Click here to receive your FREE subscription to Campus Technology
Current News
SCADA Security and the "Most Monumental Non-Nuclear Explosion and Fire"
4/14/2004
I wish I could give you a SCADA tutorial in a single brief column, but I can't.
What I can do is give you some starting points. Everyone, each and every one
reading this, should review "21 Steps to Improve Cyber Security of SCADA
Networks," an excellent and very approachable booklet written by the Department
of Energy
( http://www.ea.d'e.gov/pdfs/21stepsbooklet.pdf
).
Assuming you want to go beyond that (and you should), the first thing you should know is that while many legacy SCADA systems were built around closed proprietary protocols, the modern trend is to use MODBUS (see http://www.modbus.org/) or FIELDBUS (http://www.fieldbus.org/), both comparatively simple open protocols, increasingly deployed over TCP/IP ethernet-based networks. To understand SCADA security, begin by understanding MODBUS and FIELDBUS.
As you do, you'll see that these are very simple protocols. Because security hasn't historically been a high priority, and because there's a very real fear that security measures may inadvertently result in a loss of positive control during a critical incident, what you'll see will remind you of where typical campus network security was five or ten years ago. (For example, end-to-end encryption is still exceedingly rare in the MODBUS and FIELDBUS world, and MODBUS-aware firewalls, except for the open source MODBUS firewall at http://modbusfw.sourceforge.net/ , are still equally scarce).
Or consider a couple of items from GAO-04-354 (pp. 18):
"…existing security technologies, as well as strong user authentication and patch management practices, are generally not implemented in control systems because control systems usually have limited processing capabilities, operate in real time, and are typically not designed with cybersecurity in mind…"
and
"…complex passwords and other strong password practices are not always used to prevent unauthorized access to control systems, in part because this could hinder a rapid response to safety procedures during an emergency. As a result, according to experts, weak passwords that are easy to guess, shared, and infrequently changed are reportedly common in control systems, including the use of default passwords or even no passwords at all…"
Not very reassuring, is it? We cannot let our critical infrastructure be deployed this way. If you wouldn't let the PCs your campus uses for word processing get deployed with that sort of security, we cannot as a nation run our critical SCADA cyberinfrastructure that way either. We need to harden our SCADA systems now, unless we want to face an "abyss" that would make Hells Canyon look like a crack in the sidewalk.
J'e St Sauver, Ph.D. (j'e@oregon.uoregon.edu) is the director of user services and network applications at the University of Oregon Computing Center.
----------------------------
This sounds like one more call for IT managers to make sure they're in regular communication with the folks who maintain that other infrastructure, you know, the physical infrastructure. There are a lot of places where the information infrastructure and the physical infrastructure meet, and it sounds like SCADA-type issues might arise there. Thanks, J'e.
About the author: Terry Calhoun is Director of Communications and Publications for the Society
for College and University Planning (SCUP). You can contact him through CT's IT Trends forum by clicking here. View more articles by Terry Calhoun.
Cite this Site
copy text (above) for proper citation
Recommended Reading
- Campus Security :: September 26, 2008
:::::: SECURITY FOCUS
: The Super Powers of Layer 7 Traffic Analysis at Wayne State
:::::: CAMPUS SECURITY NEWS
: United States Tops List of Sources for Botnet Attacks
: Malicious Code Hidden in Rich Content Files Tough To Detect, According to Finjan Report
: McAfee Set To Acquire Secure Computing, a Top Contender in Detecting Malware and Spyware
: Card Use Can Stem ID Theft, Microsoft Says
: Fayetteville State U Deploys Federal Signal Campus Safety and Security System
: Furman U Chooses ADT's Select Link Emergency Notification System
: Microsoft To Expand Security Lifecycle Expertise
: Genetec Releases New Version of IP Access Control - IT Trends :: Thursday, September 25, 2008
:::::: RESEARCH
:: Lecture Capture: No Longer Optional?
:::::: IT NEWS
:: Getting Creative on Campus: Adobe CS4 Launch
:: U Arizona To Optimize Wireless Networks on Campus
:: Dynamic Biometric Pushes for Distance Learning Student Authentication by Pen
:: LaCie To Ship 6 TB Desktop RAID
:: IBM Releases Virtual Storage Optimizer
:: Furman U Chooses ADT's Select Link Emergency Notification System
:: Microsoft's HPC 2008 Now Live - C-Level View :: September 24, 2008
:::::: EXECUTIVE VIEW
: Getting Creative on Campus: Adobe CS4 Launch
:::::: WORTH NOTING
: First Look: Adobe Creative Suite 4
: Card Use Can Stem ID Theft, Microsoft Says
: IBM Releases Virtual Storage Optimizer
: Lecture Capture Drives Academic Gains at Saint Mary's U
: Education IT Spending, Fueled by Telecom, To Top $56 Billion by 2012 - SmartClassroom :: Wednesday, September 24, 2008
:::::: INTERVIEW
: Using Classroom Clickers To Engage Every Student
:::::: NEWS and PRODUCT UPDATES
: First Look: Adobe Creative Suite 4
: Turnitin Integrates Plagiarism Tool into New Online Writing Service
: Smart Meeting Pro Expands Language Support
: Lecture Capture Drives Academic Gains at Saint Mary's U
: Echo360 Unveils Web-based Editor for Digital Lectures - News Update :: Tuesday, September 23, 2008
:::::: NEWS
: First Look: Adobe Creative Suite 4
: Universities Adopt CoWare Processor Designer as Teaching and Research Tool
: Vanderbilt U Keeps Computers in Order with Persystent
: Education IT Spending, Fueled by Telecom, To Top $56 Billion by 2012
: HP Debuts Hardware, Software To Support VMware Environments
: 2 Higher Ed Consortia Sign with Xerox for Printing and Document Management
: Zend and Adobe Partner on RIAs at PHP User Conference
: Vista Desktop Licensing Plan Has Its Virtues, Gartner Says
: Cray Unveils CX1 Supercomputer for Office Use - IT Trends :: Thursday, September 18, 2008
:::::: IT RESEARCH
:: Lumbering Global Economy Affects IT Industry
:::::: IT NEWS
:: A Victory for Becta? Microsoft Makes Concessions
:: VMware Fusion 2 Expands Hardware Support, Improves Networking
:: VMware Launches GoVirtual.org in Response to 'Massive Growth' in Academic Membership
:: Lourdes College Selects Intelliworks To Track Graduate School Contacts
:: Niigata U and Oki Collaborate in Developing Biodegradable Toner
:: Leopard Update Tackles Security, Active Directory Issues
:: Intel Rolls Out 65W, 6-core Xeon 7400 Processors
