This week, Charlie discusses the effects a cyber attack can have on an organisation’s process control and SCADA systems.
For the last three weeks, I have been working for a power and water company in the Caribbean with my wife, Kim. We delivered a programme to improve their response to a wide range of incidents and started by looking at their hurricane response, one of their greatest threats. Then we moved on to looking at how they would provide power and water if their production equipment became damaged. As part of the review, we started to look at other threats, including cyber attacks. While I was there, the ransomware attack on the Colonial Pipeline in the USA stopped fuel transportation on the East Coast. It provided a timely reminder of the threat to an organisation’s operations whose process controls and SCADA systems manage the plant and equipment. I was also interested in understanding whether a ransomware attack could ‘lock out’ operational systems, as this is the major threat of this time. I understand the cyber threats to ‘normal IT’ but was unsure of the danger to a water and power company’s infrastructure. This bulletin is the result of some research I undertook, and today I will share what I have learnt with you. Hopefully, this will get you thinking about and reviewing the threats to your own processes.
What is Process Control and SCADA? Where do I find them?
Process control at its simplest is a mechanism that uses control systems to manage a process. They can achieve consistency, economy and safety, which cannot be achieved purely by a human taking manual control. A simple example of this is the thermostat on a domestic radiator. SCADA is a control system for the whole process, managing a complex system such as controlling a power plant. Some sensors control the operation throughout the plant and send signals/alarms to an operator if the system goes outside its limits or if something breaks down.
A SCADA system allows one person to monitor many different systems and is located separately from their controlling site. Often SCADA will enable the operator to make adjustments, open and close valves, stop and close machinery and reconfigure the system if there is a breakdown or failure. There can be external access from either a laptop, tablet or even a phone. Depending on the system configuration, all of the tasks carried out by the controller can be done remotely. The SCADA sensors and controllers will often control the plant, machinery or process, and the plant’s operation, which is not possible manually.
A SCADA system can be found in an extensive range of industries, including:
- Nuclear Reactor
- Energy Sector
- Civil and Chemical Engineering
- Water Plant
What is the impact of the loss of SCADA or process control systems?
The impact of an attack on the SCADA and process control system could be huge; this may include financial loss, production loss, environmental damage or even loss of life. Suppose a hacker gains control of a nuclear power plant’s systems and knows its operations. In that case, they could potentially cause a nuclear explosion or a core meltdown with a subsequent radiation leak. There have been several cyber attacks to date on SCADA systems that have caused a wide array of impacts, none that I found caused human death.
Table 1: A list of important attacks between 1982-2016 (Yadav & Paul, 2021)
You can see from Table 1 that there is a wide variety of industries, processes attacked, countries affected and methodologies used for the attacks. I was surprised by the variety of the attacks.
Table 2: A list of incidents in the water industry (Ten, Liu & Manimaran, 2008)
What I think is interesting about the list above is the details of who conducted the attack. The list included hackers, cybercriminals and hacktivists, and also a large number of ex-employees.
What are the threats to SCADA and process controls?
- Physical Security – Some systems may be secure within the plant. However, they can also be remote or unmanned, giving the attacker plenty of time to access the system and plant malware. For example, the malware installed in Tehama-Colusa Canal (Table 2) and the Maroochy Shire attack (Table 2) resulted in 800,000 litres of sewage released into the local aquatic environment.
- Access Vulnerabilities – Often, passwords are shared because the installer changes them for additional users, or manufacturer default passwords are not changed.
- Remote Access – As systems are often widely dispersed, remote access is more vulnerable to unauthorised access. Managers or controllers may want remote access to the control room, but this can lead to vulnerabilities. Hackers can either physically gain access to the devices or gain access to the system without alerting anyone else.
- Wireless – Access to remote systems is often through wireless links. These links can be intercepted and are vulnerable to attack.
- Defences & Access via IT System – SCADA systems were initially devised as closed systems, so there was minimal security built into them. As systems have become more connected, IT networks are now carrying SCADA traffic. This means that if a hacker gains access to the IT systems, they can then use it to access the SCADA system and alter the organisation’s processes. The organisation may not be using firewalls to protect the SCADA traffic from IT network intrusions and may not separate access from one system to the other.
- Lack of Skills – I have seen many cases where the process engineers in an organisation don’t consider security as their problem, but believe it to be the responsibility of the IT department who runs the network. The academic literature on SCADA and cyber appears to be an emerging discipline, but I haven’t seen cyber companies specialising in this area.
- Legacy Software – In most cases, the SCADA software was written a long time ago when security was not an issue.
- Operator Interfaces – The controller often views the system and receives the Microsoft Windows-based system’s alarms. This part of the system is vulnerable to any Windows system. Processes or particular bits of equipment may have Windows controllers to receive and send information. One reason why the WannaCry virus had such a significant impact on the NHS was because it cloaked the control system to NHS equipment such as CAT Scanners. They had Windows operating systems. These systems are often ancient versions of Windows because the machines have to be extensively recalibrated and tested if their operating system is changed. This might be similar within the SCADA system, where human interfaces of the plant and equipment may operate on old and vulnerable systems.
Is ransomware a threat?
As ransomware is a very prolific threat at the moment, I was interested to find out whether a ransomware attack on an organisation’s IT systems could lock out their SCADA and process controls. It was the ransomware attack on Colonial Pipeline which caused them to shut down their pipeline. My understanding of the threat is that ransomware cannot affect process controls and SCADA systems. However, it could attack and lock out their operator and equipment interfaces. I listened to a webinar by Immersive Labs this week and asked a question on the Colonial attack. They told me that the ransomware didn’t affect their operations, but they closed down the pipeline as a precaution just in case. For me, this echoes the WannaCry attack on the NHS, where 50% of the impact of the attack was from managers closing down their systems as a precaution, often against the advice of their IT manager, causing the same impact as the ransomware. Most of the attacks on SCADA systems are people gaining access to systems and then manipulating them to cause damage or installing malware that has a similar effect.
There have been major cyber attacks on SCADA systems, the biggest of which is the Ukraine Power outage of 2015, leaving more than 230,000 people without power. Without power or water, life for more than a day or two for most people becomes intolerable. We have seen that an attack on the infrastructure can lead to a mass release of sewage. An attack on a nuclear power station could lead to a situation similar to Chernobyl or Fukushima. I think the cybersecurity associated with SCADA systems and process control is still in its infancy, but if your organisation has these systems, you may want to take an interest in looking at their security to see if they are in breach, as the impact can be huge.
TEN, C., LIU, C. & MANIMARAN, G., 2008. Vulnerability assessment of cybersecurity for SCADA systems. IEEE Transactions on Power Systems. 23(4), pp.1836-1846.
YADAV, G. & PAUL, K., 2021. Architecture and security of SCADA systems: A review. International Journal of Critical Infrastructure Protection, pp.100433.