SCADA Security Basics: Why are PLCs so Insecure?
Last week Eric Byres addressed the difference between SCADA, ICS and other jargon in our industry. This week I am going to address a question I am often asked “Why are industrial networks so hard to secure?” This is a big topic, so today I will address only “Why are PLCs so Insecure?”
The History of PLCs
Historically speaking, PLCs (programmable logic controllers) have been around since the early 1960s. The PLC started to be used shortly after the microprocessor was invented, as it allowed companies to replace the racks of relays that had previously performed industrial control. These panels of relays were difficult to modify, were hard to maintain and were a challenge to diagnose if a problem arose. Fixing a set of relays is a difficult task, especially since failures had the annoying tendency to happen at 3am!
Before PLCs, racks of relays like the ones shown above (circa 1965) controlled industrial automation systems. Source: XL Technology Systems.
As you know, the ICS (industrial control system) industry covers a lot of ground: power generation and transmission, water/waste water systems, oil and gas pipelines and manufacturing, to name a few. PLCs were initially concentrated in the manufacturing sector, but soon they migrated to applications in most industries. For example, they were quickly selected as an ideal way to control very sensitive high speed systems, such as the compressors and turbines on natural gas pipelines.
Initially the PLC was a completely isolated device, but by the mid-70s communications capabilities started to be added. Soon companies realized that getting data from PLCs was necessary to monitor the efficiency and effectiveness of the plant floor. Furthermore, networking controllers together can also improve the safety and reliability of systems.
And as companies grow, other systems are often added and they are required to interface with the existing systems. For example, if a new gas turbine is brought online at a compressor station, then the data from that new turbine needs to be monitored in the same location as the other turbines.
PLCs tend to have very long life spans, often 20 years or more. Many of the PLCs in use today have been in operation for at least a decade, and when they were built, memory and CPU horsepower were very limited compared to what is available today. So while a new PLC might have lots of spare CPU power, the original PLCs controlling the gas turbines noted earlier probably have just enough working memory to perform their control functions, and barely enough storage space for their small operating systems. Adding new features, such as security, is a very tight fit!
A natural gas compressor station like this would have many PLCs controlling and managing the safety of both the prime movers and compressors.
Cyber Security was not a Concern Twenty Years Ago
Twenty years ago, who thought of cyber security? At that time, the word security referred to a set of keys to lock or unlock the door to the control room in the oil refinery. There was no Stuxnet back then; in fact, the Internet was just coming online.
The external world has changed immensely since then, but as I noted before, the PLC controlling the gas turbine is at least a decade old and is likely based on a design yet another decade older. And since no one knew about security 20 years ago, security was never designed into that PLC. Security was an afterthought or not even a thought at all.
The goal at the time was to provide the correct functionality to control various systems using that PLC. This goal was achieved, and the PLC is now an integral cog in any control system. The other goal was to make interconnection as easy as possible. There is, however, a negative impact: this interconnectedness makes it easier for a hacker or virus to gain access and propagate across a network. An unknown entry point in the office network may contain a long-forgotten link to the plant floor.
Imagine if Cyber Security was Addressed Twenty Years Ago
Since I love utopian thought, let us imagine that the engineers twenty years ago were paranoid. Let us imagine they had envisioned the interconnectedness of their PLCs and had worried about security holes and hackers, and let us imagine they had decided to build security into the PLC as an integral part of its functionality.
This would involve doing things such as:
- Creating a risk analysis of their PLC during the design phase
- Examining all the methods of access to the PLC, including HTTP (web service), Telnet, Modbus, etc.
- Thinking about “How could an enemy take advantage of this design?”
In addition, a code review of the network stack used could illuminate memory usage problems or holes in the Modbus server design, for example. Imagine how many attacks could have been mitigated, how many hours of downtime avoided, how much money saved if this kind of thinking had occurred!
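As an added illustration of what such a review of a Modbus server looks for (example code written for this article, not Tofino's or any vendor's firmware), here is a validator in C for a Modbus/TCP Read Holding Registers request that checks every field against the bytes actually received. The register-bank size and the sample frames are constructed.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed example, not vendor code: the input validation a Modbus/TCP
 * server should perform before it touches register memory. */
#define MBAP_LEN        7    /* transaction(2) protocol(2) length(2) unit(1) */
#define MAX_ADU         260  /* largest legal Modbus/TCP frame */
#define FC_READ_HOLDING 0x03
#define MAX_READ_REGS   125  /* spec limit for function 0x03 */
#define NUM_REGS        64   /* hypothetical register bank of a small PLC */

typedef enum { MB_OK = 0, MB_ERR_SIZE, MB_ERR_PROTO, MB_ERR_LEN,
               MB_ERR_FUNC, MB_ERR_QTY, MB_ERR_RANGE } mb_status;

/* Validate a Read Holding Registers request. Every field is checked against
 * the bytes actually received, so a hostile length or quantity cannot push
 * the server into an out-of-bounds read. */
mb_status mb_validate_read_holding(const uint8_t *buf, size_t n,
                                   uint16_t *addr, uint16_t *qty)
{
    if (n < MBAP_LEN + 1 || n > MAX_ADU) return MB_ERR_SIZE;
    uint16_t proto = (uint16_t)(buf[2] << 8 | buf[3]);
    uint16_t len   = (uint16_t)(buf[4] << 8 | buf[5]);
    if (proto != 0) return MB_ERR_PROTO;
    if (len != n - 6) return MB_ERR_LEN;          /* length = unit id + PDU */
    if (buf[7] != FC_READ_HOLDING) return MB_ERR_FUNC;
    if (n != MBAP_LEN + 5) return MB_ERR_LEN;      /* fc + addr(2) + qty(2) */
    *addr = (uint16_t)(buf[8] << 8 | buf[9]);
    *qty  = (uint16_t)(buf[10] << 8 | buf[11]);
    if (*qty < 1 || *qty > MAX_READ_REGS) return MB_ERR_QTY;
    if ((uint32_t)*addr + *qty > NUM_REGS) return MB_ERR_RANGE;  /* no 16-bit wrap */
    return MB_OK;
}

/* Constructed frames: a valid request, an MBAP length that lies about the
 * payload, a quantity of zero, and a read that runs past the register bank. */
static const uint8_t FRAME_GOOD[]   = {0,1, 0,0, 0,6, 1, 3, 0x00,0x00, 0x00,0x0A};
static const uint8_t FRAME_BADLEN[] = {0,1, 0,0, 0xFF,0xFF, 1, 3, 0x00,0x00, 0x00,0x0A};
static const uint8_t FRAME_QTY0[]   = {0,1, 0,0, 0,6, 1, 3, 0x00,0x00, 0x00,0x00};
static const uint8_t FRAME_RANGE[]  = {0,1, 0,0, 0,6, 1, 3, 0x00,0x3C, 0x00,0x0A};

mb_status mb_check(const uint8_t *f, size_t n)
{   uint16_t a, q; return mb_validate_read_holding(f, n, &a, &q); }

int main(void)
{   /* prints: good=0 badlen=3 qty0=5 range=6 */
    printf("good=%d badlen=%d qty0=%d range=%d\n",
           mb_check(FRAME_GOOD, sizeof FRAME_GOOD), mb_check(FRAME_BADLEN, sizeof FRAME_BADLEN),
           mb_check(FRAME_QTY0, sizeof FRAME_QTY0), mb_check(FRAME_RANGE, sizeof FRAME_RANGE));
    return 0;
}
```

The point of the review is the second length check and the 32-bit range arithmetic: a server that trusts the MBAP length field or adds address and quantity in 16 bits is exactly the kind of memory-usage hole the paragraph above describes.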
Vendors need to include Security in Product Design and Development
While there is no silver bullet in security, there are at least ways to be prepared and lessen threats.
Flash forward to today: we are in the era of Stuxnet, Duqu, and Gauss.
What does this mean? Now is the time for vendors to take action!
Vendors, start putting code reviews, security analysis, and risk assessments into practice. With the large increases in processor power and flash space in the last two decades, there is no excuse not to build a security layer into your current families of PLCs.
This forward thinking should become commonplace in the SCADA and ICS industry. Interconnectedness is not going away, nor is the threat of outside malware attacks or even the inside actions of disgruntled employees.
If there are no Silver Bullets, what is an Operator to Do?
The question then arises: what do I do with my old devices? These ideas about security are great for the PLCs being designed now, but I cannot retrofit my entire plant with new PLCs!
Rest assured there are ways to become more secure even with legacy devices. My recommendations are:
- Become knowledgeable about ICS security and industry standards
You are already doing this as you are reading this article. Keep reading our articles and take advantage of the many presentations, white papers, articles etc. this site has to offer.
In terms of industry standards, no matter what industry you are in I recommend that you become familiar with the key concepts in the ISA/IEC 62443 standards (formerly called ANSI/ISA-99 Standards).
- Use ICS Specific Security Technology
Security technology exists today that can be installed in live systems without harm to production, requires no configuration, can be installed by field maintenance people, and allows rules to be tested and changed without putting plant operations at risk. Of course I recommend the Tofino Industrial Security Solution, our own product, but you are welcome to look at others.
What is your ideal scenario for ensuring plant security? How much do you expect the vendors to do, and how much do you think needs to be done at the operator’s initiative? I look forward to hearing from you.
Erik Schweigert, BSc
Erik is the lead embedded systems developer at Tofino Security.
Practical SCADA Security thanks Erik for this article.