CYS 401 · CHAPTER 9

ICS / SCADA
System Security

Cyber-Physical Systems & Industrial Control Security

01 · What Is ICS/SCADA?

SCADA = Supervisory Control And Data Acquisition

Think of SCADA as the "brain" that watches and controls physical machines from a central place.

CPS — Cyber-Physical Systems

A fusion of ICT (software/networks) with the physical world through sensors (input) and actuators (output).

ICS — Industrial Control Systems

The umbrella term for control systems used in critical infrastructure. SCADA and DCS (Distributed Control Systems) are types of ICS.

Why It Matters
  • Controls power grids, water, oil & gas
  • A cyber attack = physical hazard
  • Could affect national safety & economy
  • Human lives are at stake
📍 REAL-WORLD APPLICATIONS: Smart Grid · Water Treatment · Oil & Gas · Transportation · Telecom · Manufacturing

Remember the applications: "SWIM-TO-M"
  • S — Smart Grid
  • W — Water
  • I — Industrial Mfg
  • M — Medical / OT
  • T — Transportation
  • O — Oil & Gas
  • M — More Telecom
02 · ICS/SCADA Architecture

The system has 4 main hardware components that form a data pipeline from the physical world to the control center.

  1. 🌡️ FIELD INSTRUMENTS — Sensors · Actuators · Valves · Pumps
  2. 💻 PLCs / RTUs — Process & control local devices
  3. 📡 COMMUNICATIONS — Wired · Wireless · Satellite · Fiber
  4. 🖥️ SCADA CENTER — MTU · HMI · OPC · Database

Mnemonic: "Fancy People Cook Soup"
  • F — Field Instruments (sensors, actuators)
  • P — PLCs / RTUs (logic controllers)
  • C — Communications (network layer)
  • S — SCADA Control Center (HMI, MTU, OPC)
🌡️ Sensors vs Actuators
  • Sensors = INPUT — measure temp, pressure, flow, voltage
  • Actuators = OUTPUT — take mechanical/electronic action
  • Both are critical analog devices for PLCs/RTUs
💻 PLC vs RTU
  • PLC — rugged industrial computer, runs predefined logic, controls outputs directly
  • RTU — telemetry device, collects data from sensors, sends to MTU
  • In sophisticated systems: PLCs can act as RTUs
🖥️ MTU — "The Heart"
  • Master Terminal Unit = heart of SCADA
  • Initiates all communication
  • Collects & stores data in database
  • Provides HMI interface to operators
🔌 OPC Server

OLE for Process Control — software interface letting Windows communicate with industrial hardware. Like a translator between IT and OT.

PURDUE ENTERPRISE REFERENCE ARCHITECTURE (6 Levels)

💡 EXAM TIP: Know the levels from bottom (physical) to top (cloud). Think: Physical → Sensors → Control → SCADA → Enterprise → Cloud

  • Level 0 — Physical Process: the actual physical equipment — pipes, machines, turbines
  • Level 1 — Sensors and Actuators: temperature, pressure, flow sensors; valves, motors
  • Level 2 — PLCs and RTUs: local control logic; communicate with field devices
  • Level 3 — SCADA and HMI: supervisory control, operator interfaces, data historian
  • Level 4 — Enterprise IT Systems: business applications, ERP, corporate networks
  • Level 5 — Cloud and External Networks: internet, third-party integrations, cloud services
03 · IT vs OT Environments

💡 KEY INSIGHT: In standard IT security the CIA priority puts Confidentiality first. In ICS/SCADA the priority FLIPS — Availability comes first!

ASPECT            | IT (Information Technology) | OT (Operational Technology)
Focus             | Data processing             | Physical processes
Top Priority      | Confidentiality             | Availability & Safety
Downtime          | Somewhat acceptable         | Minimal — zero preferred
Updates/Patches   | Frequent, automated         | Slow, careful, rare
System Lifecycle  | 3–5 years                   | 15–30+ years
Failure Impact    | Data loss, financial        | Physical harm, deaths
04 · SCADA Communication Protocols

Unlike standard IT, which uses TCP/IP, ICS/SCADA uses specialized industrial protocols. Security levels vary widely.

PROTOCOL     | PORT      | SECURITY | NOTES
Modbus       | 502       | LOW ⚠️   | No encryption or authentication — very legacy
DNP3         | 20000     | MEDIUM   | Supports Secure Authentication feature
DNP          | 19999     | MEDIUM   | Earlier version of DNP3
OPC UA       | Various   | HIGH ✓   | Encrypted & authenticated — modern standard
IEC 61850    | Various   | HIGH ✓   | Used in smart grids specifically
EtherNet/IP  | 2222      | MEDIUM   | Industrial Ethernet protocol
PROFINET     | 34962-64  | MEDIUM   | Used in factory automation
⚠️ DANGER ZONE: Modbus was designed in 1979 with ZERO security in mind. It's still widely deployed. An attacker who reaches a Modbus device has direct control with no authentication barrier.
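To see the Danger Zone from a monitoring angle, here is an added Python example (not from the course notes) that parses the Modbus/TCP MBAP header and raises alerts for write function codes coming from any host outside an allow-list, and for malformed frames. The IP addresses, the allow-list and the sample frames are constructed assumptions; the header layout and function codes are the standard Modbus/TCP ones.

```python
# Added example (not from the original notes): a minimal Modbus/TCP inspector.
# The MBAP header carries no credentials, so the only control a defender has
# is WHERE a write request came from. All frames and IPs below are constructed.
import struct
from typing import Dict, List, Optional, Tuple

# Modbus function codes that change process state (coils/registers).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# Hypothetical allow-list: only the HMI/MTU host may issue writes.
TRUSTED_MASTERS = {"10.0.3.10"}

def parse_mbap(frame: bytes) -> Dict[str, object]:
    """Parse a Modbus/TCP frame: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    if length != len(frame) - 6:  # length counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def inspect_frame(src_ip: str, frame: bytes) -> Optional[str]:
    """Return an alert string for a suspicious frame, else None."""
    try:
        pdu = parse_mbap(frame)
    except ValueError as err:
        return f"MALFORMED from {src_ip}: {err}"
    fc = pdu["function"]
    if fc in WRITE_FUNCTIONS and src_ip not in TRUSTED_MASTERS:
        return (f"UNAUTHORIZED WRITE from {src_ip}: {WRITE_FUNCTIONS[fc]} "
                f"(FC {fc}) to unit {pdu['unit']}")
    return None

def hexframe(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))

# Constructed sample traffic: (source IP, raw Modbus/TCP bytes).
SAMPLE_TRAFFIC: List[Tuple[str, bytes]] = [
    ("10.0.3.10", hexframe("0001 0000 0006 01 03 0000 0002")),  # HMI reads 2 registers (FC 3)
    ("10.0.3.10", hexframe("0002 0000 0006 01 06 0010 00FF")),  # HMI writes register 0x10 (FC 6)
    ("10.0.9.77", hexframe("0003 0000 0006 01 05 0001 FF00")),  # unknown host forces coil ON (FC 5)
    ("10.0.9.77", hexframe("0004 0001 0006 01 03 0000 0001")),  # protocol id 1: not Modbus
]

def run(traffic=SAMPLE_TRAFFIC) -> List[str]:
    """Inspect every frame and return the alerts raised (two for the sample)."""
    return [a for a in (inspect_frame(src, f) for src, f in traffic) if a]
```

Because nothing in the frame identifies the sender, this kind of source-based check only works when the Modbus segment is isolated enough that spoofing a trusted master's address is itself hard, which is why the notes pair it with network segmentation.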
05 · ICS/SCADA Vulnerabilities

Mnemonic: "SNAIL" — 5 Root Causes
  • S — Scanning absent: no real-time network monitoring
  • N — No patch speed: slow/no updates & patching
  • A — Authentication weak: poor or no auth practices
  • I — Ignorance of devices: unknown device capabilities
  • L — Lack of traffic visibility: can't see abnormal activity
06 · Threats & Attack Methods

ICS/SCADA threats are divided into two main categories:

😴 UNINTENTIONAL THREATS

Originate inside the premises. No malicious intent.

  • Human Factor — negligence, carelessness, lack of training (employees, contractors)
  • Machine Failure — device weakness, equipment crashes
  • Natural Disasters — floods, earthquakes, avalanches, tsunamis
😈 PURPOSEFUL THREATS

Intentional attacks with specific objectives.

  • Disgruntled / annoyed employees
  • Industrial espionage
  • Sabotage operations
  • Cyber hackers (remote)
  • Viruses and worms
  • Physical theft
  • Electronic terrorism
📌 HOW ATTACK COMPLEXITY IS DETERMINED: 3 factors: (1) how vital the attack purpose is · (2) what impact level must be achieved · (3) how well the ICS/SCADA system is secured
⚠️ KNOWN ATTACKS ON ICS/SCADA: Eavesdropping · Denial of Service (DoS) · Wireless Jamming · Man-in-the-Middle · Replay Attacks
07 · Security Challenges
🏚️ Legacy Architecture

Old system designs where security was never considered. Messages still transmitted in cleartext (no encryption).

⏱️ Patching Problem

No regular patching scheme. Some firmware is never updated. Downtime for maintenance is difficult to schedule.

🌍 Geographic Scatter

Components (sensors, RTUs, PLCs) are geographically spread out — very hard to physically secure.

🔗 IT/OT Gap

Managed by different departments. No coordination = security gaps. OT dept manages PLCs; IT dept manages networks. Nobody owns the overlap.

🚫 Can't Pen-Test Live

Cannot run penetration tests on production SCADA systems — the risk of disrupting real operations is too high.

📋 Other Challenges
  • Unsupported OS/applications
  • Shared accounts (no individual auth)
  • OT networks exposed to public
  • Limited remediation time
  • Vulnerability tracking problems
08 · Security Objectives

💡 CRITICAL EXAM CONCEPT: In ICS/SCADA, the CIA priority order is REVERSED from standard IT! Availability → Integrity → Confidentiality (AIC instead of CIA)

  #1 AVAILABILITY — Systems must run 24/7. Even brief downtime in critical infrastructure = danger.
  #2 INTEGRITY — Operators must TRUST sensor readings to make correct decisions.
  #3 CONFIDENTIALITY — Sensor state data is time-specific and discarded after use — less critical.
⚡ Redundancy

Critical devices (historian servers, switches, modems, field instruments) need redundant backups to survive failures.

📉 Systematic Degradation

System should gracefully degrade:
Normal (full auto) → Emergency (partial auto) → Full Manual (no auto)

🔍 Early Detection

Detect failures early — exhausted memory, bandwidth, processor usage — before they become attacks.

09 · Security Requirements & Countermeasures
🌡️ Field Instruments
  • Security from procurement → installation → monitoring → maintenance
  • Must meet auth, authorization, CIA
  • Physical: secure fences, gates, locks
  • CCTV + motion detectors at remote stations
🖥️ Server Security
  • Strong multifactor authentication
  • Application whitelisting
  • Physical + logical access controls
  • Load balancing & failover
  • Configuration/patch management
🔒 Physical Perimeter
  • Track location/movement of personnel
  • Video surveillance integrated with SCADA alarms
  • Real-time alarm capability
  • Mantrap — single-person access control enclosure
📡 Network Security
  • Avoid legacy dial-up/leased-line modems
  • Use NSM, NDR, and SIEM tools
  • Encrypted communications
  • Network segmentation
📌 NSM vs NDR vs SIEM — Know the Difference
  • NSM (Network Security Monitoring) — gather, analyze, warn about intrusions
  • NDR (Network Detection & Response) — passive, behavior-based, no impact on ops
  • SIEM — real-time analysis + data aggregation + dashboards + forensics

ISO 27001 RECOMMENDED POLICIES

  • Clear Desk & Screen Policy
  • Access Control Policy
  • Data Classification
  • Mobile Computing Policy
  • Password Policy
  • Penetration Testing Policy
  • Backup & Recovery Policy
  • Physical Security Policy
  • System Monitoring Policy
  • Third Party Access Policy
  • Virus/Malware Policy
  • Disposal Policy
10 · Governance & Compliance

⚠️ THE GOVERNANCE GAP PROBLEM: OT devices are managed by the engineering/automation department; IT components are managed by the IT department. Without coordination there are security gaps, because nobody clearly owns the ICS/SCADA overlap zone.
📜 Key Standards & Frameworks
  • NIST SP 800-82 — Guide to ICS Security
  • NISTIR 7628 — Smart Grid Cyber Security
  • NERC CIP 002-009 — Critical Infrastructure Protection
  • DHS Catalog — Control Systems Security
  • ISO 27001 — Information Security Mgmt
✅ Benefits of Good Governance
  • Clear roles & responsibilities for OT & IT
  • Better view of ICS/SCADA threats
  • Improved stakeholder communication
  • Resource optimization
  • Consistent security strategy

7-PHASE PLANNING MODEL

Mnemonic: "A Dog Trains Security Controls Harder, Monitoring"
  1. Assess the existing systems
  2. Document the policies and procedures
  3. Train the employees and contractors
  4. Segment the ICS/SCADA network and security
  5. Control the access to the ICS/SCADA system
  6. Harden the components of the ICS/SCADA system
  7. Monitor and maintain the security of ICS/SCADA system
11 · AI-Enabled SCADA

Modern SCADA systems are integrating AI/ML to shift from reactive to predictive & proactive operations.

FEATURE           | Traditional SCADA          | AI-Integrated SCADA
Monitoring        | Reactive                   | Predictive & Proactive
Maintenance       | Scheduled or manual        | Predictive maintenance
Decision-Making   | Human-driven               | AI-assisted or automated
Anomaly Detection | Rule-based signatures      | Machine learning-based
Data Analysis     | Historical reports         | Real-time intelligent insights
Security          | Signature-based detection  | AI-driven threat detection
12 · Quick Self-Test
Q1. In ICS/SCADA systems, which CIA property has the HIGHEST priority?
✅ Correct! Availability is #1 in ICS/SCADA because systems must run 24/7. Even brief downtime in a power grid or water system is dangerous.
❌ Wrong. In ICS/SCADA the CIA order is REVERSED: Availability → Integrity → Confidentiality (AIC). This is a key difference from traditional IT security!
Q2. What does MTU stand for in ICS/SCADA architecture?
✅ Correct! MTU = Master Terminal Unit — the "heart" of SCADA. It initiates all communication, collects data, provides HMI, and stores data in the database.
❌ Wrong. MTU = Master Terminal Unit. Remember: it's the "HEART" of the SCADA system — controls everything centrally.
Q3. Which SCADA protocol has the LOWEST security level (no encryption or authentication)?
✅ Correct! Modbus (port 502) was designed in 1979 with ZERO security. No encryption, no authentication — any attacker who reaches it has full control.
❌ Wrong. Modbus is the culprit — it's a 1979 protocol with absolutely no built-in security. OPC UA and IEC 61850 are actually the safest options.
Q4. What are the 4 main components of ICS/SCADA infrastructure? (Choose the correct set)
✅ Correct! Remember "Fancy People Cook Soup" — Field Instruments → PLCs/RTUs → Communications → SCADA Control Center.
❌ Wrong. The 4 components are: Field Instruments → PLCs/RTUs → Communications → SCADA Control Center. Use the mnemonic "Fancy People Cook Soup"!
Q5. How many phases are in the ICS/SCADA security planning model?
✅ Correct! 7 phases: Assess → Document → Train → Segment → Control → Harden → Monitor. Remember: "A Dog Trains Security Controls Harder, Monitoring"
❌ Wrong. There are 7 phases. Remember: Assess, Document, Train, Segment, Control, Harden, Monitor — "A Dog Trains Security Controls Harder, Monitoring".