Improving Security for SCADA Control Systems

Introduction Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other smaller control system configurations including skid-mounted Programmable Logic Controllers (PLC) are often found in the industrial sectors and critical infrastructures. These are also known under a general term, Industrial Control System (ICS). A control system is a device or set of devices to manage, command, direct, or regulate the behavior of other devices or systems. ICSs are typically used in industries such as electrical, water, oil and gas, and chemical including experimental and research facilities such as nuclear fusion laboratories. The reliable operation of modern infrastructures depends on computerized systems and SCADA systems. The Presidential Decision Directive 63 document established the framework to protect the critical infrastructure and the Presidential document of 2003, the National Strategy to Secure Cyberspace stated that securing SCADA systems is a national priority. The critical infrastructure includes telecommunication, transportation, energy, banking, finance, water supply, emergency services, government services, agriculture, and other fundamental systems and services that are critical to the security, economic prosperity, and social well-being of the public. The critical infrastructure is characterized by interdependencies (physical, cyber, geographic, and logical) and complexity (collections of interacting components). Cyber interdependencies are a result of the pervasive computerization and automation of infrastructures (Rinaldi, Peerenboom, & Kelly, 2001). The critical infrastructure disruptions can directly and indirectly affect other infrastructures, impact large geographic regions, and send ripples throughout the national and global economy. For example, under normal operating conditions, the electric power infrastructure requires fuels (natural gas and petroleum), transportation, water, banking and finance, telecommunication, and SCADA systems for monitoring and control. There is a growing concern about the security and safety of the SCADA control systems in terms of vulnerabilities, lack of protection, and awareness (Byres & Franz, 2005; Byres, Hoffman & Kube, 2006). Therefore, information security management principles and processes need to be applied to SCADA systems without exception. This paper provides a relevant analysis of most important issues and a perspective on enhancing security of these systems. The rest of this paper is organized in sections as follows: next section provides an overview of the SCADA architecture. Then, in the following section, we describe key developments that mark the evolution of the SCADA control systems along with the increase of potential vulnerabilities and security concerns. In the next section, we provide recommendations toward an enhanced security for SCADA control systems. We describe key requirements and features needed to improve the security of the current SCADA control systems. We conclude with a thought about the future of SCADA control systems. SCADA Architecture A SCADA system is a common process automation system which is used to gather data from sensors and instruments located at remote sites and to transmit data at a central site for either control or monitoring purposes. The collected data is usually viewed on one or more SCADA host computers located at the central or master site. Based on information received from remote stations, automated or operator-driven supervisory commands can be pushed to remote station control devices, which are often referred to as field devices. Generally, a SCADA system includes the following components: * Instruments that sense process variables * Operating equipment connected to instruments * Local processors that collect data and communicate with the site's instruments and operating equipment called Programmable Logic Controller (PLC), Remote Terminal Unit (RTU), Intelligent Electronic Device (IED), or Process Automation Controller (PAC) * Short range communications between local processors, instruments, and operating equipment * Host computers as central point of human monitoring and control of the processes, storing databases, and display of statistical control charts, and reports. …