Journey of a Cyberwarrior: SCADA/ICS infrastructure


Welcome to… “Journey of a Cyberwarrior”

As always, a warm welcome to all returning subscribers, and to newcomers, welcome aboard warriors!

Today we are diving into the exciting world of SCADA/ICS. Before we begin, a note: this article is divided into two parts. This first part outlines what SCADA/ICS is and how it works; in the second we'll look at different attacks and methodologies and at how to protect such critical infrastructure.

So first of all, what exactly is a SCADA/ICS?

ICS stands for Industrial Control System. It's a broad term that covers multiple elements, such as SCADA, Distributed Control Systems and Programmable Logic Controllers (PLCs); NIST (the National Institute of Standards and Technology) defines SCADA as a subset of ICS.

Now that we know what ICS is, it’s time to see what SCADA stands for right?

It stands for Supervisory Control And Data Acquisition (yes, the “and” counts too) and is a system that collects data from various devices that monitor and/or control something, and consolidates that data at a central server for visualization and historization.

More simply, SCADA systems are vital components of most nations’ critical infrastructure, including gas pipelines, water and wastewater systems, transportation systems, electrical utilities, refineries and chemical plants, manufacturing operations and much more.

It also includes sensors and other devices, for example programmable logic controllers, or PLCs for short (we will discuss them in a little bit), that directly interface with plant equipment or machinery.

SCADA systems are quite different from the systems we are familiar with. The protocols, for example, are completely different: inside the plants they are not using TCP/IP or the Internet, they are using proprietary protocols, which we’ll explore a little bit later.

Attacking a SCADA environment means targeting a process, not just a user or server. Take an oil refinery, for example: refineries usually stop the process once a year for a couple of weeks to do maintenance, and it takes a lot of time, energy and work to shut down one of those plants. Because it is a process, you can’t shut down only a piece of it; everything is interconnected, so the whole plant must be shut down.

Now, if you are a defender, you want to make sure no one is attacking that process; if you are an attacker, you are attacking that process to disrupt it. It is possible to knock out one segment of the process and disrupt the whole line because, as already mentioned, everything is choreographed with everything else: each segment of the process takes place in a very specific order under very specific conditions. If those conditions are not met, or the order is not the one it should be, the whole process is disrupted, which could lead to catastrophic consequences.

Think about the refining of diesel, for example: you have a petroleum product undergoing refinement to become diesel for our cars. If an attacker disrupted that process, the whole batch (which, depending on the size of the refinery, could be up to 31.8 million liters) would be ruined, and the refinery would have to shut down to identify and fix the problem, at a cost of millions of dollars. That is the best-case scenario; if the process is disrupted in specific areas, the plant could also blow up, and yes, that has happened in the past.

Simplified SCADA facility layout

The image above represents a typical layout of a SCADA facility in simple terms; of course, the bigger the facility, the more complex the layout.

So, our starting point as an attacker is there, in the corporate network, where the employee sits at his computer with his little Excel and Word files and so on. That corporate network, however, is separate from the ICS network, which sits on the other side of the firewall.

As a defender, the very minimum, almost super-basic, requirement is to put a firewall in place: it is quite difficult to get into the ICS network, but relatively easy to get into the corporate network, so that is your first mandatory step.

Now, if we were to defend the ICS, the safest way would be to air-gap it from the internet. A SCADA facility can run without internet access, so attacking it would require physical presence, which would be difficult for an attacker to obtain in such an important environment. However, that would also require personnel to be physically present on site 24/7, since they could not use a remote monitoring system.

Stuxnet attack

Natanz Nuclear Facility in Iran

An example of such a facility is the Natanz nuclear facility in Iran, which was hacked by the US in 2010 with Stuxnet (one of the most famous SCADA attacks in history; it used four zero-day vulnerabilities in Windows systems and specifically targeted Siemens PLCs running Step7 software). That facility was air-gapped from the internet, yet how the US got access to it still remains undisclosed; presumably they either paid somebody, had a spy, or somebody mistakenly brought in a thumb drive infected with Stuxnet.

The US NSA released that attack and let it spread all over the Middle East in the hope that it would find its way to the Natanz plant. It didn’t blow the plant up. To be effective in a SCADA attack, you don’t have to blow the plant up or shut it down; you just have to make the process inefficient and disrupt the delicate chain. Remember, these processes are very delicate: every element has to work properly and produce the proper output.

Enrichment of uranium-235

Now, Stuxnet attacked the centrifuges, which separate materials by weight; this is how you enrich uranium. These centrifuges separate the heavy isotopes from the light isotopes, and the heavy isotopes are what you want to use, whether for good or for weapons of mass destruction. So Stuxnet messed with the RPM (revolutions per minute) of the centrifuges, making the enrichment process fail, and it took the Iranians years to understand why, every time they started the process, the uranium came out unusable. Messing up the process was actually more effective than blowing up the facility.

Still, the best and safest option is to keep the plant offline. A very important question arises, however: can you afford to keep the plant offline? Managing a plant offline is very expensive because you need somebody in the plant all the time. If that person says at 2:00 am, “hey boss, we have a problem, something is not right”, and the boss is a few km away, he needs to get up and go to the plant in the middle of the night, not to mention that other technicians must be available 24/7 to come in in case of an emergency instead of just logging on. It could be a nightmare if a problem arises.

Continuing with online facilities: most of the time, attacks begin inside the corporate network, so as an attacker our first objective is to gain access to the corporate network. Again, that is simple; sometimes all we have to do is send an email with a link to an employee inside that network saying “hey, here is our latest sales report, give me some insight on it”. He clicks the link, we own the computer, and there you have it, we are inside the network. Our second objective is then to work our way into the ICS side.

How do we do that?


Well, getting into the ICS network is hard. The attack starts from the corporate network, and that firewall is basically the last line of defense against users who clicked a malicious link and compromised the corporate network. Once inside, an attacker must find a way to bypass or exploit the firewall to pivot into the ICS network. This could involve exploiting misconfigurations, stealing credentials for remote access, or introducing malware specifically designed to traverse segmented networks.

For example, sophisticated attackers might deploy tools to move laterally within the corporate network, seeking connections or credentials that bridge the corporate and ICS networks. The goal is to find that single weak link, be it an improperly segmented network, an unpatched vulnerability, or careless behavior by an insider, that opens the door to critical infrastructure.

Great! Now that we know what SCADA and ICS are, what exactly is a programmable logic controller?

PLCs are the brain behind industrial processes. These ruggedized computers are designed to automate specific tasks, like controlling machinery, monitoring sensors, or managing the flow of materials in a production line. What makes PLCs unique is their ability to operate in harsh environments, such as high heat, vibration, or humidity, which is why they’re a staple in industrial settings.

PLCs receive input from sensors, process that data based on programmed logic, and then issue commands to machinery or other systems. For example, in a refinery, a PLC might monitor temperature and pressure, ensuring they stay within safe operating ranges. If something deviates, the PLC can immediately trigger an alarm or shut down part of the process. Of course, this is a very rare event: as mentioned before, each segment of the process takes place in a very specific order under very specific conditions, so a deviation due to natural causes, without outside intervention, is very unlikely; not impossible, just very, very rare.

As we’ll see in the next part of this journey, attackers often target PLCs because they control the physical operations of industrial systems. By altering a PLC’s logic, they can disrupt or even sabotage entire processes.
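To make the PLC description above and the warning about altered logic concrete, here is an added Python model that is not part of the original article and not any vendor's PLC code: sensor readings are checked against constructed temperature and pressure setpoints, an out-of-range reading raises an alarm or latches a shutdown trip, and a digest of the commissioned setpoints lets a defender notice when the downloaded logic no longer matches the baseline. All limit values, signal names and the digest check are assumptions made for this illustration.

```python
"""Constructed model of a refinery-unit PLC scan cycle with safety interlocks.
Setpoints and signal names are invented; real PLC logic is vendor-specific."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

@dataclass(frozen=True)
class Setpoints:
    """Engineering limits downloaded to the PLC (constructed values)."""
    temp_high_c: float = 380.0    # high alarm: heater is cut
    temp_trip_c: float = 400.0    # trip: unit shuts down
    press_high_bar: float = 12.0
    press_trip_bar: float = 14.0

def setpoint_digest(sp: Setpoints) -> str:
    """SHA-256 of the canonical setpoints, recorded at commissioning."""
    blob = json.dumps(asdict(sp), sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()

def logic_unchanged(sp: Setpoints, baseline_digest: str) -> bool:
    """True when the running setpoints still match the commissioned baseline."""
    return hmac.compare_digest(setpoint_digest(sp), baseline_digest)

class UnitController:
    """One PLC program: read inputs, evaluate interlocks, write outputs per scan."""

    def __init__(self, sp: Setpoints) -> None:
        self.sp = sp
        self.tripped = False  # a safety trip latches until an operator reset

    def scan(self, temp_c: float, press_bar: float) -> dict:
        sp = self.sp
        if temp_c >= sp.temp_trip_c or press_bar >= sp.press_trip_bar:
            self.tripped = True
        high = temp_c >= sp.temp_high_c or press_bar >= sp.press_high_bar
        return {
            "alarm": self.tripped or high,
            "trip": self.tripped,
            "feed_valve_open": not self.tripped,  # trip isolates the feed
            "heater_on": not self.tripped and temp_c < sp.temp_high_c,
        }

    def reset(self, temp_c: float, press_bar: float) -> bool:
        """Operator reset is honoured only once the unit is back in range."""
        if temp_c < self.sp.temp_high_c and press_bar < self.sp.press_high_bar:
            self.tripped = False
        return not self.tripped
```

The latch is the point a defender should note: a single scan that crosses the trip limit isolates the feed and keeps it isolated, so an attacker who can rewrite the setpoints (for example raising `temp_trip_c`) quietly removes that protection, which is exactly what comparing the running setpoints against the commissioning digest is meant to catch.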

Understanding how PLCs work is key to defending against these threats, so stay tuned: our dive into the SCADA world, attack strategies and defense mechanisms has only just begun. Mastering how a SCADA facility operates isn’t just knowledge; it’s an essential skill every true cyberwarrior must possess.

Don’t forget to join next week’s edition where we’ll explore more about SCADA attacks and methodologies.
