The security of industrial control (IC) systems and SCADA systems around the world has never been as threatened as it is today. Modern society expects 100% uptime for all “taken-for-granted-services” like electricity, water, wastewater, traffic lights, and so on. However, systems running these services have never been as exposed to threats as they are in this digital age. As SCADA systems evolve, they increasingly use off-the-shelf hardware and software like Microsoft Windows, Transmission Control Protocol (TCP), and Internet Protocol (IP) instead of legacy proprietary computers and components. This has resulted in systems that are more interconnected than ever as information sharing becomes a more crucial part of efficient and cost-effective day-to-day operations. The elusive and last frontier of security – the air gap – is no more. And where network connectivity is not an option, removable devices are used to transport data from Point A to Point B.

Removable media challenges

How bad can it get? The problem with using removable media like USB drives for data transport between systems without security measures is illustrated in a recent newsletter from the US Industrial Control Systems Cyber Emergency Response Team (US ICS-CERT). According to the newsletter, two US-based power plants were infected with malware after using USB drives in their SCADA systems. At one of the plants this resulted in downtime and delayed the plant’s restart by three weeks. That is some serious money lost.

Other examples of malware wreaking havoc include the recent widespread infections at Saudi Aramco and RasGas, where malware was planted via USB drives. At Saudi Aramco approximately 40,000 computer hard drives were completely wiped. One can only imagine the cost involved.

The US ICS-CERT said, “A good backup procedure should incorporate best practices for USB usage to ensure that malicious content is not spread or inadvertently introduced, especially in critical control environments. This procedure should include cleaning the USB device before each use.”

As none of the infected power plants had updated antimalware software, there was no way the now-infected computers could have detected the malware on the inserted USB drives.

Almost everyone has heard the phrase, “The control system shall be protected by an automatically updated antivirus system.” This is a requirement many vendors of IC and SCADA systems get from their customers. The requirement is reasonable and natural, but it may be very difficult to comply with.

Until now, there have not been many good alternatives to traditional anti-malware software, and these are not built to meet the challenges faced in a control system. Many control systems are built on top of a very specific Windows installation, and the supplier does not leave much room for changes on the computer to guarantee that the computer does what it is supposed to do. And here is the challenge with standard, off-the-shelf anti-malware software: Every update of signature files constitutes a change of the system. After an update the computer may behave in an unwanted manner. Almost everyone has experienced false positives from an anti-malware package, and in a control system a false positive may be disastrous.

The control system’s network may be at some point connected to an office network for log data, production data, etc. This is an attack vector for malicious software, but it is reasonably easy to get good control over this type of entry point. The USB port, on the other hand, is a different story. There is software that limits/denies access to the USB port, but that does not really solve the problem as USBs must be used from time to time.

Most companies have a policy that requires USB storage devices to be scanned for malicious software prior to insertion into control system computers. However, such a policy is quickly ignored by employees who “just need to get their work done.”

Control systems are in many cases unmanaged from an IT point of view; Microsoft Active Directory is not necessarily installed, and in many cases there is no centralized management either. Thus, adding configuration lockdowns or changes via group policy objects is not an option.

Industry response

The IC/SCADA industry acknowledges this problem. Different solutions have been tried, including the use of glue guns to disable USB ports and physical USB locks. But the main problem has always been the usability or lack thereof.

So the challenge was to get the USB port under a security regime that maintains usability and to comply with the requirement for an updated anti-malware solution while at the same time ensuring that the integrity of computers is not compromised. A “fire-and-forget” solution that was always updated and required minimum management was needed. To help think outside the box, Kongsberg Maritime teamed up with a specialist on security and anti-malware. Together, they created what they believe is the best anti-malware solution on the market for IC and SCADA systems. The solution will actually enforce existing policies stating that USB drives must be scanned before use in control system computers.

The solution

A USB drive, or any USB-based removable media, should not be accepted by a protected IC or SCADA system computer unless it has been validated as free of malware. A solution should be made up of two components:

  • A scanner station that scans USB drives for malware; and
  • A corresponding kernel driver on the IC or SCADA system computer that only allows usage of USB drives scanned by the mentioned scanner station. This driver must be nonintrusive for the system.

It is a simple and robust solution for both system owners and users. It is critical that no malware can be loaded on to the systems after the USB drive has been scanned and validated. But what about files added to the USB drive from other IC and SCADA system computers? Security measures need to be embedded in the solution that prevent misuse so that it is not possible to “spoof” the system by claiming that a file is valid when it is not.
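One way the scan-then-enforce handshake and the anti-spoofing requirement could fit together, as an added example (not Kongsberg's code; the page does not describe its mechanism). It assumes the scanner station writes a keyed manifest of file hashes and the host-side check refuses any drive whose manifest is missing, forged, or stale; the file name, function names, and the use of a shared HMAC key are hypothetical, and a deployment would prefer an asymmetric signature so protected hosts hold no signing secret.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

MANIFEST = ".scan-manifest.json"  # hypothetical manifest file name

def file_hashes(root):
    # SHA-256 of every file on the drive, excluding the top-level manifest
    files = (p for p in Path(root).rglob("*") if p.is_file())
    rel = lambda p: p.relative_to(root).as_posix()
    return {rel(p): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in files if rel(p) != MANIFEST}

def mac_of(key, hashes):
    body = json.dumps(hashes, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def seal_drive(root, key, is_clean):
    # Scanner station: an infected drive never receives a manifest
    hashes = file_hashes(root)
    if not all(is_clean(Path(root) / rel) for rel in hashes):
        return False
    manifest = {"files": hashes, "mac": mac_of(key, hashes)}
    (Path(root) / MANIFEST).write_text(json.dumps(manifest))
    return True

def verify_drive(root, key):
    # Protected host: manifest must be authentic AND match the drive as it is now
    try:
        m = json.loads((Path(root) / MANIFEST).read_text())
        files, mac = m["files"], str(m["mac"])
    except (OSError, ValueError, KeyError, TypeError):
        return "reject: no valid manifest"
    if not hmac.compare_digest(mac.encode(), mac_of(key, files).encode()):
        return "reject: manifest not issued by the scanner station"
    if file_hashes(root) != files:
        return "reject: drive contents changed after the scan"
    return "accept"

def demo():
    key = b"constructed-demo-key"  # constructed; stands in for the station's key
    is_clean = lambda path: True   # constructed stand-in for the scan engine
    with tempfile.TemporaryDirectory() as usb:
        (Path(usb) / "setpoints.csv").write_text("pump1,42\n")
        sealed, fresh = seal_drive(usb, key, is_clean), verify_drive(usb, key)
        (Path(usb) / "added.bin").write_bytes(b"written after the scan")
        return sealed, fresh, verify_drive(usb, key)
```

Because any file written after sealing invalidates the manifest, a drive that has picked up files from another control system computer must go back through the scanner station before the next host will accept it.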

Kongsberg Malware Protection is designed to work in a maritime environment and has redefined control system anti-virus protection. It makes certain that no scan engine interacts with critical control systems equipment and that anti-virus definition files are always updated. It also secures critical networks and provides USB protection. Among its key functions, in addition to network security protecting process equipment and USB scanning, are automatic updates of pattern files, operation over low-bandwidth, high-latency satellite connections, alarms and notifications through Simple Network Management Protocol (SNMP), high availability, and a portable updated scan engine.

Kongsberg Malware Protection provides real-time malware scanning of network traffic with automatic outbreak prevention and damage control. Malware sources are detected and isolated in a sandbox, with proactive protection provided by built-in DNA matching and exploit detection engines. The automatic scan engine provides signature updates. The company also added customizable content and URL blocking as well as multitiered traffic blocking or exclusion based on IP address, media access control (MAC) address, or local area network ID. SNMP-based management systems are supported, and the application is multi-threaded with multi-CPU support.

This solution will greatly enhance the security and even usability for IC/SCADA system owners and also help them achieve better peace of mind.