Critical infrastructure may be at risk due to unprotected SCADA systems
Critical infrastructure at risk
Researchers have identified over 43,000 unprotected SCADA devices in operation across the globe.
Research from A&O IT Group points to the fact that the number of IoT/SCADA devices connected to the public internet without appropriate security measures in place is increasing, leaving these critical devices open to potential attack and hacking attempts.
Despite a number of high-profile attacks on SCADA systems, the majority of devices and protocols are not being robustly protected; however, some – particularly Modbus and S7 – are being taken more seriously from a security perspective.
“Since our last investigation in January 2020, the number of unprotected SCADA devices has increased, highlighting a gap between the connectivity of these devices and security,” said Hodei Lopez, security consultant at A&O IT Group. The increase seems to be linear across all protocols, and one theory is that this could be a consequence of making systems available to a remote workforce due to the Covid-19 pandemic.
Researchers scanned for unprotected devices on Shodan, focussing on six groups of SCADA devices, the total of which came to 43,546 unprotected devices – Tridium (15,706); BACnet (12,648); Ethernet IP (7,237); Modbus (5,958); S7 (1,480); DNP (517). “We have seen a rise in the number of IoT/SCADA devices connected to the internet, but there is a real mixture when it comes to their security. Some users of protocols such as Modbus and S7 are demonstrating improvements in their security posture, but others are not seeming to consider security at all,” continued Lopez.
Through their research, the A&O IT Group team discovered that the United States comes out top in terms of the biggest attack surface with a total of 25,523 unprotected devices and has the highest amount of unprotected Modbus (1,445), Tridium (10,483), DNP (294), BACnet (8,146) and Ethernet IP (4,843) devices. The only devices out of the six investigated where the US doesn’t have the most are the S7 devices, but they are a close second with 312 vs. Germany’s 321. Furthermore, many of the S7 devices in the US are Conpot honeypots, indicating a higher level of alertness. This backs up the joint advisory from CISA and the NSA released in July of this year, which suggested that more sophisticated IoT attacks and malware are expected by the US.
Others high up the list of the top ten countries with unprotected devices include Canada as well as a number of European countries such as Spain, Germany, France and the United Kingdom.
“Critical infrastructure runs on legacy networks which previously were air gapped by being kept separate from the IT network. Now, due to an increasing demand for connectivity and the ability to work remotely, these legacy networks, which are often 25+ years old, are becoming connected. As a result, this infrastructure that essentially runs the world has been opened up to a number of vulnerabilities and other security issues, leaving them open to cyber attack.
“Due to these previously stand-alone legacy networks now being connected to IT networks, cyber security for critical infrastructure is vital but somewhat lagging, and the first mistake security teams make is assuming that they can implement operational technology (OT) security by cloning their existing IT security strategy, but this is simply not the case,” said Lopez. “However, there is a lot organisations in industries such as manufacturing, production and energy can do to protect themselves, starting with visibility. In order to secure their entire infrastructure, it’s vital that organisations have a clear view of all of their assets connected to the network. Without this, vulnerabilities will be missed and provide an attacker with a clear path into the network.”
What else can organisations do to protect themselves? Firstly, as mentioned, visibility is key for security teams to know what assets are on their network and to avoid falling victim through unknown vulnerable devices. The importance of mapping the network and having a constantly updated and live list of active and dormant assets should not be underestimated.
Secondly, the importance of having a proper, secure infrastructure cannot be overstated. OT devices should be isolated from the company’s general IT network, usually behind a second firewall. The idea is that the networks are ‘separate but together’, not just one big network. Continuous security monitoring of the network and environment is also critical.
Finally, a continuous improvement in the networks is necessary. Firmware patches should be applied to firewalls and switches as soon as possible after testing, perimeter devices (such as firewalls or machines exposed to the internet) being a priority. Strong internal controls should be applied to restrict traffic that might not be trusted, and networks should always follow the rule of least privilege, not only for devices, but for users as well.
Power plant modernisation to ensure reliable, clean energy
The Tennessee Valley Authority (TVA) has tasked Emerson with the modernisation and optimisation of its Magnolia power plant.
The Magnolia project is part of TVA’s five-year, $110 million investment to install digital technologies across its power generating fleet. Emerson’s software and technologies will support TVA’s efforts to digitally transform the plant through advanced operations, enhanced cybersecurity and digital twin-enabled training.
Emerson will replace existing systems at the combined-cycle plant with its Ovation automation system and software. Digital twin technologies will provide advanced training to operators, enabling them to respond quickly and safely to power generation demands. Robust cybersecurity technologies are integral to the solution which is designed to enhance and secure operations at the facility.
“These upgrades are part of a larger long-term asset strategy to maintain our existing fleet in such a way that we can depend on their operation for years to come,” said Allen Clare, vice-president for gas & hydro operations at TVA.
Emerson and TVA are using virtual technologies in place of face-to-face interaction to keep the project moving forward during the Covid-19 pandemic. The project is expected to be completed in 2022.
TÜV Rheinland is now able to offer certification of personnel competence for explosive atmospheres.
Safety specialists familiar with explosion protection are in demand worldwide. This is because all companies that operate or set up potentially explosive plants need such experts – especially the oil and gas industry. “Such specialists must be able to work internationally. However, there is often a lack of comparability in training,” explains Marc Krugmann, explosion protection expert at TÜV Rheinland. As a result, companies looking for explosion protection specialists find it difficult to assess whether a specialist is suitably qualified in each case.
To remedy this problem, internationally active companies and testing organisations, including TÜV Rheinland, have jointly developed a certification scheme that allows for comparison of the training of technical specialists in explosion protection.
Known as ‘IECEx Certified Persons Scheme’, the program now offered by TÜV Rheinland provides suitable qualifications and is continuously adapted to the state of the art.
IECEx stands for the working area of the International Electrotechnical Commission (IEC) that deals with explosion protection. Those who pass the test receive a certificate that lists their own qualifications in a detailed and standardised manner. “Any company worldwide can trust that a certified explosion protection specialist can assess safety in potentially explosive atmospheres according to global standards,” said Krugmann.
To obtain the certificate, candidates must pass a theoretical and practical examination. This covers, for example, basic knowledge for entering potentially explosive atmospheres, installation and maintenance of explosion-proof equipment, detailed testing of explosion-proof equipment and installations, and auditing and testing of electrical installations in potentially explosive atmospheres.