Why SCADA Security Must Be Addressed
The threat to SCADA systems is largely hypothetical today, but experts see real incidents around the corner
By Rick Cook
September 01, 2008 — CSO —
Industrial control systems, including SCADA (supervisory control and data acquisition) have come under the security spotlight in recent years following a sprinkling of incidents - most notably the Slammer worm infestation at Ohio's Davis-Besse nuclear power plant in 2003, and post-9-11 attention to terrorist threats.
But SCADA security is a tough nut to crack, buried beneath a complex mix of technology, attitude and a particularly intractable set of network characteristics. Still, industry experts see the risk to SCADA systems growing in the not-too-distant future. Not only are there very real dangers, but regulatory agencies are beginning to take notice and impose requirements.
Matthew Luallen, owner of Encari, a Chicago-based information security consultancy, points out that the electric utility industry is already under a three-year program to improve security. The sanctions for noncompliance, he says, can run up to $1 million a day.
Fundamentally, the control world has changed, particularly at the high end with methods like SCADA. There are more open systems, wireless technologies are becoming popular and there's increased connectivity, both internally and externally. There are more outsourced services and strategic alliances among vendors, which encourages openness and interoperability. Plant environments have become complex with multiple vendors' equipment, proprietary systems and mission-critical applications all tied together in complex networks; all must function in a time-constrained fashion.
"Supervisory and information control systems in manufacturing facilities are evolving rapidly, and with the technological advances come security risks," Wonderware VP of global product management Rashesh Mody said in a recent white paper.
Lack of understanding between industrial automation and corporate IT is also a problem. Automation has evolved along very different pathways than corporate IT, and relations between the two groups all too often run from mutual incomprehension to outright hostility.
There is not even a lot of agreement about the level of the threat. The people in the controls business see problems as unlikely because of the separation between factory and office networks. Computer security experts like Alan Paller of the SANS Institute see the danger as very real. Paller points out that most of the incidents that have attracted attention involved highly regulated industries such as nuclear power plants, which are required to report out-of-the-ordinary activity.
"The fundamental problem is that although senior executives were told SCADA systems are not connected to the Internet, in fact they're connected to routers, and those routers are connected," Paller says.
The availability of security features in control system software also varies widely. As CERN, the international physics laboratory in Geneva, noted in a November 2007 report, "vulnerability scans at CERN using standard IT tools have shown that commercial automation systems often lack even fundamental security precautions: Some systems crashed during the scan, while others could easily be stopped or have their process data altered."
However, some of the control system vendors are taking security seriously. After the well-publicized discovery of a security flaw in its SuiteLink product, Wonderware began an extensive campaign to upgrade the security of its products.
Further, a lot of the doomsday scenarios are overblown. Andrew Ongun, general manager of Evolutionary Commercial Systems, a Huntington Beach, Calif., consultancy specializing in control systems, points out that, for example, a lot of the equipment has built-in sanity checks that won't allow parameters to reach dangerous levels, no matter how badly the system is hacked.
Read more about data protection in CSOonline's Data Protection section.
Other stories by Rick Cook