How to meet the SCADA security challenge

Computerworld - Computerized process-control systems run some of the most critical infrastructures in the U.S., such as power utilities, water treatment plants, chemical plants and mass-transit systems. Until recently, little attention was given to securing these systems from a cybersecurity perspective. This is in large part because they were perceived as operating in a closed environment. However, this perception has led to a false sense of security, especially against a backdrop of increasing information security risks.

This article examines the state of security related to process-control systems and what can be done to secure them.

What is SCADA?

There are two types of process-control systems in view—distributed control systems (DCS) and supervisory control and data acquisition (SCADA). DCS are typically used for single-point processing and are employed in a limited geographic area. On the other hand, SCADA systems are used for large-scale, distributed management of critical infrastructure systems and are often geographically dispersed.

For example, in a power utility, DCS may be used for generation of power, while SCADA is used for the distribution and transmission of power. The basic SCADA configuration shown in Figure 1, consists of a supervisory control station and multiple controller stations, either local or remote. Through the use of the control station, operators can monitor status and issue commands to the appropriate devices. Control stations consist of devices that collect data or effect control of equipment. These devices are either remote terminal units (RTU), intelligent electronic devices or programmable logic controllers (PLC).

Figure 1: Process Control System

The security problem

Because of the limited attention paid to security, both DCS and SCADA systems are perceived as being largely unsecured and vulnerable to attack, as noted by a Government Accountability Office report last year. The report included many examples of attacks on control systems including:

• A cybersecurity breach in 1994 of the Salt River Project, a major water and electricity provider in Tempe, Ariz.






• SQL Slammer worm infection of the Davis-Besse nuclear power plant in Oak Harbor, Ohio, in 2003. The plant's process computer failed, requiring more than six hours for recovery. Control-system traffic was also blocked on five other utilities.

These examples highlight some of the exposures related to SCADA systems that can lead to further liabilities. However, to tackle the SCADA security challenge, we must better understand and define the problem. There are three primary issues related to SCADA security that have emerged in recent years: unsecured data transmissions, open public network connections and technology standardization.

Unsecured data/command transmissions

Many older SCADA systems weren't designed with information security in mind. This omission has led to systems with unsecured data transmission. Most of the older SCADA systems will still transmit both data and control commands in unencrypted clear text. This allows potential attackers to easily intercept and issue unauthorized commands to critical control equipment.