Why SCADA Security Must Be Addressed
Rick Cook writes on CSO Online:
Industrial control systems, including SCADA (supervisory control and data acquisition) have come under the security spotlight in recent years following a sprinkling of incidents - most notably the Slammer worm infestation at Ohio's Davis-Besse nuclear power plant in 2003, and post-9-11 attention to terrorist threats.More here.
But SCADA security is a tough nut to crack, buried beneath a complex mix of technology, attitude and a particularly intractable set of network characteristics. Still, industry experts see the risk to SCADA systems growing in the not-too-distant future. Not only are there very real dangers, but regulatory agencies are beginning to take notice and impose requirements.
Matthew Luallen, owner of Encari, a Chicago-based information security consultancy, points out that the electric utility industry is already under a three-year program to improve security. The sanctions for noncompliance, he says, can run up to $1 million a day.
Fundamentally, the control world has changed, particularly at the high end with methods like SCADA. There are more open systems, wireless technologies are becoming popular and there's increased connectivity, both internally and externally. There are more outsourced services and strategic alliances among vendors, which encourages openness and interoperability. Plant environments have become complex with multiple vendors' equipment, proprietary systems and mission-critical applications all tied together in complex networks; all must function in a time-constrained fashion.