Environmental Engineering Reference
In-Depth Information
A survey among water utilities found that they were doing little to secure
their SCADA network vulnerabilities (Ezell, 1998); for example, many
respondents reported that they had remote access, which can allow an unau-
thorized person to access the system without being physically present. More
than 60% of the respondents believed that their systems were not safe from
unauthorized access and use, and 20% of the respondents reported known
attempts and successful unauthorized access to their systems. Yet, 22 of 43
respondents reported that they did not spend any time ensuring the safety
of their networks, and 18 of 43 respondents reported that they spent less than
10% of their time ensuring network safety.
SCADA system computers and their connections are susceptible to a vari-
ety of information system attacks and misuse, such as system penetration
and unauthorized access to information. The Computer Security Institute
and the Federal Bureau of Investigation conduct annual Computer Crime
and Security surveys (FBI, 2004). A recent survey addressed ten types of
attacks or misuse and reported that viruses and denial of service had the
greatest negative economic impact. The same study also found that 15% of
the respondents reported abuse of wireless networks, which can be com-
ponents of a SCADA system. On average, respondents from all sectors did
not believe that their organization invested enough in security awareness.
Utilities as a group reported a lower average computer security expendi-
ture/investment per employee than many other sectors such as transporta-
tion, telecommunications, and financial.
Sandia National Laboratories'
Common Vulnerabilities in Critical Infrastructure
Control Systems
described some of the common problems it has identified in
the following five categories (Stamp et al., 2003):
1.
System data
—Important data attributes for security include avail-
ability, authenticity, integrity, and confidentiality. Data should
be categorized according to their sensitivity, and ownership and
responsibility must be assigned; however, SCADA data are often not
classified at all, making it difficult to identify where security precau-
tions are appropriate.
2.
Security administration
—Vulnerabilities emerge because many sys-
tems lack a properly structured security policy, equipment and sys-
tem implementation guides, configuration management, training,
and enforcement and compliance auditing.
3.
Architecture
—Many common practices negatively affect SCADA
security; for example, although it is convenient to use SCADA capa-
bilities for other purposes such as fire and security systems, these
practices create single points of failure. Also, the connection of
SCADA networks to other automation systems and business net-
works introduces multiple entry points for potential adversaries.
