CMP Network Computing
Effective Practices for Securing Water Utility SCADA Systems

By Tom Schmidt

"The soft underbelly of our infrastructure."
 
That's how Rep. Dan Lungren (R-Calif.), chairman of the U.S. House Economic Security, Infrastructure Protection and Cybersecurity Subcommittee, recently described the nation's Supervisory Control and Data Acquisition (SCADA) systems.
 
As recently as a few years ago, water utility control systems and networks were still isolated from other networks and organizations. But due to the increasing need for interconnectedness with other business systems and networks, today's SCADA systems are more exposed to cyber threats. And while water utility companies are realizing the critical role that security plays in enabling the availability and reliability of their SCADA systems in this environment, securing SCADA systems and networks is no small task. This article looks at some of the key factors contributing to the escalation of risk to SCADA systems, as well as at effective practices for protecting SCADA systems against cyber threats.
 
A more dangerous threat landscape
Recently, Alan Paller, Director of Research at the SANS Institute, testified before the House Committee on Homeland Security's hearing on SCADA security. Paller cited the 2004 GAO report on SCADA security, which focuses, in part, on why the risk to SCADA systems is increasing. The report lists four main factors:

  • Control systems are adopting standardized technologies with known vulnerabilities. Essentially this refers to Microsoft software, UNIX and Linux software, and the Internet. An incident at the Davis-Besse nuclear power plant in 2003 showed how reliance on Microsoft software and on the Internet enabled malicious programs to take over utility control systems.
  • Control systems are connected to other networks that are not secure. This was also illustrated in the Davis-Besse outage, but there are other examples.
  • Insecure connections exacerbate vulnerabilities. The GAO focused on dial-up connections, but the Davis-Besse worm attack illustrated that Internet connections are also insecure.
  • Manuals on how to use SCADA systems are publicly available to terrorists as well as to legitimate users.

Paller also used a portion of his testimony to link terrorism to cyber crime. He offered the example of Imam Samudra, the Al Qaeda chief who purchased and planted the bombs that killed more than 200 tourists in Bali in 2003. An analysis of Samudra's laptop uncovered evidence that he was involved in hacking for profit through credit card fraud. The bottom line, according to Paller: "Terrorists are getting better at hacking computers to raise money, and can be expected to add cyber extortion to their portfolio of crimes. SCADA systems can be a potent target for them."
 
Taking action
Paller's dire view of the current state of SCADA security helps to explain the posture adopted by the U.S. Bureau of Reclamation with regard to its control systems. (Reclamation is the country's largest wholesaler of water, and its second largest producer of hydroelectric power.) Testifying before the same House Committee in October, Larry Todd, Reclamation's former Director of Security, Safety, and Law Enforcement, explained that the Bureau maintains a policy of not connecting SCADA systems to administrative networks.
 
"Today we adhere to that policy in all but the most unusual of situations. All connections to SCADA systems are minimized. Reclamation does not connect its SCADA systems to the Internet and routinely tests to ensure that such connectivity does not exist. Wherever practical, connections to our SCADA systems do not use Internet-like protocols, instead employing simple, limited capability, serial protocols. Those connections that must be present and that use Internet-like protocols are protected by firewalls and intrusion detection systems. Reclamation has adopted 'best practices' and follows the cyber security guidance outlined by the National Institute of Standards and Technology (NIST) in their Special Publications."
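
A minimal form of the connectivity test Todd describes (routinely verifying that no Internet path exists from a SCADA host), as an added example that is not Reclamation's tooling: it reads constructed `ip route` and connection-table text from a SCADA host and flags a default route or any established peer outside an assumed control-LAN range (10.20.0.0/16 is an assumption for the example).

```python
"""Audit a SCADA host for unexpected off-segment connectivity.
Added example, not Reclamation's own tooling; inputs below are constructed."""
import ipaddress

# Networks a SCADA host is allowed to talk to (assumed control LAN).
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample of 'ip route' output from a SCADA host.
SAMPLE_ROUTES = """\
default via 10.20.0.1 dev eth0
10.20.0.0/16 dev eth0 proto kernel scope link src 10.20.5.12
"""

# Constructed sample of established TCP connections: "local:port peer:port".
SAMPLE_CONNS = """\
10.20.5.12:502 10.20.7.3:49152
10.20.5.12:41000 203.0.113.9:443
10.20.5.12:22 10.20.0.50:55020
"""


def route_findings(route_text):
    """A default route gives the host a path off its segment; flag it."""
    findings = []
    for line in route_text.splitlines():
        if line.startswith("default ") or line.startswith("0.0.0.0/0"):
            findings.append(f"default route present: {line.strip()}")
    return findings


def conn_findings(conn_text):
    """Flag any established peer that is not inside an allowed control network."""
    findings = []
    for line in conn_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip headers or malformed lines
        peer_ip = ipaddress.ip_address(parts[1].rsplit(":", 1)[0])
        if not any(peer_ip in net for net in ALLOWED_NETS):
            findings.append(f"peer outside control network: {line.strip()}")
    return findings


def audit(route_text, conn_text):
    """Combine both checks; an empty list means the policy holds for this host."""
    return route_findings(route_text) + conn_findings(conn_text)


if __name__ == "__main__":
    for finding in audit(SAMPLE_ROUTES, SAMPLE_CONNS):
        print(finding)
```

In practice the two inputs come from a collector run on each SCADA host on a schedule, and any non-empty result is the signal that the no-Internet policy has drifted.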
 
Todd noted that the "focus of security efforts" has changed since the Bureau first deployed SCADA systems:
 
"In those early years SCADA design focused almost entirely on the operational integrity of the SCADA systems."
 
The situation today is a different matter: "We perform background checks on key personnel and have 'hardened' our facilities and control rooms through the addition of various access controls. This includes the access to our SCADA system control consoles. To help identify physical and cyber vulnerabilities within the organization, Reclamation has invited independent organizations ... to evaluate our security posture. We have also supported numerous investigations by our Inspector General's Office, some of which included limited penetration testing of our SCADA systems."
 
Effective practices for securing SCADA systems
Water utilities seeking to effectively protect their SCADA systems against cyber threats should adopt a four-step approach:

  • Security assessment: Gathering knowledge about the environment, both inside and outside of the organization. This includes awareness of electronic threats before they reach the organization, identifying possible regulatory compliance issues, assessing the effectiveness of security and administration tools, and manually validating these security concerns using penetration testing methods.
  • Security policy creation and enforcement: Establishes who is authorized to gain access to what information, establishes who is authorized to perform what functions, measures compliance with these policies and procedures, and recommends ways to improve compliance.
  • Security measure deployment: Includes deploying security measures and responding successfully to vulnerabilities; securing devices, applications, and networks against threats before they occur; and taking steps to ensure that information is up-to-date, compliant, and restorable. It also involves recovery procedures and tools in the event that an attack eludes other security measures.
  • Security monitoring and management: Recognizes that as water utilities deploy security technologies throughout their networks, the challenge of properly managing and monitoring these resources becomes increasingly complex. The implementation of "technology-only" solutions without close monitoring and management significantly weakens the effectiveness of security devices. As a result, many organizations are using third parties that have experience in providing 24/7 management and monitoring of security devices.

Conclusion
The interconnected nature of SCADA and corporate networks, remote workers, and other networks, combined with the increasing frequency and severity of cyber attacks, point to a pressing need for heightened security in the water utility industry. Fortunately, a growing number of technologies and services are available to help water utilities secure not only their SCADA networks but also the networks to which they're connected.
 
All solutions should be tested within the SCADA environment to ensure that a utility's unique concerns are addressed, including the ability to implement security solutions without degrading the performance -- and thus the availability -- of SCADA systems.
 
Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.

TechWeb is brought to you by CMP Media LLC, Copyright © 2004