Oil and Gas Industry
SCADA systems face some threats in common with traditional IT systems and some that are unique to them. The following is a description of SCADA system vulnerabilities with an emphasis on those that are either unique to SCADA systems or are exacerbated by SCADA system peculiarities:
- Staff Experience – SCADA system staff are familiar with keeping control systems running. Their normal goal is reliability, which can initially feel in conflict with security efforts. With a bent for engineering and technical solutions to problems, the important role of developing security policies can be a foreign concept to typical SCADA staff. Furthermore, SCADA staff may not be receptive to IT staff recommendations.
- Operating System Vulnerabilities – The whole host of normal IT operating system vulnerabilities are present in SCADA systems. The difference from an IT shop is that patching may be performed less rigorously. The SCADA system operator has a running system that is expected to perform without interruptions. A test bed is unusual, and reports of patch-induced problems that cause systems to crash or take severe performance hits create reluctance to patch.
- Authentication – It is not uncommon for SCADA systems to have shared passwords. This creates convenience for the staff but eliminates any sense of authentication and accountability. In some cases moving to two-factor authentication is limited by work conditions that may impede iris scans or fingerprint scans because of dirty hands or the wearing of safety goggles. Confidentiality of authentication is often compromised by the use of clear text transmissions.
- Remote access – Because of the economics of staffing control centers around the clock, it is not uncommon for SCADA systems to be configured with remote access. This can include dial-up access or VPN access over the Internet.
- Interconnections – The more connections a SCADA system has, the greater its exposure and vulnerability. Economic and enterprise pressures often result in internal connections between the SCADA network and the business network.
- Monitoring and Defenses – The use of Intrusion Detection Software (IDS) is not common. Firewalls and antivirus software are not universal. Given staff cutbacks and drives for higher efficiency, there is often little time to review logs. The potential for zero-day worms is always present.
- Wireless – SCADA systems often use microwave, data radios and cellular packet services for communications. Depending on the implementation, these forms of communication can be vulnerable to certain types of attacks.
- Remote Processors – Certain classes of remote processors have recognized security vulnerabilities. Here the difficulty is twofold. First, the computational power and memory resources of the processors are modest and not suitable for security upgrades. Second, once they are installed they typically stay in place for ten years or more. The result is vulnerable equipment that stays vulnerable for a long time.
- SCADA Software – The SCADA application software has modest security features and other design weaknesses.
- Public Information – It is not unusual for SCADA system owners to have published papers on the design of their system at a time when security was not a priority. This can expose system vulnerabilities. It is also fairly common for consultants or contractors to advertise their experience and reveal information about past clients.
- Physical security – SCADA systems are usually distributed over large distances with multiple unstaffed locations, so the physical protection of SCADA devices becomes important. But because pin tumbler locks, master keys and cylinder locks all have reported weaknesses, it is important to be realistic about the level of protection they provide. In some cases, economics and vendor promotion have brought closed-circuit TV and intrusion contacts into the SCADA system. While convenient and cost-effective, this weakens the reinforcing nature of separate physical security and SCADA systems.