that its SCADA network falls under the jurisdiction
of this policy. Failure to have a security policy not only exposes the company
to cyber attacks but may also lead to legal action.

A security policy should cover the following key components:

* Roles
and responsibility of those affected by the policy;

* What
actions, activities and processes are allowed and which are not?; and

* What
are the consequences of non-compliance?

The following areas of vulnerability should be considered:

* Network
and operating environment security;

* Application

* Intrusion
detection; and

* Regulating
physical access to the SCADA network.

Securing a SCADA network

Corporate networks linked to the Internet or that use
wireless technology may be more easily accessible to cyber terrorists and hackers.
An organization can heighten its level of network security by isolating its
SCADA network thereby restricting channels of external access. In many
organizations, isolating the SCADA network from the Internet or Intranet is
difficult because of requirements such as monitoring plants from a remote

In the latter case, measures can be taken to secure your
network and operating environment from unauthorized access to the SCADA
systems. These include firewalls and virtual private networks (VPN).

Implement a secured firewall

A secured firewall is imperative between the corporate
network and Internet. The single point of traffic into and out of a corporate
network, it can be effectively secured and monitored. A corporate network
should have at least one firewall and a router separating it from the external
network that is not within the company's dominion. When examining the firewall
solution, consider if and how the firewall supports any security services that
you may need. A Microsoft Internet Security and Acceleration Server VPN can be
used to set up the firewall.

On larger sites it is also recommended to protect the
control system from attack from within the SCADA network. This may be
implemented by providing an additional firewall between the corporate and SCADA
network. To maximize access and minimize the configuration required to maintain
this firewall, a terminal server can be used to act as a gateway. Only traffic
from the terminal server can pass into the SCADA network and a secured terminal
server removes the ability for external applications to be used to attack the
control system.

Minimize network access points

A key factor in ensuring a secure network is the number of
contact points. While firewalls have secured access from the Internet, many
existing control systems have modems installed to allow remote users access to
the system for debugging. These modems are often connected directly to
controllers in the substations. The access point, if required, should be
through a single point which is password protected and where user action
logging can be achieved.

Virtual private network

One of the main security issues facing more complex networks
today is remote access. With a VPN, all data paths are secret to a certain
extent, yet open to a limited group of persons, for example, to employees of a
specific company. VPN is a secured way of connecting to remote SCADA networks.

Based on the existing public network infrastructure and
incorporating data encryption and tunneling techniques, it provides a high
level of data security.

Application security

In addition to securing the network, securing access to
SCADA system components will provide a further defense layer.

Authentication and authorization

Authentication is the software process of identifying a user
who is authorized to access the SCADA system. Authorization is the process of
defining access permissions on the SCADA system and allowing users with
permission to access respective areas of the system. Authentication and
authorization are the mechanisms for single point of control for identifying
and allowing only authorized users to access the SCADA system, thereby ensuring
a high level of control over the system's security.

To provide effective authentication the system must require
each user to enter a unique user name and password.

Users must be able to be created, edited and deleted within
the system while the system is active to ensure that individual passwords can
be maintained. In addition it is highly recommended that password aging be
implemented. Password aging ensures that operators change their passwords over
a controlled time period, such as every week, month or so on.

To provide authorization the system must be able to control
access to every component of the control system. The system must not provide a
"back door" with which to bypass the levels of authentication
specified in the application.

Secured data storage and communication

Critical data pertaining to a SCADA system must be securely
persisted and communicated. It is recommended that critical data like a
password be stored using an encryption algorithm. Similarly, remote login
processes should use VPNs or encryption to communicate the user name and
password over the network.

Critical data like user name and password must be persisted
in a secured data repository and access rights monitored and managed using
secured mechanisms like Windows authentication and role based security.

Audit trails

It is recommended that audit trails on critical activities like
user logins or changes to system access permissions be tracked and monitored at
regular intervals. Securing your SCADA application may make it more challenging
for external hackers to gain control of the system, however it won't prevent
internal employees with malicious intent. Regularly tracking and monitoring
audit trails on critical areas of your SCADA system will help identify
unscrupulous activities and consequently take necessary corrective actions.

Intrusion detection

Firewalls and other simple boundary devices currently
available lack some degree of intelligence when it comes to observing,
recognizing and identifying attack signatures that may be present in the
traffic they monitor and the log files they collect. This deficiency explains
why intrusion detection systems (IDS) are becoming increasingly important in
helping to maintain network security.

An IDS is a specialized tool that knows how to read and
interpret the contents of log files from routers, firewalls, servers and other
network devices. Furthermore, an IDS often stores a database of known attack
signatures and can compare patterns of activity, traffic or behavior it
identifies in the logs it's monitoring against those signatures so it can
recognize when a close match between a signature and current or recent behavior

About the author

Abhishek Bhattacharjee was senior technical architect for Citect. Stephen Flannigan and Jens Nasholm are both product marketing managers for Citect. For more information, visit