Why firewalls are not recommended for securing SCADA systems

SCADA systems need to be secure, yet according to one expert, firewalls are not up to the task, and should be replaced with Unidirectional Security Gateways. Learn what to look for in a USG.

Image: iStock/HYWARDS

There are those who say the only reason critical American infrastructure, such as the power grid, has not been digitally hacked and taken down is that doing so would affect the bad guys as much as us. However, that is not much consolation when the Department of Homeland Security's (DHS) Critical Infrastructure 2025 Strategic Risk Assessment report states:

"... information and communication technology (ICT) is highly likely to continue being extensively incorporated into critical infrastructure during the next decade. As a result, the variety of cyber-physical system components (operating systems, computational hardware, and firmware) in ICT is likely to make universal security across critical infrastructure sectors problematic creating immeasurable vulnerabilities and attack vectors."

The immeasurable vulnerabilities and attack vectors are part and parcel of what are called Supervisory Control and Data Acquisition (SCADA) systems. Carl Gould, co-director of software engineering at Inductive Automation, defines SCADA as:

"A SCADA system at its most basic is a software system that is used for controlling, monitoring, and analyzing an industrial process."

"A SCADA system communicates, in real-time, with controllers out in the field that are running the actual process," continues Gould. "The SCADA system will gather real-time information from the field controllers, bringing the data into the SCADA system where it is presented using a Graphical User Interface (GUI), to the operators who are in charge of the process."

SEE: Devastating attacks to public infrastructure 'a matter of when' in the US (ZDNet)

Operational computers, the in-place SCADA system, and field controllers must be networked and are often accessible via the internet. It does not take much of a stretch to see how nefarious types could remote in and take control of some vital process such as the power grid through the SCADA system. The DHS's Strategic Risk Assessment report mentions that in 2014, Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT) reported 245 cyber-related incidents, most of which were in the energy sector.

The Strategic Risk Assessment report then adds, "According to ICS-CERT, the scope of incidents encompassed a vast range of threats and observed methods for attempting to gain access to both business and control systems infrastructure, including unauthorized access and exploitation of internet-facing Industrial Control Systems and SCADA devices."

Firewalls vs. Unidirectional Security Gateways

Most networks, including SCADA systems, are currently guarded by firewalls. Andrew Ginter, vice president of industrial security at Waterfall Security, says that can contribute to the vulnerability problem. SCADA traffic, both inbound and outbound, is controlled by the firewall's software, which could have built-in weaknesses or have programming errors. (For more information, refer to Ginter's ISA paper: 13 ways through a firewall: What you don't know can hurt you.) In this HelpNetSecurity podcast, Ginter mentions, "All software has bugs; firewalls can be hacked."

Ginter prefers to use devices called Unidirectional Security Gateways (USGs) because the one-way flow of traffic disallows adversaries to remote--which requires two-way traffic flow--into SCADA systems and control them.

USGs consist of a transmit module and a receive module as depicted in the diagram in Figure A.

Figure A

Image: Waterfall Security

The transmit and receive modules are connected via a short fiber-optic cable. The transmit module contains a fiber-optic laser, allowing it to send traffic through the fiber-optic cable to the photocell in the receive module. The point being that optical traffic can only flow one way.

Real-time data transfer

The modules do, in fact, have software that is required to facilitate the transfer of data in near real-time. The software connects to the database on the industrial network, queries the database for information, and sends the information from the transmit module to the receive module. From there the data is moved to an identical database residing in a replica server on the corporate network.

The replica server's database allows operators to access all the information they need without having to attach to the SCADA system controlling the process. Ginter adds, "It is physically impossible to send information in, so you cannot compromise the control systems, cannot sabotage it."

SEE: How hackers attacked Ukraine's power grid: Implications for Industrial IoT security (ZDNet)

What to look for in a USG

For USGs and the server replication process to be effective, they both must be able to adapt to different network and SCADA technology. "The server replication process must be transparent to external users, and has no effect on the original operations servers," explains Ginter in the podcast. "External users access and use the replica servers in the same way they accessed and used the original operations servers, without changing working procedures."

Another important consideration is to determine if the USG system can replicate the industrial applications used by an organization such as process historians, process databases, control system servers, and OPC servers.

"The lesson here is that it is possible to secure SCADA systems more thoroughly than it is possible to secure IT systems," concludes Ginter. "We should raise the bar on security so high that attacks like the one in the Ukraine are not possible."

Let's hope Ginter is right. Trying to function without electricity for any length of time is becoming unthinkable.

Also see