The major industries of today are composed of finely automated sectors, which are operated by interconnected, self-regulating systems known as industrial control systems. Examples of such industries include transportation, electric, oil and natural gas, utility power, mining, discrete manufacturing, chemical, metals, food, water, and pharmaceutical.
Initially, most of the industrial control system components were physically found in secured areas, and were not connected to IT systems or networks. This meant that local threats were the only security concern. With the rapid evolution of technology and communications, industrial control systems are increasingly being merged with IT networks, making the former significantly less isolated from the outside world. This requires a whole new set of security measures to protect the industrial control systems from external and remote threats as well as the localized ones. Additionally, the implementation of wireless networks makes the whole system even more vulnerable, as the number of possible threats now includes physically proximal adversaries who do not have a direct access to the equipment.
The endless list of potential threats to an industrial control systems might include discontented employees, hostile governments, malicious intruders, terrorist groups, natural disasters, accidents, complexities as well as accidental or malicious actions by insiders.
In order to ensure the security of a system, it may be insufficient to follow the advice outlined in the NIST 800-82 or NERC CIP guidance: it might be best to perform a more detailed penetration test. Such security assessments require not only basic network security skills but also knowledge of the equipment, SCADA-specific protocols and vulnerabilities.
The original SCADA protocols (vendor-specific protocols include ModbusRTU, DF1, Conitel, and Profibus) were serial-based, meaning that the master station initiated the communication with the controllers. Nowadays, almost all SCADA protocols are encapsulated in TCP/IP and can be operated over Ethernet.
To get a better understanding, one can use Modscan32 to connect to the programmable logic controller and view register data by entering the IP address and TCP port number in the tool.
If there is no live programmable logic controller available to work with, one can always use the ModbusTCP simulator to practice capturing traffic with Wireshark, configuring the Object Linking and Embedding for Process Control Server and building human-machine interfaces.
The security assessment of this highly sensitive environment should be conducted with extreme care in order to avoid causing harm to the environment.
Leron Zinatullin, zinatullin, @le_rond
Business-oriented information security professional with several years of proven experience in architecture design and project management. Extensive knowledge and practical experience pertaining to analysing and solving governance, risk, compliance, information security and privacy issues.