Category: Top » Internet »

Author: Matthew McKernan | Total views: 40 Comments: 0
Word Count: 651 Date: Mon, 23 Feb 2009 10:23 PM

SCADA Security -- A Survival Guide

Is there the potential for an actual cyber threat or is it just media hype? In short, yes, cyber threats do exist for SCADA systems. Is the potential for cyber threats as great as some claim them to be? Probably not. Many have asked, "If there is no hard core evidence of a significant [outside] cyber attack on an industrial network, where is the threat?"

The answer is that these types of threats are becoming more likely, as current SCADA systems and networks increasingly utilize commercially off-the-shelf (COTS) software, connect to the enterprise layer and move toward IP connectivity. These recent changes have contributed to higher threat levels and increased vulnerability.

A few short years ago, the chances of someone finding these vulnerabilities and exploiting them were very slim. This was due to the fact that process control systems and SCADA networks were unheard of by the general population and systems were based on specialized platforms that were segregated from the enterprise layer. In recent years, industrial systems have begun to take a front seat in the spot light, due to the focus by the Department of Homeland Security on national critical infrastructure and some unfortunate media coverage.

Despite current efforts, there is a high probability that something bad is eventually going to happen. Evidence recovered from Al Qaeda suggests that terrorists have taken an interest in our SCADA networks (see, for example, Washington Post article dated March 11, 2005, entitled, "Hackers Target U.S. Power Grid"). In addition, the number of "SCADA hacking" presentations is increasing at security and "hacker" conventions, with the number of vulnerabilities discovered within these systems increasing. Bottom line, our little corner of industry is no longer isolated and the word is now out.

While cyber security is being given the lion's share of attention, with "hackers" already attracting premature blame from a few recently publicized incidents, the widespread disregard for physical and operational security within many organizations has become a huge concern. Many companies are heavily focused on shoring up their cyber security, with little or no regard for physical security.

When asked about their physical security, they too often reply as follows: "Well, we know our physical security is weak -- but what can you do?" Even though most of the current standards emphasize cyber security, it is important to remember that physical and operational security weaknesses can provide an alternate attack vector to SCADA systems and networks.

When asked to perform penetration testing of company systems, we have experienced a 100% success rate at gaining unauthorized cyber access by taking advantage of neglected physical and operation security controls. Companies that have addressed cyber, physical and operational security will be much better positioned to defend themselves. Taking this Holistic approach will address both the threats posed to their systems and the threats posed by persons in government, the media, and lawyers who will want to assign fault in the event a security breach results in an incident.

Regulatory Confusion
Beyond potential cyber, physical and operational threats, operators must now also contend with regulatory compliance. The compliance landscape is currently a complex environment in that each industry vertical must navigate through multiple regulatory requirements, industry standards, guidelines, and best practices. Exacerbating this challenge, most of these documents are very ambiguous, with little consensus on strategic guidance or tactical implementation.

The bottom line is that asset owners and operators across all industry verticals are not only unsure as to exactly how they must meet compliance and secure their systems, but also to what standards, guidelines, or best practices they may be held accountable.

As a result of the lack of clearly delineated requirements, operators are susceptible to various interpretations. This could lead to an audit failure or out-of-context scrutiny subsequent to an incident penalties and potential legal liabilities.

About the Author

Click on the links provided for more information on scada, scada security and risk management.

Rate, comment or bookmark this article

Seed Newsvine

Bookmark this article in your preferred program

Comments

No comments posted.

Add Comment

HTML code

Popular Articles in this cathegory

1: Online Video Websites, Why You Should Leave Video Comments

Are an individual who loves getting your entertainment online If so, there is a good chance that you know what online video sites are

2: Problems With BitTorrent Error Messages

BitTorrent software error messages and their solutions

3: MySpace Scroll Comments - Take Back Control Of Your Profile Page

If comments have taken over your entire MySpace page, then a "MySpace Scroll Comments" code may be a perfect solution to your problem. If you prefer to hide comments altogether, then check out this article for this and more helpful tips.

4: MySpace: Hide Comments To Avoid Potential Embarrassment

MySpace is a fantastic place to keep up with all of your friends. Unfortunately, your public profile is at risk of receiving nasty comments from ex-boyfriends and bullies if you don't take steps to protect yourself with a MySpace hide comments code. Learn the best way to secure your profile with this informative article.

5: Website Builder

Having a website these days is as common as having a car Most companies have one as do everyday people