
PE. What is SCADA and how does it relate to the utilities sector?
PF. SCADA stands for supervisory control and data acquisition. This refers to industrial control systems, which are used for gathering data, monitoring information about the process and enabling visualization through a human machine interface (HMI). Hence an operator can visualize the state of an operation and perform control operations through equipment such as PLCs and RTUs. For example, from a utilities perspective it is possible to monitor and log turbines, boilers, natural gas air compressors, cooling towers and so on.
PE. Why should we be concerned about SCADA security at this particular time?
PF. Historically, many of these networks were considered to be closed, and the main security risks involved people on the inside such as disgruntled employees or contractors. Over the past few years both the environment and the technology have changed such that there’s an increased focus on critical infrastructure and SCADA systems in particular.
In some ways it is both an opportunity for improvement and a threat. To give one example, SCADA systems are now being mentioned in hacking conferences such as DefCon, whereas previously they would not have been very well understood outside of the engineering community. In light of the increased threat of both physical and cyber-terrorism, we’re also seeing more focus from government entities and independent security bodies throughout the world. This puts a much greater emphasis on auditing, monitoring and ensuring the security of critical infrastructure as well as the software itself.
PE. Are there any specific SCADA security vulnerabilities within the utilities and energy sector that we should be looking at?
PF. Whereas previously control networks may have been stand-alone, systems may now need to be connected in some form to other enterprise and reporting solutions. In the utilities market, we have been witnessing greater cost rationalization and a movement away from remote staffing to central monitoring. This implies that the data acquired in the field needs to be sent over some form of network back to a central location. We’re therefore seeing more wireless and other wide-area networks, whether industrial-specific smart networks or off-the-shelf technology. This in turn increases the surface vectors that are available for people to attempt to hack into. In utilities this may be somewhat magnified due to the distributed nature of the installations.
Physical security, especially in a distributed environment, is one thing that should not be overlooked – the Department of Homeland Security and similar organizations in the US and around the world are focused very much on this. Utilities should take their lead and be particularly conscious of security around items such as remotely located pipelines and other equipment. If you are running a gas pipeline through, for instance, Alaska, it’s much more difficult to monitor in comparison to something which is contained within one location.
PE. What can companies do to help address these vulnerabilities?
PF. Citect issues best practice guidelines and white papers, along with technical and architectural guidelines on how to configure and design SCADA systems. We are working with organizations such as the Idaho National Labs to audit our software and help ensure we are utilizing security best practices in our development and testing. This also enables us to identify whether vulnerabilities exist and plan appropriate actions to deal with them. We also provide security and safety knowledge-base articles with an RSS feed that people can subscribe to. They will then be notified if there are any particular vulnerabilities or recommendations that may pertain to their installation.
There are a number of security standards available, including ISA99, which talks specifically about security (including SCADA) at multiple levels of an organization, and also covers areas such as user and physical environments too. I would encourage companies to review and implement these where applicable. There are also many government related or funded organizations which create communities of interest that bring together vendors and end users to discuss these issues, best practices, and recommendations for securing and hardening infrastructures.
Paul Francis joined Citect as CTO in August 2005 from leading Australian-owned ICT, infrastructure and services company, Volante. Prior to that he worked in the UK, The Netherlands and the US, for organizations such as Lotus Development, IIR and Saltmine, where he was Director of Technology.