SCADA systems (Supervisory Control and Data Acquisition) or ICS (Industrial Control Systems) are not new: they have been around since the mid-1960s, evolving from the electric utility control systems of the 1940s. It is their age that now places them firmly in the security spotlight, because as they come up for replacement and upgrade they are increasingly being migrated onto corporate networks.
These systems were built to run over low-bandwidth serial connections and disparate, isolated networks. Today converged SCADA networks are increasingly common, running over cable, fibre and wireless IP networks. Few people understand how to compromise a serial SCADA link or a PLC (Programmable Logic Controller), but plenty know how to attack IP, and therein lies the problem: a once closed system is now increasingly open to abuse.
One risk of running SCADA over converged IP networks is that a compromise of the corporate network gives the attacker a route into the SCADA network. Corporate attacks are all too common, so this risk is not a theoretical one. Even an unsophisticated attack could cause havoc: a worm with no payload at all could be enough to knock out a system purely through the scanning traffic it generates. It is also worth noting that the reliability of IP-based SCADA equipment is sometimes fragile; a single badly constructed TCP/IP request can cause a failure without any malice intended.
Because we are talking about Critical National Infrastructure and utilities here, the risks are not to be taken lightly. If a SCADA system fails, what is its resting state? Does it fail-safe or fail-secure, and is that state safe for the particular environment? The difference between a valve or switch failing open and failing closed matters; soberingly, it can mean the difference between life and death.
So an attacker could reach a SCADA system over IP: via a compromised PLC programmer's laptop, a GPRS-enabled serial-to-IP converter, or a poorly implemented wireless set-up. The challenge for you is how to test your SCADA system without subjecting it to the same unforeseen and unknown risks.
Pen testing a SCADA system requires a tester with knowledge and experience of working with and programming PLCs and RTUs (Remote Terminal Units). Ideally there is a test rig to work against, so that a mistake during testing cannot have serious consequences on live equipment.
Ways to test SCADA / ICS
There are three ways to test the security of these environments:
- Configuration Review
- Grey Box Testing
- Black box Testing
Configuration Review
This is a 100% non-invasive, paper-based exercise.
It includes talking to the key individuals who support, manage and maintain the networks. We also scrutinise network diagrams and review the configuration files of devices such as switches and firewalls across the network, paying particular attention to the rules that separate the corporate network from the control network.
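The firewall part of a configuration review can be partly automated. The script below is an added example, not the original page's own tooling: it parses a constructed, iptables-save style ruleset and flags ACCEPT rules that let corporate address space (or "anywhere") reach the control network on well-known ICS protocol ports. The corporate and SCADA ranges, the port list and the sample rules are all assumptions made up for the example.

```python
"""Flag firewall rules that let corporate hosts reach ICS protocol ports.

Added example for a SCADA configuration review. The ruleset below is a
constructed iptables-save style fragment, not a real customer configuration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Well-known ICS/SCADA TCP ports (assumption: the site runs these protocols).
ICS_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    102: "Siemens S7 / ISO-TSAP",
    44818: "EtherNet/IP",
    2404: "IEC 60870-5-104",
}

CORPORATE = ipaddress.ip_network("10.0.0.0/8")    # assumed corporate range
SCADA = ipaddress.ip_network("192.168.50.0/24")   # assumed control network

# Constructed sample input, not a real firewall configuration.
SAMPLE_RULES = """
-A FORWARD -s 10.10.0.0/16 -d 192.168.50.0/24 -p tcp --dport 502 -j ACCEPT
-A FORWARD -s 10.20.5.7/32 -d 192.168.50.10/32 -p tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.50.0/24 -d 192.168.50.0/24 -p tcp --dport 502 -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -d 192.168.50.0/24 -p tcp --dport 20000 -j DROP
-A FORWARD -s 0.0.0.0/0 -d 192.168.50.0/24 -p tcp --dport 44818 -j ACCEPT
"""


@dataclass
class Rule:
    chain: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int
    target: str


# Matches the simple "-A CHAIN -s SRC -d DST -p PROTO --dport N -j TARGET" shape.
RULE_RE = re.compile(
    r"-A\s+(?P<chain>\S+)\s+-s\s+(?P<src>\S+)\s+-d\s+(?P<dst>\S+)"
    r"\s+-p\s+(?P<proto>\S+)\s+--dport\s+(?P<dport>\d+)\s+-j\s+(?P<target>\S+)"
)


def parse_rules(text: str) -> list[Rule]:
    """Parse rule lines; lines that do not match the simple shape are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        rules.append(Rule(
            chain=m["chain"],
            src=ipaddress.ip_network(m["src"]),
            dst=ipaddress.ip_network(m["dst"]),
            proto=m["proto"].lower(),
            dport=int(m["dport"]),
            target=m["target"].upper(),
        ))
    return rules


def find_exposures(rules, corporate=CORPORATE, scada=SCADA) -> list[Rule]:
    """Return ACCEPT rules that admit corporate (or any) sources to ICS ports on the SCADA net."""
    findings = []
    for r in rules:
        if r.target != "ACCEPT" or r.proto != "tcp":
            continue
        if r.dport not in ICS_PORTS:
            continue
        if not r.dst.overlaps(scada):
            continue
        # overlaps() also catches 0.0.0.0/0, i.e. "from anywhere".
        if r.src.overlaps(corporate):
            findings.append(r)
    return findings


def describe(findings) -> list[str]:
    return [f"{r.src} -> {r.dst} {ICS_PORTS[r.dport]} ({r.dport}/tcp) via {r.chain}"
            for r in findings]


if __name__ == "__main__":
    for line in describe(find_exposures(parse_rules(SAMPLE_RULES))):
        print("EXPOSED:", line)
```

Two of the five sample rules are reported: the Modbus rule from a corporate /16 and the EtherNet/IP rule open to any source. The checker deliberately ignores rule order, so a finding still has to be confirmed against the full chain, since an earlier DROP can shadow a later ACCEPT.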
Grey Box Testing
With grey box testing we first conduct a configuration review and then target selected 'safe' systems across the ICS / SCADA network, typically the backup/slave system or the development/test system. Due to the nature of these environments we always work with the client to customise the testing so that it meets their specific audit requirements.
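When a grey box test does touch a 'safe' host, the probes themselves should be constrained so that a mistake cannot change plant state. The code below is an added example, not the page's own tooling: it builds Modbus/TCP requests but only for read-class function codes (any write function is refused before a byte is sent), and it parses the reply defensively so that a malformed or truncated frame of the kind mentioned earlier raises an error instead of being trusted. The device responses are constructed byte strings, not captures, and the allowed function codes are an assumption about site policy.

```python
"""Read-only Modbus/TCP probe: refuses writes, validates replies.

Added example for grey-box testing of a 'safe' SCADA host. The frames marked
as constructed are made up for the example, not captured from a device.
"""
import struct

# Read Holding Registers (3) and Read Input Registers (4) are the only function
# codes this probe will ever emit (assumption: site policy allows read probes).
READ_ONLY_FUNCTIONS = {3, 4}
# Write functions are listed only so the refusal is explicit in the code.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


class UnsafeRequest(Exception):
    """Raised when a caller asks for anything that could change device state."""


class MalformedFrame(Exception):
    """Raised when a reply does not satisfy the Modbus/TCP framing rules."""


def build_read_request(transaction_id: int, unit_id: int, function: int,
                       start: int, count: int) -> bytes:
    """Return an MBAP header + PDU for a register read, refusing non-read functions."""
    if function not in READ_ONLY_FUNCTIONS:
        raise UnsafeRequest(f"function code {function} is not a permitted read")
    if not 1 <= count <= 125:          # protocol limit for a single register read
        raise ValueError("count must be between 1 and 125 registers")
    pdu = struct.pack(">BHH", function, start, count)
    # MBAP: transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_response(frame: bytes, expected_tid: int, expected_function: int) -> dict:
    """Validate framing and decode either register values or an exception code."""
    if len(frame) < 9:
        raise MalformedFrame("frame shorter than MBAP header + function + one byte")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise MalformedFrame(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise MalformedFrame(f"MBAP length {length} disagrees with frame ({len(frame) - 6})")
    if tid != expected_tid:
        raise MalformedFrame(f"transaction id {tid} != expected {expected_tid}")
    function = frame[7]
    if function == (expected_function | 0x80):
        return {"unit": unit, "exception": frame[8]}   # Modbus exception response
    if function != expected_function:
        raise MalformedFrame(f"unexpected function code {function}")
    byte_count = frame[8]
    data = frame[9:]
    if byte_count != len(data) or byte_count % 2:
        raise MalformedFrame("byte count does not match payload")
    registers = list(struct.unpack(f">{byte_count // 2}H", data))
    return {"unit": unit, "registers": registers}


# Constructed reply to "read 2 holding registers from unit 1": values 0x0001, 0x0100.
GOOD_RESPONSE = bytes.fromhex("000100000007010304" "0001" "0100")
# Constructed exception reply: 0x83 = 0x03 | 0x80, exception 2 (illegal data address).
EXCEPTION_RESPONSE = bytes.fromhex("000100000003018302")
# Constructed junk: MBAP length claims 255 bytes but only 3 follow.
TRUNCATED_RESPONSE = bytes.fromhex("0001000000ff010304")


if __name__ == "__main__":
    print(build_read_request(1, 1, 3, 0, 2).hex())
    print(parse_read_response(GOOD_RESPONSE, 1, 3))
    print(parse_read_response(EXCEPTION_RESPONSE, 1, 3))
    try:
        build_read_request(2, 1, 16, 0, 1)
    except UnsafeRequest as e:
        print("refused:", e)
```

The allowlist is the point: a tester's tooling on a production-adjacent host should make writes impossible by construction, not merely avoided by convention, and should treat any reply that violates the framing rules as a finding about the device rather than as data.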
Black box Testing
Black box testing is where we have no prior knowledge of the system.
This type of testing can only be carried out on a development or test system, as the risk of a system crash is so high and the outcome of such a crash could be catastrophic.
We recommend never testing a live system.