TechnologyNovember 13, 2009

Understanding and minimizing HMI/SCADA system security gaps

Abstract background

Being at the heart of an operation's data visualisation, control and reporting for operational improvements, HMI/SCADA systems have received much attention, especially due to various cyber threats and other media fuelled vulnerabilities. The focus on system security has grown exponentially in the last decade, and as a result, everyone involved with implementation f operational issues will consider more closely what it takes to protect what is usually the focal point of most systems.

HMI/SCADA TECHNOLOGY has developed functionality, scalability and interoperability over the last 20 years. For example, the software has evolved from being a programming package that merely visualises data within a programmable logic controller (PLC) to being a development suite of products to deliver 3D visualisations, intelligent control capability, data recording functions, and networking. With systems and implementations becoming increasingly complex, some industry standards have emerged with the goal of improving security. However, part of the challenge is knowing where to start in securing the entire system.

The purpose here is to explain where vulnerabilities within a HMI/SCADA system may lie, describe how the inherent security of system designs minimise some risks, outline some proactive steps businesses can take, and highlight several software capabilities that can enhance security.

SCADA security in context
The International Society of Automation (ISA) production model demonstrates the layered structure of a typical operation, and shows that HMI/SCADA security is only one part of an effective cyber security strategy. These layers of automated solution suites share data, and wherever data is shared between devices, there is a possibility for unauthorised access and manipulation of that data. We focus here on the HMI/SCADA layer, but unless other potential weaknesses at other levels are covered, the operation as a whole remains vulnerable.

To minimise existing security gaps, companies need to first understand where potential vulnerabilities typically lie within the system. Software features, along with the advanced automation hardware and industrial communications, have made control systems multi layered, complex and susceptible to threats. An HMI/SCADA system’s level of security is best understood if broken down into two major elements: communications and software technology.

Communications
Advances here have made large scale HMI/SCADA system implementations successful for many industry applications. There are two levels of communication that exist within the system IT realm and the field producing notable security level differences.

IT realm. Components of an HMI/SCADA system are modular, not only to allow for easy troubleshooting but also to distribute the computing load and eliminate a single point of failure. It is not uncommon to have multiple thick, thin, web and mobile runtime clients connected to the main HMI/SCADA server hub over an internal Ethernet-based network. However, in some cases, systems may use external leased lines, modems, wireless, cellular, or satellite technologies as well.

The main HMI/SCADA server hub also comprises multiple networked servers to distribute the load, ensure uptime, and store the mass amount of data. With these components all networked in some way, they use standardised common protocols to transfer data, all of which are largely unencrypted, requiring either weak or no authentication.

Field. HMI/SCADA implementations frequently consist of a number of widely dispersed remote sites with a control or data gathering function, all connected to a central control and monitoring point. Data has to be passed between the control room and the remote terminal units (RTUs) over a network – which may be fibre optic, telephone or wireless – and the protocols for passing this data have frequently been developed with an emphasis on reliability and ease of implementation rather than security.

Modern computing facilities have made secure practical encryption almost impossible to defend against a determined hacker, so communications between devices need to employ several layers of defence with the primary aim to make access to the data difficult, but also detect if the data has been compromised.

Software technology
Software over the years has largely become feature bloated as companies keep adding new capabilities while maintaining all of the existing ones, increasing the complexity of software security. There are two separate but dependent software technologies in the system, the HMI/SCADA software and the Platform Operating System, which have distinct differences when it comes to security values.

HMI/SCADA software. Most HMI/SCADA software installations have either external network connections or direct Internet connectivity to perform remote maintenance functions and/or connect up to enterprise systems. While these types of connections help companies reduce labour costs and increase the efficiency of their field technicians, it provides a key entry point for anyone attempting to access with a malicious intent.

Platform operating system. Operating systems that employ elements of consumer or open source operating systems such as Windows Server, Linux and Unix variants are increasingly popular since they help reduce costs. This trend toward open technologies has made proprietary custom, closed, highly secure systems a direction of the past, but their use increases the risks.

Because HMI/SCADA systems are complex and contain multiple layers of technology, even a simple system patch is a major undertaking that requires planning, funding and time. The risk elements are also substantial because many systems now rely solely on their HMI/SCADA system for visualisation, data recording and some control elements. And to this point, some companies hold back on patches, service packs and upgrades, while others choose not to apply any new patches employing an ‘if it works, don’t touch it’ policy. Furthermore, software patches have generally been developed to cover for a security breach that has already occurred.

Some would say that even if companies could keep their platforms current, with the fast pace of consumer-based operating systems and large number of system exploits, platform operating systems are the single largest security risk in the system.

Reducing risk by design
The good news is that some vulnerability is minimised by the nature of system and software design whereby the fundamental principles and canons of engineering mandate safe and reliable systems. This ensures a basic level of security to protect against an intruder. Engineers design systems with intentionally broken automated chains: in some cases functions require physical confirmation prior to the software performing commands and in other cases, the SCADA software only does a portion of the command, requiring one or many additional manual steps to execute the complete function.

Inherent system security is best surmised at the software and hardware levels.

 

    • Software: With many viewing HMI/SCADA software as a visualisation tool that provides a means for dynamic operator input, and visualisation as a flexible information terminal, the reality is that HMI/SCADA software capabilities are much more exhaustive. When elements are added such as control and logic capabilities, system engineers must examine the risk from a potential failure standpoint and the extent of control that is allowed without being in line of sight of the area being controlled.

Software is also developed from the operator’s perspective and uses company guidelines throughout the application to ensure the operator is controlling with intent. While this doesn’t necessarily bring additional security from external intruders, it does provide enhanced protection against mistakes. For example, the ‘select before operate’ design philosophy is typically used in HMI/SCADA applications. This requires the operator to select an item on the screen, pull up the controlling elements, operate the item, and finally confirm to send the command. While this might seem like a simple ideology leading to a drawn-out process, the design intent ensures that an operator’s actions are deliberate as opposed to a hasty reaction to an urgent situation.

Inherent security example: manufacturing and part movement
…an HMI/SCADA system is programmed to command an automated gantry to move manually.

  • To move the automated gantry, the HMI/SCADA ‘soft’ button must be engaged as well as separate manual pushbuttons.
  • The automated gantry system is also interlocked with photoelectric sensors, and will not move if it detects any object within its operating area.
  • Additionally, there are two physical mats on the plant floor outside the operating area within line of sight of the gantry on the plant floor-one in front of the HMI/SCADA terminal and one in front of the manual pushbutton station. These mats have built-in sensors to ensure that someone is physical present prior to operating.
  • All conditions must be true for the automated gantry system’s manual functions to be powered up and engaged. This type of system design is largely for the safety of the workforce, but also ensures that a hacker cannot independently operate this function if he has control of the HMI/SCADA system.
  • Hardware: At this level, design engineers employ many techniques to ensure safe control, either physically or by the HMI/SCADA software. Thousands of individual devices and RTUs can exist in a system and are typically implemented with an area-based manual or automatic control selection: field technicians use manual control to perform maintenance or to address a software failure-locking out the software control and establishing local control.

Additionally, when engineers design this level of the system, many hardware-based fail safes are built into the design such as fusing or hardwire interlock logic to examine the local situation, so when components are commanded by the HMI/SCADA software, there is a hardware level of checks to ensure it can be executed. This protects the system from unsafe or even incorrect software control. Furthermore, many critical applications use triple- and quadredundant logic controllers to ensure continuous operation.

The general design rule that system engineers apply for all levels of a system can be summarised as: If a single point of failure exists, protect it or provide secondary means.

In other words. design philosophies should result in an holistically safe and secure environment, severely impeding an intruder’s ability at the HMI/SCADA level to compromise the entire system.

However, even the safest system design and industry standards cannot secure a system with 100% confidence. Companies should thus not rely on them wholly to protect their systems. Instead, they should take a proactive approach to enhancing security, and a good starting point is knowing what technologies are available to help them best meet their needs.

Inherent security examples: water treatment and chemical control
…an HMI/SCADA system in a water treatment plant is the main control point for chemicals being added to the water. One of the key chemicals controlled by the HMI/SCADA system is chlorine. Excessive amounts of chlorine could be hazardous to public health, and conversely too little can also put people in danger, so engineers have designed a level of safety into the automation system.

  • While the HMI/SCADA system controls the main chlorine values, downstream chlorine sensors continuously measure the concentration level and have the ability to cut off the chlorine addition in the event of abnormal levels.
  • The metering control elements are isolated from the HMI/SCADA control with the only interaction between the systems being a one way alarming connection to enunciate in the event of abnormal levels of chlorine.
  • Additionally, water treatment facilities are mandated to frequently test the chemical makeup of the outgoing water. The system’s operators analyze the test results daily and have the ability to cut off and bypass the chemical systems based on the test results.
  • With this multitiered automation and manual ability designed into the system, the system as a whole has an inherent level of security against rogue remote control and malicious attacks.Be proactive: Enhance your security with software capabilities!

Selecting a trusted solution provider with deep expertise, experience and advanced technologies is also critical. Off the shelf HMI/SCADA solutions have successfully helped companies minimise their security gaps with a broad range of security based software technologies, including:

  • Biometrics – When bio-security elements are integrated to the system, customers can program their system to require finger scans to perform specific functions such as switching on and off the grid’s main switchgears, which ensures that the appropriate person be physically present to execute the order. This type of integration eliminates the possibility of a hacker performing the same operation virtually – reducing the overall potential impact and enhancing system security
  • Electronic Signature – Many view this option as a simple reporting tool. However the features are much more comprehensive. For example, it can introduce authentication potential at the command level to verify the user performing the operation with a username and password as well as a separate authentication, typically a manager, for verification. The information is then stored in a system audit trail that can be recalled in the future; some customers also choose to integrate this feature with biometrics to eliminate the use of a single, widely known username and password.
  • Authorised connections and client/server data encryption – Many off the shelf HMI/SCADA software products now have built in features that limit the allowable client connections to known computers and use integrated data encryption for client communications. This protective capability eliminates the possibility of a hacker simply loading the HMI/SCADA client and connecting over the network.
  • Domain authentication – To leverage complex alphanumeric passwords at the HMI/SCADA level, some software packages offer Windows Domain Authentication security integration. For example, GE Fanuc features an application add-on that maps group memberships to its HMI/SCADA software roles and when integrated, the users and subsequent passwords are managed at the IT level. This allows for the HMI/SCADA application to leverage existing group IT level policies, which are typically very stringent and can exceed industry requirements.
For critical examination…
Examine your field assets, particularly older, remote components:

  • How does the SCADA communicate with them? Can this be secured?
  • Is the control network adequately separated from other networks?
  • Where are the points of entry/failure? Are there redundant options?

Examine your IT assets:

  • Are the services/software running on an asset the minimum needed to maintain functionality?
  • How secure is that software and does the software employ passwords, biometrics or retina protection?
  • Do you have easy access to the operating system and SCADA system patches? Is this automatic?

Examine change management software policy:

  • What is the policy for implementing an operating system and SCADA patches – does it cover all assets?
  • Are all assets protected (covered by firewalls and anti virus software)?
  • How easy is it to manage user accounts across all layers of software – is there an integrated system that includes the operating system and software products or does each product have separate user accounts and passwords?

Examine your access control:

  • Does your SCADA software allow anonymous client connections?
  • Is there a robust login policy with regular renewal of passwords?
  • Does each user have an appropriate limit to their actions?

And finally…
The vulnerabilities of HMI/SCADA systems pose a serious threat, and the complexity of multilayered technologies make it difficult to completely secure one’s operation. As discussed here, the inherent safe design of most HMI/SCADA systems offers some protection, but by no means enough to fully protect systems. That’s why it’s important for companies to better understand where vulnerabilities exist within their systems and to take a proactive approach to address those susceptible areas. Off the shelf HMI/SCADA vendors offer software solutions with security based capabilities, which can help companies enhance the protection of their critical infrastructure assets and reduce costs for a sustainable competitive advantage.

Marcel van Helten is market director, infrastructure, GE Fanuc Intelligent Platforms

Kyle Reissner is product marketing manager, automation software with GE Fanuc Intelligent Platforms