Foreword

The safeguarding of supervisory control and data acquisition (SCADA) systems is a paramount cause for concern for the national security of our country and for its security professionals. SCADA systems control power, water, oil, gas, chemical, telecommunications and several other different critical and sensitive operational infrastructures that are absolutely vital to the machinery of our nation and the conduct of our day-to-day lives. If these essential systems were compromised and became inoperable for even a short time, the results could be costly, both in terms of financial repercussions, and the impact upon our quality and way of life.

Similar to all computer systems over the last four decades, SCADA systems have evolved. In the 1960’s, there was a time when most of these control systems were stand-alone, at a point when the network protocols and the control applications used in SCADA systems were considered to be proprietary. During those early days, a so-called “security by obscurity” aided in providing a palpable layer of cyber security defense and a general feeling of immunity from the kinds of nascent network security problems that began to emerge in the mid-1980’s, beginning with the notorious Morris Worm.

However, with the global standardization of government and corporate networks on the TCP/IP communications protocol, and during the last 20 years, with the migration of stand-alone proprietary SCADA systems to interconnected grid networks, the security risks have increased geometrically. Security managers can no longer rely on the isolated nature of these systems to provide protection. It still may be tempting to imagine that proprietary software applications provide a layer of secure abstraction, but these mission-critical applications may have unknown and untested security weaknesses. If the organization is not running home-grown/proprietary applications, in many cases, they already may have well-known and well-publicized vulnerabilities resulting from the use of off-the-shelf commercial software.

Unfortunately, the security of SCADA systems has not kept pace with advances in computer technology and the technical capabilities and intentions of adversaries. According to a 2003 report by Sandia National Laboratories, security for SCADA is typically five to ten years behind typical information technology systems. From a threat perspective, the adversarial pool has widened to include not only domestic and foreign terrorists, but nation-state actors, disgruntled insiders, organized crime, and even international competitors. This volatile convergence of globally pervasive computer networking, and the critical weaknesses in operating system and application software, is well understood by the adversaries. While a catastrophic failure is unlikely, unchecked, these risks could be highly problematic and cause disruptions in essential services and billions of dollars of losses. The SCADA world is very complex, however. No one can simply say, “Charge forward and by next year, fix all security problems and you’ll be protected!”

All is not gloom and doom, however. Some key public and private sectors have had to step up to face these seemingly daunting challenges and threats before. For example, the financial services industry moves billions of dollars each day over the public Internet, with relatively few losses or disruptions in service. Online retail organizations such as Amazon.com, eBay, and many others facilitate a steadily growing percentage of all retail transactions in a multi-trillion dollar a year industry. Many federal, state, and local governments provide rich transaction-based services to their citizens securely over the Internet. Within this framework of a set of strong business requirements to provide valuable networked services, and the backdrop of a challenging threat environment, informed security managers develop processes for assessing risk, create strategies and plans, and implement the right security control structures. This same lifecycle approach applies to the protection of SCADA systems and the work facing SCADA security managers.

I am pleased to provide this foreword to “Techno Security’s Guide to Securing SCADA,” because I believe that this book takes important steps forward in arming today’s SCADA security manager with the tools and information needed to achieve a higher level of information assurance within these critical and essential control systems. While there is no silver bullet technology or security plan that can anticipate all threats or situations, I urge you to take to heart the strategic and tactical ideas in this volume, and adapt them to your own environment.

Amit Yoran

Chairman and CEO of NetWitness Corporation
