01 October 2002
SCADA, PLCs vulnerable to cyberattacks
When using open systems, think security.
By William Pollock
Twenty years ago, a programmable logic controller (PLC) controlling a factory process might have been connected to a couple of other PLCs on the plant floor, but that's where it ended. Even introducing distributed control systems (DCSs) didn't change that much. Their proprietary communication systems kept things pretty much isolated within their network.
That changed as PC-based supervisory control and data acquisition (SCADA) systems began to mature and became increasingly popular. Systems became more open. As the use of standard operating systems grew, it became routine to connect the factory floor to the office network, an advance touted with much fanfare.
Now engineers or managers could see factory data not only from consoles on the plant floor but also from their desks or from networked desktops at plants around the world. Remote connectivity solutions rolled out, including Internet-based applications. As technology progressed, engineers could monitor alarms from home as well and ultimately from their personal digital assistant or wireless device, wherever they went.
Connectivity brought power and convenience but at a price. Viruses proliferated, system hacking became increasingly common, and 9/11 highlighted vulnerabilities. Hackers broke into corporate and government networks, so why not the factory floor, plant security personnel asked themselves.
Traditional network security hasn't provided full protection for office networks, and control networks require their own specialized approach.
A recent alert issued by the Canadian Office of Critical Infrastructure Protection stated that the terrorist group al Qaeda has cyber capabilities and intends to attack the infrastructure of various countries. The report quotes Osama bin Laden as saying hundreds of Muslim scientists were with him and would use their knowledge in the effort.
A breach of a SCADA system at a utility in California was described in ZDNet News on 13 June 2001. The story underscored the danger of interconnecting plant controls to networks.
In that cyberattack, the intruder was a domestic hacker, not an international terrorist. He broke through the security of a Web server and took over two servers controlling 75% of the power in California's power grid. If an amateur could accomplish that level of success, how much greater is the risk of an attack undertaken by determined terrorists?
Open systems that allow operators to gain access from their homes also allow hackers or terrorists halfway around the world to access the same plants.
Recent efforts to protect SCADA systems have focused on water systems and power utility security. The Public Health Security and Bioterrorism Preparedness and Response Act, signed into law by President Bush in June 2002, mandates that all water facilities serving more than 3,300 clients have a comprehensive cybersecurity audit and plan.
So how do we in the controls and automation community respond? There are four steps to the process: audit and assess, develop an action plan, implement risk reduction, and maintain the plan.
It isn't enough to secure a system using technology. Well-defined security policies and procedures are required, consistent with the amount of acceptable risk. It's necessary to train operators and maintain the system with continual audits because those trying to penetrate it are continually perfecting new techniques.
It's not realistic to have government or industry standards for cybersecurity systems because the definition and publication of procedures would provide information to the very attackers we are trying to keep out.
The process has come full circle. Open systems in the industrial world have provided great value but at the same time have increased plant vulnerability. Connectivity that provides ease of access for qualified users also provides an entryway for those we want to keep out.
Now we have to spend time and money limiting access to systems we worked so hard to open up. In the best future scenario, we will provide levels of encryption that allow access for those we approve and prevent access for those we want to keep out.
William Pollock, P.E., is CEO at Optimation Technology, Inc. in Rush, N.Y. Reach him at Bill.Pollock@Optimationtech.com.

