Research Article Vulnerability Analysis of Network Scanning on SCADA Systems
Total Page:16
File Type:pdf, Size:1020Kb
Hindawi Security and Communication Networks Volume 2018, Article ID 3794603, 21 pages https://doi.org/10.1155/2018/3794603 Research Article Vulnerability Analysis of Network Scanning on SCADA Systems Kyle Coffey, Richard Smith, Leandros Maglaras , and Helge Janicke De Montfort University, Leicester, UK Correspondence should be addressed to Leandros Maglaras; [email protected] Received 14 September 2017; Revised 5 December 2017; Accepted 5 February 2018; Published 13 March 2018 Academic Editor: Jianying Zhou Copyright © 2018 Kyle Cofey et al. Tis is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Supervisory Control and Data Acquisition (SCADA) systems and Industrial Control Systems (ICSs) have controlled the regulation and management of Critical National Infrastructure environments for decades. With the demand for remote facilities to be controlled and monitored, industries have continued to adopt Internet technology into their ICS and SCADA systems so that their enterprise can span across international borders in order to meet the demand of modern living. Although this is a necessity, it could prove to be potentially dangerous. Te devices that make up ICS and SCADA systems have bespoke purposes and are ofen inherently vulnerable and difcult to merge with newer technologies. Te focus of this article is to explore, test, and critically analyse the use of network scanning tools against bespoke SCADA equipment in order to identify the issues with conducting asset discovery or service detection on SCADA systems with the same tools used on conventional IP networks. Te observations and results of the experiments conducted are helpful in evaluating their feasibility and whether they have a negative impact on how they operate. Tis in turn helps deduce whether network scanners open a new set of vulnerabilities unique to SCADA systems. 1. Introduction SCADA and ICS technologies are prevalent not only within manufacturing industries, but also within the organ- ICS and SCADA systems are an integral aspect of the modern isations responsible for the safety and wellbeing of citizens industrial environment and the Critical National Infrastruc- around the globe [3]. Water treatment facilities, electrical ture (CNI). For many years, SCADA and ICS networks were grids, and nuclear power stations all rely on a combination of a completely independent sector of any business or agency, SCADA and IP networks in order to control the distribution where the feld devices and industrial mechanisms which and regulation of the services they provide [4]. As these interacted with physical assets were separate from the corpo- industries have become greater in both scale and complexity, rate networks or intranet. However, as Internet technologies the automation and upkeep of all the technology within these became ever more integrated into modern society, and as cor- environments must be handled by machines and computers. porations began to grow exponentially around the globe, the Having the ability to remotely monitor and control large demand for remote auditing and control of industrial systems industrial sights allows companies and industries to expand increased. Tis resulted in the merging of Internet Protocol their capabilities in order to provide more services to the (IP) and SCADA/ICS technologies, which in turn exposed general public, whilst at the same time making the data acces- the older feld devices to a new set of attack vectors, leading to sible to the staf responsible for operating and engineering the unprecedented vulnerabilities when integrated with IP [1]. In technologies in question. Half of signifcant security incidents an age where threats from the cyberdomain are ever evolving, that are occurring are due to a particular element, which the tools used to perform security audits and penetration has not been changed since the inception of information tests against IP systems are subsequently being used on the security management, which is people [5]. All the examples older SCADA/ICS networks. Tese tools, without the correct stated above contain resources which not only are essential confguration, could cause substantial damage to the SCADA to the operation of modern-day life but could potentially devices connected to a business’s infrastructure, rather have devastating consequences if any of these systems were than helping to protect and audit them [2]. to malfunction. Tese systems threaten not only the lives of 2 Security and Communication Networks thepeoplewhousethistechnologybutalsotheenviron- 2. Related Work ments and the civilisations which surround these facilities [6]. Tefocusofthissectionistoexploreandcriticallyanalyse Similar to when a cyberattack is launched against a the current research into the issues with conducting asset company’s database or web server, the exploitation or mis- detection or network scans on SCADA systems with the use of the devices found on a SCADA network can have same tools used on conventional IP networks. Emphasis will negative efects on both the clientele and the corporation be on identifying the diferent types of network scanning [7]. However, unlike the IP networks in abundance today, methods and the tools which are currently available to SCADA systems are threatened not only by hackers wishing security auditors, penetration testers, and black hat hackers. to exploit vulnerabilities in sofware or frmware but also by ReferencewillbemadetothebespokeelementsofSCADA the tools commonly associated with monitoring, auditing, systems, specifcally the types of devices used to monitor and securing networks. Using tools which have not been and control feld equipment such as sensors and valves. confgured to interact with the bespoke devices that reside on Discussion will then be targeted at how the current tools SCADA networks could cause the devices to become unre- areusedonthesebespokedevicesandwhethertheyhave sponsive[2]oralterthedatabeingreceivedbythedeviceor a negative impact on how they operate. Te intention is being stored on the device [7]. In such an event, feld devices toidentifyhowmuchknowledgethereisabouthowthese including water pumps, electricity generators, or pneumatic two technologies interact with each other and where the instruments could either stop functioning or begin to behave signifcant vulnerabilities may lie. erratically, causing damage to either the devices themselves, Te analysis of sources within this document suggests the products they interact with, or the customers who use that a better understanding is needed about how network their facilities. Whereas IP networks can cause signifcant scanners interact with SCADA networks. Te lack of under- damage to intellectual property and personal privacy, there standing of how SCADA devices react to being scanned and is evidence that malfunctioning SCADA systems have caused the subsequent consequences this may have is a signifcant physical damage [8], all of which could be an efect of using factor which underlines the analysis in this document. It is thewrongsecuritytoolsonincompatiblenetworks. clear that network scanners must be directly tested against Although there has been recognition within the industry nonoperational SCADA devices in order to report on how the that the improper use of IP scanners has caused failures two technologies interact and whether they are compatible. within an industrial control process, there has been a lack of Tis will then allow the owners of these systems to better resources directed at educating people on exactly why these understand the consequences of using newer, IP-based tools IP scanners cause issues and whether there are any alternative on older SCADA networks. Tis knowledge will inform the methods which can facilitate a stable scan of a SCADA users of SCADA how to adapt or develop new ways of system. Te existing literature highlights that IP scanners performing asset detection without having damaging impacts are being used to gain information about SCADA systems on not only the devices themselves but the millions of [9], the types of devices that are potentially vulnerable when civilians who rely on the integrity and consistency of these scanned [10], and the consequences of performing scans on systems on a daily basis. live systems [7]. Reconnaissance, whether passive or active, lawful or mali- Te key aim of this article is to identify how network cious, remains one of the most important parts of any strate- scanners interact with SCADA devices and whether or not gic cybersecurity operation [11]. Network scans help visualise they cause signifcant disruption to the way these devices the confguration of a communications infrastructure and operate. Also, the results of this research aim to enhance the help identify possible methods of entry or exploitation. understanding of reconnaissance technologies when applied Reconnaissance can be achieved through service detection to SCADA networks. To do this, experiments need to be and operating system fngerprinting, two key features of conducted in order to monitor how a range of network many network scanning tools [12]. Conducting reconnais- scanners execute their asset/service detection scans and to sancewithinthecyberdomainhasbecomeevenmorevital see if this causes the normal operation of SCADA networks as the CNIs of various countries are now governed and con- to change or malfunction. Once this