Thursday, July 30, 2009
Practical SCADA Security
There is an interesting article over on ControlEng.com about the efforts that Air Liquide has taken to protect its industrial control systems network. Many of the details described are well over the head of people that are not control systems engineers (and that certainly includes me), but it does provide some insight into the types of efforts that need to be made to secure complicated control system networks. There are a couple of items in the article that should be of interest to anyone in the chemical security community that works with plants with automated control systems. The first is found in the opening paragraph of the article. It is a description of the existence of common software security gaps in two commercially available control system packages, CitectSCADA and Areva's e-terrahabitat. Buffer overflow vulnerabilities are well understood openings in software security processes that allow an outsider to gain control of the system. The presence of such software holes makes it much easier to penetrate system security. The second item of interest is their discovery of a number of compromised computers on their network. While the article does not mention the use of those slaved computers to manipulate the control system, it does indicate the level of system penetration that can be achieved when there are inadequate system protections in place. Finally, the article notes the importance of including security system engineers in the development and deployment of a security system. The article author has been working in industrial control system design and development for a large number of years. Most high-risk chemical facilities do not have that level in-house of systems engineering experience available. They will have to rely on cyber security experts to an even greater extent. I do hope that the author will report the history of compromised computers on the industrial network to the team over at SecurityIncidents.org; they would be valuable data points to include in the RISI data base.