How to meet the SCADA security challenge

Andre Yee, NFR Security

March 08, 2005 (Computerworld) -- Computerized process-control systems run some of the most critical infrastructures in the U.S., such as power utilities, water treatment plants, chemical plants and mass-transit systems. Until recently, little attention was given to securing these systems from a cybersecurity perspective. This is in large part because they were perceived as operating in a closed environment. However, this perception has led to a false sense of security, especially against a backdrop of increasing information security risks.


This article examines the state of security related to process-control systems and what can be done to secure them.


What is SCADA?


Two types of process-control systems are relevant here: distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems. DCS are typically used for single-point processing and are employed in a limited geographic area. SCADA systems, on the other hand, are used for large-scale, distributed management of critical infrastructure and are often geographically dispersed.


For example, in a power utility, DCS may be used for the generation of power, while SCADA is used for the distribution and transmission of power. The basic SCADA configuration, shown in Figure 1, consists of a supervisory control station and multiple controller stations, either local or remote. Through the control station, operators can monitor status and issue commands to the appropriate devices. Controller stations consist of devices that collect data or effect control of equipment. These devices are remote terminal units (RTU), intelligent electronic devices (IED) or programmable logic controllers (PLC).



Figure 1: Process Control System


The security problem


Because of the limited attention paid to security, both DCS and SCADA systems are perceived as being largely unsecured and vulnerable to attack, as noted by a Government Accountability Office report last year. The report included many examples of attacks on control systems including:


  • A cybersecurity breach in 1994 of the Salt River Project, a major water and electricity provider in Tempe, Ariz.


  • The SQL Slammer worm infection of the Davis-Besse nuclear power plant in Oak Harbor, Ohio, in 2003. The plant's process computer failed, requiring more than six hours for recovery. Control-system traffic was also blocked at five other utilities.


These examples highlight some of the exposures related to SCADA systems that can lead to further liabilities. However, to tackle the SCADA security challenge, we must better understand and define the problem. There are three primary issues related to SCADA security that have emerged in recent years: unsecured data transmissions, open public network connections and technology standardization.


Unsecured data/command transmissions


Many older SCADA systems weren't designed with information security in mind. This omission has led to systems with unsecured data transmission: most older SCADA systems still transmit both data and control commands in unencrypted clear text. This allows potential attackers to easily intercept traffic and issue unauthorized commands to critical control equipment.


Furthermore, the lack of authentication in the overall SCADA architecture means that attackers with physical access to the network can gain a foothold to launch denial-of-service or "man-in-the-middle" attacks, both of which can lead to disruption and safety concerns.
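To make the two preceding paragraphs concrete, here is an added example (not code from the article or from NFR Security) that contrasts a legacy clear-text command frame, which a controller executes exactly as it arrives, with the same frame carrying an HMAC-SHA256 tag and a monotonic sequence number, so that an altered or replayed frame is rejected. The frame layout, field names and pre-shared key are assumptions constructed for this illustration and do not correspond to any real SCADA protocol; the example covers authentication and replay protection only, and a real deployment would also encrypt the channel (for example with TLS or IPsec) and provision per-device keys.

```python
import hashlib
import hmac
import struct

# Constructed frame layout for this illustration (an assumption, not any real
# SCADA protocol): seq (4 bytes) | device_id (2) | command (1) | value (2), big-endian.
FRAME_FMT = ">IHBH"
BODY_LEN = struct.calcsize(FRAME_FMT)   # 9 bytes
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def build_plaintext_frame(seq, device_id, command, value):
    """Legacy-style frame: clear text, no integrity or origin check."""
    return struct.pack(FRAME_FMT, seq, device_id, command, value)


def parse_plaintext_frame(frame):
    """A legacy receiver executes whatever arrives, altered or not."""
    return struct.unpack(FRAME_FMT, frame)


def build_authenticated_frame(key, seq, device_id, command, value):
    """Same body, plus an HMAC-SHA256 tag computed under a pre-shared key."""
    body = struct.pack(FRAME_FMT, seq, device_id, command, value)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class CommandReceiver:
    """Controller-side check: accept a frame only if its tag verifies under the
    shared key and its sequence number is higher than any already accepted."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def accept(self, frame):
        """Return the parsed command tuple, or None if the frame is rejected."""
        if len(frame) != BODY_LEN + TAG_LEN:
            return None
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking tag bytes through timing.
        if not hmac.compare_digest(tag, expected):
            return None
        seq, device_id, command, value = struct.unpack(FRAME_FMT, body)
        if seq <= self.last_seq:
            return None  # replayed or out-of-order frame
        self.last_seq = seq
        return (seq, device_id, command, value)


def flip_last_byte(frame):
    """Simulate an in-path corruption of the value field (constructed test input)."""
    altered = bytearray(frame)
    altered[BODY_LEN - 1] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    key = b"\x01" * 32  # constructed demo key; real deployments provision per-device keys
    rx = CommandReceiver(key)
    legacy = build_plaintext_frame(1, 7, 0x10, 500)
    print("legacy receiver executes:", parse_plaintext_frame(flip_last_byte(legacy)))
    good = build_authenticated_frame(key, 1, 7, 0x10, 500)
    print("authenticated, fresh:   ", rx.accept(good))
    print("authenticated, replayed:", rx.accept(good))
    print("authenticated, altered: ", rx.accept(flip_last_byte(good)))
```

The legacy receiver parses the corrupted frame as a command with value 501 and would act on it; the authenticated receiver returns None for the altered frame, for the replay and for any frame tagged under a different key, which is the property the article's "secure network communications" and "turn on security" recommendations are after.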


Open public network connections


SCADA systems have long been regarded as operating in a secure environment because of their closed network, which isn't exposed to external entities. Also, the communication protocols employed were primarily proprietary and not commonly published. This "security by secrecy" approach has led to a false sense of security that doesn't stand up to the test of an audit.


Furthermore, the notion that SCADA networks are closed systems is no longer true. Recent advances, such as Web-based reporting and remote operator access, have driven the requirement to interface with the Internet. This exposes SCADA systems over the public network and subjects them to the same malicious threats that corporate networks face on a regular basis.


Standardization of technologies


Typically, compliance with industry standards and technologies is regarded as a good thing. However, in the case of newer SCADA systems, the recent adoption of commonly used operating systems and standards makes for a more vulnerable target. Newer SCADA systems have begun to use operating systems such as Windows or Unix variants that are commonplace in corporate networks. While this move offers benefits, it also makes SCADA systems susceptible to the numerous attacks that target these operating systems. SCADA systems also face patch management challenges as vulnerabilities in these operating systems are uncovered.


Securing SCADA


Against the backdrop of these emerging threats, security managers at institutions that use SCADA are beginning to address the challenges involved in securing these systems. Much of what needs to be done is simply implementing sound information-security practices. Here are a few key initiatives to address lingering security issues:


  • Secure network communications: Implement strong encryption over the SCADA network communications, ensuring that both monitored data and control commands are encrypted.


  • Turn on security: Implement security features with devices on your network, especially authentication. Use secure protocols whenever possible.


  • Know your SCADA network: Identify all connections to external networks including wireless networks, corporate LANs and WANs, and the Internet. Further secure your network by eliminating all unnecessary connections to external networks.


  • Harden your SCADA environment: Remove all unnecessary services from the hosts on your network. Also, just as you would in your corporate network environment, ensure that all systems are patched and up to date.


  • Conduct regular security audits: Ensure that security practices and procedures, such as incident response, are defined and implemented. Penetration testing of the network environment should also be conducted prudently, with inspection for potential back doors into the SCADA network.


  • Implement real-time threat protection: With the increasing number and complexity of attacks, it's insufficient to simply patch your systems or maintain access/service control. One alternative is to implement real-time threat protection in the form of network intrusion-prevention systems. Unlike standard packet-filter firewalls, these systems perform application-layer inspection to identify attacks that are carried in the payload and block the offending traffic in real time.
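The "know your SCADA network" and "real-time threat protection" items above both come down to seeing which connections actually cross the control-network boundary. The following is an added example, not code from the article or from NFR Security, that audits a set of flow records against a zone map and flags every flow touching the control zone from another zone, rating clear-text control or administrative protocols as high severity. The zone map, the flow-record format and the six sample records are constructed for this illustration; the port assignments for Modbus/TCP (502), DNP3 (20000) and telnet (23) are standard, but which of them matter at a given site is an assumption the operator must confirm against the inventory.

```python
import ipaddress
from collections import Counter

# Constructed zone map for a hypothetical site (an assumption, not from the article).
ZONES = {
    "control":   [ipaddress.ip_network("10.10.0.0/16")],
    "corporate": [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("10.30.0.0/16")],
    "wireless":  [ipaddress.ip_network("192.168.50.0/24")],
}

# TCP ports of protocols that carry commands or credentials in clear text.
# The assignments are standard; their relevance to a given site is an assumption.
CLEARTEXT_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 23: "telnet"}

# Constructed flow records: timestamp, source, destination, destination port, protocol.
SAMPLE_FLOWS = """\
2005-03-08T10:01:12 10.10.1.5     10.10.2.20 502   tcp
2005-03-08T10:01:15 10.20.4.7     10.10.2.20 502   tcp
2005-03-08T10:02:01 203.0.113.9   10.10.1.1  23    tcp
2005-03-08T10:02:30 192.168.50.12 10.10.2.21 20000 tcp
2005-03-08T10:03:00 10.10.1.5     10.20.9.9  443   tcp
2005-03-08T10:03:10 10.10.2.20    10.10.1.5  502   tcp
"""


def zone_of(ip):
    """Map an address to its zone; anything outside the known ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "internet"


def parse_flow(line):
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def audit_flows(text):
    """Return one finding per flow that crosses the control-zone boundary."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
        if src_zone == dst_zone or "control" not in (src_zone, dst_zone):
            continue  # intra-zone traffic, or traffic not touching the control network
        proto_name = CLEARTEXT_PORTS.get(flow["dport"])
        if proto_name:
            severity = "high"
            reason = f"clear-text {proto_name} crossing the control boundary"
        else:
            severity = "medium"
            reason = "connection across the control boundary; confirm it is documented"
        findings.append({**flow, "src_zone": src_zone, "dst_zone": dst_zone,
                         "severity": severity, "reason": reason})
    return findings


def summarize(findings):
    """Count boundary crossings by (source zone, destination zone) pair."""
    return Counter((f["src_zone"], f["dst_zone"]) for f in findings)


if __name__ == "__main__":
    results = audit_flows(SAMPLE_FLOWS)
    for f in results:
        print(f"{f['severity']:6} {f['src']} ({f['src_zone']}) -> {f['dst']} ({f['dst_zone']}) "
              f"port {f['dport']}: {f['reason']}")
    print(dict(summarize(results)))
```

Run against the sample records, the two control-zone-internal Modbus flows are ignored, while the corporate, wireless and Internet-sourced flows into the control zone and the outbound HTTPS flow to the corporate LAN are reported; each entry in the summary is a boundary crossing that should either appear in the documented connection inventory or be eliminated, as the "know your SCADA network" item recommends.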


Andre Yee is president and CEO of NFR Security Inc., a Rockville, Md.-based vendor of real-time threat protection products, including an intrusion-prevention system with patent-pending Confidence Indexing.