OMICRON Magazine

UNUSED SERVICES

Open/unused services give hackers disproportionately more opportunities to attack your automation or SCADA system. Thankfully, we can easily detect these unused services through network monitoring. Here are some common unused services we found during our assessments:

› IPv6: Mostly activated on PCs, sometimes on IEDs. IPv6 was never actually used but provided several attack vectors in the network.
› Windows file sharing: The file sharing service was always activated on PCs and Windows-based RTUs and gateways, but not used.
› PTPv2: It was enabled by default on some industrial switches, even though it was never used.

Simply turning off these open/unused services will decrease the number of cyber risks to your assets.

SCADA COMMUNICATION CONFIGURATION ERRORS

Misconfiguring RTU and SCADA devices can slow down communication and might result in failed transmissions for critical on-site events. For example, in a European substation, MMS Reports were configured to be sent to the wrong client IP address. After resolving these configuration errors, there was a verifiable improvement in the IED's communication speed. Checking impeded communication speed will lower the operational risk of obstructed response processes.

DETECTING CONFIGURATION CHANGES

In a North American substation, we detected misconfigured GOOSE messages. This problem occurred because two individual engineering parties configured the devices. In turn, this lack of communication between engineers caused communication problems between these OT devices. We discovered that certain remote command activities in the substation didn't function properly due to invalid interlocking conditions. This means they wouldn't have been able to operate their switchgears remotely in urgent scenarios. This case showed me that minor GOOSE communication issues could cause more significant plant problems.

Therefore, we still offer these basic security assessments for free, allowing us to contact other power plants, substations, and control centers to further our knowledge.

MOST FREQUENT SECURITY RISKS in plant networks

› Undocumented external connections accessing IEDs & switches directly
› Outdated firmware with known vulnerabilities
› Unused services
› Unauthorized access

Usually, these security problems are fostered by functional problems, such as:

› Configuration issues in IEDs, RTUs, and network switches
› Time synchronization failures
› Network redundancy issues
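The unused-service check described under UNUSED SERVICES can be run passively against mirrored traffic. The following is an added example, not OMICRON's tooling: it classifies raw Ethernet frames as IPv6, Windows file sharing or PTPv2 and reports which source MACs send a service that is not documented as in use. The EtherTypes and port numbers are the standard assignments; the function names, the `documented` allowlist and the sample frames are assumptions constructed for illustration.

```python
import struct

ETH_IPV4, ETH_VLAN, ETH_IPV6, ETH_PTP = 0x0800, 0x8100, 0x86DD, 0x88F7
ETHERTYPE_SERVICE = {ETH_IPV6: "IPv6", ETH_PTP: "PTPv2"}  # PTP directly over Ethernet
# (IP protocol, destination port) -> service: NetBIOS/SMB over TCP, PTP over UDP
PORT_SERVICE = {**dict.fromkeys([(6, 445), (6, 139)], "Windows file sharing"),
                **dict.fromkeys([(17, 319), (17, 320)], "PTPv2")}

def classify(frame: bytes):
    """Return the page-listed service a raw Ethernet frame belongs to, or None."""
    if len(frame) < 18:  # too short for an Ethernet header plus optional VLAN tag
        return None
    ethertype, offset = struct.unpack_from("!H", frame, 12)[0], 14
    if ethertype == ETH_VLAN:  # skip one 802.1Q tag
        ethertype, offset = struct.unpack_from("!H", frame, 16)[0], 18
    if ethertype in ETHERTYPE_SERVICE:
        return ETHERTYPE_SERVICE[ethertype]
    if ethertype != ETH_IPV4 or len(frame) < offset + 20:
        return None
    ihl = (frame[offset] & 0x0F) * 4
    fragment_offset = struct.unpack_from("!H", frame, offset + 6)[0] & 0x1FFF
    if ihl < 20 or fragment_offset or len(frame) < offset + ihl + 4:
        return None  # no readable TCP/UDP port in this frame
    dport = struct.unpack_from("!H", frame, offset + ihl + 2)[0]
    return PORT_SERVICE.get((frame[offset + 9], dport))

def unused_services(frames, documented=frozenset()):
    """Map each undocumented service seen on the wire to the source MACs sending it."""
    found = {}
    for frame in frames:
        service = classify(frame)
        if service and service not in documented:
            found.setdefault(service, set()).add(frame[6:12].hex(":"))
    return found

def _eth(src, ethertype, payload, vlan=None):  # builds the constructed sample frames
    tag = struct.pack("!HH", ETH_VLAN, vlan) if vlan is not None else b""
    return b"\xff" * 6 + bytes.fromhex(src) + tag + struct.pack("!H", ethertype) + payload

def _ipv4(proto, dport):  # minimal IPv4 header plus source and destination port
    header = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, proto, 0, 0, 10, 0, 0, 5, 10, 0, 0, 9])
    return header + struct.pack("!HH", 49152, dport) + b"\x00" * 4

SAMPLE_FRAMES = [  # constructed frames, not captured traffic
    _eth("020000000001", ETH_IPV6, b"\x60" + b"\x00" * 39),              # PC with IPv6 enabled
    _eth("020000000002", ETH_IPV4, _ipv4(6, 445)),                       # SMB from a Windows-based RTU
    _eth("020000000003", ETH_PTP, b"\x00\x02" + b"\x00" * 32, vlan=10),  # PTP from a switch
    _eth("020000000004", ETH_IPV4, _ipv4(6, 102)),                       # MMS, a documented service
]
```

Passing `documented={"PTPv2"}` suppresses the finding for a plant that really does use PTP for time synchronization, so only services nobody has accounted for are reported.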