Tuesday, January 24, 2012


Supervisory Control and Data Acquisition (SCADA) systems are a suite of software used by the utility, gas, oil, water and manufacturing sectors to achieve efficient control over their complex operations. These systems control various components for example the opening and closing of valves in an oil pipeline. In the electrical utility sector they control power grids.

A major development in these systems is the introduction of a smart component in these systems. This entails the implementation of an end-to-end IP (internet protocol) network that connects critical components such as valves in a pipeline, smart meters in an electrical grid or pumping stations in a water pipeline. Smart meters are generally at a more advanced stage in the electrical grid systems of advanced western countries.

What makes the security of these smart grids important has to do with the deployment of these networked and IT and IP enabled critical components. These IP enabled components have to interface with old legacy components such as Programmable Logic Controllers (PLC). This presents a threat because most of the old components are not designed to support the complete IP communication stack.

Besides the system integration risk the implementation of IT and IP enabled components introduces the same security threats attendant with such technology. Cybercriminals can for example bring down communication links between these components and the control stations by using denial of service, routing, flooding and buffer overflow attacks.

Another factor to consider is the lack of skills to identify and manage risk in SCADA systems. Professionals in the industries that use SCADA (e.g. electrical) are not aware of the proper security controls necessary and suitable for their industries.

For example the electrical utility sector in most countries is only at an initial stage of developing the required skills to conduct risk assessment. This risk assessment would allow ICT security professional to design security architectures tailored to SCADA systems.

What then is the way forward? Industries that use SCADA, risk, ICT and ICT security operations must find a way of working together. The security management of IP endpoints and devices is the forte of ICT professionals. They are however ill-equipped to manage foreign endpoints like valves, smart meters, breakers, PLCs etc.

A complex network with hundreds of thousands of endpoints and network interconnections is extremely difficult. For a SCADA network to be truly, reliable, scalable, and secure, both ICT professionals and utility operators have to work together.

No comments: