How to meet the SCADA security challenge
Computerworld - Computerized process-control systems run some of the most critical infrastructures in the U.S., such as power utilities, water treatment plants, chemical plants and mass-transit systems. Until recently, little attention was given to securing these systems from a cybersecurity perspective. This is in large part because they were perceived as operating in a closed environment. However, this perception has led to a false sense of security, especially against a backdrop of increasing information security risks.
This article examines the state of security related to process-control systems and what can be done to secure them.
What is SCADA?
There are two types of process-control systems in viewdistributed control systems (DCS) and supervisory control and data acquisition (SCADA). DCS are typically used for single-point processing and are employed in a limited geographic area. On the other hand, SCADA systems are used for large-scale, distributed management of critical infrastructure systems and are often geographically dispersed.
For example, in a power utility, DCS may be used for generation of power, while SCADA is used for the distribution and transmission of power. The basic SCADA configuration shown in Figure 1, consists of a supervisory control station and multiple controller stations, either local or remote. Through the use of the control station, operators can monitor status and issue commands to the appropriate devices. Control stations consist of devices that collect data or effect control of equipment. These devices are either remote terminal units (RTU), intelligent electronic devices or programmable logic controllers (PLC).
Figure 1: Process Control System
The security problem
Because of the limited attention paid to security, both DCS and SCADA systems are perceived as being largely unsecured and vulnerable to attack, as noted by a Government Accountability Office report last year. The report included many examples of attacks on control systems including:
- A cybersecurity breach in 1994 of the Salt River Project, a major water and electricity provider in Tempe, Ariz.
- SQL Slammer worm infection of the Davis-Besse nuclear power plant in Oak Harbor, Ohio, in 2003. The plant's process computer failed, requiring more than six hours for recovery. Control-system traffic was also blocked on five other utilities.
These examples highlight some of the exposures related to SCADA systems that can lead to further liabilities. However, to tackle the SCADA security challenge, we must better understand and define the problem. There are three primary issues related to SCADA security that have emerged in recent years: unsecured data transmissions, open public network connections and technology standardization.
Unsecured data/command transmissions
Many older SCADA systems weren't designed with information security in mind. This omission has led to systems with unsecured data transmission. Most of the older SCADA systems will still transmit both data and control commands in unencrypted clear text. This allows potential attackers to easily intercept and issue unauthorized commands to critical control equipment.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts