SCADA Security: Bridge the Gap

Last Updated on April 15, 2011

Utilities and Security Vendors are taking very seriously the events of Stuxnet and they’re consequently running for cover. Although due to natural events, the dramatic facts of Fukushima have shown to the entire World (and likely to Cyber-terrorists) how close we are to the abyss of a nuclear meltdown, with the consequent fear that a simil-Stuxnet malware could give the final push (even if according to some urban legends Stuxnet might have played a role in the failure of cooling systems afterward the Tsunami of March 11, 2011).

In a previous post, I identified the Smart Grids (and more in general SCADA systems) as possible targets of Cyber-Attacks. Not only because they constitute one of the means through which the western world is trying to mitigate the effects on the energy bills of the chronic instability of the oil-producing countries and also the dependency from nuclear energy, but also because Smart Grids (and similar technologies based on Supervisory Control And Data Acquisition) will be the core of the promising Green Smart City initiatives promoted by several important IT players.

Taken for granted the many benefits, in terms of flexibility and resilience, deriving from the adoption of an IP-based approach, from a security perspective one must consider that a smart grid is generally composed by IP-Enabled heterogeneous technologies, 15/20 years old (this is the typical life cycle of the components). These technologies, often not even of last generation, unfortunately were not created to ensure the security made necessary by the adoption of an open-world Internet approach. While, on one hand, the IP protocol provides the intelligence that allows the different nodes to think as a single entity, on the other hand, the adoption of such a “single ecosystem model” comes with the price of having to accept (and mitigate) the threats hidden inside the IP packets.

But not only IP: in terms of connectivity, Smart Grids represent a leap into the unknown, since, to further worsen the picture, control systems of Smart Grid are based on the reviled Supervisory Control and Data Acquisition, which will have to necessarily reach a meaningful level of complexity to manage the proliferation of smart grids and the huge amount of data collected (the only thought of privacy issues makes me feel a subtle shudder), “old-school that’s SCADA Been Bolted Into Some sort of a newer technology“. Moreover utilities have hundreds of different standards and protocols, and teams that typically operate and maintain the infrastructures own very few IT skills. This also makes it difficult the convergence between different disciplines: the convergence between power distribution and IP-based control technologies is not supported by an analogous convergence between management infrastructures. This is also the outcome of a cultural gap: who manages the utilities does not completely (if not at all) trusts who comes from the IT world because of the hands-on approach of the latter, and hence tends to hide the management details of their closed world.

As a consequence energy utilities are “de facto” building a new Internet, a real parallel universe, as defined by the National Institute of Standards and Technology (NIST), which, in the wake of security concerns has promoted appropriate standards and specifications concerning smart grid cyber security of control systems. Analogously further support in this direction will be provided by NERC CIP (North American Electric Reliability Corp. ‘s Critical Infrastructure Protection Plan), recently updated which contains more than 100 standard and establishes requirements for protection of the critical elements of a Smart Grid. Security of Smart Grid Infrastructure is the Starting point and key element of the program.

It is not a coincidence that a recent report by market research firm Pike Research states that Smart grid cybersecurity will increase 62% between 2010 and 2011, and by 2015, the annual worldwide market spending will reach $1.3 billion. According to Pike Research senior analyst Bob Lockhart.

“Smart grid cybersecurity is significantly more complex than the traditional IT security world. It is a common misperception that IT networks and industrial control systems have the same cyber security issues and can be secured with the same countermeasures. They cannot. To successfully secure the electrical grid, utilities and their key suppliers must design solutions that effectively bridge the worlds of information and operations technology.”

Vendors are moving quickly to bulid the bridge and make SCADA premises secure. McAfee has recently announced a strategic partnership with Wind River (another Intel Subsidiary) for embedded devices, with particular focus on industrial control, energy management, automotive, national infrastructure, defense, networking and smartphones as well as emerging segments including smart grid, connected home health care, home gateways and tablets. In the same time, exactly on April, the 13th, the Security Manufacturer of Santa Clara announced a strict joint product certification initiative with Siemens-Division Industry Automation (the manufacturer of Industrial Control Systems hit by Stuxnet). In my opinion the latter press release is not important for the single product involved in the compatibility tests, but rather it states undoubtedly the fact that not only SCADA and IP technologies are converging in Smart Grids, but also security is converging and hence traditional IT focused security vendors are developing new initiatives to face these two sides of the coin. It is likely that similar initiatives will become more and more frequent in the security landscape, and the predictions contained in the Pike Research report will presumably act as a catalyzer.