Improving Security for SCADA Control Systems

The continuous growth of cyber security threats and attacks including the increasing sophistica-tion of malware is impacting the security of critical infrastructure, industrial control systems, and Supervisory Control and Data Acquisition (SCADA) control systems. The reliable operation of modern infrastructures depends on computerized systems and SCADA systems. Since the emer-gence of Internet and World Wide Web technologies, these systems were integrated with business systems and became more exposed to cyber threats. There is a growing concern about the security and safety of the SCADA control systems. The Presidential Decision Directive 63 document es-tablished the framework to protect the critical infrastructure and the Presidential document of 2003, the National Strategy to Secure Cyberspace stated that securing SCADA systems is a na-tional priority. The critical infrastructure includes telecommunication, transportation, energy, banking, finance, water supply, emergency services, government services, agriculture, and other fundamental systems and services that are critical to the security, economic prosperity, and social well-being of the public. The critical infrastructure is characterized by interdependencies (physi-cal, cyber, geographic, and logical) and complexity (collections of interacting components). Therefore, information security management principles and processes need to be applied to SCADA systems without exception. Critical infrastructure disruptions can directly and indirectly affect other infrastructures, impact large geographic regions, and send ripples throughout the na-tional and global economy. For example, under normal operating conditions, the electric power infrastructure requires fuels (natural gas and petroleum), transportation, water, banking and fi-nance, telecommunication, and SCADA systems for monitoring and control. In this paper, we provide an analysis of key developments, architecture, potential vulnerabilities, and security concerns including recommendations toward improving security for SCADA control systems. We discuss the most important issues concerning the security of SCADA systems in-cluding a perspective on enhancing security of these systems. We briefly describe the SCADA architecture, and identify the attributes that increase the complexity of these systems including the key developments that mark the evolution of the SCADA control systems along with the growth of potential vulnerabilities and security concerns. Then, we provide recommendations toward an enhanced security for SCADA control systems. More efforts should be planned on reducing the vulnerabilities and improving the security operations of these systems. It is necessary to address not only the individual vulnerabiltiies, but the breadth of risks that can interfere with critical operations. We describe key requirements and fea-tures needed to improve the security of the current SCADA control systems. For example, in assessing the risk for SCADA systems, use of general meth-ods for risk analysis including specific conditions and characteristics of a con-

[1]  Colin J. Fidge,et al.  Fault evaluation for security-critical communication devices , 2006, Computer.

[2]  Sandip C. Patel,et al.  Security enhancement for SCADA communication protocols using augmented vulnerability trees , 2006, CAINE.

[3]  Roger Cummings The Evolution of Information Assurance , 2002, Computer.

[4]  John Steven Adopting an enterprise software security framework , 2006, IEEE Security & Privacy.

[5]  Richard L. Craft,et al.  An open framework for risk management , 1998 .

[6]  Karl-Erik Årzén,et al.  Trends in software and control , 2003 .

[7]  Karen Scarfone,et al.  Common Vulnerability Scoring System , 2006, IEEE Security & Privacy.

[8]  David Geer Security of critical control systems sparks concern , 2006, Computer.

[9]  S. Vidalis,et al.  Using Vulnerability Trees for Decision Making in Threat Assessment , 2003 .

[10]  Janie Fouke Threshold of the New Millennium , 2000 .

[11]  C. Perrow Shrink the Targets , 2006, IEEE Spectrum.

[12]  Mariana Hentea A Perspective on Security Risk Management of SCADA Control Systems , 2008, Computers and Their Applications.

[13]  Steve Mirsky,et al.  What's Wrong with This Picture? , 2003 .

[14]  O. Sami Saydjari Defending Cyberspace , 2002, Computer.

[15]  Eduardo F. Camacho,et al.  Four focused forums , 2006 .

[16]  E. J. Byres,et al.  On shaky ground - A study of security vulnerabilities in control protocols , 2006 .

[17]  William R. Dunn Designing Safety-Critical Computer Systems , 2003, Computer.

[18]  Gerard J. Holzmann,et al.  The power of 10: rules for developing safety-critical code , 2006, Computer.

[19]  Adrian Perrig,et al.  Security and Privacy in Sensor Networks , 2003, Computer.

[20]  Frédéric Raynal,et al.  New threats and attacks on the World Wide Web , 2006, IEEE Security & Privacy.

[21]  Michael Gegick,et al.  Matching attack patterns to security vulnerabilities in software-intensive system designs , 2005, SESS@ICSE.

[22]  Michael Gegick,et al.  Matching attack patterns to security vulnerabilities in software-intensive system designs , 2005, SESS@ICSE.

[23]  Herbert Bos,et al.  Can we make operating systems reliable and secure? , 2006, Computer.

[24]  James P. Peerenboom,et al.  Identifying, understanding, and analyzing critical infrastructure interdependencies , 2001 .

[25]  Tim Menzies,et al.  Making Sense of Requirements, Sooner , 2006, Computer.

[26]  Marvin V. Zelkowitz,et al.  Maintaining software with a security perspective , 2002, International Conference on Software Maintenance, 2002. Proceedings..

[27]  Mariana Hentea,et al.  Enhancing information security risk management with data mining and fuzzy logic techniques , 2006, CAINE.

[28]  Yixin Diao,et al.  Control engineering for computing systems , 2005 .

[29]  Angelos D. Keromytis "Patch on Demand" Saves Even More Time? , 2004, Computer.

[30]  George J. Vachtsevanos,et al.  Software technology for implementing reusable, distributed control systems , 2003 .

[31]  Gary Stoneburner Toward a Unified Security-Safety Model , 2006, Computer.

[32]  Benjamin Arazi Enhancing Security with Nanotechnology , 2006, Computer.