Evolving security needs for SCADA radio security

4RF Ltd
By John Yaldwyn, CTO, 4RF Communications Ltd, New Zealand
Monday, 26 September, 2011


Cyber security is a key issue today and rarely out of the headlines. While most public focus relates to the Internet, SCADA engineers and security experts know that cyber terrorism concerns go beyond the Internet to other vectors, such as wireless.

Figure 1: Anonymous, a hacker nom de guerre associated with the image of Guy Fawkes. Copyright info: The image is by Vincent Diamante and is from Wikimedia covered under the Creative Commons Attribution-Share Alike 2.0 Generic licence.

Real threats exist from disgruntled ex-employees, those who ‘hack for fun’, radical protest groups and state sponsored entities who make deliberate attacks against information systems affecting infrastructure, property and lives.

In May 2009, President Obama remarked “The cyber threat to the massive grids that power our nation ... is one of the most serious economic and national security challenges we face as a nation.”

During the World Economic Forum held in Davos in 2009, International Telecommunication Union secretary-general Dr Hamadoun Touré called for an international cyber war peace treaty.

The British minister of state for security and counter-terrorism, the Baroness Pauline Neville-Jones, said in March 2010 “I do not rule out the prospect of an aggressive act of such a scale which deliberately targets the networks that are the nerve system of the country’s critical infrastructure - that is, the energy grid, our water supplies”.

With increasing concerns worldwide and high-profile incidents, such as Stuxnet and Aurora, utilities must consider and plan for the emerging security regulatory environment that will be mandated by governments.

Polling telemetry SCADA radio equipment operating at VHF or UHF is a popular and effective means of data collection and remote control. These systems traditionally operated at 300 and 1200 bps using audio frequency-shift keying over analog FM radios operating in 25 kHz channels.

In response to pressure for both higher data rates and for more efficient use of the radio spectrum, SCADA radios are now available from a number of manufacturers that operate at 9600 bps in 12.5 kHz channels.

Users contemplating migration to these devices will benefit from a range of new operational enhancements including IP support and SNMP management. However, one of the most critical features that must be considered is security.

Radio-based networks offer a natural and convenient vector for hacking, as Australia’s own infamous Maroochy Shire case illustrated, but this need not be a concern if proper security protection mechanisms are implemented.

In fact an enterprise owned SCADA radio network can be made more secure and operate with higher availability than systems that rely on telco infrastructure, including cellular based systems.

A comprehensive security evaluation is the first step in working towards SCADA network protection. This evaluation should include fundamentals, threat analysis, management and best practice:

  • Fundamentals: integrity, availability, confidentiality, and non-repudiation
  • Threat analysis and attack vectors
  • Management interfaces and protocols
  • Industry security standards and government best practice recommendations

A reliable network must be designed around maintaining integrity and availability. Integrity aims to prevent the accidental or malicious modification of SCADA information transiting the network.

The SCADA communications network must ensure that control messages received by remote assets are the same messages that were originally sent by the SCADA master - a pump ‘halt’ message that changes to a ‘run’ message may have catastrophic consequences.

Network availability also needs to be considered: the system is no good if control messages fail to arrive - the pump ‘halt’ message that never arrives may also have catastrophic consequences.

In good RF hardware design, forward error correction and redundancy check mechanisms address these goals. Combined with proper coverage planning, they eliminate the effect of interference and other potentially negative propagation effects.

A secure network must be designed around maintaining confidentiality and non-repudiation. Confidentiality prevents unauthorised access to data, implemented using encryption to reduce the leakage of information to potential attackers.

Robust and recognised cryptographic algorithms such as triple DES or, ideally, the newer AES should be used. Encryption on its own is not a security panacea: once an attacker has established, by some means of observation, what a given control message does, even the encrypted message can be captured and replayed.

Non-repudiation goes the necessary step further by establishing the authenticity of data, so that valid commands cannot be refuted and invalid commands are ignored, preventing replay and man-in-the-middle attacks.

Authentication requires a degree of sophistication not often seen in SCADA equipment. A useful means of user data authentication is the cipher block chaining message authentication code (CBC-MAC) technique specified in the National Institute of Standards and Technology publication SP 800-38C.
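As an added example, not code from the article or from any 4RF product, the following Go program shows how an authentication tag and a sequence counter together provide the integrity and non-repudiation properties described above. The remote end recomputes an AES CBC-MAC over the sequence number and payload, ignores any frame whose tag does not match (a ‘halt’ altered to ‘run’ in transit), and ignores any frame whose sequence number is not newer than the last one accepted (a captured frame replayed later). The frame layout, field names, key and the ‘PUMP1 HALT’ payload are constructed for the example. The MAC here is the length-prepending variant of CBC-MAC; a production design would use a standardised construction such as CCM from SP 800-38C, which adds the nonce handling and formatting needed for variable-length messages.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame is a simplified SCADA control frame constructed for this example;
// it is not a real SCADA radio protocol.
type Frame struct {
	Seq     uint32 // per-link counter, strictly increasing from 1; detects replay
	Payload []byte // the control message itself, e.g. "PUMP1 HALT"
	Tag     []byte // 16-byte AES CBC-MAC over Seq and Payload
}

var (
	ErrBadTag = errors.New("authentication tag mismatch: frame ignored")
	ErrReplay = errors.New("sequence number not newer than last accepted: frame ignored")
)

// cbcMAC computes AES CBC-MAC with the message length in the first block
// (the length-prepending variant), because raw CBC-MAC is only secure for
// fixed-length messages. Zero IV, zero padding, full 16-byte tag.
func cbcMAC(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	buf := make([]byte, bs, bs+len(msg)+bs)
	binary.BigEndian.PutUint64(buf[8:], uint64(len(msg)))
	buf = append(buf, msg...)
	if rem := len(buf) % bs; rem != 0 {
		buf = append(buf, make([]byte, bs-rem)...) // zero padding
	}
	mac := make([]byte, bs)
	for i := 0; i < len(buf); i += bs {
		for j := 0; j < bs; j++ {
			mac[j] ^= buf[i+j] // chain: XOR block into previous cipher output
		}
		block.Encrypt(mac, mac) // in-place encrypt (exact overlap is permitted)
	}
	return mac, nil
}

// authData is the byte string the tag covers: sequence number then payload.
func authData(seq uint32, payload []byte) []byte {
	d := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(d, seq)
	return append(d, payload...)
}

// Seal is what the SCADA master does before transmitting a command.
func Seal(key []byte, seq uint32, payload []byte) (Frame, error) {
	tag, err := cbcMAC(key, authData(seq, payload))
	if err != nil {
		return Frame{}, err
	}
	return Frame{Seq: seq, Payload: payload, Tag: tag}, nil
}

// Receiver holds the per-link replay state at the remote terminal unit.
type Receiver struct {
	key     []byte
	lastSeq uint32 // highest sequence number accepted so far (0 = none yet)
}

// Accept verifies the tag first, so a forged frame can never move the replay
// window, and then requires a strictly newer sequence number.
func (r *Receiver) Accept(f Frame) ([]byte, error) {
	want, err := cbcMAC(r.key, authData(f.Seq, f.Payload))
	if err != nil {
		return nil, err
	}
	if subtle.ConstantTimeCompare(want, f.Tag) != 1 {
		return nil, ErrBadTag
	}
	if f.Seq <= r.lastSeq {
		return nil, ErrReplay
	}
	r.lastSeq = f.Seq
	return f.Payload, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit demo key only
	rx := &Receiver{key: key}
	halt, _ := Seal(key, 1, []byte("PUMP1 HALT"))
	_, err := rx.Accept(halt)
	fmt.Println("genuine halt:", err) // nil: accepted
	_, err = rx.Accept(halt)
	fmt.Println("replayed halt:", err) // ErrReplay
	halt.Payload = []byte("PUMP1 RUN!")
	_, err = rx.Accept(halt)
	fmt.Println("halt altered to run:", err) // ErrBadTag
}
```

The tag is checked before the sequence number on purpose: if the order were reversed, an attacker could exhaust the sequence space with unauthenticated frames and lock out the master. The comparison uses a constant-time routine so that tag verification time does not leak how many bytes of a guessed tag were correct.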

In military parlance the phrase 360 degree perimeter is used to describe the establishment of an outwards facing defence around a secured objective.

At 4RF we use this terminology to describe the consideration and protection of all the risk vectors of our SCADA radio products. Each possible interface - serial, ethernet, USB and over-the-air - must be considered for weakness from both user data and management perspectives.

For example, the USB type A interface is used to upload new firmware into the product. To prevent maliciously altered software from being introduced into radios, the hardware is programmed to recognise and load only those firmware files on a USB memory stick that have been encrypted with the system key.

The 360-degree concept can be extended to consider management interfaces (further addressed below) and new advanced concepts, such as the incorporation of distributed microfirewalls at each ethernet interface, as recommended by the British Centre for the Protection of National Infrastructure.

Such microfirewalls should prevent, or at the least control, the use of telnet, ICMP, and FTP protocols. Of course the use of government standards should be an important part of establishing SCADA industry best practice.

One of the key advantages of modern IP-based systems is the relative ease of management through industry standard means, such as the simple network management protocol and often web-style HTTP browsing.

These require user authorisation levels to limit access to parameters. Limiting the number of personnel who can change functional settings reduces the potential of inadvertent or malicious tampering, such as disabling encryption or authentication.

User authentication via HTTPS and SSL should be incorporated, with session cookies that expire when the browser is closed. Automatic logout should be mandated so that if users fail to end their management session it is terminated after a pre-determined time.

Other security precautions such as data/management IP port segregation (only possible on devices with multiple ethernet physical interfaces) should be implemented.
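As an added example, not the article's or any product's code, the following Go session store implements the two management-interface safeguards just described. The cookie it issues carries no Expires or MaxAge, so it is a session cookie that the browser discards when closed (Secure and HttpOnly additionally keep it off plain HTTP and out of page scripts), and every request is checked against an idle timeout so that an abandoned session is terminated on the server side whatever the browser does. The ten-minute timeout, the cookie name and the ‘operator’ user are assumptions made for the example; the store is meant to sit behind an HTTPS handler that has already checked the user's credentials.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"sync"
	"time"
)

// IdleTimeout is how long a management session may sit unused before it is
// terminated. Ten minutes is an assumed value for this example.
const IdleTimeout = 10 * time.Minute

var ErrSessionExpired = errors.New("session expired or unknown: re-authenticate")

type session struct {
	user     string
	lastSeen time.Time
}

// SessionStore is a minimal server-side session table. Now is injectable so
// the idle timeout can be exercised deterministically in tests.
type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]*session
	Now      func() time.Time
}

func NewSessionStore() *SessionStore {
	return &SessionStore{sessions: map[string]*session{}, Now: time.Now}
}

// Login is called after the HTTPS handler has verified the user's credentials.
// It returns the cookie to set: no Expires/MaxAge makes it a session cookie
// dropped when the browser closes; Secure and HttpOnly limit where it travels.
func (s *SessionStore) Login(user string) (*http.Cookie, error) {
	raw := make([]byte, 16) // 128-bit random session id
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	id := hex.EncodeToString(raw)
	s.mu.Lock()
	s.sessions[id] = &session{user: user, lastSeen: s.Now()}
	s.mu.Unlock()
	return &http.Cookie{
		Name: "mgmt_session", Value: id, Path: "/",
		Secure: true, HttpOnly: true, SameSite: http.SameSiteStrictMode,
	}, nil
}

// Touch validates the session id presented on a request, enforces the idle
// timeout (deleting the session if exceeded) and refreshes the activity time.
func (s *SessionStore) Touch(id string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[id]
	if !ok {
		return "", ErrSessionExpired
	}
	now := s.Now()
	if now.Sub(sess.lastSeen) > IdleTimeout {
		delete(s.sessions, id)
		return "", ErrSessionExpired
	}
	sess.lastSeen = now
	return sess.user, nil
}

// Logout ends a session explicitly (the user pressed "log out").
func (s *SessionStore) Logout(id string) {
	s.mu.Lock()
	delete(s.sessions, id)
	s.mu.Unlock()
}

// ActiveSessions reports how many sessions are currently held.
func (s *SessionStore) ActiveSessions() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.sessions)
}

func main() {
	store := NewSessionStore()
	cookie, _ := store.Login("operator") // assumed user name
	user, err := store.Touch(cookie.Value)
	fmt.Println("first request:", user, err) // operator <nil>
	store.Logout(cookie.Value)
	_, err = store.Touch(cookie.Value)
	fmt.Println("after logout:", err) // ErrSessionExpired
}
```

Because the timeout is enforced in Touch on every request, a user who simply closes the laptop lid is logged out by the radio itself after IdleTimeout, and a stale cookie cannot be reused later even if it was copied before the session went idle.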

SCADA radio system implementations should consider key security recommendations for industrial control systems published by multiple standards bodies, including:

  • IEC/TS 62351 (TC57) ‘Power System Control and Associated Communications - Data and Communication Security’
  • IEC/TR 62443 (TC65) ‘Industrial Communications Networks - Network and System Security’
  • NIST IR 7628 DRAFT ‘Smart Grid Cyber Security Strategy and Requirements’
  • IEEE P1711/P1689/P1685 for consideration of serial communications cryptographic retrofits

The North American Electric Reliability Corporation, responsible for the reliability of US power grids, has established the ‘Cyber Security Standards’ for critical infrastructure protection (CIP-002 through CIP-009) that provide a useful security framework reference.

CPNI, formerly the National Infrastructure Security Coordination Centre, publishes a wide range of references including a good practice guide ‘Firewall Deployment for SCADA and Process Control Networks’.

Just a decade ago there was little interest in SCADA security. SCADA systems today need to be hardened through the implementation of powerful security features.

While some SCADA radios have encryption, few have the necessary features such as authentication, firmware encryption, management safeguards and the other components needed to fully address security issues.

The selection of future-proof designs incorporating security measures for SCADA network components is needed to provide insurance against threats, as well as to reduce eventual compliance costs as government infrastructure security recommendations turn into regulations.

Figure 2: 4RF Aprisa SR SCADA radio.
