Take steps to secure SCADA systems, NIST Director warns

SCADA system security issues are receiving increased attention lately, in part thanks to last summer’s power blackout in the Northeast. In a recent keynote address at a National Science Foundation (NSF) workshop, the director of the National Institute of Standards & Technology (NIST) cited the organization’s ongoing work with a number of industry-led standards-development organizations to produce guidelines for implementing SCADA security

By Control Engineering Staff November 13, 2003

SCADA system security issues are receiving increased attention lately, in part thanks to last summer’s power blackout in the Northeast. In a recent keynote address at a National Science Foundation (NSF) workshop, the director of the National Institute of Standards & Technology (NIST) cited the organization’s ongoing work with a number of industry-led standards-development organizations to produce guidelines for implementing SCADA security.

Dr. Arden Bement, addressing the NSF Workshop on Critical Infrastructure Protection for SCADA & IT in October, observed that the August power failure was a ”wake-up call only if you had somehow managed to sleep through all the others.” While the blackout probably was not the result of a deliberate act, Bement said, it did highlight the fragility of a critical part of the nation’s infrastructure.

SCADA systems are designed for performance and reliability. Response time is often a critical factor, which complicates the task of adding cryptographic modules and other security features. Measurements and standards, said Bement, can play a vital role in improving the security of systems used in industry to monitor and control major, widely dispersed operations such as power generation and distribution systems, water and gas utilities, and large chemical plants and refineries. Although much work remains to be done, he continued, many actions could be taken immediately, including creating basic security policies, closing system ”back doors,” and making better use of existing standards.

Bement noted there are hundreds of thousands of legacy SCADA systems in the field that need to be secured. He also cited building automation and control systems as an often-overlooked segment of process controls that are increasingly being integrated with each other and IT networks for the exchange of information amongst many sources. ”Without proper security,” he said, ”the potential for havoc is awe-inspiring.”

To read the entire text of Bement’s address, click here.


—Jeanine Katzel, senior editor, Control Engineering, jkatzel@reedbusiness.com