SCADA SYSTEM CYBER SECURITY – A COMPARISON OF STANDARDS TECHNICAL PAPER

SCADA SYSTEM CYBER SECURITY – A COMPARISON OF STANDARDS TECHNICAL PAPER
Authored by: Teodor Sommestad, Göran N. Ericsson, Senior Member, IEEE, Jakob Nordlander

ABSTRACT - Cyber security of Supervisory Control And Data Acquisition (SCADA) systems has become very important. SCADA systems are vital for operation and control of critical infrastructures, such as the electrical power system. Therefore, a number of standards and guidelines have been developed to support electric power utilities in their cyber security efforts. This paper compares different SCADA cyber security standards and guidelines with respect to threats and countermeasures they describe. Also, a comparison with the international standard ISO/IEC 17799 (now ISO/IEC 27002) is made. The method used is based on a comparison of use of certain key issues in the standards, after being grouped into different categories. The occurrences of the key issues are counted and comparisons are made. It is concluded that SCADA specific standards are more focused on technical countermeasures, such as firewalls and intrusion detection, whereas ISO/IEC 17799 is more focused on organizational countermeasures.

INTRODUCTION - SCADA (Supervisory Control And Data Acquisition) systems have been in use more than 30 years, and have become more advanced and complex as computer technology has advanced. They are today vital for operating critical infrastructures, such as electric power systems. The development of SCADA system started before the wide-spread use of Internet, in a period of time when the need for IT-security mostly consisted of protecting the physical access to the computers of the system. During the last ten years, the number of connections to SCADA systems and the use of internet-based techniques have increased rapidly. SCADA systems have also moved from using proprietary protocols and software to using the same standards and solutions as administrative IT systems. This trend is also likely to continue as Electric Power Utilities (EPUs) move towards the vision of a smart grid. As a consequence, SCADA systems are now being exposed to threats and vulnerabilities they have never been exposed to before, and to a much greater extent than earlier. In addition, conventional security solutions are not always applicable to SCADA systems, since performance and availability requirements differ for administrative IT systems and SCADA systems.

CONCLUSIONS - This paper has presented a quantitative evaluation of SCADA standards and the comparison to ISO/IEC 17799. It can be concluded that with this ranking method, more than every fourth countermeasure mentioned in the SCADA standards concern cryptography or authentication. Furthermore, the threats most frequently mentioned are those relating to malicious code or denial of service attacks, which together make up 50 percent of the total occurrences of keywords associated with threats. There is also a strong focus on countermeasures in the SCADA standards, hence less focus on threats. Moreover, it was found that compared to SCADA standards ISO/IEC 17799 focus more on management and organizational issues, and less on technical issues. These results suggest that electric power utilities solely using standards similar to ISO/IEC 17799 for security management should complement its efforts by adapting this to SCADA specific security requirements. In particular should firewalls, system administration tools, antivirus, and intrusion detection be considered.

TO VIEW THE COMPLETE DOCUMENT!