Saturday, November 8, 2008

Security issues

The move from proprietary technologies to more standardized and open solutions, together with the increased number of connections between SCADA systems and office networks and the Internet, has made SCADA systems more vulnerable to attacks. Consequently, the security of SCADA-based systems has come into question as they are increasingly seen as extremely vulnerable to cyberwarfare/cyberterrorism attacks.[2][3] In particular, security researchers are concerned about:

  • the lack of concern about security and authentication in the design, deployment and operation of existing SCADA networks
  • the mistaken belief that SCADA systems have the benefit of security through obscurity through the use of specialized protocols and proprietary interfaces
  • the mistaken belief that SCADA networks are secure because they are purportedly physically secured
  • the mistaken belief that SCADA networks are secure because they are supposedly disconnected from the Internet

Because of the mission-critical nature of a large number of SCADA systems, such attacks could, in a worst-case scenario, cause massive financial losses through loss of data or actual physical destruction, misuse or theft, or even loss of life, either directly or indirectly. Whether such concerns will cause a move away from the use of existing SCADA systems for mission-critical applications towards more secure architectures and configurations remains to be seen, given that at least some influential people in corporate and governmental circles believe that the benefits and lower initial costs of SCADA-based systems still outweigh potential costs and risks.

Recently, multiple security vendors, such as Byres Security, Inc., Industrial Defender Inc., Check Point, Innominate, and N-Dimension Solutions, have begun to address these risks by developing lines of specialized industrial firewall and VPN solutions for TCP/IP-based SCADA networks. In a September 2008 Pumps & Systems magazine article,[4] Kevin Finnan describes best practices for securing SCADA systems in remote sites.

Also, the ISA Security Compliance Institute (ISCI) is emerging to formalize SCADA security testing starting as soon as 2009. ISCI is conceptually similar to private testing and certification that has been performed by vendors since 2007, such as the Achilles certification program from Wurldtech Security Technologies, Inc. and the MUSIC certification from Mu Dynamics, Inc. Eventually, standards being defined by ISA99 WG4 will supersede these initial industry consortia efforts, but probably not before 2011.

The increased interest in SCADA vulnerabilities has also resulted in the disclosure of numerous new vulnerabilities in SCADA software (e.g. disclosures by Core Security and C4 Security) and in more general offensive SCADA techniques being presented to the general security community.