
SCADA: Get the Facts

What is SCADA?

SCADA stands for Supervisory Control and Data Acquisition. SCADA systems are computer-based monitoring tools that are used to manage and control critical infrastructure functions, such as the transmission and distribution of electricity, pressure and proper flow of gas pipelines, water treatment and distribution, wastewater collection, chemical processing and railway transportation systems control, in real time. They are just one implementation of Process Control Systems (PCS), a term commonly used in conjunction with SCADA.

SCADA systems collect, display and store information from remotely-located data collection transducers and sensors to support the control of equipment, devices and automated functions. They are composed of all hardware and software elements associated with the control and monitoring of a system, including graphical user interfaces (GUIs), databases, sensors, relays, switches, remote terminal units (RTUs), networks and applications. A SCADA system is software that is positioned on top of the hardware to which it is interfaced, often through Programmable Logic Controllers (PLCs) or other commercial hardware modules.

While SCADA systems are most commonly used in industrial processes such as power generation and distribution, they are also used in experimental facilities such as nuclear fusion. A SCADA system’s primary function is to efficiently transfer information to and from a wide range of sources and locations, while ensuring that data integrity and appropriate updates are maintained.

How have SCADA systems evolved in recent years?

Before the 1960s, utility plants were monitored and managed by humans. For example, to turn on a water valve, an employee had to physically come to the water plant to do so. At that time, SCADA devices were only connected by phone lines and dedicated circuits. When computer use became mainstream in the 1980s, SCADA systems ran on DOS, VMS and UNIX, but were traditionally “walled-off” from the corporate networks. Today, almost all SCADA systems have moved to Windows NT/XP or Linux operating systems and are connected to corporate TCP/IP networks. In fact, much of the Western world’s critical infrastructures such as water, electricity and transportation systems are completely automated and computerized, running on these electronic, software-based control systems.

Until recently, SCADA systems were often used in a reactive manner to identify system faults as they occurred, recording system data and events for later analysis. With escalating demands on businesses for increased efficiency, SCADA systems have been re-architected to now include data management functionality that prevents problems, rather than recording them. Unfortunately, the security of SCADA systems is lacking, due to the narrow focus on using the systems for increased productivity, reliability and greater operating efficiencies.

Why is SCADA security receiving increased attention?

Because today’s SCADA systems are completely computerized and located on centralized networks, they are a tempting target for a major physical or cyber attack. SCADA equipment often covers large geographical areas with some equipment residing in remote locations. These remote areas are an easy target for intruders or vandalism. Protecting these vital plants from system failures, intrusions or terrorist attacks is critical to the viability of overall critical infrastructures. A major physical or cyber attack on the control and data systems of electric power plants, or oil and gas refineries and pipelines could potentially bring a country to a halt. The problem is compounded because private companies control 85 to 90 percent of critical infrastructures, leaving governments few avenues to ensure that IT systems are secure.

The increased adoption of technologies with known vulnerabilities, the widespread use of commercial-off-the-shelf (COTS) systems and the increased connectivity of SCADA systems to the Internet are the key reasons why the security of SCADA systems must be given higher priority. The disruption of utilities and other critical infrastructures could be harmful to both the environment and the general public.

What are the main threats to SCADA systems?

SCADA systems, like all computer networks, are vulnerable to hacking, intrusions, viruses, data loss, data alteration and the like. There are four main threat categories to consider:

  1. Malware – SCADA systems are vulnerable to various forms of malware, including worms, viruses, Trojans and spyware.
  2. Insider – This internal threat can be accidental or intentional; however, the latter is the greater threat and is commonly referred to as the “disgruntled employee” scenario, where a knowledgeable insider may be motivated to damage or corrupt the system.
  3. Hacker – This is the outsider who is interested in probing and breaking into a SCADA system because of the challenge it presents.
  4. Cyber Terrorists – A SCADA system is a very appealing attack target for a well-funded terrorist group that seeks to cause widespread damage to a large portion of the population. Al Qaeda is one organization that has demonstrated increased interest, for example, in U.S.-based SCADA systems.

Most utility companies are finding it difficult to deploy security measures such as anti-virus and firewalls because of technical challenges with the current systems in place. Many older Distributed Control Systems (DCS) and SCADA systems cannot accommodate current enterprise security solutions that soak up central processing unit (CPU) capacity and clog connectivity. Patching vulnerable software is a key challenge due to the network downtime that utility companies cannot afford and the risk that security patches could interfere with the operation of existing applications. Most SCADA systems operate in real-time and cannot be offline for lengthy upgrades or security installations, for fear of degradation in performance. Additionally, there is too much widely-available public information about utility companies’ corporate networks, which could be used for a more focused network attack.

Have there been any SCADA-specific attacks to date?

A few of the most well-known, verified SCADA security incidents include:

  • August 2003: The infamous SQL Server worm, Slammer, infected a private computer network at the Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly five hours. The worm also affected communications on the control networks of at least five other utilities by propagating so quickly that control system traffic was effectively blocked.
  • Spring 2000: A former employee of an Australian industrial software company used a radio transmitter to remotely hack into the controls of a sewage treatment system at Maroochy Shire, Queensland, and release approximately 264,000 gallons of raw sewage into nearby rivers.
  • March 1997: A teenager in Worcester, Massachusetts, remotely disabled part of the public switching network which disrupted telephone service to residents and the fire department and caused a malfunction at the local airport.

Some have speculated that the blackouts across the Northeastern United States in August 2003 might have been caused by a SCADA-related attack, as it left 50 million customers and parts of eight states and Canada without power. The outage cost an estimated $7 billion to $10 billion in financial losses and shut down parts of a two million barrel-per-day pipeline and airports in 13 cities.

What has the U.S. government done to address SCADA security in recent years?

Over the past few years, the U.S. Department of Homeland Security (DHS) has become increasingly concerned over the lack of security of SCADA systems because many of these control systems are owned by private companies and are increasingly being interconnected to improve efficiency. Because SCADA and other types of control systems regulate critical, real-world activities, their lack of security has worried experts for some time.

Government attention to critical infrastructure protection dates back to 1997, when the U.S. President’s Commission on Critical Infrastructure Protection issued a report that raised considerable awareness for the nation’s increased reliance on vulnerable, interconnected physical and cyber infrastructures. A year later, the White House issued an important policy document, Presidential Decision Directive 63 (PDD-63), which defined critical infrastructures as: “those physical and cyber-based systems essential to the minimum operations of economy and government.” The directive had the goal of, by 2003, protecting the nation’s critical infrastructures, defined as banking and finance, energy, telecommunications, water systems, transportation and emergency services. It called for significantly increased security to government systems by 2000, and laid the foundation for the protection of today’s critical infrastructure SCADA systems by establishing several new communication structures, including the Information Sharing and Analysis Centers (ISACs) and the National Infrastructure Protection Center (NIPC).

Two months after 9/11, the Critical Infrastructure Protection Act of 2001 was passed, stating that any disruption of critical infrastructure must be “infrequent and minimally detrimental” to the nation. When the DHS was created a year later, a Director of Information Analysis and Infrastructure Protection (IAIP) position was created to oversee cyber and critical infrastructure protection. The IAIP was later renamed the Directorate for Preparedness, tasked with facilitating grants and overseeing nationwide preparedness efforts to support first responder training, citizen awareness, public health, infrastructure and cyber security and ensuring proper steps are taken to protect high-risk targets. Homeland Security Presidential Directive 7 (HSPD-7) was issued in December 2003 to update policies intended to protect the country from terrorist attacks. This directive superseded PDD-63 and requires federal departments and agencies to develop methods and technologies to protect all critical infrastructures and key resources of the government and economic sector.

Some of the most noteworthy progress the U.S. government has made regarding SCADA security includes:

  • The creation of the Energy Policy Act (EPACT): In August 2005, President Bush signed this Act which authorized the creation of an electric reliability organization (ERO) to enforce compliance with regulatory standards in the energy sector. Almost a year later, the North American Electric Reliability Council (NERC) was established.
  • The “Cyber Storm” Exercise: In early 2006, DHS performed a “Cyber Storm” exercise which involved both the government and industry in the simulation of a cyber attack that included elements of a SCADA protocol attack that spread throughout the critical infrastructure. This attack involved 115 organizations in the U.S., Canada, the U.K., Australia and New Zealand. Public agencies and private companies also participated. One of the scenarios involved a simulated attack on the computer systems at an electric utility, causing widespread power outages. The results, released in September 2006, found that DHS is ill-prepared to take on a serious cyber attack and that many agencies were unable to link multiple attacks across disparate systems and lacked processes, tools and technologies to handle incidents. DHS will conduct a Cyber Storm II exercise in early 2008.
  • Establishment of a National SCADA Test Bed: Funded by the Department of Energy, the national SCADA test bed, co-located at the Idaho National Laboratory and Sandia National Laboratory, was developed to systematically analyze, test, and improve cyber security features in the control systems that operate the nation’s electric power grid.
  • Creation of the Control Systems Security Center (CSSC): The National Cyber Security Division (NCSD) of DHS established a National Cyber Alert System that is a clearinghouse for information about control systems security and vulnerabilities under the U.S. Computer Emergency Readiness Team (US-CERT) and Idaho National Laboratory. The Center aims to reduce the risk of cyber attacks on control systems through assessments, education and incident support. The first vulnerabilities were reported in 2006.
  • The Linking the Oil and Gas Industry to Improve Cyber Security (LOGIIC) Project: Funded by DHS’ Science and Technology Directorate, this program brought together 14 organizations to identify ways to reduce cyber vulnerabilities in SCADA systems. The goal of the project was to identify new types of security sensors for process control networks. For the past 12 months, Sandia National Laboratories based in Albuquerque, New Mexico, has served as the lead national laboratory in project LOGIIC.

What has the European Union done to date regarding SCADA security?

In June 2004, the European heads of state and government asked the Commission to prepare an overall strategy to enhance the protection of critical infrastructures. In response, the Commission transmitted a Communication entitled “Critical Infrastructure Protection in the Fight against Terrorism,” putting forward a number of suggestions to enhance European prevention, preparedness and response to terrorist attacks involving critical infrastructures.

The Commission's intention to propose a European Programme for Critical Infrastructure Protection (EPCIP) and a Critical Infrastructure Warning Information Network (CIWIN) was accepted by the European heads of state and government in December 2004. Throughout 2005, intensive work was done on the elaboration of EPCIP. Two European seminars on critical infrastructure protection and a number of informal meetings were held, bringing together experts from all EU Member States. This work culminated in the Commission’s adoption of the Green Paper on a European Programme for Critical Infrastructure Protection (COM (2005) 576 final) on November 17, 2005.

The Green Paper provided options on how the Commission could respond to the request by the Member States to establish EPCIP and CIWIN and constituted the second phase of a consultation process concerning the establishment of EPCIP. Furthermore, it provided an indicative list of critical infrastructure sectors and services which includes SCADA. In addition, the Green Paper foresaw a number of funding sources for activities related to the protection of critical infrastructures in Europe. As a result, the European Commission launched the Pilot Project on the Fight against Terrorism which invited interested parties to submit proposals covering one or more of the following themes:

  1. Enhancement of protection measures for critical infrastructure;
  2. Vulnerabilities and resilience of critical infrastructure, including developing methodologies;
  3. Risk mitigation strategies and threat assessments for critical infrastructure;
  4. Development of contingency plans;
  5. Development of common security standards and innovative technologies for protection of critical infrastructure; and
  6. Trans-national projects, which must involve partners in at least two Member States, or at least one Member State and an applicant country.

In December 2006, the European Commission put forward its proposals for the creation of a European Action Programme for Critical Infrastructure Protection. The proposals consist of:

  • A Directive of the Council on the identification and designation of European Critical Infrastructure and the assessment of the need to improve their protection. The proposed Directive establishes a procedure for the identification and designation of European Critical Infrastructures (ECI), and a common approach to the assessment of the needs to improve the protection of such infrastructure.
  • Non-binding measures designed to facilitate the implementation of EPCIP including an EPCIP Action Plan, the CIWIN, and the use of CIP expert groups at EU level, CIP information sharing processes and the identification and analysis of interdependencies.
  • Support for Member States concerning National Critical Infrastructures (NCI) which could optionally be used by the Member States.
  • Accompanying financial measures and, in particular, the proposed EU programme on "Prevention, Preparedness and Consequence Management of Terrorism and other Security Related Risks" for the period 2007-2013, which will provide funding opportunities for CIP-related measures having a potential for EU transferability.

These proposals will now be reviewed by the EU Member States for their approval.

Aside from these initiatives, the European Commission has funded CIP research activities through its Preparatory Action on Security Research and will continue funding these through the new 7th Research Framework Programme (2007-2013), which includes a joint initiative between ICT & Security Themes on Critical Infrastructure Protection. The focus of the ICT part will be on building secure, resilient, responsive and always available information infrastructures linking critical infrastructures to build secure and resilient SCADA systems.

Are there any standards for securing SCADA systems?

The U.S. Federal Energy Regulatory Commission selected the NERC to set and enforce mandatory Critical Infrastructure Protection (CIP) security standards for the energy sector. The CIP rules cover areas such as reporting sabotage, ensuring physical security, monitoring and running antivirus controls, and doing patch updates on all critical assets, including control centers, substations and SCADA systems. The power industry is considered further along in SCADA security than other critical industries.

What is CSIA’s position on SCADA security?

Although some progress has been made recently, CSIA believes that critical infrastructure protection and SCADA security are important issues that have not been given enough attention globally by governments or the private sector. In the U.S., the appointment of Greg Garcia to oversee implementation of the National Strategy to Secure Cyberspace is an important first step to addressing SCADA security. Preparedness exercises, such as Cyber Storm I and II, are also useful; however, NCSD and DHS must use the lessons learned and rapidly turn them into solutions. Establishing programs that mitigate attacks and forming a clearer plan for an early warning program are essential for better security across agencies. CSIA urges President Bush to form a task force of key government agencies, appropriate regulators, experts in the cyber security field and representatives from across all utilities and suppliers, to meet and recommend concrete actions to improve the security of control systems supporting critical infrastructure.

In addition, CSIA has three key recommendations for DHS concerning cyber security preparedness and response:

  • Situational Awareness – The private sector and the government must share information in order to gain cyber and telecom situational awareness. DHS must develop a more robust capability to monitor the overall health of critical functions supporting information systems and the Internet that combines data from sources under government control, including the intelligence community and law enforcement. Organizing this information into a “dashboard” will give the Department much greater insight into the functioning of the information infrastructure. DHS should seek to bring a dedicated system online within two years, as it will be central to coordinating response and recovery after a cyber disaster.
  • Establish an Emergency Communications System – DHS must ensure the United States has back-up systems and plans in place to ensure that we can contain or lessen the impact of a cyber attack or disruption, as well as recover and reconstitute in a converged environment involving both circuit switched and IP-based networks. DHS should establish an aggressive set of goals and supporting programs that will ensure we have a resilient emergency communications system in place by 2010.
  • Recovery and Reconstitution – DHS should describe how it will work with the private sector to respond to and recover from a massive information infrastructure attack or disruption. This requires a clear “chain of command” in case of such an incident. This is especially important since the private sector owns and operates most of the nation’s critical information infrastructure.

Additional Resources:

U.S. Department of Energy – Control Systems Security
http://www.oe.energy.gov/randd/css.htm

The Center for SCADA Security – Sandia National Labs
http://www.sandia.gov/scada/home.htm

Idaho National Laboratory – National SCADA Test Bed Program
http://www.inl.gov/scada/

Pacific Northwest National Laboratory (PNNL)
http://homeland-security.pnl.gov/cip.stm

National Institute of Standards and Technology (NIST) – Guide to SCADA and Industrial Control Systems Security
http://csrc.nist.gov/publications/drafts/800-82/Draft-SP800-82.pdf

Federal Energy Regulatory Commission (FERC)
http://ferc.gov/default.asp

The Process Control Systems Forum
https://www.pcsforum.org/

The Institute for Information Infrastructure Protection (The I3P)
http://www.thei3p.org/

British Columbia Institute of Technology (BCIT)
http://www.bcit.ca/appliedresearch/security/