AREVA T&D Australia
Tel: 02 9739 3000
Fax: 02 9739 3040

Supplier´s Website
Enquire now

Incorrect details?

close

Enquire NowVisit Website

Contact Details

SCADA: govt. voices e-crime fears

UTILITIES and the transport sectors have been pinpointed by the federal government as major areas of cyber-security concern, in its efforts to counter terrorism and industrial sabotage. In particular, Supervisory Control and Data Acquisition (SCADA) systems in critical infrastructures have been rated as “high risk” in terms of likely security breaches.

“We’re very good at gates, guns and guards,” said Mike Rothery, from the Attorney-General’s Department. “We’ve had lesser experience in e-crime. We’re not on top of it but it’s a major focus.”

Rothery was speaking during a series of nationwide workshops highlighting SCADA security. The day-long workshops were held last month in Perth, Melbourne, Sydney and Brisbane.

The A-G Department’s critical infrastructure protection branch is headed up by the Trusted Information Sharing Network (TISN). Set up early last year, TISN works with operators of critical infrastructure to identify vulnerabilities in their computer systems and interdependencies between connected computer systems, and to test their ability to resist exploitation.

“TISN tackles the medium to long term issues relating to information system attacks and vulnerabilities. It’s not a rapid response force,” said Rothery.

While the spectre of terrorism obviously features, speakers at last month’s workshops agreed that most threats to SCADA security come from the Internet (for example, worms and viruses), recreational hackers, errors resulting from training programs or even disgruntled employees.

The workshops attracted three international speakers, two from the US and one from the UK.

One of the speakers was Gary Sevounts, director of power and energy solutions for Symantec Corporation, in the US. Symantec is a major publisher of antivirus software and other utilities for Windows PCs. Products include Norton Antivirus and Norton Utilities. In June last year, Symantec teamed up with Areva’s T&D division to provide security solutions for SCADA systems in the electric power industry. Areva T&D itself provides products, systems and services to the electric transmission and distribution industry.

According to Sevounts, security is a business enabler. “Availability and regulatory compliance are major performance drivers,” he said. “These are the major reasons to justify security - not to push the threat of terrorism all the time.”

Warning that “untested and unvalidated security measures can cause more damage than good”, Sevounts said the good news was that SCADA operators don’t have to spend a lot of money to implement cyber security processes.

“Start with your existing security products,” he said. “Then develop a clear understanding of your security posture, access levels, penetration testing, protocol security and patch management.

“Remember, cyber security is an ongoing process,” said Sevounts, noting that 54 percent of attacks are blended threats and that one-third of all attacks penetrate firewalls. “So put pressure on your SCADA/DCS vendors to work with cyber-security experts,” he advised.

Karl Williams, from the National Infrastructure Security Coordination Centre, a government body in the UK, expressed concern that “the message still is not getting through that security is a real issue”.

“There’s more to control systems that just reliability and availability,” said Williams. “People still aren’t factoring security into their thinking.”

He added, “IT have been doing security far longer than operations people have. We have a lot to learn from them.”

Williams identified malicious codes such as spam, spyware (including botnets, or robot networks), trojans and viruses as providing the greatest threats - followed by social engineering, identity theft, proxy storage, on-line fraud and domain name hijacking.

Historically, SCADA platforms were designed to be reliable and safe, and security was not a consideration.

However, greater reliance on public telecommunications networks to link previously separate SCADA systems makes them more vulnerable to electronic attacks - as does the increasing use of published open standards and protocols, in particular Internet technologies.

Also, many SCADA systems lack mechanisms to provide confidentiality of communications, enabling intercepted communications to be easily read. As well, a lack of authentication results in a system user’s identity not being accurately confirmed.

Another speaker at the workshop series was Jeffrey Kimmelman, principal consultant and CTO of Network & Security Technologies, a US company that provides protection to energy companies.

According to Kimmelman, the biggest problems with security have nothing to do with technology but the need to have a more unified approach to security.

“Adversaries are always trying to find new ways to attack us,” he said. “They know much more than we realise.”

According to Kimmelman, SCADA systems have become more vulnerable to attackable due to the explosive growth in the number of managed devices and commoditised technologies, which have replaced proprietary knowledge. The adversarial capability has greatly risen due to the rapid expansion of knowledge, the steep drop in the cost of tools, intense harvesting, the discovery of proprietary data, and the diffusion of knowledge from industry insiders.

“Is free cheap enough?” he asked, referring to malicious codes that can be downloaded from the web at no cost.

Kimmelman says because traditional SCADA telecommunications share the infrastructure of an open corporate network backbone, this makes them accessible to undesirable entities.

“As we’re moving towards TCP/IP, control systems remain freely accessible,” he said.

He believes that organisations fall behind in cyber security because their practices are entrenched in manual processes. “Trust is assumed, operations groups are insular and cyber know-how is minimal,” he said. “However, SCADA technology has converged with IT. The genie is out of the bottle. Both complexity and vulnerability have grown.”

According to Kimmelman, IT organisations can’t support SCADA operations because they lack the sensitivity to performance constraints and don’t understand the applications.

“At the same time, production operations groups don’t protect their own interests. They often have a poor understanding of security, and they fail to adequately characterise the threat.”

Kimmelman urged operators to rethink their security approach by following six basic steps:.

Centralise responsibility by focusing on all aspects of security.

Fund your security initiatives.

Develop an operational security policy. This must be clear, concise, relevant and current. The policy needs to define roles, prohibitions and permissions, and specify requirements.

Unite the efforts of all parties.

Promote a security culture.

Analyse risk systematically.

“Work on a three-year cycle,” said Kimmelman. “Stop-gap fixes will accumulate unless you force the design cycle. Remember that new technology and new threats will eventually make any solution obsolete.”

AREVA T&D Australia News

View all  |  RSS Feed