Security in the electric power industry: Riptech Report of 2001

This is another in a series of articles looking at security issues in the electric power industry. Today I review a baseline report from almost a decade ago that remains important for everyone studying these issues, especially in light of the Stuxnet worm attacks on tens of thousands of Siemens supervisory control and data acquisition (SCADA) systems around the world.

* * *

In January 2001, Riptech, a high-tech security firm providing managed security services which was acquired by Symantec in 2002, published a brief report on security vulnerabilities in SCADA systems. The authors presented three “Common Misconceptions about SCADA System Security” which are summarized below:

Misconception No.1 – "The SCADA system resides on a physically separate, standalone network."

Although the early SCADA systems were indeed independent of corporate data processing systems and networks, the situation has changed. The Riptech authors write, "First, the demand for remote access computing has encouraged many utilities to establish connections to the SCADA system that enable SCADA engineers to monitor and control the system from points on the corporate network. Second, many utilities have added connections between corporate networks and SCADA networks … to allow corporate decision makers to obtain instant access to critical data about the status of their operational systems."

The authors explain that there is evidence that many such connections have limited security.

Misconception No.2 – "Connections between SCADA systems and other corporate networks are protected by strong access controls."

Wrong. Research findings in the field consistently find serious weaknesses in the security of SCADA systems.

Misconception No.3 – "SCADA systems require specialized knowledge, making them difficult for network intruders to access and control." [The following points from the original report have been edited and reformatted as bullet points for clarity.]

• "… utility companies represent a key component of one of the nation's critical infrastructures… [and] are likely targets of coordinated attacks by cyber-terrorists,…[not] disorganized [criminal] hackers.

• Such attackers are highly motivated, well-funded, and may very well have insider knowledge.

• Further, a well-equipped group of adversaries focused on the goal of utility operations disruption is certain to use all available means to gain a detailed understanding of SCADA systems and their potential vulnerabilities.

• …[T]he increasing availability of information describing the operations of SCADA systems [increases the risk]. …[S]everal standards for the interconnection of SCADA systems and remote terminal units (RTU) have been published, as have standards for communication between control centers, acceptance of alarms, issuance of controls, and polling of data objects. Further, SCADA providers publish the design and maintenance documents for their products and sell toolkits to help develop software that implements the various standards used in SCADA environments.

• Finally, the efforts of utility companies to make efficient use of SCADA system information across their company has led to development of "open" standard SCADA systems. As a result of this development, SCADA system security is often only as strong as the security of the utility's corporate network.

The Riptech report summarized the "common security vulnerabilities affecting SCADA systems" with the following three headings:

• Public information availability

• Insecure network architecture

• Lack of real-time monitoring

The authors expanded on this last point with descriptions of two particularly important problems:

• "Vast amounts of data from network security devices overwhelm utility information security resources rendering monitoring attempts futile.

• Even when intrusion detection systems are implemented, network security staff can only recognize individual attacks, as opposed to organized patterns of attacks over time."
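The second problem above is easy to see in code. The following is an added example, not material from the Riptech report or from Network World: a conventional per-event burst rule and a pattern-over-time rule are run over constructed firewall log lines from a hypothetical boundary firewall between a corporate network and a SCADA network (all addresses are placeholders; the ICS port numbers are an assumption, not something the report mentions).

```python
"""Added example (not from the Riptech report): per-event burst rule versus pattern-over-time
rule on constructed logs from a hypothetical corporate-to-SCADA boundary firewall."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed log with placeholder addresses: one source is denied against five SCADA hosts,
# hours apart. Ports 502/2404/20000 are common ICS protocol ports (assumption, not from the report).
SAMPLE_LOG = """\
2001-01-10T08:02:11 DENY 10.20.5.17 -> 192.168.100.11:502
2001-01-10T08:41:03 ALLOW 10.20.5.9 -> 192.168.100.20:443
2001-01-10T09:15:47 DENY 10.20.5.17 -> 192.168.100.12:502
2001-01-10T11:03:22 DENY 10.20.5.17 -> 192.168.100.13:2404
2001-01-10T11:59:58 DENY 10.20.5.33 -> 192.168.100.11:22
2001-01-10T14:27:30 DENY 10.20.5.17 -> 192.168.100.14:502
2001-01-10T16:48:05 DENY 10.20.5.17 -> 192.168.100.15:20000
"""
def load(text):
    """Parse '<iso-ts> <ACTION> <src> -> <dst>:<port>' lines into (ts, action, src, host, port)."""
    events = []
    for line in text.splitlines():
        ts, action, src, _, dst = line.split()
        host, port = dst.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), action, src, host, int(port)))
    return events

def burst_alerts(events, n=3, window=timedelta(minutes=1)):
    """Individual-attack view: alert when one source is denied n times within `window`.
    Probes spaced hours apart never trip this rule, so the analyst sees only isolated denies."""
    alerts, recent = [], defaultdict(list)
    for ts, action, src, _, _ in events:
        if action != "DENY":
            continue
        recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
        if len(recent[src]) >= n:
            alerts.append((src, ts))
    return alerts

def slow_scan_alerts(events, min_hosts=3, window=timedelta(hours=24)):
    """Pattern-over-time view: per source, count distinct denied destinations within `window`.
    Returns {src: sorted hosts} for sources that reached at least `min_hosts` distinct targets."""
    alerted, recent = {}, defaultdict(list)
    for ts, action, src, host, _ in events:
        if action != "DENY":
            continue
        recent[src] = [(t, h) for t, h in recent[src] if ts - t <= window] + [(ts, host)]
        hosts = {h for _, h in recent[src]}
        if len(hosts) >= min_hosts:
            alerted[src] = sorted(hosts)
    return alerted

if __name__ == "__main__":
    ev = load(SAMPLE_LOG)
    print("burst rule:", burst_alerts(ev))          # nothing correlated
    print("slow-scan rule:", slow_scan_alerts(ev))  # one source, five SCADA hosts
```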

Riptech proposed a three-step approach to securing SCADA systems (quoting directly from the paper with elisions … and minor [capitalization] changes):

1. Regular vulnerability assessments

… In addition to assessing operational systems, corporate networks, Web servers, and customer management systems should also be assessed to reveal unintended gaps in security, including unknown links between public and private networks, and firewall configuration problems. …

2. Expert information security architecture design

… [F]irewalls, IDSs and VPNs can all help protect networks from malicious attacks, improper configuration and/or product selection can seriously hamper the effectiveness of a security posture. In order to minimize risks associated with network architecture design, utilities should work with information security professionals to ensure that evolving network architectures do not compromise information security.

3. Managed security [by which they meant outsourcing security to an organization that would provide "real-time security monitoring capability at a relatively low cost"]

As companies deploy network security technologies throughout their networks, the need to properly manage and monitor these devices is becoming increasingly complex. Unfortunately, the implementation of "technology-only" solutions without close monitoring and management significantly weakens the effectiveness of security devices. Hiring experienced IT security professionals to monitor network security devices can help to mitigate risk; however this option is cost-prohibitive for most, if not all, utility companies. As a result, many organizations are outsourcing the management and monitoring of security devices to highly specialized, managed security companies. Managed security services ensure that all security devices are configured properly and fully patched, while monitoring the actual activity on each device to detect malicious activity in real time. Managed security services enable corporations to maintain a realtime security monitoring capability at a relatively low cost, and simultaneously increase the value of existing information security devices by enhancing their performance and capabilities.

I think that Riptech's work a decade ago holds valuable lessons for us in today's increasingly critical SCADA security landscape.


Copyright © 2010 IDG Communications, Inc.