Executive Summary
The continuous growth of cyber security threats and attacks including the increasing sophistica- tion of malware is impacting the security of critical infrastructure, industrial control systems, and
Supervisory Control and Data Acquisition (SCADA) control systems. The reliable operation of modern infrastructures depends on computerized systems and SCADA systems. Since the emer- gence of Internet and World Wide Web technologies, these systems were integrated with business systems and became more exposed to cyber threats. There is a growing concern about the security and safety of the SCADA control systems. The Presidential Decision Directive 63 document es- tablished the framework to protect the critical infrastructure and the Presidential document of 2003, the National Strategy to Secure Cyberspace stated that securing SCADA systems is a na- tional priority.The critical infrastructure includes telecommunication, transportation, energy, banking, finance, water supply, emergency services, government services, agriculture, and other fundamental systems and services that are critical to the security, economic prosperity, and social well-being of the public. The critical infrastructure is characterized by interdependencies (physi- cal, cyber, geographic, and logical) and complexity (collections of interacting components). Therefore, information security management principles and processes need to be applied to SCADA systems without exception. Critical infrastructure disruptions can directly and indirectly affect other infrastructures, impact large geographic regions, and send ripples throughout the na- tional and global economy. For example, under normal operating conditions, the electric power infrastructure requires fuels (natural gas and petroleum), transportation, water, banking and fi- nance, telecommunication, and SCADA systems for monitoring and control.
In this paper, we provide an analysis of key developments, architecture, potential vulnerabilities, and security concerns including recommendations toward improving security for SCADA control systems. We discuss the most important issues concerningthe security of SCADA systems in- cluding a perspective on enhancing security ofthese systems. We briefly describe the SCADA architecture, and identify the attributes that increase the complexity of these systems including the key developments that mark the evolution of the SCADA control systems along with the growth of potential vulnerabilities and security concerns. Then, we provide recommendations toward an enhanced security for SCADA control systems. More efforts should be planned on reducing the vulnerabilities and improving the security operations of these systems. It is necessary to address
not only the individual vulnerabilities, but thebreadthofrisksthatcaninterfere with critical operations.
We describe key requirements and fea- tures needed to improve the security of the current SCADA control systems. For example, in assessing the risk for SCADA systems, use of general meth- ods for risk analysis including specific conditions and characteristics of a control system needto be applied. Effective risk analysis for SCADA systems requires a unified definition for mishap and identification of potential harm to safety. As computer systems are more integrated, the distinction between security and safety is beginning to disappear. In bridging the gap between these domains, we propose a unified risk framework which combines a new definition of mishap with an expanded definition of hazard to include the security event.
However, methods for risk management that are based on automated tools and intelligent tech- niques are more beneficial to SCADA systems because they require minimum or no human inter- vention in controlling the processes. We also identify a unified security/safety risk framework for control systems. Implementing security features ensures higher security, reliability, and availabil- ity of control systems. Thus organizations need to reassess the SCADA control systems and risk model to achieve in depth defense solutions for these systems. The increasing threats against SCADA control systems indicate that there should be more directions in the development of these systems.Therefore, achieving better quality and more secure SCADA control systems is a high priority.
Information security management principles and processes needto be applied to SCADA systems without exception. We conclude with a thought about the future of SCADA control systems. A strategy to deal with cyber attacks against the nation’s critical infrastructure requires first under- standingthe full natureofthethreat. A depth defense andproactive solutionstoimprovethe se- curity of SCADA control systems ensures the future of control systems and survivability of criti- cal infrastructure.
Keywords: industrial control system, SCADA control system, cyber security, critical infrastruc- ture, requirements, risk management, security framework.
Introduction
Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other smaller control system configurations including skid-mounted Programmable Logic Controllers (PLC) are often found in the industrial sectors and critical infrastructures. These are also known under a general term, Industrial Control System (ICS). A control system is a device or set of devices to manage, command, direct, or regulate the behavior of other devices or systems. ICSs are typically used in industries such as electrical, water, oil and gas, and chemical including experimental and research facilities such as nuclear fusion laboratories. The reliable operation of modern infrastructures depends on computerized systems and SCADA sys- tems.
The Presidential Decision Directive 63 document established the framework to protect the critical infrastructure and the Presidential document of 2003, the National Strategy to Secure Cyberspace statedthat securing SCADA systems is a national priority.
The critical infrastructure includes telecommunication,transportation, energy, banking, finance, water supply, emergency services, government services, agriculture, and other fundamental sys-
tems and services that are critical to the security, economic prosperity, and social well-being of the public. The critical infrastructure is characterized by interdependencies (physical, cyber, geo- graphic, and logical) and complexity (collections of interacting components). Cyber interdepend- encies are a result of the pervasive computerization and automation of infrastructures (Rinaldi, Peerenboom, & Kelly, 2001). The critical infrastructure disruptions can directly and indirectly affect other infrastructures, impact large geographic regions, and send ripples throughout the na- tional and global economy. For example, under normal operating conditions, the electric power infrastructure requires fuels (natural gas and petroleum), transportation, water, banking and fi- nance, telecommunication, and SCADA systems for monitoring and control.
74There is a growing concern about the security and safety of the SCADA control systems in terms of vulnerabilities, lack of protection, and awareness (Byres & Franz, 2005; Byres, Hoffman & Kube, 2006).Therefore, information security management principles and processes need to be appliedto SCADA systems without exception.
This paper provides a relevant analysis of most important issues and a perspective on enhancing security of these systems. The rest of this paper is organized in sections as follows: next section provides an overview ofthe SCADA architecture. Then, in the following section, we describe key developments that mark the evolution of the SCADA control systems along with the increase of potential vulnerabilities and security concerns. In the next section, we provide recommenda- tions toward an enhanced security for SCADA control systems. We describe key requirements and features needed to improve the security of the current SCADA control systems. We conclude with a thought about the future of SCADA control systems.
Mariana Hentea Excelsior College, Albany, NY, USA
mhentea@excelsior.edu
No comments:
Post a Comment