• United States

Confab to examine security of utility, other control systems

Feb 27, 20062 mins

Professionals concerned with securing the systems that run water and electric utilities, dams, railways and other critical infrastructures are gathering this week in Florida to understand better the challenges facing them and learn how to defend their systems.

Called the Process Control and SCADA (supervisory control and data acquisition) Security Summit, the event is hosted by The SANS Institute, is paid for by the Departments of Energy and Homeland Security, and targets professionals involved with automated industrial control systems.

These systems are fundamentally different from IT networks because, instead of being focused on storing, sharing and securing data, they are designed to maximize the availability and reliability of the railroad or energy plants they run, says Rob Hoffman, manager of the cybersecurity research department at the Department of Energy’s Idaho National Laboratory, who spoke during a Webcast last week about the conference.

As organizations begin linking these control systems to their IT networks, however, they are opening the systems to the same types of security threats suffered by data-centric systems, Hoffman says.

“[SCADA] systems are generally stand-alone and were built to meet one need: automation,” he says. “They’re only being connected to back-end corporate [networks] after they’ve already been deployed, so security is at best an add-on, and quite often never designed in.”

For example, an organization running a control system linked to its IT system running Windows NT has its control system open to all the vulnerabilities found in Microsoft’s operating system, Hoffman says.

Compounding the issue is that control systems are difficult to patch, Hoffman says. “Downtime is not scheduled every week from 1 to 4 a.m., so it makes it very difficult to respond in a rapid fashion with patches to the vulnerabilities.”

In addition, many SCADA systems are the targets of not just hackers but terrorists or even nation states, Hoffman adds. He defines five types of potential SCADA system attackers: recreational hackers looking for a challenge; disgruntled engineers; activists with environmental or business concerns; terrorists; and nation states that want to access a control device and stay resident in case of future need.

“The thing that keeps me up at night is a bad guy who understands pressure volume and temperature relationships knowing the right valves and pumps to operate and is able to operate them,” says a security professional at a large energy company who asked not to be named.