SCADA Industrial Controls – The Next Cyber Defense Frontier
A rolling blackout of the entire U.S. East Coast, a multi-mile gas pipeline explosion, the next Three Mile Island nuclear reactor meltdown—all of these disasters can be created by a hacker exploiting vulnerabilities in industrial SCADA systems.
What is SCADA? SCADA is an acronym for Supervisory Control and Data Acquisition. It generally refers to industrial control systems used in power, oil and gas, and Defense industries. With advances in computing and networking, traditional physical industrial systems have been refined with new capabilities that enable these augmented systems—called cyber-physical systems—to measure and control the physical world.
Examples of cyber-physical systems include complex machines such as aircrafts or robots, building automation systems, smart cities and smart grids, railways and agricultural systems, medical devices and industrial infrastructures. All of these systems present potential vulnerabilities that can be exploited by malicious actors with catastrophic consequences, not just to the industrial system, but to human society as a whole.
So what damage can actually be done with an attack on a SCADA system? Generally, attacks fall into three categories, as show in the table below.
This class of attacks aims for physical damage of equipment or infrastructure (e.g., pipes and valves). Equipment damage can be achieved in two ways:
- Overstress of equipment. Every piece of equipment wears out or breaks at the end of its expected life cycle. Prolonged overstress of equipment can accelerate this process. An example would be wear-off attacks on valves due to unstable process control. This type of attack was implemented in the second version of the Stuxnet worm against Iran’s nuclear program.
- Violation of safety limits. Another way to cause damage is to violate safety limits, ideally in some smart way. To demonstrate this, researchers at Idaho National Labs remotely destroyed a power generator. This type of attack was also realized in the first version of Stuxnet.
Instead of breaking equipment, an attacker can go after the production process to spoil the product or make production more expensive. Attacks on production can be divided into three groups.
- Product quality and production rate. Every product has its specification and market prices for a specific quality. The attacker may turn the product unusable or reduce its value. For example, acetaminophen (used in Tylenol) at 98 percent purity costs $1 per kilogram. However, 100 percent pure acetaminophen goes for $8,000 per kilogram. So NOT achieving the desired product quality can be very expensive.
- Operating costs. After the process is tuned, the operator’s primary task is to keep the process as close as possible to the economically optimal operating conditions. Every plant has an objective cost function consisting of several components that impact the operating costs. It may be loss of raw materials in the purge, premature deactivation of the catalyst, or increased energy usage.
- Maintenance efforts. The attacker can impact a production process by increasing the maintenance workload. Maintenance refers to troubleshooting process disturbances and equipment malfunction. For example, rapid operation of a flow valve causes a damaging cavitation process—the formation of vapor cavities in a liquid. Cavitation eventually wears the valve and leads to leaks (requiring valve replacement). Also, bubbling of a liquid substantially complicates process control.
Industrial sectors tend to be strongly regulated to ensure safety and protect the environment. Non-compliance can attract fines and bad publicity, unlike attacks whose effect can be kept internal to a company.
- Safety. Most damaging would be attacks on occupational and environmental safety as they may result in lethal accidents and serious environmental damage. This type of attack in most cases will yield collateral damage.
- Environmental Pollution. These are attacks causing regulatory pollution limits to be exceeded. This can relate to the concentration and volume of gaseous emissions, water or soil contamination and For example, if effluent from an industrial facility fails to meet local regulatory standards, the plant can be fined, and recurrent offenses can lead to plant shutdown. Negative impact on reputation may be a further consequence.
- Contractual agreements. Typically, this refers to production schedules. For example, missing schedules on vaccine production and delivery may cause contractual sanctions and bad publicity. Reactions to outbreaks of a disease often lead to political and public pressure.
As you can see, there are many ways to exploit SCADA system vulnerabilities. These attacks happen more often than people realize. However, the majority of attacks on operational control systems over the last 20 years have not been made public, due to laws and policies limiting data sharing, as well as to companies trying to protect their reputations by keeping such attacks quiet. This makes it difficult to assemble a catalogue of SCADA attacks. What we do know from bits of information floating about is that hundreds of millions of dollars, possibly more, have been extorted from victimized organizations. It’s difficult to know, because companies pay to keep it a secret. This kind of extortion is the biggest untold story of the cybercrime industry.
Luckily, a few security startups are addressing the challenge of securing SCADA. One such company is NexDefense. In a follow up blog we will discuss how NexDefense counters the SCADA threats presented here.