In Depth
SCADA System Security: Out of Control
Industrial control systems such as SCADA systems sit squarely at the intersection of the digital and physical worlds. They're vulnerable, they're unpatchable, and they're connected to the Internet.
By Todd Datz
John Maguire, senior security analyst at PJM, the world's largest electric grid operator (it covers a region that includes Baltimore, Chicago, Philadelphia, Pittsburgh and Washington, D.C.), sees firsthand the lack of operational security know-how. PJM's members include some 800 power sources, and Maguire serves as PJM's external security rep to those companies. He says security is a tough issue for PJM's membership. "We've pointed at the right documents and suggested best practices, but there's a fear of getting started or not knowing how to get started. It's a new set of responsibilities, and security isn't their core business. In [industries such as] banking and insurance, most of their business is about information. For our members, it's about producing electricity," says Maguire.
In fact, IT and operations groups are not just separate, they're often antagonistic toward each other, according to Weiss. The engineers responsible for control systems care about around-the-clock reliability. For that reason, all the workers with responsibility for, say, an electric power substation, might have the same user name and password to ensure no one forgets theirs if they're called into action at 2:00 a.m. to troubleshoot a system. If a CSO told them, wait, that's bad security, we need two-level authentication for anyone to gain access, it would just reinforce the perception among the field guys that IT doesn't "get" control systems, Weiss says.
Hampering a get-together between the two sides is the lack of an overall security policy in many companies. Torres says he is heartened by the fact that an awareness of the importance of cybersecurity policies is on the upswing, with urging from groups such as the North American Electric Reliability Council (NERC) in the power industry, for example. Torres believes more companies are putting such policies in place; however, he adds, "Whether they include the right things or not is another question."
Can't Patch This
In a typical corporate IT network, hundreds (or thousands) of PCs, servers and other devices are packed to the gills with processing power and memory. CSOs can slap on the latest security technologies without much adverse effect on the network. On the other hand, many legacy control systems still run on Intel 8088, 286 and 386 processors. These processors are "adequate for the functions they have, but if you try to lay, say, encryption over them, they can't handle it. We're sitting with 30- to 40-year-old systems," says Ken Watts, director of infrastructure and defense systems at the Idaho National Engineering and Environmental Laboratory, which does process control research for the Department of Energy.



