M
This message is a follow-up to a previous one I posted a month ago (19/06/06) titled: "HMI: COMM: An interesting article on a SCADA security vulnerability." There have been further developments which some people may find interesting.
There is a group in the USA which seems to be organised by the "US Department of Energy and the US Department of Homeland Security" called the "SCADA and Control Systems Procurement Project". They are evidently working on standards for SCADA security for "critical infrastructure" (generating plants, traffic
signals, dams, etc.).
These standards are for specification language for security which customers will be expected to use in their contracts for SCADA systems. The language covers system specifications and acceptance tests. I gather that it is expected that there will eventually be legislation requiring the system operators to implement these guidelines as minimum security standards for all new "critical" SCADA systems.
This requirement will be passed down to integrators as part of the procurement contract. It thus appears that integrators in the USA will be required to become more familiar with security if they wish to stay in the business. It is also likely that other countries will be adopting similar measures (if they have not already done so). The participants so far appear to be mainly large American electric utilities (although I am not familiar enough with the
USA to be sure who all of them are).
There is at present a draft document (PDF) available from the "SCADA and Control Systems Procurement Project" web site (see below for the link). The document is still being worked on and is at present incomplete. The group invites comment and participation, so anyone who deals with these sorts of things as part of their business may want to look at this before they find themselves having to implement something they feel is impractical.
I have skimmed over the document (48 pages), and most of it appears to concern general computer system security (including access control, network patitioning, configuration, etc.), rather than measures which are specific to
SCADA systems. In other words, it is more about the operating system and network configuration the SCADA system is hosted on than about SCADA itself.
However, the intent is very clearly that the integrators who install the SCADA systems will be required (as part of the contract and acceptance tests) to design and implement the security measures, so this isn't something that
can be fobbed off on the customer.
One thing which is quite clear at this point however is that simply buying a computer with the latest version of MS-Windows and stuffing the SCADA software CD in the drive will not even come close to meeting the minimum
requirements. The system must be stripped down to remove all unused software, operating system file access permissions must be tightend up, default accounts must be removed, account logging and auditing implemented, known
flaws patched, etc. In other words, there is a lot of system preparation work which must be done as well as ongoing maintenance.
The history of this security specification process started out with concerns about the security of critical infrastructure. However, there is no clear lower limit to what can be considered "critical". I can see this standard
being applied to water and sewage systems, process industries, food processing, etc. I rather strongly suspect that many integrators (especially the smaller ones) will be unprepared for this, and will get burned on a future contract when they find they have gotten into something over their heads.
I would be interested in any comments on the above.
Article in The Register (re-print of Security Focus version):
http://www.theregister.co.uk/2006/07/28/scada_security_push/
Original version in Security Focus:
http://www.securityfocus.com/news/11402
Web site for "SCADA and Control Systems Procurement Project"
http://www.cscic.state.ny.us/msisac/scada/
Link to draft specification (PDF, 447k):
http://www.cscic.state.ny.us/msisac/scada/documents/25-jul-06-SCADA-procurement-draft.pdf
There is a group in the USA which seems to be organised by the "US Department of Energy and the US Department of Homeland Security" called the "SCADA and Control Systems Procurement Project". They are evidently working on standards for SCADA security for "critical infrastructure" (generating plants, traffic
signals, dams, etc.).
These standards are for specification language for security which customers will be expected to use in their contracts for SCADA systems. The language covers system specifications and acceptance tests. I gather that it is expected that there will eventually be legislation requiring the system operators to implement these guidelines as minimum security standards for all new "critical" SCADA systems.
This requirement will be passed down to integrators as part of the procurement contract. It thus appears that integrators in the USA will be required to become more familiar with security if they wish to stay in the business. It is also likely that other countries will be adopting similar measures (if they have not already done so). The participants so far appear to be mainly large American electric utilities (although I am not familiar enough with the
USA to be sure who all of them are).
There is at present a draft document (PDF) available from the "SCADA and Control Systems Procurement Project" web site (see below for the link). The document is still being worked on and is at present incomplete. The group invites comment and participation, so anyone who deals with these sorts of things as part of their business may want to look at this before they find themselves having to implement something they feel is impractical.
I have skimmed over the document (48 pages), and most of it appears to concern general computer system security (including access control, network patitioning, configuration, etc.), rather than measures which are specific to
SCADA systems. In other words, it is more about the operating system and network configuration the SCADA system is hosted on than about SCADA itself.
However, the intent is very clearly that the integrators who install the SCADA systems will be required (as part of the contract and acceptance tests) to design and implement the security measures, so this isn't something that
can be fobbed off on the customer.
One thing which is quite clear at this point however is that simply buying a computer with the latest version of MS-Windows and stuffing the SCADA software CD in the drive will not even come close to meeting the minimum
requirements. The system must be stripped down to remove all unused software, operating system file access permissions must be tightend up, default accounts must be removed, account logging and auditing implemented, known
flaws patched, etc. In other words, there is a lot of system preparation work which must be done as well as ongoing maintenance.
The history of this security specification process started out with concerns about the security of critical infrastructure. However, there is no clear lower limit to what can be considered "critical". I can see this standard
being applied to water and sewage systems, process industries, food processing, etc. I rather strongly suspect that many integrators (especially the smaller ones) will be unprepared for this, and will get burned on a future contract when they find they have gotten into something over their heads.
I would be interested in any comments on the above.
Article in The Register (re-print of Security Focus version):
http://www.theregister.co.uk/2006/07/28/scada_security_push/
Original version in Security Focus:
http://www.securityfocus.com/news/11402
Web site for "SCADA and Control Systems Procurement Project"
http://www.cscic.state.ny.us/msisac/scada/
Link to draft specification (PDF, 447k):
http://www.cscic.state.ny.us/msisac/scada/documents/25-jul-06-SCADA-procurement-draft.pdf