Implementing a cybersecurity strategy for cloud-based SCADA

It’s critical to have the proper framework and cybersecurity measures in place to help prevent cyber attacks for cloud-based deployments of supervisory control and data acquisition (SCADA) systems.

By Rusty Gavin, Honeywell Industrial Cyber Security August 14, 2018

Supervisory control and data acquisition (SCADA) in the cloud offers the potential for greater flexibility, scalability, and certainty. It also promises the ability to massively reduce capital expenditure, provide predictable costs, accelerate implementation, and quickly accommodate changes when adding or altering assets. As a more efficient deployment model, cloud-based SCADA is designed to reduce barriers to entry across many industries.

With cloud-based SCADA, there is no need for a control or backup center. Users can leverage the cloud infrastructure from their preferred service provider and move from a capital expenditure (CapEx) model to an operational expenditure (OpEx) model. Eight to 10 months for a SCADA project can be reduced to a few weeks. Also, users can start with fewer assets and add or remove them as needed. In addition, software versions are always kept current. Benefits are continually being proven in the industry.

For example, a project for a crude oil and natural gas exploration and production company in Canada used offsite SCADA to bring over 300 wells online within one month of signing the order. 

Cloud-based SCADA and cybersecurity

Cloud-based SCADA can offer a reliable and secure approach. On-site resources and expertise can be supplemented by remote support, continual monitoring and automatic updates provided by the service provider. In many ways, the design of communications is similar to topics considered in earlier SCADA systems, however now it is more important to have a solid cyber-secure design.

The issue of cybersecurity is critical in such systems as the number of threats to industrial control systems (ICSs) is growing. The move to digitization in industrial control systems has increased the cyber risks. Manually operated equipment has one upside: it can’t be hacked. As control functions are automated, the range of potential targets for an attack increases. Increasing connectivity, with more devices and systems networked in the Industrial Internet of Things (IIoT), has brought many benefits, but it has also brought cybersecurity concerns.

It is not just the "attack surface" or number of the vulnerabilities that has grown, but also the potential consequences of a cybersecurity breach. Increased regulatory expectations mean businesses risk serious reputational damage and costs (in terms of regulatory penalties) even without a successful breach. Those that are successful, meanwhile, have demonstrated the risks are far from theoretical. Examples include:

  • The Sandworm hackers caused blackouts for more than half a million people in the Ukraine in 2016—after targeting the U.S.
  • The Shamoon virus crippled tens of thousands of computers at Middle Eastern energy companies in 2012, and resurfaced four years later.
  • The WannaCry ransomware spread across the globe last year and affected more than one-third of the U.K.’s National Health Service trusts-and not just hospital computer systems, but medical equipment such as MRI scanners and blood testing devices, as well.

More than half of industrial facilities have experienced some form of cybersecurity incident, and three quarters expect an attack on their industrial control system (ICS), according to Kaspersky Lab.

Addressing the rise in cyber attacks

The number and range of cyber attacks is growing as threats evolve. Among the most worrying developments are that safety systems are being specifically targeted by hackers. In December 2017, hackers invaded a critical infrastructure facility’s safety system-described as a "watershed" moment in industrial cybersecurity. However, it actually followed an attack on the safety systems at a Middle Eastern petroleum company.

In addressing these risks, businesses are hampered by a number of factors. The first is general skills shortages as a result of a rapidly retiring workforce, and a lack of technical skills, specifically. Petroplan’s Talent Insight Index 2017 found that more than one in five in the oil, gas, and energy sectors indicated that they lacked the right talent for growth, and more than one-third said they needed greater information technology (IT) skills as the reliance on digitization and Big Data grew.

Meanwhile, within businesses, operational silos persist-between sites, businesses within groups and especially between IT and operational technology (OT) staff-despite the technological convergence. Operating in silos results in a lot of confusion as to who takes ownership and responsibility of these risks. This is significant because the traditional approaches for IT and OT differ. Specifically, availability in the operational space is a greater priority and is essential in many cases to safety. Appropriate security solutions for IT and OT, therefore, substantially differ.

With little in the way of consistent cybersecurity standards, there’s no "one size fits all" approach to implementing a cybersecurity strategy. 

Challenges with cybersecurity

There are two key dangers in terms of cybersecurity when it comes to cloud-based SCADA.

First, cybersecurity measures are ignored or inadequately addressed. Unsecured connections through satellite or radio communication provide hackers with an opportunity to target the remote site and hack into the cloud or SCADA system. Every unsecured valve site, for example, becomes a significant source of vulnerability.

Second, the risks are overstated to the extent that businesses are put off from cloud deployment. That would not only mean they miss out on the benefits cloud-based SCADA has in terms of efficiency, which would have a potentially bigger cumulative impact on the industry, but over the long-term than any of the cyber attacks that have occurred. It would also be unlikely—because of the shortage of skills and in-house resources to address cyber risks—to improve a businesses’ security.

That’s clear when attack vectors are considered, how breaches occur, and how malware or hackers get in. Hackers exploit common vulnerabilities including:

  • Unsecured points of connectivity to the ICS environment, with multiple equipment and system vendors given access.
  • External or business network security being compromised.
  • Employees and contractors falling victim to phishing or spearphishing attacks or through their laptops, phones, smart watches, IoT devices, or removable media. 

Securing access points

SCADA data is essentially benign information. The system collects and displays data from programmable logic controllers (PLCs) or remote terminal units (RTUs). It is essentially one-way traffic, providing a view of the facility’s status. It is not a control function. Security is important when looking at cloud-based SCADA, but it is not an insurmountable challenge.

The central problem to overcome for securing offsite SCADA solutions is the lack of centralization. Businesses are left trying to secure multiple access points (Figure 1) used by remote employees, contractors, customers, and the vendors of control systems and third-party equipment and software (where they are given remote connectivity for the purposes of upgrades, patching, monitoring, or support).

The numbers of these access points and the lack of central oversight and control lead to a variety of problems including:

  • Partial data availability on assets and events
  • No proper hardening
  • No proper monitoring, nor governance
  • No proper planning and accountability around cybersecurity.

Businesses are left to trust that personnel who make and manage the connection through these access points are doing so in a secure way—which is an assumption that shouldn’t be made.

This problem is only going to become more pronounced as the number of connected IIoT devices grows. Furthermore, there is an increasing need for advanced and Big Data analytics to receive value from the massive amounts of data being generated and transforming it into actionable intelligence. These analytics capabilities will either be located at the facility or cloud-based, requiring a secure data transfer tunnel (Figure 2).

Centralized cybersecurity

The key to cloud-based SCADA is security in the cloud—centralizing security through a cloud-based security center and communication center (Figure 3).

This security center can handle the authentication of connections, ensuring they are valid before allowing access to the communication server. The communications server, meanwhile, undertakes the authentication with a virtual security engine (VSE) located at each plant or site. The VSE also can initiate a connection with the communication server from the remote site and can be automated to occur at specified intervals or times so the server doesn’t have to constantly be connected.

All communications from these plants or sites pass through a secure tunnel, using port 443, with transport layer security (TLS) encryption, and a firewall rule can be enforced for all remote connections. This provides a distributed architecture with secure tunnels from operations to remote sites.

Traffic from the plants or sites is all channelled through the secure tunnel, while the communication server is protected by a firewall. If it is necessary to push down a patch or update, however, the secure connection also can be used to give access to technicians remotely.

This centralized approach to cybersecurity provides operations with the ability to define, automate, and monitor security policies across the SCADA environment, providing increased visibility, reliability and compliance. Organizations can centrally define plantwide policies, confidently deploy them, and automate execution and monitoring. It ensures all remote field assets are secure from the operations center.

Combined with a top-down security management platform, this architecture can be used to deliver robust ICS security following the NIST Cybersecurity Framework. This framework defines industry standards and best practices to help organizations manage cybersecurity risks. Combining centralized control with the security management platform gives businesses the ability to consistently meet these standards across all sites (Figure 4).

Existing manual security processes, such as patching do not scale well. cloud-based SCADA can centralize and automate these, while bringing consistency, visibility and control to cybersecurity across the enterprise.

Cloud-based SCADA offers significant benefits, but concerns over security could prevent an organization from following through with implementation. With a suitable architecture and cybersecurity, businesses can enjoy the benefits of cloud deployment while minimizing the risk of a cyberattack.

Rusty Gavin is OEM channel manager, Honeywell Industrial Cyber Security. Edited by Emily Guenther, associate content manager, Control Engineering, CFE Media, eguenther@cfemedia.com.

MORE ANSWERS

KEYWORDS: Cybersecurity, Supervisory control and data acquisition (SCADA)

Exploring cloud-based SCADA

Identifying potential vulnerabilities when working with cloud-based SCADA

How to minimize cybersecurity risks by understanding access points.

Consider this:

Could cloud-based SCADA reduce your cyber attack footprint? 

Original content can be found at Oil and Gas Engineering.