Computerworld - Computerized process-control systems run some of the most critical infrastructures in the U.S., such as power utilities, water treatment plants, chemical plants and mass-transit systems. Until recently, little attention was given to securing these systems from a cybersecurity perspective. This is in large part because they were perceived as operating in a closed environment. However, this perception has led to a false sense of security, especially against a backdrop of increasing information security risks.
This article examines the state of security related to process-control systems and what can be done to secure them.
What is SCADA?
There are two types of process-control systems in view—distributed control systems (DCS) and supervisory control and data acquisition (SCADA). DCS are typically used for single-point processing and are employed in a limited geographic area. On the other hand, SCADA systems are used for large-scale, distributed management of critical infrastructure systems and are often geographically dispersed.
For example, in a power utility, DCS may be used for generation of power, while SCADA is used for the distribution and transmission of power. The basic SCADA configuration shown in Figure 1, consists of a supervisory control station and multiple controller stations, either local or remote. Through the use of the control station, operators can monitor status and issue commands to the appropriate devices. Control stations consist of devices that collect data or effect control of equipment. These devices are either remote terminal units (RTU), intelligent electronic devices or programmable logic controllers (PLC).
Figure 1: Process Control System
The security problem
Because of the limited attention paid to security, both DCS and SCADA systems are perceived as being largely unsecured and vulnerable to attack, as noted by a Government Accountability Office report last year. The report included many examples of attacks on control systems including:
These examples highlight some of the exposures related to SCADA systems that can lead to further liabilities. However, to tackle the SCADA security challenge, we must better understand and define the problem. There are three primary issues related to SCADA security that have emerged in recent years: unsecured data transmissions, open public network connections and technology standardization.
Unsecured data/command transmissions
Many older SCADA systems weren't designed with information security in mind. This omission has led to systems with unsecured data transmission. Most of the older SCADA systems will still transmit both data and control commands in unencrypted clear text. This allows potential attackers to easily intercept and issue unauthorized commands to critical control equipment.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
