Supervisory control and data acquisition (SCADA)
Almost all critical industrial infrastructures and processes are managed remotely from central control rooms, using computers and communications networks. The flow of gas and oil through pipes, the processing and distribution of water, the management of the electricity grid, the operation of chemical plants, and the signalling network for railways. These all use various forms of process control and 'supervisory control and data acquisition' - known as SCADA technology.
Until recently the terms 'process control' and 'SCADA' were unknown outside a niche area in industry. Today it is one of the key issues for national infrastructure protection.
CPNI is helping the UK national infrastructure to understand and mitigate electronic attack risks to these systems and facilitates this effort through a focussed programme of work. This includes:
- CPNI-funded vulnerability and protection research
- SCSIE, an information exchange forum that meets regularly to share information on SCADA threats, incidents and mitigation
- E-SCSIE, similar to the SCSIE but with a focus on European government and industry efforts to protect process control and SCADA systems
- a close working relationship to the security programs being developed in USA, Canada, Australia, New Zealand and Europe.
Process control and SCADA security - good practice guidelines
CPNI's recommendations for process control and SCADA security are essentially contained within the following nine good practice guidance documents:
Process control and SCADA security - General Guidance
An overarching summary to the following guidance documents.
Process control and SCADA security guide 1 - Understand the Business Risk
The first step in improving the security of process control systems is to gain a thorough understanding of the business risk in the context of electronic security. Business risk is a function of threats, impacts and vulnerabilities. Only with a good knowledge of the business risk can an organisation make informed decisions on what should be the appropriate levels of security protection.
Process control and SCADA security guide 2 - Implement Secure Architecture
Designing a secure architecture for a control system can be a difficult exercise as there are so many different types of systems in existence and so many possible solutions, some of which might not be appropriate for the process control environment. Given limited resources it is important that the selection process ensures that the level of protection is commensurate with the business risk and does not rely on one single security measure for its defence.
Firewall deployment for SCADA and process control networks
This guide, produced by the former NISCC, documents the pros and cons of architectures used to separate the SCADA and process control network from the Enterprise network. These range from hosts with dual network interface cards to multi-tiered combinations using firewalls, switches and routers.
Process control and SCADA security guide 3 - Establish Response Capabilities
The capability to respond to both alerts and incidents is an important part of a process control security framework. Obtaining management support, determining responsibilities, establishing communication channels, drafting policies, and procedures, identifying pre-defined actions, providing suitable training and exercising the whole process prior to incidents enables a quick, effective and appropriate response which can minimise the business impacts and their cost, possibly avoiding such incidents taking place in the future.
Process control and SCADA security guide 4 - Improve Awareness and Skills
Raising awareness is potentially the single most valuable action in the ongoing task of process control security. Raising awareness endeavours to ensure all relevant personnel have sufficient knowledge of process control system security and the potential business impact of lapses in security. Personnel need to know what to do to prevent attacks and what to do in the event of an incident.
Process control and SCADA security guide 5 - Manage Third Party Risk
The security of an organisation's process control systems can be put at significant risk by third parties, e.g. vendors, support organisation and other links in the supply chain, and therefore warrants considerable attention. Technologies that allow greater interconnectivity, such as dial-up access or the internet, bring new threats from outside of the organisation. Third parties must therefore be engaged as part of the process control security programme and steps should be taken to reduce the associated risk.
Process control and SCADA security guide 6 - Engage Projects
Process control systems are usually installed with an expectation of a long service life and minimal changes to these systems during their lifetime. However saying this for all control systems in use is probably an over generalisation. In many organisations there are often a number of process control system related projects underway at any point in time, any of which could have security implications.
Process control and SCADA security guide 7 - Establish Ongoing Governance
Formal governance for the management of process control systems security will ensure that a consistent and appropriate approach is followed throughout the organisation. Without such governance the protection of process control systems can be ad-hoc or insufficient, and expose the organisation to additional risk.
This text is normally replaced by the Flash content. Please update your flash player here: flash player update