ICS & SCADA

Supervisory Control and Data Acquisition Systems (SCADA Systems)

Most critical infrastructure, including major utilities infrastructure, industrial networks and transport systems, are controlled by SCADA systems. SCADA systems are smart, intelligent control systems that acquire inputs from a variety of sensors and, in many instances, respond to the system in real time through actuators under the program’s control. The SCADA system can function as a monitoring/supervisory system, control system or a combination thereof. SCADA Vs. IT Security Requirements

Moving to IP-based systems provides tremendous economic advantages in a time of intense competition. Consequently, more and more systems are expected to move toward IP-based systems. For example, the advantages of migrating from a proprietary radio-based network to an IP-based network include shared network resources across multiple applications, network improvements such as added redundancy and capacity across all applications, shared network management systems, and having to maintain only one skill set for onsite support staff. However, all known vulnerabilities and threats associated with traditional TCP/IP are available for exploitation, making it a challenge for the SCADA security community. Although all risk factors associated with IT systems apply to SCADA systems, it is not possible to completely superimpose an IT security framework on SCADA systems.

Governing SCADA Security

Industry organizations are developing standards for their vertical industries. These include, for example:

• Electric: North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)

• Chemicals: Chemical Industry Data Exchange/American Chemistry Council (CIDX/ACC)

• Natural gas: American Gas Association 12 (AGA 12)

• Oil and liquids: American Petroleum Institute (API)

• Manufacturing: International Society for Automation/International Electrotechnical Commission (ISA/IEC 62443) (formerly ISA 99)

Some governments have come up with their own regulations and standards, e.g., the US National Institute of Standards and Technology (NIST), the UK Center for Protection of National Infrastructure (CPNI) and The Netherlands Center for Protection of National Infrastructure (CPNI).

However, compliance to standards/regulations does not guarantee continuous security, but it does provide a snapshot of required controls at a point in time.

As new threats are identified almost daily, SCADA systems require a dynamic risk-based approach to keep pace with evolving threat scenarios.

IT security and risk professionals who have worked in traditional areas such as banking, finance or telecommunications are facing the same challenges of continuously evolving threats and risk. Most traditional IT security frameworks are modeled on standards/guidelines from ISACA, NIST or the International Organization for Standardization (ISO).

Resources

• Navigating Industrial Cybersecurity: A Field Guide (PDF)

• ScadaFence Blog

• SCADA Pentesting Course at BruCON

• SCADA Hacker

• CISA Cybersecurity Advisory AA22-103A

• DoD Control Systems Security Resource Guide (PDF)

• Awesome Industrial Control System Security

• Awesome Hardware and IoT Hacking