How safe is Industrial IoT for SCADA?

1 Introduction

Extensive use of Information Technology (IT) by the industry in every aspect of businesses, including exploration, production, supply chain, transportation, logistics, etc., has allowed the industry to take on the competition and save on cost. The IT technology is getting upgraded at a swift pace and is bringing innovations in the industry by bringing automation and reducing human intervention.  The industry is moving towards a concept called Industry 4, which involves maximum automation in manufacturing using robotics and computer control. The use of intelligent and autonomous systems along with the Internet of Things (IoT) and cloud computing will make Industry 4.0 a reality.

SCADA systems have been used for many decades to monitor and control large distributed systems such as oil & gas pipelines, power lines, mining, etc. SCADA systems are being continuously upgraded to embrace newer technologies. Industrial IoT (IIoT) is one such technology that can take over SCADA function or work and an existing system to bring innovations to the system. The use of IIoT devices for SCADA can improve reliability, safety and bring energy efficiency. Using IoT with the large number of devices connected using an open network provides new attack surfaces to attackers and makes them vulnerable to cyber threats.

Due to their use in the critical system, any breach in the security of the SCADA system can be devastating and can lead to grave consequences. The exponential use of new technology in an industrial environment and its integration with the old system has increased efficiencies but raised concerns from a security point of view. This has led the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security (DHS) to issue advisory to the American industry to reduce vulnerabilities in their system.

This article looks into the vulnerabilities in IIoT for SCADA systems for oil and gas facilities and ways to tackle the issues.

2 SCADA Systems attacks and Vulnerabilities

SCADA applications are limited to industrial units and are used mainly by Oil & Gas industry, power sector, railways, mining, and other utilities. Due to the stand-alone nature, with limited functionality and isolation from the corporate network, the security of the SCADA system was not a significant concern in the past. But after 1990, the attacks on SCADA and industrial control systems started, and the number increased slowly, raising concern in the industry and need arose for providing adequate security for such systems. A report by Trend Micro found 467 known vulnerabilities in the SCADA system in 2018 and 277 in 2019. Most of the attacks on SCADA systems have been using malware.

Some of the prominent attacks on the SCADA system include:

• Attack on Siemen’s S-7 SCADA system in Iran using a malware called Stuxnet in 2010 was the first known attack on the SCADA system. An infected USB drive injected malware code into the PLC, modifying its logic. The modified software in PLC sent the wrong information to HMI without the operator knowing that something was wrong. Stuxnet loaded itself to only certain specific devices.
• In 2012, Saudi Aramco, one of the largest energy producers and Qatari natural gas company, RasGas were attacked by malware named Shamoon, an information-stealing malware. The malware replaced files with random data. In the case of Saudi Aramco, it displayed an image of a burning American flag on almost 30,000 computers.
• A virus, called “Sobig”, infected CSX Corporation’s computers in Jacksonville, Fla, and led to disruption in dispatching, signalling, and other systems. This outage affected the complete CSX system covering 23 states and led to delays and the cancellation of many trains.
• A German steel mills system was attacked in 2014. The attacker entered the production system via the business network and then shut down the blast furnace in an uncontrolled manner leading to extensive damage to the system. The attack showed that attackers were well versed in IoT systems and steel manufacturing process
• In 2015, attackers used the BlackEnergy 3 malware version on the power grid SCADA system of Ukraine. The attack led to shutting down 30 power stations and cut power to 230,000 citizens for about 6 hrs. Ukraine’s system was attacked again in 2016 using more sophisticated malware CRASH OVERRIDE, leading to the shutting down of 30 substations⁷. The BlackEnergy malware has infected many SCADA systems.
• A cyber-attack on the SCADA system of an undisclosed water company in 2016 manipulated the PLCs application software to alter several chemicals entering water leading to an increase in recovery time of water supply. It could have been more serious. It was a sensitive case involving public safety, so the company’s name was therefore kept secret⁷.

These incidents show that the impact of an attack on the Industrial system can be devastating, and the SCADA system’s security needs to be taken very seriously.

The security of the SCADA system depends on the security of technologies and devices used by the system. The use of open-source technologies and protocol make SCADA systems vulnerable to a loophole in these systems.

3 IIoT system and Vulnerabilities.

The IIoT constitutes a network of devices, sensors, and actuators with embedded electronics, software setup, and an integrated network interface. Industrial IoT uses smart/intelligent devices to collect information and smart actuator for controlling systems.  It allows the connected devices to be monitored and controlled remotely. This improves performance, accuracy, efficiency and reduces human intervention. These intelligent devices analyse data collected in real-time and collaborate with other connected devices to automate industrial and manufacturing processes. The IIoT combines data analytics with machine-to-machine communication to provide efficient solutions for the industry across varying network infrastructures by not only analysing the data collected but also generating business information and long-term data storage. The information collected is available anywhere via the cloud environment can be used for predictive maintenance and optimising business processes using innovative business models. However, the use of a wireless interface for communication simplified the implementation and increased security concerns. The wireless interface provides adversary new ways to exploit the network by eavesdropping and manipulating the system if proper security measures are implemented.

The security of IIoT devices is a critical concern in their adoption which cannot be ignored due to the advantage they provide. A report on the security of industrial control systems by Waterfall security solutions indicates that the top threat is from ICS insiders while the second-largest threat is from IT insiders. The threat from Common Ransomware, Targeted Ransomware, and Zero-Day Ransomware comes at 3^rd, 4^th, and 5^th numbers. Other threats in order or priority include Ukrainian Attack, Market Manipulation, Cell-phone Wi-Fi, Hijacked Two-Factor, IIoT Pivot, Malicious Outsourcing, Compromised Vendor Website/ Remote site, Vendor Back Door, Stuxnet, Hardware Supply Chain, Nation-State Crypto Compromise, and Sophisticated Credentialed ICS Insider, etc. The report further says that in a typical setup it is challenging to defeat threats from ICS insider, Sophisticated Credentialed ICS Insider, Hardware Supply Chain, Cell-phone Wi-Fi, and Stuxnet as there involve stealing the credentials to launch the attack.

The Open Web Application Security Project (OWASP) for IoT security helps all the stakeholders in understanding security issues while using, building, or assessing IoT technology. OWASP has come out with the list top 10 vulnerabilities in IoT.

1. Weak Passwords: This makes it easy for attackers to break into the system.
2. Insecure and unneeded Network Services running on devices exposed to the Internet make the system vulnerable to DoS attacks.
3. Insecure Ecosystem Interfaces: Insufficient Authentication/Authorisation and weak encryption allow the system to be compromised. With the use of the cloud, the authentication and authorisation mechanism play an essential role in securing the system as the cloud can be accessed from anywhere.
4. Lack of Secure Update Mechanism: The security updates to all devices require using the encrypted protocol to ensure security.
5. Use of Insecure or Outdated Components: All the hardware and software components must be sourced from a secured supply chain and vendors.
6. Insufficient Privacy Protection: The personal data stored in the device or the system mustn’t be used by anyone without requisite permission.
7. Insecure Data Transfer and Storage: The data while in transit, storage, and processing must be secured using encryption and access control mechanisms.
8. Lack of Device Management: The devices used in the system and asset management do not follow secure monitoring and decommissioning processes.
9. Insecure Default Settings: One of the biggest threats in security is default settings that an attacker can exploit.
10. Lack of Physical Hardening: This allows an attacker to access sensitive information that can be used to take local control of the device or launch an attack remotely.

In addition to the above vulnerabilities, the IIoT system uses machine-to-machine (M2M) communications using new communication technologies such as Wi-Fi 6, 5G, and Time-Sensitive Networking (TSN), exposing the IIoT system threats faced by these technologies. The lack of security control and standardisation in IIoT devices leaves them vulnerable to threats and data security vulnerabilities.

4 Security challenges for IIoT in SCADA Systems

The IIoT system can be integrated with the SCADA system to provide the best of both technologies. The IIoT system can also replace the SCADA system and provide much more functionalities and flexibility to monitor and control the scattered industrial system.

SCADA networks are spread over extensive areas with thousands of data points, especially in oil and gas sectors and power distribution systems. The use of IIoT enabled devices and gateways for this distributed system will have many embedded devices with a long lifespan. These devices will collect live data and communicate using a machine-to-machine protocol and take necessary control at the edge level. At any point in such an overall system, the security breach can be used to penetrate the whole network. Maintaining the security of embedded devices is a big challenge as these cannot be updated like other software systems to mitigate evolving attacks. The oil and gas network system needs to be resilient to attacks, the effects of the attack are required to be minimised, and recovery from attacks should be quick with the restoration of security.

The security challenges for Industrial IoT for SCADA system other than in case of general IoT implementation include:

• The engineers designing SCADA systems do not have a deep understanding of IoT security principles. On the other hand, the IT persons involved are not very familiar with the industrial environment making it difficult to prepare a comprehensive risk mitigation strategy. The system design should be done in close collaboration with SCADA system engineers and IT personnel.
• The IIoT devices are not designed with security in mind due to their limited battery and processing power, making them prone to attacks.
• Unavailability of tools for adequate monitoring exploitation of endpoint devices.
• Nonavailability of downtime for security updates leaving field devices leaves them without security patching.
• A typical SCADA system uses protocols such as Modbus/TCP, IEC 40, and DNP3, which have not been designed with security in mind and lack protection.

The attacks on the IIoT based SCADA system can be at many levels and are detailed below:

1. Attacks on field devices such as sensors, actuators, embedded devices, transmitters. The types of attack can be malware, Eavesdropping, Brute force attacks, injection of crafted packets, reverse engineering.
2. Attack on Gateways or PLCs. The possible attacks are sniffing, Man-in-middle attack, Password guessing, replay attack, Wireless device attack,

• attacks on SCADA control, HMI, and operator stations include malware, data manipulation, data sniffing, and IP spoofing.

Other than above, the attacks on corporate networks and cloud networks are well known and will not be discussed here.

5 Protection Strategies

The biggest threat to IIoT based SCADA system is direct internet connectivity to the cloud of edge devices. However, in most modern oil and gas systems, a fibre optic cable is laid along with the pipeline for communication. Thus, for this type of network, the way forward is to use IIoT devices to collect data from the field and pass it on to an edge device that uses this optical cable to transport information to the main control centre and then to the cloud. This methodology can take care of the insecure connection between devices and the cloud, a significant security hurdle. However, this only partly tackles the security issue.

No single system can provide total protection. The Anti-virus software cannot reliably stop malware attacks. The security updates are created only after loopholes are known and cannot stop any new threats. The use of an intrusion detection system can detect attacks but cannot prevent them reliably as there may be a delay between detection and actions taken for prevention. Securing the system requires multiprong strategies.

For a typical oil and gas network or power grid network that uses fibre optic cable as a backbone, the system can be made secure and reduce the risk considerably using the following guidelines over and above the use of traditional security tools such as antivirus, firewalls, and IDS system:

• Security must be taken into consideration at the design stage itself involving operational as well as IT engineers.
• Defence in-depth strategy is required for the total system with hardening of the system and adequate physical security and monitoring of all the devices and equipment.
• The use of two-factor authentication using a physical security device can prevent phishing attacks for theft of password
• Careful management of authorisation and user accounts. System access should be given to users strictly on a need basis. Regular monitoring and assessment of who should be given access can prevent physical as well as cyber threats.
• Use of secure communication links with encryption and secure key distribution
• Network segmentation: It can prevent the spread of malware and contain attacks to a particular segment. It also reduces the risk of sensitive information exposure.
• Strict endpoint security implementation on workstations and devices used in the SCADA system can prevent perimeter threats.
• A strict policy on unauthorised use and connectivity of devices such as USB drives etc., to SCADA systems, can prevent entry points for potential attacks. These devices have been used in many instances for injecting malware into the system.
• Virtual patching: The updated and patches to the system should be done using virtual patching. Virtual patching allows the management of vulnerabilities and prevents exploits in case of delay in routine patch implementation.
• Network traffic monitoring and log analysis are required to ensure that no unwanted activities are taking place. The pattern analysis can be used to detect malicious activities. This is essential to prevent attacks such as advance persistence threats (APT). Apart from the above, file integrity monitoring and memory dump analysis can aid in detecting complex malicious attacks.
• The SCADA system control section should be isolated from the corporate network using adequate security measures such as firewalls to prevent lateral movement of attack from one side to another. Unidirectional gateways can reliably prevent the entry of attackers from the corporate network to SCADA network and Internet.
• The transitory SCADA node should be single-purpose so that the chances of exploitation or unauthorised access to these nodes is reduced.
• The use of trusted platform modules (TPMs) can prevent encryption key scrapping.

6 Conclusion

Due to their use in the critical system, any breach in the security of the SCADA system can be devastating and can lead to grave consequences. The use of IIoT devices for SCADA can improve reliability, safety, and energy efficiency. Despite security concerns, the IIoT has not been ignored by the industry due to the immense benefits it can provide. Using IoT with many devices connected using an open network provides new attack surfaces to attackers and makes them vulnerable to cyber threats. However, fibre optic cable laid along with the pipeline or power lines can significantly reduce this risk for oil and gas systems. The various challenges exclusive to IIoT based SCADA system has been briefly discussed and guidelines to make the system secure and risk-averse.

The security of the industrial system using IIoT must be taken into consideration at the design stage itself. A defence-in-depth strategy needs to be adopted with authentication for all users, devices, applications, using encryption for data storage and transport.  Implementation of network segmentation, endpoint security methodology for all devices is essential, along with adequately securing the cloud environment for this type of project. The system should be designed for end-to-end security to make the system secure.