Protecting critical infrastructure in a world of infinite attacks

As transport networks increasingly rely on technology, protecting the systems underpinning them is a growing priority around the world.

US President Barack Obama is seeking US$14 billion to tackle it. The UK wants to build a start-up industry around it. And Australia is in the middle of what could be a year-long review into getting better at it. The issue is cyber security, and at risk is the entire digital economy and consumer confidence in it. In this Cyber insecurity series we investigate the size and nature of the cyber crime threat, the industry growing with it, and the solutions emerging to get in front of it.

The systems responsible for controlling and monitoring most of our national infrastructure, the services that our society relies on, are known as Supervisory Control and Data Acquisition (SCADA) systems.

These systems, on which infrastructure such as power stations, water distribution, roads and public transport relies, are increasingly the target of cybercriminals. Needless to say, any disruption to such systems could at best result in financial disaster and at worst in the loss of lives.

Faced with increasing and more sophisticated cyber attacks, governments and the private sector need to find increasingly innovative ways to protect themselves. These are the weapons of the future. There will be future wars based on this: you don’t need to attack a country’s military when you can attack it economically. If you stop the electrical system of New York, New York will collapse.

In the past, SCADA systems, and consequently the systems they monitored and controlled, were somewhat protected because they relied on proprietary technologies of which the wider IT industry had little awareness. With a very closed industry, little information spread beyond the SCADA community. Today, SCADA systems have evolved from standalone, proprietary solutions and closed networks into large-scale, highly distributed computing systems operating over open networks such as the internet. In addition, the hardware and software used by SCADA systems are now, in most cases, based on Commercial Off-The-Shelf (COTS) solutions.

Although such changes have increased the efficiency and sophistication of the services provided, they have also increased their vulnerability to malicious and sophisticated attacks. The once closed, proprietary software and hardware infrastructure is now vulnerable to attacks originating from external (internet) and internal corporate networks. The attacks plaguing such systems are the same ones that have been affecting ordinary systems over the years, such as viruses, trojans and worms. Additionally, the network protocols used by SCADA systems were not designed with security requirements in mind. For instance, the majority of protocols do not support any type of encryption.

Over the last few years there has been a push from the computer security industry to adapt its security tools and techniques to address the security issues of SCADA systems. This is visible in the number of conferences dedicated to, or with tracks dedicated to, SCADA systems.

At the same time, the US government, together with industry, has put in place a set of standards and regulations related to protecting SCADA systems. Those initiatives are on the right track and will probably bring SCADA systems to the level of security currently deployed on enterprise and personal computer systems. However, as we all know, that level is not sufficient; if it were, successful malicious attacks on computer systems would be non-existent.

No more security through obscurity

For many years the security industry has tried to improve and fix the security of computer systems. Security has improved immensely over the last decade, but we are nowhere close to totally secure systems. Statements made by people from the security industry corroborate this view. Recently, the CTO of a security company wrote about why anti-virus companies did not catch malware such as Stuxnet and Flame, worms built to attack SCADA systems. He acknowledged that anti-virus products made for regular consumers will not protect against well-resourced adversaries. This has several implications. First, the use of COTS hardware and software in critical systems may be a terrible idea. Second, anti-virus companies will never reach the level of sophistication of a well-resourced adversary.

Given the growing awareness of the internals of SCADA systems, the once proudly used “security through obscurity” mantra no longer applies. Searching for the keyword “SCADA” in the Open Source Vulnerability Database (OSVDB), an initiative that catalogues computer vulnerabilities, returns more than 300 hits (vulnerabilities).

Living with malicious attacks

Security systems based on prevention and interdiction are not delivering the desired level of security, and they are not enough for SCADA systems, which have different requirements from general corporate systems. SCADA systems are widely distributed, they rely on multiple technologies, they have limited resources, they are a mixture of real-time and non-real-time operations and, more importantly, they have different needs regarding their availability, reliability and security, among other things.

Rather than trying to achieve an attack-free system, the focus is shifting to providing an acceptable level of service even in the presence of malicious attacks. Researchers from the Cyberspace and Security Group at RMIT are tackling these issues, including devising new models to improve the availability of services even when cyber attacks occur (through replication of essential services). They are also working on detecting attacks in real time (using new clustering algorithms to summarise data and detect abnormal behaviour). The future is about making systems robust enough that they can survive and keep operating during an attack.