Not in Kansas anymore: Securing SCADA
Safeguarding our infrastructure
The President's Critical Infrastructure Protection Board and the Department of Energy have both gone on record stating that technical audits of SCADA devices and networks are critical to ongoing security effectiveness. Many commercial and open-source security tools are available that allow system administrators to audit their systems and networks to identify active services, patch levels, and common vulnerabilities.
The use of these tools will not solve systemic problems, but will eliminate the "paths of least resistance" that an attacker could exploit. It is important to analyze identified vulnerabilities to determine their significance, and take corrective actions as appropriate. It is also imperative to track corrective actions and analyze this information to identify trends. Once corrective actions have taken place, retest the system to ensure that the vulnerabilities were actually eliminated. To uncover and address any potential problems, be sure to actively scan non-production environments.
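The track-and-retest loop described above, as an added example that is not part of the original article: it reconciles a retest against the baseline audit and the corrective-action log, then counts findings by category to expose trends. The host names, finding labels and status values are constructed for illustration and do not come from any particular audit tool.

```python
from collections import Counter

# Constructed sample data: (host, port, finding) tuples from two audit runs.
BASELINE = {
    ("hmi-01", 23, "telnet-enabled"),
    ("hmi-01", 80, "default-credentials"),
    ("plc-07", 502, "unauthenticated-service"),
    ("hist-02", 445, "missing-patch"),
}
RETEST = {
    ("hmi-01", 80, "default-credentials"),      # logged as fixed, still present
    ("plc-07", 502, "unauthenticated-service"),
    ("hist-02", 3389, "missing-patch"),         # not seen in the baseline
}
# Constructed corrective-action log: finding -> status recorded by the owner.
ACTIONS = {
    ("hmi-01", 23, "telnet-enabled"): "fixed",
    ("hmi-01", 80, "default-credentials"): "fixed",
    ("hist-02", 445, "missing-patch"): "fixed",
    ("plc-07", 502, "unauthenticated-service"): "accepted-risk",
}

def reconcile(baseline, retest, actions):
    """Compare a retest against the baseline and the corrective-action log."""
    claimed_fixed = {f for f, status in actions.items() if status == "fixed"}
    return {
        # Logged as fixed and absent from the retest: the fix is confirmed.
        "verified": sorted(claimed_fixed - retest),
        # Logged as fixed but found again: the corrective action did not work.
        "failed_fix": sorted(claimed_fixed & retest),
        # Baseline findings still present with no corrective action on record.
        "untracked": sorted((baseline - set(actions)) & retest),
        # Findings that appeared only in the retest.
        "new": sorted(retest - baseline),
    }

def trend(findings):
    """Count findings per category to show recurring weaknesses."""
    return Counter(kind for _host, _port, kind in findings)

if __name__ == "__main__":
    for bucket, items in reconcile(BASELINE, RETEST, ACTIONS).items():
        print(bucket, items)
    print(trend(BASELINE | RETEST).most_common())
```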
Creating secure micro-grids
Blue Pillar has seen implementing and maintaining security become a real and growing concern for the energy industry. To help combat security vulnerabilities, Blue Pillar is working with energy infrastructure organizations to develop a cyber-secure central nervous system for campus energy asset portfolios and advocate the use of micro-grids.
Micro-grids are campus-based, integrated portfolios of distributed critical power resources, managed as a dispatchable nodal network, responsive to economic, grid instability and/or on-site power reliability events/issues. Such a portfolio must include legacy base-load assets (generators, switchgear, chillers, campus distribution feeders, co-generation) as well as intermittent or renewable resources (thermal storage, solar, on-site wind). A true micro-grid would be able to completely island campus load from the grid for long periods of time, automating and prioritizing the dispatch of various energy assets based on circuit-level load requirements (mission critical to "curtailable"), heat rate/efficiency of on-site assets and inbound power quality from the grid, among other factors. To enable a proactive and secure micro-grid, a bi-directional command and monitoring software service bus application must be in place.
"In terms of addressing security and deploying micro-grids, the automation system should allow the end-user to manage emergencies, historically analyze the responses, and automate monthly testing regimes which we consider being the number one defense against being ill-prepared for any unforeseen events," said Zeronik.
SCADA security checks and balances
Any facility that has a connection to the SCADA system should conduct a physical security survey and inventory access point check. It is imperative to identify and assess any source of information including remote telephone/computer network/fiber optic cables that could be tapped, radio and microwave links that are exploitable, computer terminals that could be accessed and wireless local area network access points. The goal is to identify and eliminate single points of failure.
Robust performance evaluation processes are needed to provide organizations with feedback on the effectiveness of cyber security policy and technical implementation of any SCADA. A sign of an organization on track is one that is able to self-identify issues, conduct root cause analyses, and implement effective corrective actions that address individual and systemic problems. There is much cause for securing not only the SCADA, but also the smaller, embedded software applications found within many new devices.
The National Infrastructure Protection Plan Program works with several government agencies in the area of cyber security to ensure the integrity and availability of the nation's cyber infrastructure. In addition, the National Supervisory Control and Data Acquisition (SCADA) Test Bed is a DOE Office of Electricity Delivery and Energy Reliability (OE)-sponsored resource to help secure our nation's energy control systems. It combines state-of-the-art operational system testing facilities with research, development, and training to discover and address critical security vulnerabilities and threats to the energy sector.
As America's infrastructures have become more complex and interconnected, their operation and control have become more complicated. SCADA systems are today networked across the Internet and widely deployed to operate these infrastructures. These systems, and the Internet over which they handle information, are identified as insecure and have had many security vulnerabilities exposed. It is apparent that there are more safeguards now being put into place to secure our critical infrastructures. The performance of the nation's infrastructure is an essential component of the nation's economic prosperity.
Moving target
The exponentially growing cyber security threats and attacks, including the increasing sophistication of malware, will continue to impact the security of critical infrastructure, industrial control systems, and SCADA control systems. The reliable operation of modern infrastructures depends on computerized systems and SCADA systems, which will never go away. Also, with the Internet and World Wide Web technologies, SCADA systems have been increasingly integrated with ERPs and business systems, which compounds the threat of cyber-attacks. Unfortunately, the reality is that there will always be a concern around the security and safety of any system of any importance to our critical infrastructure.
As technology advances, so do system vulnerabilities. Progress in securing our infrastructures must constantly be re-evaluated, and we must always prepare ourselves for whatever challenge is thrown at us, be it natural or man-made. Strong consideration must be given to our infrastructure interdependencies and the potential effects of losing one or more critical components in an attack. There is no way to completely safeguard ourselves from attacks and malfunctions, which is why preparing a robust contingency plan will go a long way in preserving our critical assets.
Eric Marks is the industry practice leader for PricewaterhouseCoopers. He helps organizations to innovate, reduce costs, manage risk and regulation, and leverage in-house capabilities. Prior to PwC, Marks worked with Deloitte Consulting, IBM Global Business Services, and Cambridge Technology Partners. Using his more than 18 years of consulting experience, his vision is to support companies in designing, managing and executing lasting beneficial change within their organization. Marks holds a bachelor of mathematics in computer science from the University of Waterloo and an MBA in strategic management and marketing from The Wharton School of the University of Pennsylvania.

