Protecting Today's SCADA-Based Mass Transit Systems Should Begin with a Defense-in-Depth Strategy

Oct. 10, 2012

A wide range of mass transit systems utilize supervisory control and data acquisition (SCADA) systems to control and manage subway, light rail, street car, passenger rail and related infrastructure. These comprehensive systems collect sensor measurements and operational data from the field, process and display this information and relay control commands to local and remote equipment. 

For decades, SCADA systems operated behind the scenes, but they have more recently become visible as information about real and potential cyber-attacks has appeared in the media. These systems hold an enormous trove of confidential data, and hostile governments, competitors, terrorist groups, disgruntled employees and other malicious intruders know this.

The types of critical infrastructure that SCADA systems control include physical and IT assets, networks and services that, if disrupted or destroyed, could have a serious impact on the health, security and/or economic well-being not only of people in the area of the transit system but of the country at large. Due to the critical nature of SCADA systems and the facilities they control and manage, all levels of management at these facilities must put the security of these systems at the top of their agendas.

Until recently, security concerns over SCADA systems were limited to physical attacks. Managers assumed that if operational consoles were isolated and only authorized personnel were allowed to gain access to the network, any security issues were covered. There was limited risk of malfeasance, since few people had the technical expertise to operate the system and data communication paths were isolated.

However, SCADA systems have evolved significantly. IT teams at mass transit companies have recognized that lower costs, easier accessibility and improved efficiency can be gained by connecting their IP-based networks to their SCADA systems. Today's SCADA systems are tightly integrated with corporate networks and the Internet, which exponentially increases the security risks to which they are exposed, far beyond physical attacks.

Multiple factors have contributed to the increased exposure of SCADA control systems, including:

  • Technical information availability — Public information about infrastructure and control systems is available to potential hackers and intruders. Design and maintenance documents and technical standards for critical systems can easily be found on the Internet, threatening overall security.

  • Vulnerable remote connections — Connections such as VPNs and wireless networks are used for remote diagnostics, maintenance and examination of system status. If users fail to incorporate robust identification, authentication and encryption into their communications, the integrity of any information transmitted is in question.

  • Networking of control systems — Organizations have increased connectivity through the integration of their control systems and enterprise networks. A breach at any point in the network exposes all the information on it (SCADA-related data, emails, corporate information, et al.) to intruders.

Shortly after 9/11, government experts found evidence of terrorist groups visiting websites that offered software and programming instructions for the equipment that ran power, water, and transportation and communications grids. Since then, numerous incidents of cyber-attacks on the inner controls of critical infrastructure systems have occurred. In 2006, a water filtration plant near Harrisburg, Pa., had its security system hacked. Malicious software that had the capability of disrupting the water treatment operations was inserted from an outside source into the computer system. 

More recently, the Stuxnet worm has infected systems, and reports indicate that more than 100,000 computer systems have been affected worldwide. While no damage was caused to any utility sectors, this sophisticated malware highlights the risks to modern SCADA systems with regard to connectivity, insecure remote connections and readily available technical information.

Ensuring cyber security in the control infrastructure of mass transit systems may seem like a daunting task as it requires cooperation and commitment from the entire organization as well as support organizations, such as local police forces. Upper management must recognize the numerous benefits of a secure SCADA system. These advantages include ensuring system uptime, reliability, availability and safety to both the facility and surrounding area. A secure system protects the company, its vendors, systems integrators, customers and others who interact with the SCADA system. 

To provide maximum protection for critical SCADA data assets, IT teams at mass transit systems should deploy a "defense-in-depth" security approach that includes multiple layers of protection to recognize and thwart cyber-attacks. 

Defense in Depth in Today's Networks

The basic premise of defense in depth is to use a layered approach to network security — deploy one or more layers of protection at network boundaries (firewalls, anti-virus/malware appliances and intrusion prevention devices) and additional layers of protection at the individual computer workstations or endpoints. This defense strategy is most effective when using multiple unique defense mechanisms — such as multiple vendor solutions for anti-virus control. Any gaps in one vendor's security solution are addressed by the second vendor's solution.  

Network Level Security

The first level of security to consider when implementing a defense-in-depth strategy is at the network level. Proper attention to security at the network level will provide benefits to all downstream resources. For example, use of a network protection appliance at the network switch in conjunction with a traditional anti-virus solution at the network endpoints adds up to 38 percent additional anti-malware protection vs. utilizing anti-virus endpoint protection alone.

  • Network Perimeter — The network perimeter or edge is where Internet traffic enters and exits an organization's network. IT teams can deploy various types of protection, including malware protection, spam filtering, content filtering, network firewalls, and intrusion detection and prevention.

    The network perimeter is often protected by Unified Threat Management (UTM) technology. This solution is typically deployed as a network appliance, and it combines multiple security functions into a single solution with a unified management interface. These devices are especially valuable at the edge of the internal network where most external 'brute force' attacks are going to occur. 

    UTM solutions are a critical component of network level security, and they need to be implemented carefully. For example, network firewalls must be configured so that they do not allow unnecessary protocols to pass through to the internal network, or the perimeter of the agency's network will be open to attack through open firewall ports. 

    In some cases security officers may choose to deploy an anti-malware appliance from a different security vendor in-line with the UTM to provide a second analysis vector on incoming data packets — this is another element of a defense-in-depth security strategy.

  • Segmented Networks — Large internal networks are often organized into groups of smaller networks. This type of network topology reduces congestion and improves network performance by reducing the amount of traffic flowing through any one network segment.

    Segmented networks also provide a high level of security — broadcast traffic is contained within each local network, and network segments can be quickly isolated in the event of a security breach. In a segmented network topology, each segment can be protected with a dedicated network-level security appliance to prevent viruses and malware from crossing network boundaries.

Endpoint Level Security

An effective security infrastructure must protect all network endpoints (servers, workstations, et al.) from cyber-attack. The accepted way to protect these network resources is by installing anti-virus software and enabling a firewall at each endpoint.

Anti-virus software is used to prevent, detect and remove malware (including computer viruses, computer worms, Trojan horses, spyware and adware). There are a number of strategies that can be employed by an anti-virus solution:

  • Signature-based detection — this strategy involves searching for known patterns of data within executable code. These patterns are regularly updated by the anti-virus company's research team. It is critical that all endpoints with anti-virus software receive updated signature files regularly.

  • Heuristic detection — this strategy is used to identify new malware for which no signature is known. The anti-virus software identifies new viruses or variants of existing viruses by looking for patterns that are similar to those of known malicious code, or slight variations of such code.

  • Sandbox detection and analysis — this strategy executes unknown files in a protected environment and analyzes the results of that execution to see if the files trigger any malicious actions in the host environment. Sandbox solutions can identify new and undiscovered malicious code that may pass through signature-based and heuristic detection methods undetected.

All anti-virus solutions will provide some level of protection for the network endpoints, but the best anti-virus solutions use a combination of all three techniques to protect endpoints from infection. Security personnel should periodically evaluate their anti-virus solutions to ensure that they are leveraging a solution with multiple layers of defense. 

Anti-Virus Endpoint Protection is Not Enough

Anti-virus software is a critical component of endpoint security, and security personnel must ensure that the software is installed on every server and workstation on their networks. Endpoints with outdated virus definition files are a security risk, so procedures should be put in place to ensure that all endpoints are regularly updated with new virus definition files. Once a comprehensive anti-virus plan has been deployed, a more comprehensive strategy of endpoint security should be considered — one that ensures all endpoints are kept secure through application of regular vulnerability patches.

  • Patch and Remediation Software — More than 90 percent of cyber-attacks exploit known security flaws for which remediation is available. For network endpoints to be completely secure, IT teams must also know what software is installed and operating on each endpoint. They must further ensure that the software and operating systems of every endpoint are regularly patched to eliminate attack vectors which could be utilized by cyber criminals to compromise the resource.

  • Application and Device Control Software — One aspect of endpoint security that is often ignored is application usage. By implementing a "whitelist" approach to managing application usage, IT teams can define which devices and applications are permitted on the network through user and/or machine-specific policy rules. Execution of unknown or malicious code is prevented because only authorized applications are allowed to run on laptops, PCs and mission critical servers.

    A comprehensive application control solution should automatically determine what applications are in use throughout the network endpoints, enforce application usage policies across the entire network, and automatically log network events related to endpoint security policy for compliance reporting. Such a solution should implement endpoint agents that are tamper-proof and protected against unauthorized removal. 

    Device control solutions protect networks from internal threats like data theft by enforcing which removable media (such as USB drives) are allowed in the organization's network and controlling the data that is copied to and from the internal network through policy-enforced encryption. These solutions should also log all data transfers for security and compliance reporting purposes. 
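As an added illustration (not the author's or Norman's code), the following Python sketches the whitelist mechanism described above: an executable may run only if the hash of its contents is on the approved list for the endpoint's role, the decision is default-deny, and every decision is logged so the record can feed compliance reporting. The sample binaries, role names and policy are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field


def sha256_hex(image: bytes) -> str:
    # An executable is identified by the hash of its contents, never by its file name.
    return hashlib.sha256(image).hexdigest()


# Constructed sample "executables" standing in for bytes read from disk.
SAMPLE_BINARIES = {
    "hmi_viewer.exe": b"constructed HMI viewer image, build 2.1",
    "plc_tool.exe": b"constructed PLC engineering tool image, build 7.0",
    "games.exe": b"constructed unapproved program",
}

# Constructed policy: approved hashes per endpoint role (role names are assumed).
# Operator HMIs may only run the viewer; engineering stations may also run the PLC tool.
POLICY = {
    "operator_workstation": {sha256_hex(SAMPLE_BINARIES["hmi_viewer.exe"])},
    "engineering_workstation": {
        sha256_hex(SAMPLE_BINARIES["hmi_viewer.exe"]),
        sha256_hex(SAMPLE_BINARIES["plc_tool.exe"]),
    },
}


@dataclass
class AllowlistAgent:
    """Endpoint agent that decides ALLOW/BLOCK and records every decision."""
    host: str
    role: str
    events: list = field(default_factory=list)  # audit trail for compliance reporting

    def authorize(self, path: str, image: bytes) -> bool:
        digest = sha256_hex(image)
        # Default deny: an unknown role has no approved hashes at all.
        allowed = digest in POLICY.get(self.role, set())
        self.events.append({"host": self.host, "role": self.role, "path": path,
                            "sha256": digest[:16], "decision": "ALLOW" if allowed else "BLOCK"})
        return allowed


if __name__ == "__main__":
    agent = AllowlistAgent("hmi-01", "operator_workstation")
    agent.authorize(r"C:\HMI\hmi_viewer.exe", SAMPLE_BINARIES["hmi_viewer.exe"])  # ALLOW
    agent.authorize(r"C:\Tools\plc_tool.exe", SAMPLE_BINARIES["plc_tool.exe"])   # BLOCK: not in role policy
    # Renaming an unapproved program to an approved name does not help; the hash differs.
    agent.authorize(r"C:\HMI\hmi_viewer.exe", SAMPLE_BINARIES["games.exe"])      # BLOCK
    for event in agent.events:
        print(event)
```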

Conclusion

Secure and well-protected SCADA systems are critical both to the efficient operation of a mass transit system and to safeguarding the thousands of riders who use these systems daily. Without this protection, cyber-attacks have the potential to cause terrible accidents and wreak destruction on infrastructure, riders and system personnel.

A defense-in-depth approach to network security will provide the most comprehensive protection against malware threats and other forms of cybercrime. Security architectures with multiple layers of protection from multiple vendors provide the best protection, especially when deployed at multiple levels in the network. Likewise, a multi-layer endpoint management strategy with anti-virus, patch, remediation, and application and device controls will provide the most comprehensive protection at network endpoints.

IT teams at mass transit organizations should continuously review their system's security architecture to identify areas of vulnerability and implement 'defense-in-depth' network strategies where appropriate to ensure that the system's network resources are adequately protected.

Darin Andersen is general manager, North America, Norman ASA.