Securing a SCADA network - Part II
by Balaji V, CISSP
In the first part of this article series, we discussed some of the significant security concerns in a SCADA network. In this second part, we look at some of the key vulnerabilities affecting SCADA systems and applications, the risk these vulnerabilities pose and how to mitigate them.
Just like any application or system software in the industry today, the applications and systems running on a SCADA network have vulnerabilities being discovered in them. These range from denial of service and arbitrary code execution to information disclosure.
Key Vulnerabilities Discovered
A buffer overflow vulnerability has been discovered in CitectSCADA. CitectSCADA collects data from, and provides an interface to control, equipment such as Programmable Logic Controllers (PLCs) and Remote Terminal Units (RTUs), with an integrated Human Machine Interface (HMI); its software runs on Microsoft Windows. The overflow is in the ODBC server service and allows an unauthenticated attacker to crash the vulnerable software or execute arbitrary code on the affected system. It can be exploited both locally and remotely.
A denial of service vulnerability has been discovered in Wonderware SuiteLink. Many Wonderware SCADA and supervisory HMI (Human-Machine Interface) products rely on the SuiteLink service, which runs on Microsoft Windows and carries communications between the components of the system over a proprietary protocol. An unauthenticated remote attacker who can reach the SuiteLink TCP port on a vulnerable system can send a malformed packet that shuts the service down, causing a denial of service. Wonderware has published a technical document describing how to address the issue; it is available to registered customers.
A heap overflow vulnerability has been discovered in LiveData Protocol Server, a real-time SCADA product from LiveData used to capture and deliver data flows and control functions to remote devices in an Industrial Control System. The server exposes an HTTP service with a SOAP interface on TCP port 8080, and the flaw lies in how it handles requests for WSDL files. An attacker can send a specially crafted request carrying a negative length value; when that value reaches the strncpy call, whose size parameter is unsigned, it is interpreted as a very large positive number and the copy overflows the heap buffer. This allows an attacker to crash the service or potentially run arbitrary code on the vulnerable system.
A denial of service vulnerability has also been discovered in the LiveData Real-Time Integration, Protocol and Maintenance Servers: the applications do not handle user-supplied input properly, and an attacker may be able to exploit this to take the service down.
The affected vendors have released patches for these vulnerabilities, available on request, and also recommend additional security measures that reduce exposure to them.
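The CitectSCADA ODBC overflow and the LiveData strncpy overflow above are both instances of one bug class: a length field taken from the network is trusted when it is used to size a copy. The following is an added illustration of that class and its fix, written for this article; it is not CitectSCADA or LiveData code, and the 4-byte length-prefixed request format, the 64-byte destination buffer and the sample requests are constructed assumptions, since neither protocol is documented here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 64   /* size of the destination buffer (assumed) */

/* Hypothetical wire format: a 4-byte big-endian length followed by that many
 * bytes of name.  The real protocols are not documented in the article. */
static uint32_t read_u32_be(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the length is held in a signed int and only checked
 * against an upper bound before being handed to strncpy's size_t parameter.
 * Returns the byte count strncpy would be told to copy, or 0 when the
 * request is rejected.  The copy itself is deliberately not performed,
 * because on a negative length it would write far past the buffer. */
size_t vulnerable_copy_len(const unsigned char *req, size_t req_len)
{
    if (req_len < 4)
        return 0;
    int32_t len = (int32_t)read_u32_be(req);   /* 0xFFFFFFFF becomes -1 */
    if (len > NAME_BUF - 1)                    /* -1 passes this check */
        return 0;
    return (size_t)len;                        /* -1 becomes SIZE_MAX */
}

/* Hardened version: keep the length unsigned, bound it by the destination
 * size and by the bytes actually present in the request, and always
 * NUL-terminate.  out must have room for NAME_BUF bytes.
 * Returns the number of bytes copied, or -1 on rejection. */
int hardened_copy(const unsigned char *req, size_t req_len, char *out)
{
    if (req_len < 4)
        return -1;
    uint32_t len = read_u32_be(req);
    if (len > NAME_BUF - 1)                    /* rejects 0xFFFFFFFF too */
        return -1;
    if (len > req_len - 4)                     /* no read past the packet */
        return -1;
    memcpy(out, req + 4, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed sample requests, not captured traffic. */
    const unsigned char good[] = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    const unsigned char bad[]  = {0xff, 0xff, 0xff, 0xff, 'A', 'A', 'A', 'A'};
    char out[NAME_BUF];

    printf("vulnerable, good request: strncpy size = %zu\n",
           vulnerable_copy_len(good, sizeof good));
    printf("vulnerable, bad request:  strncpy size = %zu (SIZE_MAX)\n",
           vulnerable_copy_len(bad, sizeof bad));
    printf("hardened, good request:   %d bytes -> \"%s\"\n",
           hardened_copy(good, sizeof good, out), out);
    printf("hardened, bad request:    %d (rejected)\n",
           hardened_copy(bad, sizeof bad, out));
    return 0;
}
```

The upper-bound check in the vulnerable version looks reasonable on its own; the defect is that a signed comparison cannot reject a value that turns into 4 GB the moment it is converted to size_t. The hardened version also rejects a length larger than the packet, which the vulnerable version would silently accept, so the same three checks close both the overflow and the out-of-bounds read.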
Vulnerabilities Common to SCADA and Corporate Networks
Although the vulnerabilities above affect specific SCADA applications, there are also vulnerabilities that affect SCADA networks just as much as they affect corporate networks.
NIST's Guide to Industrial Control Systems Security (SP 800-82) classifies the vulnerabilities of SCADA networks into:
- Policy and Procedure Vulnerabilities
- Platform Vulnerabilities
- Network Vulnerabilities
Policy and Procedure Vulnerabilities
Security policies play a critical role in the security of an organization: effective policies protect it from unnecessary exposure and risk, and vulnerabilities arise when policies are missing or incomplete. Most corporate security policies apply to SCADA networks as well, but on their own they are not sufficient; they need to be refined and extended to address the additional concerns of a SCADA network. For example, a corporate security policy may allow unrestricted use of USB flash drives across the network, but the same allowance poses a risk to the SCADA network and must be modified to restrict their use there.
Similarly, procedures need to be developed and documented based on the security policies defined for the SCADA network. Without them, employees may not understand the priorities and the steps to follow in the event of a malfunction or sabotage.
Security audits are an essential component of securing a network, and the absence of audits is itself a vulnerability, since issues that could have been discovered and addressed go unidentified. Some commercial vulnerability scanners, such as Qualys and Nessus, provide plugins that detect certain SCADA-specific vulnerabilities. Periodic, comprehensive audits are harder to carry out on a SCADA network than on a corporate one, because active scanning may disrupt operations, so they must be planned (for example, scheduled in maintenance windows or run against a test environment first) rather than skipped; regular audits are what show that the network is resilient against attack.
Platform Vulnerabilities
Vulnerabilities on a SCADA network can be platform specific, including insecure configuration, hardware failure, inadequate physical access control, unnecessary running services and inadequate protection against malware.
Configuration vulnerabilities include systems not updated with the latest security patches, patches installed without thorough testing, default passwords left in place and inadequate access controls. Secure configuration procedures and settings should be established and followed so that the SCADA system is hardened.
Hardware vulnerabilities cover the failure of any component of the supervisory stations, control center devices, field devices, power units and so on; a lack of physical, environmental and backup controls also counts as a hardware vulnerability. An insecure remote access connection over a dial-up modem is another. Modems are commonly used in SCADA networks to give control engineers and vendors remote access, but a modem that is not properly secured becomes a point of entry for attackers.
Software vulnerabilities are those that affect the applications and operating systems running on the SCADA systems, including the ones discussed above. They also include the use of insecure protocols, unnecessary running services, vulnerable proprietary software, inadequate authentication, missing audit trails and incidents that go undetected. A lack of protection against malware is also considered a software vulnerability.
Software vulnerabilities are addressed by establishing patch management procedures, following appropriate procedures for the use of software, implementing monitoring and logging, and deploying malware protection that detects and removes threats without interfering with normal operations.
Network Vulnerabilities
Network vulnerabilities are similar to platform vulnerabilities except that they pertain to network devices. Beyond the devices themselves, network vulnerabilities also arise from insecure network architecture, poorly configured firewall rules, improper traffic segregation, reliance on services hosted on the corporate network and failure of communication links. Appropriate security measures need to be implemented to close them.
All the vulnerabilities discussed above present some form of risk to SCADA networks. Learning how they affect their own network, and addressing them, leaves SCADA network administrators better equipped to handle any incident.