
March 08, 2005 (Computerworld) -- Computerized process-control systems run some of the most critical infrastructures in the U.S., such as power utilities, water treatment plants, chemical plants and mass-transit systems. Until recently, little attention was given to securing these systems from a cybersecurity perspective. This is in large part because they were perceived as operating in a closed environment. However, this perception has led to a false sense of security, especially against a backdrop of increasing information security risks.
This article examines the state of security related to process-control systems and what can be done to secure them.
What is SCADA?
There are two types of process-control systems in view: distributed control systems (DCS) and supervisory control and data acquisition (SCADA). DCS are typically used for single-point processing and are employed in a limited geographic area. On the other hand, SCADA systems are used for large-scale, distributed management of critical infrastructure systems and are often geographically dispersed.
For example, in a power utility, DCS may be used for generation of power, while SCADA is used for the distribution and transmission of power. The basic SCADA configuration, shown in Figure 1, consists of a supervisory control station and multiple controller stations, either local or remote. Through the use of the control station, operators can monitor status and issue commands to the appropriate devices. Control stations consist of devices that collect data or effect control of equipment. These devices are either remote terminal units (RTU), intelligent electronic devices or programmable logic controllers (PLC).
Figure 1: Process Control System
The security problem
Because of the limited attention paid to security, both DCS and SCADA systems are perceived as being largely unsecured and vulnerable to attack, as noted by a Government Accountability Office report last year. The report included many examples of attacks on control systems including:
These examples highlight some of the exposures related to SCADA systems that can lead to further liabilities. However, to tackle the SCADA security challenge, we must better understand and define the problem. There are three primary issues related to SCADA security that have emerged in recent years: unsecured data transmissions, open public network connections and technology standardization.
Unsecured data/command transmissions
Many older SCADA systems weren't designed with information security in mind. This omission has led to systems with unsecured data transmission. Most of the older SCADA systems will still transmit both data and control commands in unencrypted clear text. This allows potential attackers to easily intercept and issue unauthorized commands to critical control equipment.
Furthermore, the lack of authentication in the overall SCADA architecture means that attackers with physical access to the network can gain a foothold to launch denial-of-service or "man-in-the-middle" attacks, both of which can lead to disruption and safety concerns.
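To make the authentication gap concrete, the following added example (not from the original article or from any SCADA vendor) shows a controller-side check that accepts a command only if it carries a valid message authentication code and a fresh sequence number. The frame layout, the names `seal_command` and `ControllerVerifier`, and the key are assumptions constructed for illustration and do not correspond to a real SCADA protocol.

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout (constructed for this example, not a real protocol):
#   seq (uint32) | unit id (uint16) | opcode (uint8) | value (int32) | HMAC-SHA256 tag
HEADER = struct.Struct(">IHBi")
TAG_LEN = 32

def seal_command(key: bytes, seq: int, unit: int, opcode: int, value: int) -> bytes:
    """Control-station side: append a MAC computed over the command fields."""
    body = HEADER.pack(seq, unit, opcode, value)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class ControllerVerifier:
    """Controller (RTU/PLC front end) side: accept only authentic, fresh commands."""

    def __init__(self, key: bytes, unit: int):
        self.key, self.unit, self.last_seq = key, unit, 0

    def accept(self, frame: bytes):
        if len(frame) != HEADER.size + TAG_LEN:
            return None  # legacy-style frame with no tag, or truncated
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged, or modified in transit
        seq, unit, opcode, value = HEADER.unpack(body)
        if unit != self.unit or seq <= self.last_seq:
            return None  # addressed to another unit, or a replayed frame
        self.last_seq = seq
        return opcode, value

def demo():
    key = b"constructed-demo-key-not-for-use"  # constructed sample key
    rtu = ControllerVerifier(key, unit=7)
    good = seal_command(key, seq=1, unit=7, opcode=0x05, value=1)
    legacy = HEADER.pack(2, 7, 0x05, 0)  # clear-text command with no tag
    # Same frame with the last byte of the value field altered after sealing.
    tampered = good[:HEADER.size - 1] + b"\x00" + good[HEADER.size:]
    return {
        "authentic": rtu.accept(good),
        "replayed": rtu.accept(good),
        "legacy_unauthenticated": rtu.accept(legacy),
        "tampered": rtu.accept(tampered),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} -> {result}")
```

The tag provides authentication and integrity only; the command fields are still readable on the wire, so confidentiality would require encryption in addition.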
Open public network connections
SCADA systems have long been regarded as operating in a secure environment because of their closed network, which isn't exposed to external entities. Also, the communication protocols employed were primarily proprietary and not commonly published. This "security by secrecy" approach has led to a false sense of security that doesn't stand up to the test of an audit.
Furthermore, the notion that SCADA networks are closed systems is no longer true. Recent advances, such as Web-based reporting and remote operator access, have driven the requirement to interface with the Internet. This opens up physical access over the public network and subjects SCADA systems to the same potential malicious threats as those corporate networks face on a regular basis.
Standardization of technologies
Typically, compliance with industry standards and technologies is regarded as a good thing. However, in the case of newer SCADA systems, recent adoption of commonly used operating systems and standards makes for a more vulnerable target. Newer SCADA systems have begun to use operating systems such as Windows or Unix variants that are commonplace in corporate networks. While this move offers benefits, it also makes SCADA systems susceptible to numerous attacks related to these operating systems. SCADA systems also face patch management challenges as vulnerabilities for these operating systems are uncovered.
Securing SCADA
Against the backdrop of these emerging threats, security managers at institutions that use SCADA are beginning to address the challenges involved in securing these systems. Much of what needs to be done is simply implementing sound information-security practices. Here are a few key initiatives to address lingering security issues:
Andre Yee is president and CEO of NFR Security Inc., a Rockville, Md.-based vendor of real-time threat protection products, including an intrusion-prevention system with patent-pending Confidence Indexing.