Protecting Today's SCADA-Based Mass Transit Systems Should Begin with a Defense-in-Depth Strategy

A wide range of mass transit systems utilize supervisory control and data acquisition (SCADA) systems to control and manage subway, light rail, street car, passenger rail and related infrastructure. These comprehensive systems collect sensor measurements and operational data from the field, process and display this information and relay control commands to local and remote equipment. 

For decades, SCADA systems have operated behind the scenes, but have more recently become visible as information about real and potential cyber-attacks have appeared in the media. These systems offer an enormous trove of confidential data and hostile governments, competitors, terrorist groups, disgruntled employees and other malicious intruders know this. 

The types of critical infrastructure that SCADA systems control include physical and IT assets, networks and services that if disrupted or destroyed could have a serious impact on the health, security and/or economic well being of both people in the area of the transit system, but the country at large. Due to the critical nature of SCADA systems and the facilities they control and manage, all levels of management at these facilities must put security of these systems at the top of their agendas. 

Until recently, security concerns over SCADA systems were limited to physical attacks. Managers assumed that if operational consoles were isolated and only authorized personnel were allowed to gain access to the network, any security issues were covered.  There was limited risk of malfeasance since few people had the technical expertise to operate the system and data communication paths were isolated. 

However, SCADA systems have evolved significantly. IT teams at mass transit companies have recognized that lower costs, easier accessibility and improved efficiency can be gained thorough connecting their IP-based network to their SCADA systems.  Today's SCADA systems are integrated tightly with corporate networks and the Internet, which exponentially increases the security risks to which they are exposed far beyond physical attacks. 

Multiple factors have contributed to the increased exposure of SCADA control systems, these include: 

• Technical information availability — public information about infrastructure and control systems is available to potential hackers and intruders. Potential hackers can easily find design and maintenance documents and technical standards for critical systems on the Internet, threatening overall security.
   

• Remote connections that are vulnerable — Connections such as VPNs and wireless networks are used for remote diagnostics, maintenance and examination of system status. If users fail to incorporate robust identification, authentication and encryption into their communications, the integrity of any information transmitted is in question.
  
  

• Networking of control systems — Organizations have increased connectivity through the integration of their control systems and enterprise networks. Any breach at any point in the network, exposes all the information — SCADA-related data, emails, corporate information, et al. to intruders.
   

Shortly after 9/11, government experts found evidence of terrorist groups visiting websites that offered software and programming instructions for the equipment that ran power, water, and transportation and communications grids. Since then, numerous incidents of cyber-attacks on the inner controls of critical infrastructure systems have occurred. In 2006, a water filtration plant near Harrisburg, Pa., had its security system hacked. Malicious software that had the capability of disrupting the water treatment operations was inserted from an outside source into the computer system. 

More recently, the Stuxnet work has infected systems and reports indicate that more than 100,000 computer systems have been affected worldwide. While no damage was caused to any utility sectors, this sophisticated malware highlights the risks to modern SCADA systems with regard to connectivity, insecure remote connections and readily available technical information.