SCADA System Security: Out of Control

Industrial control systems such as SCADA systems sit squarely at the intersection of the digital and physical worlds. They're vulnerable, they're unpatchable, and they're connected to the Internet.


Pollet points out another issue: vendors sometimes approve patches for only certain versions of software. He gives the example of a company that upgraded its operating system. "If I say my system isn't functioning, [control system vendors] ask what patch you're running. I say I'm running a patch for Windows 2003 Server. They say I can't give you any support [because that's not the OS our software works with]. They say scale back to the original OS. Companies can void a warranty by upgrading," says Pollet.

The Fix Is In, Sort Of

All these vulnerabilities raise the question: Are the major control system providers (including ABB, Emerson, GE, Honeywell, Invensys and Siemens) building more secure systems? Up until now, Weiss says those companies have focused entirely on improved performance, because that's what the buyers have asked for. Vendors responded by incorporating off-the-shelf software and hardware, and building Web and wireless connectivity into their products. But vendors are to blame as well. Instead of waiting for market pressures to force them into building more secure systems, they could take a more proactive stance and begin making a concerted effort to beef up the security of their products, and work more closely with customers to identify and mitigate the vulnerabilities of existing systems.

There are some examples of new efforts by vendors. Areva, a control system vendor, recently announced a new partnership with Symantec to strengthen the security of its products. Last year, software company Verano announced Industrial Defender, a product suite aiming to protect control systems from cyberattacks.

Meanwhile, the companies that use control systems aren't completely reduced to waiting for vendors to get their acts together. Pollet says better information security on the corporate network can greatly reduce the risks posed to control systems; he mentions better router configuration, antivirus software, intrusion detection systems and more diligent patching. Torres adds the nontechnology parts of the security equation: better configuration management, better documentation of network architectures, better patch management and better contingency planning. Above all, Torres thinks the cultural gap between the IT and control side needs to be bridged.

Various private industry and government groups are taking steps to make critical infrastructure companies more aware of the flaws in their control systems. The National Institute of Standards and Technology and the National Security Agency established the Process Controls Security Requirements Forum (members include reps from the electric, water, chemical and oil industries, as well as government labs and control system vendors) to develop security specs for control systems. NERC and the oil pipeline industry are working on the creation of permanent standards. Other government agencies and major critical infrastructure industries have established working groups to address the issue. Notably, last December, the Department of Homeland Security created a new Control Systems Section inside the Protective Security Division of the Information Analysis and Infrastructure Protection Directorate.

But most managers, engineers and workers with day-in and day-out responsibilities for maintaining control systems may be a long way from putting cybersecurity on the front burner. Earlier this year, Weiss held a conference session attended by 30 to 40 people, some 15 of whom were plant managers. Weiss says that in his informal discussions afterward, every one of those managers thought cybersecurity had to do solely with the vulnerability of their e-mail systems. "They had no idea whatsoever about security around control systems," he says. Weiss observes that 9/11 served to make security a big deal in terms of physical and IT security: business systems, websites and the like. But control system security? "To this day, most people don't think they're vulnerable," he says.

Copyright © 2004 IDG Communications, Inc.
