Toward a whitepaper on SCADA security for directors and senior executives

A high-level scan of the literature (Table 1) and brief conversations with cyber security specialists suggest that professionals have a good understanding of the layers of risk in SCADA systems (Figure 1). This understanding, however, may not extend to Directors and Senior Executives, who are the ultimate owners of these risks and their implications.

Figure 1: Some high-level cyber security issues raised by the move from private serial networks to IP-based networks

Relevant gaps for ‘something different’ in a whitepaper

A scan of some of the available literature shows two gaps that may be of interest:

  1. A subtle gap appears to be the area of convergence between cyber, operational and physical risks, driven by the move from private serial networks to IP networks. This move is a double-edged sword: it increases productivity alongside vulnerabilities.
  2. The second gap is a holistic expression of the cyber security threat to SCADA, and its implications, in a language Boards and C-level executives understand. Efforts at filling this gap would support key IT influencers and decision makers in their internal recommendations process to this stakeholder group.

This information would be drawn from the existing literature. A non-exhaustive list of SCADA security-related areas and references is tabulated below. This reference list would be fleshed out in the whitepaper development process, including source article identification, referencing and triangulation.

| SCADA security-related areas | Some reference URLs |
| --- | --- |
| Scenarios and Cases | http://www.securityfocus.com/news/6767; http://www.reuters.com/article/2013/02/26/us-cyberwar-stuxnet-idUSBRE91P0PP20130226; http://www.smh.com.au/news/businessinnovations/slaying-the-hackers/2008/04/14/1208025354324.html |
| Threat and vulnerability statistics | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-scada-that-didnt-cry-wolf.pdf; http://www.darkreading.com/vulnerability/scada-security-in-a-post-stuxnet-world/240049917; http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/ips_industrial_control_protection.pdf; https://www.owasp.org/index.php/OWASP_Scada_Security_Project; http://www.brisbanetimes.com.au/it-pro/government-it/malicious-virus-shuttered-power-plant-us-government-20130116-2cuox.html |
| Cyber-Physical-Operational considerations | http://www.pipelineandgasjournal.com/scada-security-compliance-and-liability-%E2%80%93-survival-guide?page=show |
| Risk assessment | http://www.tisn.gov.au/Documents/SCADA-Generic-Risk-Management-Framework.pdf; http://www.tisn.gov.au/Documents/SCADA-Advice-for-CEOs.pdf |
| Patching and testing | http://www.darkreading.com/vulnerability/the-scada-patch-problem/240146355 |
| Good practice guides | http://www.cpni.gov.uk/advice/cyber/scada/; http://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/scada-industrial-control-systems/window-of-exposure-a-real-problem-for-scada-systems |
| Standards, documentation, regulatory and compliance, training | http://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/scada-industrial-control-systems/can-we-learn-from-scada-security-incidents; http://www.scmagazine.com/threat-of-the-month-scada-sport-fishing/article/298547/ |
| Differences between SCADA and traditional IT security; and compensating controls, including vendor and contract management | http://www.net-security.org/secworld.php?id=16065; http://www.cso.com.au/article/424992/auscert_2012_security_standards_air_gaps_needed_protect_scada_systems/ |
| Future tech implications and ‘Internet of Things’ | http://www.sans.org/event/internet-of-things-summit |

Table 1: Light touch examples of existing news articles and grey literature.
