FlowTraq > Blog > Network Security and Visibility > SCADA Process Control Systems should use Network Behavior Anomaly Detection

SCADA Process Control Systems should use Network Behavior Anomaly Detection

Dr. Vincent Berk
By | January 31, 2014


Simple pattern detection is often sufficient to catch unusual ModBus communications to guard against breaches and disruption from hackers

Any organization that manages a large, geographically dispersed, physical infrastructure (like power grids, water, oil & gas, nuclear facilities, sewage or chemical plants) naturally employ computer systems that measure temperatures, open and close valves, and turn devices on or off.  These computer systems generally are referred to as “SCADA/PCS” systems, which stands for: Supervisory Control And Data Acquisition / Process Control System.

These systems are designed to allow operators to have central control of production processes, and monitor and measure system performance.  Traditionally these systems were designed with tons of wires running to unique devices.  Each sensor needed its own wire.  So did every electronic valve, motor, heating element, etc.  This got confusing and expensive fast, so several common-bus protocols were designed to put many devices on the same wire, and keep their communications from mixing.  A popular one is named ‘ModBus‘.

However, building large custom infrastructures is still a very manual job, and these infrastructures have become increasingly complex as technology has become more advanced.  Naturally, the vendors of these SCADA/PCS systems resorted to technologies that were more accessible, and could be bought off the shelf, like TCP/IP, Windows operating systems, and common programming languages.  This suppresses costs both from a parts perspective, as well as from a training perspective for the developer who now has a much shorter learning curve.  ModBus was quickly adapted to run over UDP on universally available Internet Protocol networks.

So, early in 2000 a young Java programmer fresh out of college could be employed to start building the newest and hottest SCADA/PCS system for managing the control rods in the upcoming AP1000 nuclear reactor, running on the freshly released Windows 98 operating environment.  The AP1000 is designed to run for 50 years, and Windows 98 was EOL-ed before the first reactor was deployed.

The rate at which computer technology evolves by far outpaces the rate at which physical infrastructure is replaced.  This means that 25 years from now, very few people will have the training or the knowledge to service – and secure – the SCADA/PCS systems built today.  Oil and gas producing factories, chemical plants, and power grids will all have to come to grips with the choices we have made today to save a few pennies while adopting the newest technology.  What will we do?  Run Windows 98 in an emulator on Windows 7, which runs in an emulator in Windows Z??

What will happen when an opportunistic attacker breaks into the subway control system of a major city?  Or a disgruntled employee decides to take matters of revenge after a round of layoffs at his sewage treatment plant?  Who can predict the consequences when a systems engineer accidentally leaves the power grid control systems connected to the public Internet after running a Windows update?

Thankfully, most SCADA/PCS systems have extremely predictable patterns of communication between their ‘remote telemetry units’.  These patterns are, in fact, so predictable that simple anomaly detection is often sufficient to catch any unwanted party to sniffing around.  However: as of today, I am unaware of a single operator that employs advanced security technologies like Network Behavior Anomaly Detection on their SCADA/PCS infrastructure.

Scary world we live in!