Thursday, June 23, 2011

Improving Security for SCADA Control Systems

Executive Summary

The continuous growth of cyber security threats and attacks, including the increasing sophistication of malware, is impacting the security of critical infrastructure, industrial control systems, and Supervisory Control and Data Acquisition (SCADA) control systems. The reliable operation of modern infrastructures depends on computerized systems and SCADA systems. Since the emergence of Internet and World Wide Web technologies, these systems have been integrated with business systems and have become more exposed to cyber threats. There is a growing concern about the security and safety of SCADA control systems. The Presidential Decision Directive 63 document established the framework to protect the critical infrastructure, and the Presidential document of 2003, the National Strategy to Secure Cyberspace, stated that securing SCADA systems is a national priority. The critical infrastructure includes telecommunication, transportation, energy, banking, finance, water supply, emergency services, government services, agriculture, and other fundamental systems and services that are critical to the security, economic prosperity, and social well-being of the public. The critical infrastructure is characterized by interdependencies (physical, cyber, geographic, and logical) and complexity (collections of interacting components).
Therefore, information security management principles and processes need to be applied to SCADA systems without exception. Critical infrastructure disruptions can directly and indirectly affect other infrastructures, impact large geographic regions, and send ripples throughout the national and global economy. For example, under normal operating conditions, the electric power infrastructure requires fuels (natural gas and petroleum), transportation, water, banking and finance, telecommunication, and SCADA systems for monitoring and control.
In this paper, we provide an analysis of key developments, architecture, potential vulnerabilities, and security concerns, including recommendations toward improving security for SCADA control systems. We discuss the most important issues concerning the security of SCADA systems, including a perspective on enhancing the security of these systems. We briefly describe the SCADA architecture and identify the attributes that increase the complexity of these systems, including the key developments that mark the evolution of SCADA control systems along with the growth of potential vulnerabilities and security concerns. Then, we provide recommendations toward enhanced security for SCADA control systems. More effort should be planned for reducing the vulnerabilities and improving the security operations of these systems. It is necessary to address not only the individual vulnerabilities, but the breadth of risks that can interfere with critical operations.
We describe key requirements and features needed to improve the security of current SCADA control systems. For example, in assessing the risk for SCADA systems, general methods for risk analysis need to be applied, including the specific conditions and characteristics of a control system. Effective risk analysis for SCADA systems requires a unified definition of mishap and identification of potential harm to safety. As computer systems become more integrated, the distinction between security and safety is beginning to disappear. To bridge the gap between these domains, we propose a unified risk framework which combines a new definition of mishap with an expanded definition of hazard to include the security event.
However, methods for risk management that are based on automated tools and intelligent techniques are more beneficial to SCADA systems because they require minimum or no human intervention in controlling the processes. We also identify a unified security/safety risk framework for control systems. Implementing security features ensures higher security, reliability, and availability of control systems. Thus, organizations need to reassess the SCADA control systems and risk model to achieve defense-in-depth solutions for these systems. The increasing threats against SCADA control systems indicate that there should be more directions in the development of these systems. Therefore, achieving better quality and more secure SCADA control systems is a high priority.
Information security management principles and processes need to be applied to SCADA systems without exception. We conclude with a thought about the future of SCADA control systems. A strategy to deal with cyber attacks against the nation’s critical infrastructure requires first understanding the full nature of the threat. Defense in depth and proactive solutions to improve the security of SCADA control systems ensure the future of control systems and the survivability of critical infrastructure.

Keywords: industrial control system, SCADA control system, cyber security, critical infrastructure, requirements, risk management, security framework.

Material published as part of this publication, either on-line or in print, is copyrighted by the Informing Science Institute. Permission to make digital or paper copy of part or all of these works for personal or classroom use is granted without fee provided that the copies are not made or distributed for profit or commercial advantage AND that copies 1) bear this notice in full and 2) give the full citation on the first page. It is permissible to abstract these works so long as credit is given. To copy in all other cases or to republish or to post on a server or to redistribute to lists requires specific permission and payment of a fee. Contact Publisher@InformingScience.org to request redistribution permission.

Mariana Hentea
Excelsior College, Albany, NY, USA
mhentea@excelsior.edu
