
A real-world case study of SCADA security

Security Strategies Alert By M. E. Kabay, Network World
October 27, 2010 12:06 AM ET

The long view of security strategies for your network.

In this second of two articles, friend and colleague Professor Michael Miora, CISSP-ISSMP, FBCI, concludes his case study on the security of supervisory control and data acquisition (SCADA) systems. All of the following is entirely Miora's own work with minimal editing. I have added a few comments about the psychology of risk perception at the end of his contribution.

The meaning

Having established the current security situation in the SCADA systems, we made a series of recommendations to close the gaps. Some of the recommendations were of the quick-win variety, giving vast improvement quickly and at low cost. Other recommendations were more complex and required time and effort for implementation. The clear message given in the report was that the water and power distribution networks owned and operated by this organization were vulnerable to serious service disruptions or degradations by moderately trained external personnel without access to internal networks or information.

The report also highlighted some major physical security issues. Even prior to 9/11, it was well recognized that a major issue for water distribution was public access to reservoirs and filtration systems. Our water distribution systems have been built over the last century and a half, mostly without regard to the threat of intentional contamination or other tampering. These systems were open to physical contamination.

Some concluding thoughts

Since 9/11, the focus on physical security has increased significantly. There are a variety of products available to help prevent intrusions onto active reservoirs and to monitor activity via video surveillance. Local authorities now routinely patrol reservoirs as well. The Environmental Protection Agency (EPA) has a Water and Wastewater Security Product Guide to help authorities find products that match security needs.

To this day, many water distribution systems are still struggling with the physical security efforts. One such example is the city of Boulder, Colo. "Boulder's supply of drinking water faces lingering vulnerabilities to terrorism and other acts of intentional contamination, seven years after a consultant recommended dozens of security upgrades, a recent city assessment concludes." Note that this is not the entity under discussion in this paper.

Where are they now?

In the decade since the initial assessment was performed, the organization we assessed has not conducted a re-assessment. There was at least one attempt, but the solicitation process bogged down in a deluge of needless bureaucracy and no contract was ever awarded. This writer wonders whether the threat continues to be mitigated as it was in the months following the initial assessment, or if piecemeal system and operational modifications have eroded the good work the organization did when it received our initial assessment.

[Kabay comments: One wonders if management succumbed to the sense that absence of evidence of tampering equates to absence of vulnerabilities. In my experience as a consultant, I have regrettably run up against upper management who seem to believe that wishful thinking is a reasonable substitute for a global perspective on industry experience. If they, personally, have not (yet) been involved in a security debacle, they seem to believe that they and their organizations are immune to risks that have been documented in similarly placed organizations.]

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.
