Thursday, September 17, 2009

SCADA Security Discussion 9-17-09

Yesterday Ron Southworth from the ‘SCADA Gospel’ mailing list added to the SCADA Security discussion over at the Process Automation Usability Project on ControlGlobal.com. He makes some important points about taking data out of the process control system and transferring it to the corporate enterprise computer system. While this may make the control system vulnerable, he points out that there may be good business reasons for that data exchange. The question then becomes how the cost of protecting against the added risk compares to the benefit obtained. There are methods that can be used to control the risk of interconnecting those two networks for the purpose of limited data exchange, but they need to be thought out in advance.

He also makes a good point about the use of portable USB drives as a method of data transfer. Given their near-universal use, it is probably impractical to prohibit them. The better option would be “to issue devices used for specific purposes to staff and have limited approved activities and locations (consoles) for which these drives can be used to port data to from”. Good discussion.
