Security Issues in SCADA Systems

Dr. James H. Graham; Mr, Sandip C, Patel

doi:10.65301/dias.2004.1.2.194

Articles 2nd Edition of DTR Oct 2004 – Mar 2005

DOI 10.65301/dias.2004.1.2.194

Security Issues in SCADA Systems

Authors

144 Views

245 Downloads

Published 2004-04-30

Pages 51-57

Abstract

Supervisoiy Control and Data Acquisition (SCADA) networks control critical infrastructure of many countries. They perform vital functions for utility companies including electricity, natural gas, oil, water, sewage, an d railroads. The SCADA networks can he easy targets for unauthorized intrusions that can result in devastating attack s by terrorists. This research identifies threats faced by SCADA and investigates cost-efficient methods to enhance its security in the light of DNP3 protocols, which h as b eco m e a d e fa c to industry standard protocol for implementing the SCADA technology. We propose cost-effective implementation alternatives
including SSL/TLS, IPsec, object security, encryption, and message authentication object. The paper evaluates implementation details of the se solutions, and analyzes and com pares these approaches. Finally, we provide new research directions to m ore adequately secure SCADA networks an d the protocols over the long term.

References

1. American Gas Association, "Cryptographic Protection o f SCADA Communications,” Report No. 12-1, March 2003.
2. ARC Advisory Group, Market Study, “SCADA Systems for Electric Power Worldwide Outlook.” http://www.arcweb.com/research/pdfs/Study_scadapwr_ww.pdf
3. Bent, Dan, “OSSI Making Progress on NIST Certification o f Open SSL,” December 10, 2003. http:/’/www. lin uxworld. com/story/38162.htm
4. Berket, K., Agarwal, D. A. and Chevassut, O., “A Practical Approach to th e InterGroup Protocols,” Future Generation Computer
Systems, Vol. 18, No. 5, April2002, pp. 709-719.
5. CERTV ulnerability Report in TCP dated: April20,2004 http://www.us-ert.gov/cas/techalerts/TA04-ll lA.html
6. Crocker, D. and Klyne, G., “Internet Data Object Security," The G5 Messaging Forum, March 12,1998.
http://www.brandenburg.com/articles/datasecurity/
7. DNP3 ftp site, File: TD-AuthenticationObject-GG-l.doc. ftp://dnp.org/Tech%20Bulletin%20Drafts/
8. DNP3 Technical Document: “Is DNP 3.0 the Right Standard for You?, "June 2000. http://dnp. org/files/2000-06- UA-DNP.pdf
9. DNP3 Technical Document: “A DNP3 Protocol Primer,” June 2000. http://dnp.org/files/dnp3_primer.pdf
10. DOE (U. S. Department o f Energy), the Office o f Energy Assurance “21 Steps to Improve Cyber Security o f SCADA Networks,”
Reference document, http://www.ea.doe.gov/pdfs/21stepsbooklet.pdf
11. Farahmand, E, Navathe, S.B., Enslow, P.H., and Sharp, G.P., "Managing vulnerabilities o f information systems to security
incidents,” Proceedings o f the 5th international conference on Electronic commerce, Pittsburgh, Pennsylvania, September 2003, pp. 348 354.
12. Freudenthal, E.; Port, L.; Pesin, T.; Keenan, E.; Karamcheti, V., “Switchboard: secure, monitored connections for client-server
communication,” Proc. o f the 22nd International Conference on Distributed Computing Systems Workshops, 2-5 July2002, pp. 660 -665.
13. Frost and Sullivan, Company news, “European SCADA systems Market in Dynamic Shape," 11 October 2001.
http://www.engineeringtalk.com/news/fro/frol44.html IEC (The International Electrotechnical Commission) homepage.
https://domino.iec.ch/webstore/webstore.nsf/artnum/030578
14. Makhija, J. and Subramanyan, L.R., “Comparison o f protocols used in remote monitoring: DNP 3.0, IEC 870-5-101 & Modbus.”
http://www.ee.iitb.ac.in/~esgroup/es_mtech03_sem/sem03_paper_03307905.pdf
15. National Infrastructure Protection Cen ter “Terrorist Interest in Water Supply and SCADA Systems "Information Bulletin 02-001,
30 January 2002.
16. http://www.nipc.gOv/publications/infobulletins/2002/ib02-001.htm
17. News Diary, Industrial Networking, “Market Reports from ARC,” Vol. 7, No. 3, Feb. 2004.
http://www.industrialnetworking.co.uk/mag/v7-3/f_markreps.html
18. OpenSSL website, http://www.openssl.org/
19. Poulsen, K., “Brits pound OpenSSL bugs ”Security Focus, Sep 30 2003. http://www.securityfocus.com/news/7103
20. Rescorla, E., SSL and TLS: Designing and Building Secure Systems, Addison-Wesley, 2001.
21. SSUTLS Web page^by Dan Kegel, http://www.kegel.com/ssl/
22. United States General Accounting Office, Statement o f Robert F. Dacey, “CRITICAL INFRASTRUCTURE PROTECTION
Challenges in Securing Control Systems” October 1,2003. http://www.gao.gov/new.items/d04140t.pdf
23. Yasinsac, A.; Childs, J.; “Analysing Internet security protocols," Proc. o f the Sixth IEEE International Symposium on High Assurance
Systems Engineering, 22-24 Oct. 2001, pp. 149-159.

Download

PDF

How to Cite

Dr. James H. Graham , Mr, Sandip C, Patel . (2004). Security Issues in SCADA Systems. DIAS Technology Review, 1(2), 51-57.

About This Journal

DIA

DIAS Technology Review

Published by Journalskart

P-ISSN 0972-9658

✓ Citation copied to clipboard

[1] 1. American Gas Association, "Cryptographic Protection o f SCADA Communications,” Report No. 12-1, March 2003.

[2] 2. ARC Advisory Group, Market Study, “SCADA Systems for Electric Power Worldwide Outlook.” http://www.arcweb.com/research/pdfs/Study_scadapwr_ww.pdf

[3] 3. Bent, Dan, “OSSI Making Progress on NIST Certification o f Open SSL,” December 10, 2003. http:/’/www. lin uxworld. com/story/38162.htm

[4] 4. Berket, K., Agarwal, D. A. and Chevassut, O., “A Practical Approach to th e InterGroup Protocols,” Future Generation Computer

[5] Systems, Vol. 18, No. 5, April2002, pp. 709-719.

[6] 5. CERTV ulnerability Report in TCP dated: April20,2004 http://www.us-ert.gov/cas/techalerts/TA04-ll lA.html

[7] 6. Crocker, D. and Klyne, G., “Internet Data Object Security," The G5 Messaging Forum, March 12,1998.

[8] http://www.brandenburg.com/articles/datasecurity/

[9] 7. DNP3 ftp site, File: TD-AuthenticationObject-GG-l.doc. ftp://dnp.org/Tech%20Bulletin%20Drafts/

[10] 8. DNP3 Technical Document: “Is DNP 3.0 the Right Standard for You?, "June 2000. http://dnp. org/files/2000-06- UA-DNP.pdf

[11] 9. DNP3 Technical Document: “A DNP3 Protocol Primer,” June 2000. http://dnp.org/files/dnp3_primer.pdf

[12] 10. DOE (U. S. Department o f Energy), the Office o f Energy Assurance “21 Steps to Improve Cyber Security o f SCADA Networks,”

[13] Reference document, http://www.ea.doe.gov/pdfs/21stepsbooklet.pdf

[14] 11. Farahmand, E, Navathe, S.B., Enslow, P.H., and Sharp, G.P., "Managing vulnerabilities o f information systems to security

[15] incidents,” Proceedings o f the 5th international conference on Electronic commerce, Pittsburgh, Pennsylvania, September 2003, pp. 348 354.

[16] 12. Freudenthal, E.; Port, L.; Pesin, T.; Keenan, E.; Karamcheti, V., “Switchboard: secure, monitored connections for client-server

[17] communication,” Proc. o f the 22nd International Conference on Distributed Computing Systems Workshops, 2-5 July2002, pp. 660 -665.

[18] 13. Frost and Sullivan, Company news, “European SCADA systems Market in Dynamic Shape," 11 October 2001.

[19] http://www.engineeringtalk.com/news/fro/frol44.html IEC (The International Electrotechnical Commission) homepage.

[20] https://domino.iec.ch/webstore/webstore.nsf/artnum/030578

[21] 14. Makhija, J. and Subramanyan, L.R., “Comparison o f protocols used in remote monitoring: DNP 3.0, IEC 870-5-101 & Modbus.”

[22] http://www.ee.iitb.ac.in/~esgroup/es_mtech03_sem/sem03_paper_03307905.pdf

[23] 15. National Infrastructure Protection Cen ter “Terrorist Interest in Water Supply and SCADA Systems "Information Bulletin 02-001,

[24] 30 January 2002.

[25] 16. http://www.nipc.gOv/publications/infobulletins/2002/ib02-001.htm

[26] 17. News Diary, Industrial Networking, “Market Reports from ARC,” Vol. 7, No. 3, Feb. 2004.

[27] http://www.industrialnetworking.co.uk/mag/v7-3/f_markreps.html

[28] 18. OpenSSL website, http://www.openssl.org/

[29] 19. Poulsen, K., “Brits pound OpenSSL bugs ”Security Focus, Sep 30 2003. http://www.securityfocus.com/news/7103

[30] 20. Rescorla, E., SSL and TLS: Designing and Building Secure Systems, Addison-Wesley, 2001.

[31] 21. SSUTLS Web page^by Dan Kegel, http://www.kegel.com/ssl/

[32] 22. United States General Accounting Office, Statement o f Robert F. Dacey, “CRITICAL INFRASTRUCTURE PROTECTION

[33] Challenges in Securing Control Systems” October 1,2003. http://www.gao.gov/new.items/d04140t.pdf

[34] 23. Yasinsac, A.; Childs, J.; “Analysing Internet security protocols," Proc. o f the Sixth IEEE International Symposium on High Assurance

[35] Systems Engineering, 22-24 Oct. 2001, pp. 149-159.