Supervisory Control and Data Acquisition (SCADA) is a system that provides control of remote equipment. Such equipment, including heating, ventilation, and air conditioning (HVAC) systems, however, has been found to be connected to the Internet in some cases with inadequate security. This, understandably, provides hackers with a potential gateway to critical corporate systems.

Cloud security provider Qualys indicated that their research found that most of the approximately fifty-five thousand HVAC systems connected to the Internet over the past two years had security vulnerabilities that were easily exploited. This is particularly concerning because some of these systems control sewage treatment pump houses, drinking water treatment facilities and even power plants. Imagine the disasters that could take place if one or more of these facilities were shut down for a length of time.

Beyond the risk to the equipment itself, such access lets hackers use these systems as a foothold into enterprise networks and then ‘leapfrog’ onto other corporate systems.

In order to properly protect these systems, corporations should use strong passwords and, ideally, limit their access to specific IPs. In an even more ideal scenario, SCADA systems wouldn’t be on the Internet at all, or would be accessible via ‘dial-in’ methods of authentication. Additionally, the ‘dial-in’ setup could limit access to specific or single “caller-ids”, which would require the hacker to exploit another system altogether before gaining access to the SCADA.

Looking back at the breach of Target’s network in November 2013, it happened because of a lack of network segmentation. Because the HVAC system had access to the rest of the network, the hackers were able to jump from one system to another and gain access to sensitive payment information.

These types of security breaches are preventable with the right network security solution. By monitoring communication behaviors, security professionals and network administrators become aware of abnormal data transfers. Most of these baselining technologies rely on flow data (e.g. NetFlow, IPFIX, etc.), which already exists on a majority of corporate networks.

Since flows are collected as information moves across the network, no network communication goes unseen. As such, any unwanted activity can be quickly stopped. For example, below is a scenario of how a security breach can be prevented on even non-secured SCADA systems:

Let’s say the hacker accessed the corporation’s HVAC SCADA system. Because the company has a NetFlow collection system, all traffic to and from the SCADA device is being logged for future audits. If and when a break-in is suspected, a full investigation can take place. Odd behaviors that often warrant further analysis include excessive traffic to and from the HVAC system, excessive new connections, direct connections to the Internet that don’t utilize a VPN, or even communication with other non-SCADA systems, e.g. mail servers, payment processing servers, etc.

By creating alarms and communication thresholds in your NetFlow/IPFIX collection software, you can prevent data exfiltration and diminish the effects of a security breach more quickly and easily than you otherwise could.
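As an added illustration of the thresholds described above (not code from this post or from Plixer’s products), the following Python script runs the four checks over a constructed, CSV-flattened flow export: it assumes 10.50.1.0/24 is the SCADA enclave, 10.0.0.0/8 the corporate address space, and that SCADA hosts never legitimately source flows to public addresses because remote access is supposed to go through the VPN.

```python
import csv
import ipaddress
from collections import defaultdict

# Constructed NetFlow/IPFIX-style export flattened to CSV; these are made-up sample
# flows. 10.50.1.20 is the assumed HVAC controller and 10.50.1.10 its assumed HMI.
FLOW_RECORDS = """\
src_ip,dst_ip,dst_port,bytes
10.50.1.20,10.50.1.10,502,1200
10.50.1.20,10.50.1.10,502,980
10.50.1.20,10.10.0.25,25,15000
10.50.1.20,10.10.0.40,443,9800000
10.50.1.20,203.0.113.77,443,52000000
10.20.3.5,10.10.0.40,443,3000
"""

SCADA_HOSTS = {"10.50.1.20", "10.50.1.10"}           # assumed SCADA devices
SCADA_SUBNET = ipaddress.ip_network("10.50.1.0/24")  # assumed SCADA enclave
INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # assumed corporate space
ROLE_BY_PORT = {25: "mail server", 443: "payment/web server"}  # assumed roles
BYTES_THRESHOLD = 10_000_000   # alarm on any single flow above 10 MB
PEER_THRESHOLD = 3             # alarm on more than 3 distinct destinations

def parse_flows(text):
    # Convert the CSV export into dicts with numeric port and byte fields.
    rows = list(csv.DictReader(text.splitlines()))
    for rec in rows:
        rec["dst_port"], rec["bytes"] = int(rec["dst_port"]), int(rec["bytes"])
    return rows

def analyze(flows):
    # Return (host, reason, detail) alerts for flows sourced by SCADA hosts.
    alerts, peers = [], defaultdict(set)
    for f in flows:
        src, dst, port = f["src_ip"], f["dst_ip"], f["dst_port"]
        if src not in SCADA_HOSTS:
            continue                      # only baseline the SCADA devices here
        peers[src].add(dst)
        dst_addr = ipaddress.ip_address(dst)
        if dst_addr not in INTERNAL:      # public address reached without the VPN
            alerts.append((src, "direct Internet connection", dst))
        elif dst_addr not in SCADA_SUBNET:
            role = ROLE_BY_PORT.get(port, "unknown role")
            alerts.append((src, "talks to non-SCADA host", f"{dst}:{port} ({role})"))
        if f["bytes"] > BYTES_THRESHOLD:
            alerts.append((src, "excessive transfer", f"{f['bytes']} bytes to {dst}"))
    for host, dsts in peers.items():
        if len(dsts) > PEER_THRESHOLD:
            alerts.append((host, "excessive new connections", f"{len(dsts)} distinct peers"))
    return alerts
```

Calling `analyze(parse_flows(FLOW_RECORDS))` on the sample raises five alerts, all for the HVAC controller; a real collector would apply the same logic per time window rather than over a static export.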

See for yourself how a NetFlow solution can help you protect your SCADA systems; download our NetFlow solution, today.


Justin Jett is Director of Audit and Compliance at Plixer with roles ranging from system administration of web services to technical product marketing for Plixer’s incident response system, Scrutinizer. Jett, a graduate of the University of Maine at Farmington, is an avid learner of all things security, with a particular interest in TLS and DNS attacks.