How the Industrial Internet of Things (IIoT) Puts SCADA Systems at Risk

The Industrial Internet of Things (IIoT) is made up of interconnected sensors, instruments and other devices networked together with ICS/SCADA systems controlling water utilities, transportation systems, electric grids (the power grid) and other critical infrastructure systems.

The Industrial Internet of Things is a natural progression of the Internet of Things. Connected gadgets are becoming increasingly popular in our homes. They make our lives easier, more convenient and more fun, but also add a level of extra worry for those who think about the possibilities.

From your Amazon Echo to your IP security camera, they are all potentially vulnerable. When we take this to an industrial scale, the consequences become potentially much greater.

The essential nature of IIoT devices is that they are connected to Internet-based cloud services. The safety and the protection of a country’s critical infrastructures is a national security issue and so with this in mind, the safety of using IIoT devices should be closely examined.

An attack can come from anywhere. Of course, there may be a party with a political, environmental or personal reason to infiltrate a system, but also we cannot rule out that someone may try to do so just for a challenge, just for the hell of it, for no ultimate reason that could ever have been predetermined.

Consider the case of the Ukraine power grid cyber attack in 2015. The power structure was compromised and control over the SCADA systems landed in the wrong hands, resulting in almost a quarter of a million people having no power for their homes or businesses.

Given the extreme complexity involved in managing urban infrastructures, there is no blanket solution for bringing all systems online at once.

High-ranking government offices including the US DHS (United States Department of Homeland Security) struggle to predict with any degree of accuracy the likelihood of an attack, or the scope of such an attack on IIoT networks, and the effects of such an attack on SCADA systems.

What are SCADA Systems?

SCADA is an acronym for Supervisory Control and Data Acquisition. There are major differences between what happens if an IT system goes down versus what happens if a SCADA system goes down. SCADA systems are responsible for some critical urban infrastructures and many other kinds of industrial processes, integral to the smooth running of towns, and even countries.

There is a growing threat to the functionality of SCADA systems. An attack can affect urban online systems, infrastructures, power grids, water utilities and many more vital systems. The increasing frequency with which cyber attacks are taking place is cause for concern.

This is particularly alarming as it pertains to the IIoT, and so it is of utmost importance that we ensure that IIoT devices cannot be compromised or mis-operated from compromised cloud services, resulting in physical problems. The repercussions of such problems could be huge and could put lives at risk.

For instance, an attacker could take down power to a town. Of course, it’s annoying when you have no power at home, but imagine a hospital with no power for the life support systems, or a city with no power for traffic lights. Suddenly the situation gets very serious very quickly.

SCADA systems generally monitor and control multiple PLCs (programmable logic controllers). PLCs form part of the Industrial Internet of Things. SCADA systems are typically used in electricity distribution networks and water systems.

Most SCADA systems are polled; a central master station sends requests every one to three seconds to distant PLCs requesting the current values of physical properties such as temperatures, pressures, flows, and equipment on/off statuses.

For example, when a PLC measures a 1 degree change in the temperature of oil in a pipeline, the PLC reports the change the next time the central SCADA master asks the PLC for the current value of that measurement point.
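The poll cycle described above, as an added simulation that is not code from the original article: a master station polls a simulated PLC at a fixed interval, a field reading changes between polls, and the master only learns of it at the next poll. The master also applies engineering-range and rate-of-change checks to each reply, which is one way a defender can flag a manipulated or faulty reading such as the sewage-system tampering discussed later on this page. The 2 s interval, the point name `oil_temp_c`, the limits and the field events are all constructed for the example.

```python
"""Simulated polled SCADA master and PLC (constructed example, not a real protocol)."""
import math
from dataclasses import dataclass, field

POLL_INTERVAL_S = 2.0  # page says masters poll every 1-3 s; 2 s is assumed here


@dataclass
class PLC:
    """Simulated outstation: holds the latest value of each measurement point."""
    name: str
    points: dict = field(default_factory=dict)  # point name -> current value

    def measure(self, point, value):
        # A field instrument writes a new reading into the PLC's register.
        self.points[point] = value

    def respond(self, point):
        # A poll returns whatever the PLC holds at that instant; nothing is
        # pushed to the master in between polls.
        return self.points[point]


@dataclass
class Master:
    """Simulated SCADA master: polls outstations and sanity-checks every reply."""
    limits: dict  # point -> (min, max, max_change_per_poll); assumed values
    last_seen: dict = field(default_factory=dict)
    alarms: list = field(default_factory=list)

    def poll(self, plc, point, t):
        value = plc.respond(point)
        lo, hi, max_delta = self.limits[point]
        prev = self.last_seen.get(point)
        if not lo <= value <= hi:
            self.alarms.append((t, plc.name, point, value, "out of engineering range"))
        elif prev is not None and abs(value - prev) > max_delta:
            # A physically implausible jump between two polls is worth an alarm
            # whether it comes from a broken sensor or a tampered register.
            self.alarms.append((t, plc.name, point, value, "implausible rate of change"))
        self.last_seen[point] = value
        return value


def report_delay(event_time, poll_interval=POLL_INTERVAL_S):
    """Seconds between a field change and the first poll that can observe it."""
    next_poll = math.ceil(event_time / poll_interval) * poll_interval
    return next_poll - event_time


def run_scenario(poll_interval=POLL_INTERVAL_S, n_polls=5):
    """Drive a simulated clock through n_polls poll cycles and return what the master saw."""
    plc = PLC("pipeline-plc-1", {"oil_temp_c": 40.0})
    master = Master(limits={"oil_temp_c": (-20.0, 120.0, 5.0)})
    # Constructed field events: (time in seconds, new oil temperature reading).
    # The last one is a jump no real pipeline would show within one poll.
    events = [(0.5, 41.0), (3.1, 41.5), (7.2, 90.0)]
    observations = []
    t, ei = 0.0, 0
    for _ in range(n_polls):
        # Apply every field change that happened at or before this poll instant.
        while ei < len(events) and events[ei][0] <= t:
            plc.measure("oil_temp_c", events[ei][1])
            ei += 1
        observations.append((t, master.poll(plc, "oil_temp_c", t)))
        t += poll_interval
    return observations, master.alarms


if __name__ == "__main__":
    obs, alarms = run_scenario()
    for t, v in obs:
        print(f"t={t:4.1f}s  oil_temp_c={v}")
    for a in alarms:
        print("ALARM", a)
    print("first change seen after", report_delay(0.5), "s")
```

The 1 degree change at t = 0.5 s is only visible to the master at the t = 2 s poll, so the operator's picture always lags the field by up to one poll interval; the rate-of-change check fires at t = 8 s on the 90 degree reading.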

Effective Ways to Protect Industrial Sites and Systems

It comes as no surprise that more industrial systems are going online every day. This naturally lends itself to increased security threats, as increased connectivity offers increased opportunities to deliver attacks as well as to deliver legitimate data. Security is not the primary focus of OT. Yet, unbeknownst to many outside the field of system safety, operational technology and information technology are inextricably intertwined. There are several ways in which enhanced security can be provided to operational technology systems using IIoT devices, notably:

  • Signed patches by the IIoT vendor.
  • Ongoing monitoring of operational technology vulnerabilities by IT employees.
  • Fully updated user interfaces and full accounting of operational technology assets.
  • Regularly scheduled meetings with operational technology operators to understand the system requirements.
  • Background checks of all stakeholders involved in patching, monitoring, processing, delivering, and handling of physical hardware.
  • Unidirectional security gateway technology implemented to secure the industrial control or SCADA network.

By the NIST 800-82r2 definition of “unidirectional gateway” the gateways are physically able to send information in only one direction – most commonly from a protected IIoT installation to the Internet. In addition, gateway software replicates servers and emulates devices.

Targeted attacks on SCADA Systems

Over the years, SCADA systems have been targeted by individuals, corporations, and governments seeking to inflict harm or damage on the operational structures they manage. The following examples are some that have been reported:

  • Maroochy Shire Sewage Spill – back in early 2000, a disgruntled contractor of the Maroochy Shire sewage company committed a revenge attack against the company and the town council. He used a wireless radio transmitter to infiltrate the sewage treatment system and change data on SCADA control devices. As a result, over 800,000 litres of sewage was dumped into parks and the local river.
  • Stuxnet – this multi-government-sanctioned attack on the Iranian nuclear facilities took place in mid-2010. It was implemented within high security nuclear facilities via a USB flash drive and the Windows operating system. By the most credible estimates of the International Atomic Energy Agency, roughly 1000 extra uranium gas centrifuges were discarded from the Natanz uranium enrichment site during the months Stuxnet was thought to have been active. The worm slowly sped up and slowed down the centrifuges, most likely taking the centrifuges through critical vibrational resonance points, which caused the centrifuges to shake to pieces.
  • Zotob Worm at Chrysler Plants – while not specifically a premeditated attack on the SCADA system, this virus infected Chrysler’s manufacturing plants via the Internet. The worm ravaged the control network through an infected computer and spread throughout the system ultimately resulting in 50,000 assembly line workers ceasing production for an hour.

It is clear that the protection of industrial systems, networks and communication channels is sacrosanct, insofar as SCADA systems are concerned. The security of SCADA systems is increasingly important and differs markedly from corporate IT security. For example, the primary risk differences between SCADA and corporate IT can be summarized as follows:

  • SCADA has very high integrity requirements while corporate IT has low to very high requirements
  • SCADA system failure could result in loss of life/serious injury, failure of service delivery and so forth. For corporate IT the losses will generally be confined to business operations only.
  • SCADA systems must perform in real time with no accommodation for latency. For corporate IT, latency may be acceptable.

SCADA systems are expressly focused on safety, while corporate IT focuses on confidentiality and integrity.

Securing SCADA systems and their new IIoT components will therefore continue to be a high priority for industrial enterprises.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
