SCADA

SCADA stands for Supervisory Control and Data Acquisition.

A high-level scan of the literature (Table 1) and brief conversations with cyber security specialists suggest that professionals have a good understanding of the layers of risk in SCADA systems (Figure 1). This understanding, however, may not extend to Directors and Senior Executives – the ultimate owners of these risks and their implications.

Figure 1: Some high-level cyber security issues raised by the move from private serial networks to IP-based networks

1. A subtle gap appears to be the area of convergence between cyber, operational and physical risks, driven by the move from private serial networks to IP networks. This move is a double-edged sword, increasing productivity alongside vulnerabilities.

2. The further gap is a holistic expression of the cyber security threat to SCADA and its implications in a language Boards and C-level executives understand. Efforts at filling this gap would support key IT influencers and decision makers in their internal recommendations process to this stakeholder group.

A non-exhaustive list of SCADA security-related areas and references is tabulated below.

 

| SCADA security-related areas | Some reference URLs |
| --- | --- |
| Scenarios and Cases | http://www.securityfocus.com/news/6767; http://www.reuters.com/article/2013/02/26/us-cyberwar-stuxnet-idUSBRE91P0PP20130226; http://www.smh.com.au/news/businessinnovations/slaying-the-hackers/2008/04/14/1208025354324.html |
| Threat and vulnerability statistics | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-scada-that-didnt-cry-wolf.pdf; http://www.darkreading.com/vulnerability/scada-security-in-a-post-stuxnet-world/240049917; http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/ips_industrial_control_protection.pdf; https://www.owasp.org/index.php/OWASP_Scada_Security_Project; http://www.brisbanetimes.com.au/it-pro/government-it/malicious-virus-shuttered-power-plant-us-government-20130116-2cuox.html |
| Cyber-Physical-Operational considerations | http://www.pipelineandgasjournal.com/scada-security-compliance-and-liability-%E2%80%93-survival-guide?page=show |
| Risk assessment | http://www.tisn.gov.au/Documents/SCADA-Generic-Risk-Management-Framework.pdf; http://www.tisn.gov.au/Documents/SCADA-Advice-for-CEOs.pdf |
| Patching and testing | http://www.darkreading.com/vulnerability/the-scada-patch-problem/240146355 |
| Good practice guides | http://www.cpni.gov.uk/advice/cyber/scada/; http://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/scada-industrial-control-systems/window-of-exposure-a-real-problem-for-scada-systems |
| Standards, documentation, regulatory and compliance, training | http://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/scada-industrial-control-systems/can-we-learn-from-scada-security-incidents; http://www.scmagazine.com/threat-of-the-month-scada-sport-fishing/article/298547/ |
| Differences between SCADA and traditional IT security; and compensating controls, including vendor and contract management | http://www.net-security.org/secworld.php?id=16065; http://www.cso.com.au/article/424992/auscert_2012_security_standards_air_gaps_needed_protect_scada_systems/ |
| Future tech implications and ‘Internet of Things’ | http://www.sans.org/event/internet-of-things-summit |

 

Table 1: Light-touch examples of existing news articles and grey literature.
