Until recently, hostile attacks by viruses and Trojans on automation systems was not an issue for infrastructure such as water works, power grids or transportation systems, because the data networks in these infrastructure installations were isolated. However, Ethernet, wireless LAN and Web-based machine services such as remote monitoring, remote administration, remote diagnostics and remote maintenance have changed the landscape.
IT security — a non-issue many years ago — is nowadays a major concern and should be part of the business strategy of every critical infrastructure facility. With the increasing networking of all kinds of SCADA systems over the Internet and/or public networks, any device with an IP address is globally accessible.
This means deploying classic security measures, such as virus scanners and firewalls, as the recent Stuxnet scare taught IT security professionals in this sector.
Stuxnet: The First Wave
Stuxnet is a Microsoft Windows computer worm discovered in July 2010 that targets industrial software and equipment. While it is not the first time that hackers have targeted industrial systems, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit. It was designed to target only Siemens Supervisory Control And Data Acquisition (SCADA) systems that are configured to control and monitor specific industrial processes. Stuxnet infects PLCs by subverting the Step-7 software application that is used to reprogram these devices.
By the end of April 2011, Siemens had registered 24 infections of industrial computer systems around the globe. No damage occurred anywhere and the Trojan could be removed in every case without interrupting operations or production. Just a few days after the malware became public, Siemens was able to offer a solution which could detect and neutralize the trojan. This involved changing the settings in the Simatic WinCC visualization system to protect it from further attacks. “Now that Microsoft has closed its security loopholes with the patches (MS10-046, MS10-061, MS08-067), no further infections have been reported to us,” Siemens spokesperson Wieland Simon says.
Although Stuxnet did not apparently cause any damage for the majority of the world of automation, it did reveal potential vulnerabilities.
First, in theory, hackers could manipulate automation and control systems by directly entering the facilities themselves and “infecting” the Simatic system; therefore, as long as the systems are running under normal conditions in a secure environment, it should be safe from these types of attack. That means deploying sound access control plans for each facility.
“So far, no attacks via Profibus (an Ethernet standard for automation systems) are known,” Simon says. This may be simply because of the limited number of participants in this field.” He adds that Siemens has already deployed countermeasures for its Ethernet-based systems.
In all, critical infrastructure facilities need a well-structured security concept and strict organizational rules, coupled with continuous surveillance of all communications systems, clearly defined access, and the ongoing education and training of individual employees.
Strict Requirements for Automation Components
In addition to changed rules of behavior, the automation components also have to meet more stringent IT security requirements. One of the first protective measures for individual automation components is to restrict the scope of network and internet communication to a specified “safe” level.
Automation components can be grouped logically or by communications technology and segregated from the rest of the network by firewalls and other security components. The automation components should be equipped with defined communication mechanisms so that the device executes its program as usual even in extreme situations, such as denial-of-service attacks or attacks targeted on individual communication services — also referred to as “network ruggedness.”