Critical Infrastructure Risks and Vulnerabilities

BSS/482

December 14, 2015

Introduction

 

SCADA

Supervisory control and data acquisition (SCADA) systems are systems used to control many different things that can be scattered miles across land or water. The collection of data and the control of these assets are crucial to ensure the stability of the infrastructure. The SCADA system is used in distribution systems such as oil and gas, wastewater, and water distribution. The SCADA system will monitor the systems for even electrical distribution and the transportation systems. SCADA watches over these systems to ensure that they are performing correctly and at top performance. If anything goes wrong with one of the systems that SCADA looks at it will send out alarms so that they can be repaired. SCADA is a system that watches over all other systems that may be scattered out over long distances and collects data in a centralized location.

Attacks on SCADA

Since SCADA watches out over all systems that are crucial to the nation’s infrastructure any type of an attack on the system can be devastating. The attack could interrupt reports on these assets and the distribution of the material being received or put out. The wastewater system is monitored by SCADA and if anything malfunctions SCADA will report that and have the issues corrected immediately. If an attack on SCADA interrupted this report of the wastewater system, then it may lead to having wastewater mix with the distribution of good healthy water. This in return contaminating water and leading to an even bigger health issue.

SCADA Vulnerabilities

Every computer system in the world has vulnerabilities. SCADA systems are no exception, and because many older SCADA systems do not have security features, they are more vulnerable to attacks than newer systems (Department of Energy, n.d.). Finding vulnerabilities can be challenging. It takes several analyzations of the separate parts of a system to figure out what those vulnerabilities are. Scanning the SCADA, evaluating the host, analyzing network devices, and testing passwords are just a few ways to search for SCADA vulnerabilities. According to Wiles et al (2007) “the majority of security vulnerabilities found in the technical systems are a result of system configuration issues or lack of up-to-date patching.” This means that most of the vulnerabilities of a SCADA system come from programing issues. Other vulnerabilities can include physical security such as contracted cleaning services, employee discussions in non-work locations, and building layout configurations.

The detection of vulnerabilities leads to the acceptance that there may be a threat to the system as a whole. External threats can be as simple as industrial espionage or as complicated as international espionage. SCADA systems connected to networks are exceptionally vulnerable to international attacks. Servers connected to the network may not have the necessary programming to stop things such as computer worms or viruses. In 2015, Hilary Clinton was investigated by the Federal Bureau of Investigation for using a private server to send and receive emails containing classified government information. During the investigation it was found that Hilary’s server was connected to the internet and was scanned by an anonymous hacker from Serbia (Associated Press, 2015). Not only was Hilary’s server vulnerable to be scanned, but also controlled. Any hacker with enough brains to get in to the server could have controlled it from afar without ever having to change out of their pajamas. Given the fact that Hilary was the Secretary of State for the nation during this time period, it becomes relevant that she potentially put the country’s infrastructure in great danger.

Tools and techniques used to protect against a global attack on SCADA.

An SCADA firewall can be used to protect against a global attack on SCADA. However, the firewall must provide protection from all cyber-attacks and hackers that may be released from the internet, inside the business network or other networks under WiFi. Also, the firewall must be able to identify and inform probes, attacks, and abnormalities. It should have the ability to control and manage changes to the policies (Grau, 2012). There are some vulnerabilities that are identified for the control systems that are increased exposure, interconnectivity, common computing technologies, and increased automation. Pierluigi (2012), “Increased Exposure, which communication networks linking smart grid devices and systems will create many more access points to these devices, resulting in increased exposure to potential attacks. When it comes to interconnectivity, the communication networks will be more interconnected, further exposing the system to possible failures and attacks. Common computing technologies are smart grid systems that will increasingly use common, commercially available computing technologies and will be subject to their weaknesses. Lastly, increased automation that communication networks will generate, gather and use data in new and innovative ways as smart grid technologies will automate many functions. Improper use of this data presents new risks to national security and our economy” (para 24).

Describe how resilience should be incorporated into SCADA systems.

According to “Increasing the Resilience of Critical SCADA Systems Using” (2010), “To achieve increased SCADA system resilience against cyber threats in large-scale systems, a minimally intrusive and low cost communication overlay onto legacy SCADA systems using Peer-to-Peer (P2P) technologies which shows our approach efficiently prevents data loss due to node crashes, and detects and remedies data integrity attacks. Path redundancy refers to multiple paths between pairs of peers; data replication implies distributed and redundant data storage across the network” (para 4).

Conclusion

 

 

Purpose and History Paper 1

 

Critical Infrastructure Risks and Vulnerabilities 2

 

 

References

Associated Press. (2015, October 13). Private server used by Hilary Clinton while secretary of state was vulnerable to hacking: report. New York Daily News. Retrieved from http://www.nydailynews.com/news/politics/clinton-private-server-vulnerable-hacking-report-article-1.2396187

Department of Energy. (n.d.). 21 Steps to Improve Cyber Security of SCADA Networks

Grau, A. (2012). Protecting SCADA devices from threats and hackers. Retrieved from http://www.embedded.com/design/safety-and-security/4397214/Protecting-SCADA-devices-from-threats-and-hackers-

Increasing the Resilience of Critical SCADA Systems Using. (2010). Retrieved from http://www.researchgate.net/publication/262251133

Pierluigi, P. (2012). The importance of security requirements in design of SCADA systems. Retrieved from http://securityaffairs.co/wordpress/7314/security/the-importance-of-security-requirements-in-design-of-scada-systems.html

Stouffer, K., Falco, J., Kent, K. (2006, September). Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security. National Institute of Standards and Technology. Retrieved from https://www.dhs.gov/sites/default/files/publications/csd-nist-guidetosupervisoryanddataccquisition-scadaandindustrialcontrolsystemssecurity-2007.pdf

Wiles, J., Claypoole, T., Drake, P., Henry, P., Johnson Jr., L., Lowther, S., Windle, J. (2007). Techno Security Guide to Securing SCADA. Burlington, MA: Elsevier, Inc.