SCADA is a technology that focuses on the automation of utilities. These utilities include items such as chemical, power, gas, water, oil and other items along these lines. The security among these types of infrastructures is imperative to the safety and security of the general public. With possible exposure to hackers or terrorist, business continuity and public safety could be jeopardized.
Initiatives such as the Open SCADA Security Project are providing open forums and networking among professionals. This organization is similar to OWASP and is currently bringing the aforesaid professionals together.
Although much of SCADA’s security is physical, the information technology behind the operations of SCADA can be the driving focal point of cyber security. With electronics such as Programmable Logic Controls (PLCs), Remote Terminal Units (RTUs), Intelligent Electronic Devices (IED) and Distributed Control Systems (DCS) (just a few devices), cyber attacks can be carried out against these devices without proper protection.
Many that use SCADA devices do not have properly trained information technology professionals securing their network. With modern PLCs, DHCP (Dynamic Host Control Protocol) can issue an ip addresses instantly which in turn makes the PLC an open node on the internal network. Because of this, security measures such as a firewall that is VPN capable, patches and updates for workstations and servers, an Access Control List of restricted users, application software updates and firmware updates are necessary. These recommendations include all aspects of information technology and networking technology regardless if the network is wired or wireless.
Small organizations that have equipment such as the PLCs listed above often use basic Windows Home Edition; have no patches, service packs or firewalls in place. Larger businesses may have maintenance personnel who install this equipment on a network and don’t make the IT personnel aware of update requirements.
Several videos are available on the internet that show SCADA controlled equipment being hacked. This type of interruption of services could be detrimental to basic needs of communities.
Information Technology professionals need to be trained in the security needs of SCADA projects. Companies often train maintenance and operational personnel on SCADA and neglect the true needs of cyber security. Companies such as InfoSec Institute and SANS offers SCADA training for Information Technology Professionals.
See the Multipart series on Network Security.