SCADA Security and the "Most Monumental Non-Nuclear Explosion and Fire"

4/14/2004

I wish I could give you a SCADA tutorial in a single brief column, but I can't. What I can do is give you some starting points. Everyone, each and every one reading this, should review "21 Steps to Improve Cyber Security of SCADA Networks," an excellent and very approachable booklet written by the Department of Energy (http://www.ea.doe.gov/pdfs/21stepsbooklet.pdf).

Assuming you want to go beyond that (and you should), the first thing you should know is that while many legacy SCADA systems were built around closed proprietary protocols, the modern trend is to use MODBUS (see http://www.modbus.org/) or FIELDBUS (http://www.fieldbus.org/), both comparatively simple open protocols, increasingly deployed over TCP/IP Ethernet-based networks. To understand SCADA security, begin by understanding MODBUS and FIELDBUS.

As you do, you'll see that these are very simple protocols. Because security hasn't historically been a high priority, and because there's a very real fear that security measures may inadvertently result in a loss of positive control during a critical incident, what you'll see will remind you of where typical campus network security was five or ten years ago. (For example, end-to-end encryption is still exceedingly rare in the MODBUS and FIELDBUS world, and MODBUS-aware firewalls, except for the open source MODBUS firewall at http://modbusfw.sourceforge.net/, are still equally scarce.)

Or consider a couple of items from GAO-04-354 (p. 18):

"…existing security technologies, as well as strong user authentication and patch management practices, are generally not implemented in control systems because control systems usually have limited processing capabilities, operate in real time, and are typically not designed with cybersecurity in mind…"

and

"…complex passwords and other strong password practices are not always used to prevent unauthorized access to control systems, in part because this could hinder a rapid response to safety procedures during an emergency. As a result, according to experts, weak passwords that are easy to guess, shared, and infrequently changed are reportedly common in control systems, including the use of default passwords or even no passwords at all…"

Not very reassuring, is it? We cannot let our critical infrastructure be deployed this way. If you wouldn't let the PCs your campus uses for word processing get deployed with that sort of security, we cannot as a nation run our critical SCADA cyberinfrastructure that way either. We need to harden our SCADA systems now, unless we want to face an "abyss" that would make Hells Canyon look like a crack in the sidewalk.

Joe St Sauver, Ph.D. (joe@oregon.uoregon.edu) is the director of user services and network applications at the University of Oregon Computing Center.
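The column's remark that MODBUS is a very simple protocol with no security of its own is visible in the framing itself. The following is an added example, not part of the original column: it parses a Modbus/TCP request and applies a function-code allowlist of the kind a MODBUS-aware filter could enforce. The policy, the addresses and the sample frames are constructed for illustration.

```python
import struct

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id
READ_CODES = {0x01, 0x02, 0x03, 0x04}   # coils, discrete inputs, holding/input registers
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}  # write single/multiple coils and registers

def parse_request(frame: bytes) -> dict:
    """Parse one Modbus/TCP request; raise ValueError on malformed framing."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    # The length field counts the unit id plus the PDU; an ADU is at most 260 bytes.
    if length != len(frame) - 6 or len(frame) > 260:
        raise ValueError("MBAP length does not match frame size")
    # Note what is absent: no user, credential or message authentication field.
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def decide(src_ip: str, frame: bytes, write_sources: set) -> str:
    """Hypothetical policy: any host may read, only listed hosts may write."""
    try:
        req = parse_request(frame)
    except ValueError as exc:
        return f"drop: {exc}"
    if req["function"] in READ_CODES:
        return "allow"
    if req["function"] in WRITE_CODES:
        # The frame cannot prove who sent it, so the source address is all we have.
        if src_ip in write_sources:
            return "allow"
        return "drop: write from unlisted source"
    return f"drop: function 0x{req['function']:02x} not allowlisted"

# Constructed sample data (documentation address range, made-up register values).
HMI = "192.0.2.10"
READ_FRAME = bytes.fromhex("00010000000601030000000a")   # read 10 holding registers
WRITE_FRAME = bytes.fromhex("0002000000060106000100ff")  # write 0x00ff to register 1
DIAG_FRAME = bytes.fromhex("000300000006010800000000")   # function 0x08, diagnostics

if __name__ == "__main__":
    for src, frame in [("192.0.2.50", READ_FRAME), ("192.0.2.50", WRITE_FRAME),
                       (HMI, WRITE_FRAME), (HMI, DIAG_FRAME), (HMI, READ_FRAME[:-1])]:
        print(src, frame.hex(), "->", decide(src, frame, {HMI}))
```

Because the request carries no identity, the write rule can only key on the network source address, which is why segmentation and filtering carry so much weight on these networks.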


----------------------------

This sounds like one more call for IT managers to make sure they're in regular communication with the folks who maintain that other infrastructure, you know, the physical infrastructure. There are a lot of places where the information infrastructure and the physical infrastructure meet, and it sounds like SCADA-type issues might arise there. Thanks, Joe.


About the author: Terry Calhoun is Director of Communications and Publications for the Society for College and University Planning (SCUP).

Cite this Site

Terry Calhoun, "SCADA Security and the 'Most Monumental Non-Nuclear Explosion and Fire'," Campus Technology, 4/14/2004, http://www.campustechnology.com/article.aspx?aid=39760



