Supervisory Control and Data Acquisition (SCADA) systems are the proverbial donkeys on whose backs the modern industry rests. Worryingly, targeted SCADA attacks could severely impact the basic utilities that modern life relies upon.
SCADA systems are centralized control systems designed to facilitate the supervision, management, and control of various industrial processes through a combination of software and hardware components.
These systems allow operators and engineers to remotely monitor, interact with, and manage diverse processes from a central location. Think of them as the technological backbone that empowers industries to monitor real-time data, collect crucial information, and make informed decisions that keep operations running smoothly.
Key Components of SCADA Systems
A typical SCADA system comprises several essential components, each playing a distinct role in the overall functionality of the system:
- Human-Machine Interface (HMI): This is the visual interface through which human operators interact with the SCADA system. It presents real-time data in an understandable format and provides tools for issuing commands and making adjustments.
- Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs): These are hardware devices responsible for interfacing with physical equipment, sensors, and machinery. RTUs and PLCs collect data from the field and transmit it to the central system while also executing commands sent by the central system.
- Communication infrastructure: SCADA systems rely on communication protocols to transmit data between the central system and the field devices. These protocols ensure reliable and secure data exchange over various communication channels, such as wired and wireless networks.
- Data storage and processing: The central system processes, stores, and analyzes the data collected from field devices. It generates reports, trends, and alarms based on the received data to assist operators in making informed decisions.
Security through obscurity
Nearly all modern SCADA systems can be reached over a TCP/IP connection. In the past, these systems benefited from security through obscurity: they were considered safe because few people knew they existed and even fewer understood their technologies. Now that IoT search engines and other reconnaissance tools exist, these systems can no longer rely on obscurity. In an era of cyber terrorism and hybrid warfare, it bears emphasizing that an impact on a SCADA system can translate into real-life consequences, such as a nuclear meltdown. Protecting SCADA systems is a must.
SCADA systems are used in electrical transmission systems, nuclear power plants, chemical plants, water treatment plants, home heating, etc. All these systems have digital controls, which could be a potential target for bad actors.
- Stuxnet and SCADA: Stuxnet is often referred to as the world’s first known cyber weapon. It was designed to target and manipulate industrial processes by exploiting vulnerabilities in SCADA systems. Specifically, Stuxnet targeted centrifuges used in uranium enrichment facilities, such as those in Iran. Its primary aim was to sabotage Iran’s nuclear program by causing physical damage to its uranium enrichment infrastructure.
- Disruption of operations: Adversaries could launch cyberattacks aimed at disrupting the normal operations of SCADA systems. This could involve manipulating control commands, causing process failures, or shutting down critical systems, leading to significant economic and operational consequences.
- Physical damage: Cyberattacks targeting SCADA systems could cause physical damage to industrial processes and equipment. For example, altering control parameters in a power plant could lead to equipment overheating or mechanical failures, resulting in physical damage and extended downtime.
- Safety risks: A compromised SCADA system could lead to safety hazards for personnel, communities, and the environment. Incorrect control commands or manipulation of safety systems could result in accidents, leaks, or even explosions.
- Targeting critical sectors: Bad actors might prioritize attacking SCADA systems in sectors such as energy, water, transportation, and manufacturing, as these sectors are fundamental to a country’s functioning and economic stability.
- Nation-state attacks: State-sponsored actors might conduct cyberattacks on SCADA systems as part of broader geopolitical conflicts, using cyberwarfare tactics to gain an advantage.
SCADA communication protocols
SCADA (Supervisory Control and Data Acquisition) systems use various communication protocols to enable the exchange of data between different components within the system. These protocols ensure reliable and secure communication between the central supervisory control system and the field devices, such as sensors, actuators, PLCs, and RTUs. Here are some common SCADA communication protocols:
- Modbus: Modbus is a simple, widely used communication protocol that originated on serial links and is also carried over TCP/IP. Because it is easy to implement, it is a popular choice for connecting PLCs and RTUs to the central SCADA system. Modbus TCP/IP communication typically takes place over port 502.
- DNP3 (Distributed Network Protocol 3): DNP3 is a robust and reliable protocol designed for communication between SCADA master stations and remote devices. It’s commonly used in utilities for monitoring and controlling power distribution systems. DNP3 over TCP/IP typically uses port 20000 for the control functions and 20001 for the monitoring functions.
- IEC 60870-5 (also known as IEC 870-5): This protocol standardizes communication between various types of electrical devices used in power systems. It has multiple parts, with Part 101 and Part 104 commonly used for telecontrol applications in SCADA systems. Ports 2404, 2405 and 2406 are used for IEC 60870-5 TCP/IP communication.
It’s worth mentioning that there are many more communication protocols – we’ve mentioned only the most popular ones.
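Knowing that Modbus/TCP lives on port 502 is only useful to a defender if the traffic on that port can be read. The following is an added example, not code from the original article or from any vendor: it parses the Modbus/TCP application data unit (the 7-byte MBAP header followed by the PDU), classifies the function code as a read, a write or an exception, and raises an alert when a state-changing write request arrives from a host that is not on an allowlist of engineering workstations. The sample frames, the allowlisted address 10.0.1.5 and the source addresses are all constructed for the example; the function codes and header layout come from the public Modbus specification.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Set

# Function codes from the public Modbus application protocol specification.
# The write codes are the ones that change controller state, so they matter most to a monitor.
READ_FUNCTION_CODES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
}
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes  # PDU payload after the function code


def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP ADU: MBAP header (transaction id, protocol id,
    length, unit id) followed by the PDU. Raises ValueError on anything that is
    not well-formed, so malformed traffic on port 502 becomes its own finding."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol identifier {protocol_id} is not Modbus (expected 0)")
    # The length field counts every byte after itself: unit id + function code + data.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    return ModbusFrame(transaction_id, protocol_id, length, unit_id, frame[7], frame[8:])


def classify(frame: ModbusFrame) -> str:
    """Label a PDU as read, write, exception (bit 7 of the function code set) or other."""
    fc = frame.function_code
    if fc & 0x80:
        return "exception"
    if fc in WRITE_FUNCTION_CODES:
        return "write"
    if fc in READ_FUNCTION_CODES:
        return "read"
    return "other"


def describe_write(frame: ModbusFrame) -> str:
    """Decode the target of the common single/multiple coil and register writes."""
    fc, data = frame.function_code, frame.data
    if fc in (5, 6) and len(data) >= 4:
        address, value = struct.unpack(">HH", data[:4])
        return f"{WRITE_FUNCTION_CODES[fc]} at address {address} with value 0x{value:04X}"
    if fc in (15, 16) and len(data) >= 5:
        address, quantity, byte_count = struct.unpack(">HHB", data[:5])
        return (f"{WRITE_FUNCTION_CODES[fc]} of {quantity} item(s) "
                f"starting at address {address} ({byte_count} data bytes)")
    return WRITE_FUNCTION_CODES.get(fc, f"function code {fc}")


def check_request(frame_bytes: bytes, source_ip: str, allowed_writers: Set[str]) -> Optional[str]:
    """Return an alert string for a malformed frame or for a write request from a
    host that is not allowed to change controller state; None when policy is met."""
    try:
        frame = parse_modbus_tcp(frame_bytes)
    except ValueError as exc:
        return f"MALFORMED from {source_ip}: {exc}"
    if classify(frame) == "write" and source_ip not in allowed_writers:
        return (f"UNAUTHORIZED WRITE from {source_ip} to unit {frame.unit_id}: "
                f"{describe_write(frame)}")
    return None


# Constructed sample frames (not captured from any real network).
READ_HOLDING = bytes.fromhex("000100000006" "0103" "0000000A")          # read 10 holding registers from 0
WRITE_SINGLE = bytes.fromhex("000200000006" "0106" "00101234")          # write 0x1234 to register 16
WRITE_MULTI = bytes.fromhex("00030000000B" "0110" "00000002" "04" "00010002")  # write 2 registers from 0
BAD_PROTOCOL = bytes.fromhex("000100010006" "0103" "0000000A")          # protocol id 1 is not Modbus

# Hypothetical engineering workstation that is allowed to issue writes.
ALLOWED_WRITERS = {"10.0.1.5"}

if __name__ == "__main__":
    samples = [("10.0.1.5", READ_HOLDING), ("10.0.1.5", WRITE_SINGLE),
               ("10.0.9.77", WRITE_SINGLE), ("10.0.9.77", WRITE_MULTI),
               ("10.0.9.77", BAD_PROTOCOL)]
    for src, frame in samples:
        print(check_request(frame, src, ALLOWED_WRITERS) or f"ok: {src} request within policy")
```

In practice the frames would come from a span port or a packet capture on the OT segment rather than from constants, and the allowlist would be the set of engineering hosts the plant actually authorises; the point is that reads and writes are distinguishable in the first byte after the header, so a write from an unexpected source is cheap to detect.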
The top five SCADA companies in the world
- ABB Ltd.
- Emerson Electric Co.
- Rockwell Automation Inc.
- Schneider Electric SE
- Siemens AG
How can bad actors find SCADA systems online?
Through IoT search engines
Shodan is a search engine that lets users look for various types of internet-connected devices (webcams, routers, servers, etc.). As you might know, SCADA systems can be found this way too. Since we know that Modbus runs on port 502, we can search Shodan for any IP that has that port open to the internet.
According to the Shodan search engine, there are 425833 servers running port 502.
Of course, not all servers with port 502 open are SCADA systems. To narrow the search down, we can take one of the top five SCADA companies and search by company name. Let’s take one from the list we provided earlier: “Schneider Electric”.
According to the Shodan search engine, there are 3445 servers associated with Schneider Electric.
Schneider Electric builds an automated building system called SAS (Schneider Automated Server). It’s used to automate the heating, cooling and security of high-tech buildings.
According to the Shodan search engine, there are 106 servers associated with Schneider Electric SAS.
- Exposed SCADA systems become prime targets for cybercriminals and hackers. They may exploit vulnerabilities, manipulate processes, or cause disruptions.
- Exposed SCADA systems increase the attack surface, providing more entry points for cyberattacks. This can lead to unauthorized access and control.
- Attackers may use techniques like brute force attacks to gain unauthorized access to exposed SCADA systems. Additionally, malware can exploit vulnerabilities and compromise system integrity.
- Distributed Denial of Service (DDoS) attacks can overwhelm exposed SCADA systems, rendering them unavailable to legitimate users.
How to protect SCADA systems from cyber attacks?
- Network segmentation: Isolate SCADA networks from less secure networks, such as the internet, through the use of firewalls and strict access controls. This minimizes the attack surface and limits the exposure of SCADA systems.
- Strong authentication: Require multi-factor authentication (MFA) for all access to SCADA systems. This adds an extra layer of security beyond passwords.
- Intrusion Detection and Prevention Systems (IDS/IPS): Deploy IDS/IPS solutions to monitor network traffic for signs of suspicious or malicious activity. These systems can help detect and block threats in real time.
- Incident response plan: Develop and regularly test an incident response plan that outlines the steps to take in the event of a cyber incident. This plan should include procedures for isolating affected systems and reporting incidents.
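Network segmentation and IDS monitoring are only as good as the evidence that they hold. The following is an added example, not code from the original article: it audits firewall log records against a simple zone policy, namely that only an engineering zone may reach the OT zone, only on the SCADA protocol ports listed earlier, and that OT hosts never connect outbound to addresses outside the internal address space. Every finding points at a rule that the firewall allowed but the policy forbids. The zone ranges (10.0.1.0/24 engineering, 10.0.2.0/24 OT), the log line format and the sample log lines are constructed for the example; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for external addresses.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed zone model (an assumption for this example, not from the article).
OT_ZONE = ipaddress.ip_network("10.0.2.0/24")           # PLCs and RTUs
ENGINEERING_ZONE = ipaddress.ip_network("10.0.1.0/24")  # hosts allowed to talk to the OT zone
SCADA_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 20001: "DNP3", 2404: "IEC 60870-5-104"}

# "Internal" is defined explicitly as the RFC 1918 ranges rather than via
# ipaddress.is_private, which also treats the documentation ranges used below as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log format: "<timestamp> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Flow:
    ts: str
    action: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[Flow]:
    """Turn one log line into a Flow, or None if the line does not match the format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["action"], m["proto"],
                ipaddress.ip_address(m["src"]), int(m["sport"]),
                ipaddress.ip_address(m["dst"]), int(m["dport"]))


def evaluate(flow: Flow) -> Optional[str]:
    """Return a finding when an ALLOWED flow violates the zone policy, else None."""
    if flow.action != "ALLOW":
        return None  # the firewall already blocked it; not a segmentation gap
    if flow.dst in OT_ZONE:
        if flow.src not in ENGINEERING_ZONE:
            return (f"{flow.ts} inbound to OT host {flow.dst}:{flow.dport} "
                    f"from outside the engineering zone ({flow.src})")
        if flow.dport not in SCADA_PORTS:
            return (f"{flow.ts} engineering host {flow.src} reached OT host {flow.dst} "
                    f"on non-SCADA port {flow.dport}")
        return None
    if flow.src in OT_ZONE and not is_internal(flow.dst):
        return f"{flow.ts} OT host {flow.src} connected outbound to external address {flow.dst}:{flow.dport}"
    return None


def audit(lines: List[str]) -> List[str]:
    """Run every line through the policy; unparseable lines are reported, not skipped."""
    findings = []
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            findings.append(f"unparseable log line: {line.strip()!r}")
            continue
        finding = evaluate(flow)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log (not from any real firewall).
SAMPLE_LOG = [
    "2024-05-01T08:00:01Z ALLOW TCP 10.0.1.5:50231 -> 10.0.2.10:502",       # engineering -> PLC, Modbus: fine
    "2024-05-01T08:00:07Z ALLOW TCP 203.0.113.45:41022 -> 10.0.2.10:502",   # external -> PLC: gap
    "2024-05-01T08:00:09Z DENY TCP 198.51.100.7:33333 -> 10.0.2.11:20000",  # blocked probe: no finding
    "2024-05-01T08:00:12Z ALLOW TCP 10.0.2.12:44102 -> 203.0.113.80:443",   # OT host calling out: gap
    "2024-05-01T08:00:15Z ALLOW TCP 10.0.1.5:50240 -> 10.0.2.10:22",        # SSH into a PLC: gap
    "corrupted entry",                                                       # reported as unparseable
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

The check is deliberately a policy audit rather than a signature IDS: it needs no knowledge of specific attacks, only of which zones and ports the plant intends to allow, which is the same information the segmentation design should already document. Fed the firewall's real allow logs, any finding is either a firewall rule to tighten or a documented exception to record.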