Avishai Wool
Avishai Wool

SCADA systems automate the control of industrial systems, such as oil and gas pipelines, wind turbines and nuclear power plants. The Stuxnet virus raised the profile of SCADA systems by infecting the programmable logic controllers (PLC) in an Iranian nuclear power plant.

SCADA systems were developed with an isolated network assumption. The network operates with a simple Modbus communication protocol over serial lines. As a result, the simple “request – response” protocols leave these systems vulnerable since they cannot differentiate between legitimate requests from a human-machine interface or malicious requests from infected systems.

The isolated network assumption provided a degree of security through obscurity, as attack vectors had to breach physical security and required knowledge of how the systems work. However, Stuxnet demonstrated that even isolated physical networks could be hacked.

The days of the isolated network are gone and they are not coming back. The economic forces are too compelling. SCADA networks and IT networks are no longer physically separate. At best they are “logically” separate with traffic filters between them. But what policies are these filters implementing?

Hacking SCADA systems no longer requires physical access, just a network connection, a way to route packets to the PLC and a means to bypass the traffic filters, which are all activities that hackers understand. The Modbus transmission control protocol (TCP) lacks confidentiality or authentication, so once a hacker connects to the network, they can easily hijack a session.

Ideally, the industry will move to replace overly simplistic protocols with new ones that include authentication, access control, audit and encryption. But, in the meantime, network security can implement sniffing, scanning, filtering, firewalls and network intrusion detection systems.