The Grand Coulee Dam provides water to irrigate approximately 600,000 acres in the Columbia Basin Project.

Jun 13 2022

Federally Operated SCADA Systems Work to Block Cyberattacks

Federally operated power facilities work to block the possibility of cyber attacks.

Little-known fact: The power plant able to generate the most electricity in the United States is operated by the federal government, which also happens to be able to generate nearly half of all hydropower in the country.

The Grand Coulee Dam in Washington and the dozens of other dams and water projects run by the Army Corps of Engineers and the Bureau of Reclamation — not to mention the similar critical infrastructure that powers military bases around the world — are just as vulnerable to cyberattack as those run by states and the private sector.

Cyber vulnerabilities in industrial control systems (ICS) are “the new attack vector that our adversaries are targeting against us,” Army CIO Raj Iyer warns.

An April advisory from the Energy, Justice and Homeland Security departments as well as the National Security Agency noted that advanced persistent threat actors “have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access.”

The federal government is moving ahead to cyber-harden critical infrastructure by applying more robust protections to the SCADA (supervisory control and data acquisition) systems that are the basis of industrial control.

Click the banner below to get access to customized content by becoming an Insider.

SCADA Management Requires A Range of Efforts

The need to address potential gaps in SCADA become apparent when one considers the breadth of critical infrastructure managed or operated by government organizations and entities.

The Bureau of Reclamation is the largest wholesaler of water in the nation. The Army Corps of Engineers’ nationwide network of dams is the country’s largest generator of hydropower. Dozens of DOD bases rely on SCADA control systems.

“Industrial control systems are essential” to managing all that critical infrastructure, says Ahmad Zoua, senior project manager at Guidepost Solutions. “Unfortunately, many of them focus on functions, convenience and increased productivity, while cybersecurity is an afterthought.”

Current events have brought the issue to the fore. CISA has developed a new “Shields Up” campaign, which warns that Russia’s invasion of Ukraine could spur “malicious cyber activity against the U.S. homeland,” including efforts to disrupt critical infrastructure.

Even before Ukraine, however, agencies were taking steps to close the gap. The Army Corps of Engineers recently upgraded controllers and modules at The Dalles Dam in Oregon, one of the largest hydropower generators in the country. The Bureau of Reclamation likewise has undertaken an update of its SCADA systems in an effort to standardize the system and collect data and alerts more quickly.

EXPLORE: How federal agencies can benefit from the technology modernization fund.

The Role of Military Power in SCADA

Meanwhile, the Army has moved aggressively on the SCADA situation. Industrial controls are a key mission enabler across the Army.

“We have a lot of control systems — in our weapon system platforms, in installations — running our most complex manufacturing processes,” Iyer says.

“These are all devices that are connected to the network in some way; they communicate with other devices or back to a server. That means they are susceptible to cyberattacks,” he says.

The May 2021 attack on a major U.S. fuel pipeline and other similar incidents highlight the urgency of addressing that potential susceptibility. “I think it's very clear just from recent incidents that have happened outside of the Army that the homeland is no longer a sanctuary. Our adversaries and cyber criminals have in the past attempted to penetrate power grids, pipelines, and so forth,” Iyer says.

Federal mandates, too, are driving a rethink. “This year, in the National Defense Authorization Act, there were at least a dozen or so requirements around protecting critical infrastructure,” Iyer notes.

LEARN MORE: How the navy is improving collaboration and productivity.

How best to bring SCADA up to speed? “It starts with identifying all of the control system assets on our network, from tiny sensors all the way to huge complex systems. Identifying them, cataloging them and discovering them is the first step,” he says.

“We have an effort under way where we're actually putting sensors across our network to identify these assets, classify them, tag them, and understand their current security posture,” he says.

From there, the Army is moving to isolate these control systems from the rest of the network. “We could set up virtual networks, use things like software defined networking to isolate these things. Then we can put these devices on a separate network that's closed, isolated,” Iyer says. “They could be put behind a firewall so that they cannot be accessed from outside. That is all part of the architecting that we're doing right now.”

As with other government agencies, the Army also wants to engage with private-sector partners who have a hand in managing critical infrastructure. “These are not all government-operated installations, so we are working with industry or the contractors are that run our bases, in order to do that,” Iyer says.

Raj Iyer
Most of this equipment has embedded software built into it, and it's the software that runs all of these activities on the hardware and controls the hardware. If this software is not updated, you have the risk of cyberattacks.”

Raj Iyer CIO, U.S. Army

How Up-to-Date Systems Increase Safety

SCADA lies at the heart of the effort to minimize cyber vulnerabilities. One key strategy: Make sure the systems are current.

“Most of this equipment has embedded software built into it, and it's the software that runs all of these activities on the hardware and controls the hardware,” Iyer says. “If this software is not updated, you have the risk of cyberattacks.”

To that end, he noted that 80 percent of the Army’s cyber vulnerabilities in critical infrastructure “are because of purely misconfigured control systems, things like people not resetting the factory default passwords. That’s something we can easily address,” he says.

Beyond that, he says, Army also is looking to replace outdated SCADA iterations with more modernized deployments.

READ ABOUT: How IT asset management tools are supporting the Army and other agencies.

“A lot of these old control systems have outdated operating systems running on them,” he says. “With the risk assessment we're doing right now, we’ll see if we can substitute these outdated operating systems with some other lightweight OS. Or we could just divest this old technology and move onto something new. Some of the newer control systems are cybersecurity safe from the get-go.”

Cloud computing resource are “playing a huge role in this,” he says. “A lot of these devices are now cloud-enabled and don’t require the processing to be at the edge, where you need some kind of server infrastructure to actually run the software. You can actually run it in the cloud, with some kind of agent on the control system itself.”

In order to coordinate SCADA upgrade efforts, the Army has put in place a guiding operational-technology cybersecurity strategy.

“We also established a control systems governance office, responsible for actually coordinating all these activities: Making sure we are buying these control systems with the right standards, accrediting them, making sure they're secure and safe,” Iyer says.

How SCADA Helps Protect Health IT

At the Department of Veterans Affairs, SCADA protection comes from a slightly different angle. “We use building automation systems (BAS) in all our facilities to control facility infrastructure and associated equipment and collect data on operations,” a VA spokesperson says. “This is similar to SCADA, although  designed for buildings rather than processes.”

VA relies on the equipment manufacturers’ control systems “for the control of the equipment, and operational data is sent to the BAS system for centralized monitoring, alarm and data collection,” the spokesperson says.

To ensure cyber resilience, “the VA is continuously upgrading both software and hardware in coordination with infrastructure upgrades,” the spokesperson says. “The security of our BAS IT infrastructure is coordinated with the Office of Information Technology to ensure the safety and security of any communication required to be sent to outside sources. The VA BAS systems use one-way communication as a standard to further enhance cybersecurity.”

These efforts to ensure security across industrial controls is in alignment with efforts by the VA Office of Information Technology, which is responsible for developing and implementing cybersecurity policy for all of VA's information technology systems.

2019

The year of the first successful cyberattack to disrupt the U.S. power grid

Source: Source: Energywire, “Experts assess damage after first cyberattack on U.S. grid,” May 6, 2019

What are the Next Steps for SCADA Across Agencies?

Experts say SCADA is an area ripe for remediation.

Organizations that support critical infrastructure “are prime targets for major cyberattacks” due to the vital nature of the services they provide, says Therese Schachner, a cybersecurity consultant at VPNBrains. “Many of these organizations have significant vulnerabilities and other weaknesses in their control systems that attackers can leverage to initiate cyberattacks.”

Agencies looking to cyber-harden SCADA can take a number of key steps, starting with updating of outdated software.

“Many of these control systems use older versions of software with known vulnerabilities,” Schachner says. “By installing security updates, organizations can incorporate fixes for vulnerabilities in older software versions in order to better protect their computer systems.”

REVIEW: The role of endpoint detection and response to combat cyberattacks.

Network segmentation is another key upgrade. “With network segmentation, controls on Internet traffic between areas of a network can be enforced,” Schachner says. “Network segmentation helps prevent attackers from moving laterally through a computer system, escalating their privileges, exfiltrating data, and carrying out other unauthorized operations.”

Along these lines, Zoua says, it makes sense to separate operational technology from information technology. “This can be done logically via VLANs or physically using new switches and backbone infrastructure,” he says. “While physical segregation could be costly, it is a highly recommended approach as it eliminates configuration errors and cyber risks in most cases.”

In all this, Iyer says, it makes sense for government to be working hand in glove with private-sector partners.

“We are going to have to work very closely with the industry,” he says. “This is getting so much attention, and there is an opportunity and a need for greater collaboration and information-sharing on potential threats.”

Bureau of Reclamation

aaa 1

Register