
SCADA: Get the Facts

April 2007

What is SCADA?

SCADA stands for Supervisory Control and Data Acquisition. SCADA systems are computer-based
monitoring tools that are used to manage and control critical infrastructure functions, such as the
transmission and distribution of electricity, pressure and proper flow of gas pipelines, water treatment
and distribution, wastewater collection, chemical processing and railway transportation systems control,
in real time. They are just one implementation of Process Control Systems (PCS), a term commonly
used in conjunction with SCADA.

SCADA systems collect, display and store information from remotely located transducers and sensors
to support the control of equipment, devices and automated functions. The term covers all of the
hardware and software elements associated with controlling and monitoring a process, including
graphical user interfaces (GUIs), databases, sensors, relays, switches, remote terminal units (RTUs),
networks and applications. The supervisory software itself sits on top of the field hardware to which it
is interfaced, typically through Programmable Logic Controllers (PLCs), RTUs or other commercial
hardware modules.

While SCADA systems are most commonly used in industrial processes such as power generation and
distribution, they are also used in experimental facilities such as nuclear fusion. A SCADA system’s
primary function is to efficiently transfer information to and from a wide range of sources and
locations, while ensuring that data integrity and appropriate updates are maintained.
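The "data integrity" the paragraph above mentions is where the security of supervisory telemetry is decided, so the following is an added example (written for this page; it is not code from the original document or from any vendor's product) of a master station verifying frames from an RTU. The frame layout, the RTU number and the pre-shared key are assumptions for illustration; the check word is the Modbus-style CRC-16, standing in for the check word legacy telemetry framing typically carries. The point it makes is that a CRC catches line noise but not a deliberate alteration by anyone who can recompute it, whereas a keyed MAC with per-RTU sequence tracking catches both alteration and replay.

```python
"""Telemetry frame integrity at a supervisory master: CRC versus keyed MAC.

Hypothetical frame layout (an assumption for this example, not any real SCADA protocol):
    rtu_id (1 byte) | seq (2 bytes) | count (1 byte) | count x int16 point values | check word
The check word is a 2-byte CRC-16 in the legacy variant and a 16-byte truncated
HMAC-SHA256 tag in the authenticated variant.
"""
import hashlib
import hmac
import struct

TAG_LEN = 16  # bytes of HMAC-SHA256 kept as the authentication tag


def crc16(data: bytes) -> int:
    """CRC-16, reflected polynomial 0xA001, initial value 0xFFFF (the Modbus variant)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def pack_body(rtu_id: int, seq: int, values: list) -> bytes:
    return struct.pack(">BHB", rtu_id, seq, len(values)) + struct.pack(">%dh" % len(values), *values)


def unpack_body(body: bytes):
    rtu_id, seq, count = struct.unpack(">BHB", body[:4])
    if len(body) != 4 + 2 * count:
        raise ValueError("count field does not match frame length")
    return rtu_id, seq, list(struct.unpack(">%dh" % count, body[4:]))


def build_crc_frame(rtu_id: int, seq: int, values: list) -> bytes:
    body = pack_body(rtu_id, seq, values)
    return body + struct.pack("<H", crc16(body))


def parse_crc_frame(frame: bytes):
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc16(body) != crc:
        raise ValueError("CRC mismatch")
    return unpack_body(body)


def build_auth_frame(key: bytes, rtu_id: int, seq: int, values: list) -> bytes:
    body = pack_body(rtu_id, seq, values)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def parse_auth_frame(key: bytes, frame: bytes):
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication tag mismatch")
    return unpack_body(body)


class Master:
    """Supervisory station: verifies each frame and rejects stale or replayed sequence numbers."""

    def __init__(self, key: bytes = None):
        self.key = key      # None selects the legacy CRC framing
        self.last_seq = {}  # rtu_id -> highest sequence number accepted so far

    def accept(self, frame: bytes):
        if self.key is None:
            rtu_id, seq, values = parse_crc_frame(frame)
        else:
            rtu_id, seq, values = parse_auth_frame(self.key, frame)
        if seq <= self.last_seq.get(rtu_id, -1):
            raise ValueError("stale or replayed frame from RTU %d" % rtu_id)
        self.last_seq[rtu_id] = seq
        return rtu_id, seq, values


def tamper(frame: bytes, new_value: int, tag_len: int = 2) -> bytes:
    """On-path attacker rewrites the first point value. With a CRC it recomputes the check;
    with a MAC it has no key and can only reuse the original tag."""
    body = bytearray(frame[:-tag_len])
    body[4:6] = struct.pack(">h", new_value)
    if tag_len == 2:
        return bytes(body) + struct.pack("<H", crc16(bytes(body)))
    return bytes(body) + frame[-tag_len:]


def _rejected(fn) -> bool:
    try:
        fn()
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Which failure modes each check catches, on constructed frames from an assumed RTU 7."""
    key = b"pre-shared-key-for-rtu-7"  # assumption: provisioned out of band
    good = build_crc_frame(7, 1, [1200, 3])
    noisy = good[:4] + bytes([good[4] ^ 0x10]) + good[5:]  # one bit flipped by line noise
    auth = build_auth_frame(key, 7, 1, [1200, 3])
    master = Master(key)
    master.accept(auth)  # first delivery is accepted
    return {
        "crc_detects_noise": _rejected(lambda: parse_crc_frame(noisy)),
        "crc_detects_tamper": _rejected(lambda: parse_crc_frame(tamper(good, 9999))),
        "mac_detects_tamper": _rejected(lambda: parse_auth_frame(key, tamper(auth, 9999, TAG_LEN))),
        "mac_rejects_replay": _rejected(lambda: master.accept(auth)),
    }


if __name__ == "__main__":
    for check, caught in demo().items():
        print("%-20s %s" % (check, "caught" if caught else "MISSED"))
```

Running demo() shows the CRC rejecting the noisy frame and accepting the attacker's rewritten one, while the authenticated master rejects both the rewritten frame and the replayed one. Two caveats for anyone adapting this: the 16-bit sequence number wraps at 65535, so a real master needs a wraparound rule rather than the plain "greater than" comparison used here, and a per-RTU key must be rotated and stored somewhere the "insider" threat described later on this page cannot simply read it from.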

How have SCADA systems evolved in recent years?

Before the 1960s, utility plants were monitored and managed by humans. For example, to turn on a
water valve, an employee had to physically come to the water plant to do so. At that time, SCADA
devices were only connected by phone lines and dedicated circuits. When computer use became
mainstream in the 1980s, SCADA systems ran on DOS, VMS and UNIX, but were traditionally
“walled-off” from the corporate networks. Today, almost all SCADA systems have moved to Windows
NT/XP or Linux operating systems and are connected to corporate TCP/IP networks. In fact, much of
the Western world’s critical infrastructures such as water, electricity and transportation systems are
completely automated and computerized, running on these electronic, software-based control systems.

Until recently, SCADA systems were often used in a reactive manner to identify system faults as they
occurred, recording system data and events for later analysis. With escalating demands on businesses
for increased efficiency, SCADA systems have been re-architected to now include data management
functionality that prevents problems, rather than recording them. Unfortunately, the security of
SCADA systems is lacking, due to the narrow focus on using the systems for increased productivity,
reliability and greater operating efficiencies.

Why is SCADA security receiving increased attention?

Because today’s SCADA systems are completely computerized and located on centralized networks,
they are a tempting target for a major physical or cyber attack. SCADA equipment often covers large
geographical areas with some equipment residing in remote locations. These remote areas are an easy
target for intruders or vandalism. Protecting these vital plants from system failures, intrusions or
terrorist attacks is critical to the viability of overall critical infrastructures. A major physical or cyber
attack on the control and data systems of electric power plants, or oil and gas refineries and pipelines
could potentially bring a country to a halt. The problem is compounded because private companies
control 85 to 90 percent of critical infrastructures, leaving governments few avenues to ensure that IT
systems are secure.

The increased adoption of technologies with known vulnerabilities, the widespread use of commercial-
off-the-shelf (COTS) systems and the increased connectivity of SCADA systems to the Internet are the
key reasons why the security of SCADA systems must be given higher priority. The disruption of
utilities and other critical infrastructures could be harmful to both the environment and the general
public.

What are the main threats to SCADA systems?

SCADA systems, like all computer networks, are vulnerable to hacking, intrusions, viruses, data loss,
data alteration and the like. There are four main threat categories to consider:

1. Malware – SCADA systems are vulnerable to various forms of malware, including worms,
viruses, Trojans and spyware.
2. Insider – This internal threat can be accidental or intentional; however, the latter is the greater
threat and is commonly referred to as the “disgruntled employee” scenario, where a
knowledgeable insider may be motivated to damage or corrupt the system.
3. Hacker – This is the outsider who is interested in probing and breaking into a SCADA system
because of the challenge it presents.
4. Cyber Terrorists – A SCADA system is a very appealing attack target for a well-funded
terrorist group that seeks to cause widespread damage to a large portion of the population. Al
Qaeda is one organization that has demonstrated increased interest, for example, in U.S.-based
SCADA systems.

Most utility companies are finding it difficult to deploy security measures such as anti-virus and
firewalls because of technical challenges with the current systems in place. Many older Distributed
Control Systems (DCS) and SCADA systems cannot accommodate current enterprise security solutions
that soak up central processing unit (CPU) capacity and clog connectivity. Patching vulnerable
software is a key challenge due to the network downtime that utility companies cannot afford and the
risk that security patches could interfere with the operation of existing applications. Most SCADA
systems operate in real-time and cannot be offline for lengthy upgrades or security installations, for fear
of degradation in performance. Additionally, there is too much widely-available public information
about utility companies’ corporate networks, which could be used for a more focused network attack.

Have there been any SCADA-specific attacks to-date?

A few of the most well-known, verified SCADA security incidents include:

• January 2003: The SQL Server worm Slammer infected a private computer network at the
Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for
nearly five hours. The worm exploited a buffer overflow in Microsoft SQL Server 2000 for which
a patch had been available since July 2002. It also affected communications on the control
networks of at least five other utilities by propagating so quickly that control system traffic was
effectively blocked.
• Spring 2000: A former employee of an Australian industrial software company used a radio
transmitter to remotely hack into the controls of a sewage treatment system at Maroochy Shire,
Queensland, and release approximately 264,000 gallons of raw sewage into nearby rivers.
• March 1997: A teenager in Worcester, Massachusetts, remotely disabled part of the public
switching network which disrupted telephone service to residents and the fire department and
caused a malfunction at the local airport.
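To make the Slammer entry above concrete: the worm was a single UDP datagram to port 1434 carrying a 376-byte payload, sent to random addresses as fast as the infected host could transmit, which is why it drowned out control traffic on low-speed links. The following is an added example, not from the original document, of the detection logic an operator could run over flow records taken at the boundary between the corporate and control networks. The log format, the sample records, the host addresses and the link speed used in the load estimate are all constructed for illustration.

```python
"""Flag Slammer-style UDP/1434 scanning in flow records and estimate its load on a control link."""
import re
from collections import defaultdict

# Public record: Slammer is a single UDP datagram to port 1434 carrying a 376-byte payload.
SLAMMER_DPORT = 1434
SLAMMER_PAYLOAD = 376
IP_UDP_HEADERS = 28  # 20-byte IPv4 header + 8-byte UDP header on the wire

# Assumed log format (constructed for this example): "<epoch> <src> <dst> <proto> <dport> <payload_bytes>"
FLOW_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dport>\d+)\s+(?P<bytes>\d+)$"
)


def make_sample_flows() -> list:
    """Constructed flow log (not real traffic). 10.1.1.5 is a master polling an RTU on TCP/502,
    10.1.1.7 does one DNS lookup, and 10.1.1.50 is an infected COTS host spraying UDP/1434."""
    t = 1043485200.0
    lines = [f"{t + 0.2 * i:.3f} 10.1.1.5 10.1.1.20 TCP 502 12" for i in range(5)]
    lines.append(f"{t + 0.05:.3f} 10.1.1.7 10.1.1.1 UDP 53 41")
    for i in range(60):  # 60 distinct targets in 0.6 s
        lines.append(f"{t + 0.01 * i:.3f} 10.1.1.50 192.0.2.{i + 1} UDP {SLAMMER_DPORT} {SLAMMER_PAYLOAD}")
    return lines


def parse_flow(line: str):
    m = FLOW_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": float(m["ts"]), "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dport": int(m["dport"]), "bytes": int(m["bytes"])}


def detect_udp1434_scanners(lines, min_targets: int = 20) -> dict:
    """Group UDP/1434 flows by source and report sources that reached at least
    min_targets distinct destinations, with their packet rate and whether every
    datagram carried exactly the Slammer payload size."""
    per_src = defaultdict(lambda: {"targets": set(), "sizes": set(), "ts": []})
    for line in lines:
        f = parse_flow(line)
        if f is None or f["proto"] != "UDP" or f["dport"] != SLAMMER_DPORT:
            continue
        s = per_src[f["src"]]
        s["targets"].add(f["dst"])
        s["sizes"].add(f["bytes"])
        s["ts"].append(f["ts"])
    report = {}
    for src, s in per_src.items():
        if len(s["targets"]) < min_targets:
            continue
        span = max(max(s["ts"]) - min(s["ts"]), 1e-3)  # avoid division by zero for a one-tick burst
        report[src] = {
            "distinct_targets": len(s["targets"]),
            "pps": len(s["ts"]) / span,
            "slammer_sized": s["sizes"] == {SLAMMER_PAYLOAD},
        }
    return report


def link_utilisation(pps: float, payload_bytes: int, link_bps: float) -> float:
    """Fraction of link capacity consumed by pps datagrams of the given payload, headers included."""
    return pps * (payload_bytes + IP_UDP_HEADERS) * 8 / link_bps


if __name__ == "__main__":
    for src, info in detect_udp1434_scanners(make_sample_flows()).items():
        print(f"{src}: {info['distinct_targets']} targets, {info['pps']:.0f} pps, "
              f"slammer_sized={info['slammer_sized']}, "
              f"56 kbps link load x{link_utilisation(info['pps'], SLAMMER_PAYLOAD, 56_000):.1f}")
```

On the constructed sample the infected host stands out on two signals at once: it touches dozens of distinct destinations within a second, and every datagram is exactly Slammer-sized. The load estimate shows why the control traffic of the other utilities was blocked: at a mere 100 packets per second, one infected host offers almost six times the capacity of a 56 kbps serial-to-IP link (assumed here as a typical low-speed control link), and a real Slammer host on a LAN sent far more than that. Filtering UDP/1434 at the control-network boundary stops the infection vector without touching the control hosts themselves, which is the compensating control when the patching difficulties described later on this page mean the hosts cannot be fixed promptly.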

Some speculated that the blackout across the Northeastern United States in August 2003 might have
been caused by a SCADA-related attack, as it left 50 million customers in parts of eight states and
Canada without power. The outage cost an estimated $7 billion to $10 billion in financial losses and
shut down parts of a two million barrel-per-day pipeline and airports in 13 cities. The joint
U.S.-Canada Power System Outage Task Force found no evidence that malicious cyber activity caused
the blackout; it traced the cascade to an alarm-processing failure in a utility’s control-room software,
the resulting loss of situational awareness, and untrimmed trees contacting transmission lines. The
episode is still instructive: a software failure in the control room alone was enough to blind operators
to a cascading outage.

What has the U.S. government done to address SCADA security in recent years?

Over the past few years, the U.S. Department of Homeland Security (DHS) has become increasingly
concerned over the lack of security of SCADA systems because many of these control systems are
owned by private companies and are increasingly being interconnected to improve efficiency. Because
SCADA and other types of control systems regulate critical, real-world activities, their lack of security
has worried experts for some time.

Government attention to critical infrastructure protection dates back to 1997, when the U.S. President’s
Commission on Critical Infrastructure Protection issued a report that raised considerable awareness for
the nation’s increased reliance on vulnerable, interconnected physical and cyber infrastructures. A year
later, the White House issued an important policy document, Presidential Decision Directive 63 (PDD-
63), which defined critical infrastructures as: “those physical and cyber-based systems essential to the
minimum operations of economy and government.” The directive had the goal of, by 2003, protecting
the nation’s critical infrastructures, defined as banking and finance, energy, telecommunications, water
systems, transportation and emergency services. It called for significantly increased security to
government systems by 2000, and laid the foundation for the protection of today’s critical infrastructure
SCADA systems by establishing several new communication structures, including the Information
Sharing and Analysis Centers (ISACs) and the National Infrastructure Protection Center (NIPC).

Two months after 9/11, the Critical Infrastructures Protection Act of 2001 was passed, declaring it
U.S. policy that any disruption of critical infrastructure be “rare, brief, geographically limited in
effect, manageable, and minimally detrimental” to the nation. When
the DHS was created a year later, a Director of Information Analysis and Infrastructure Protection
(IAIP) position was created to oversee cyber and critical infrastructure protection. The IAIP was later
renamed the Directorate for Preparedness, tasked with facilitating grants and overseeing nationwide
preparedness efforts to support first responder training, citizen awareness, public health, infrastructure
and cyber security and ensuring proper steps are taken to protect high-risk targets. Homeland Security
Presidential Directive 7 (HSPD-7) was issued in December 2003 to update policies intended to protect
the country from terrorist attacks. This directive superseded PDD-63 and requires federal departments
and agencies to develop methods and technologies to protect all critical infrastructures and key
resources of the government and economic sector.

Some of the most noteworthy progress the U.S. government has made regarding SCADA security
includes:

• The creation of the Energy Policy Act (EPACT): In August 2005, President Bush signed this
Act, which authorized the Federal Energy Regulatory Commission to certify an electric reliability
organization (ERO) to set and enforce mandatory reliability standards in the energy sector.
Almost a year later, in July 2006, FERC certified the North American Electric Reliability
Corporation (NERC) as the ERO.
• The “Cyber Storm” Exercise: In early 2006, DHS performed a “Cyber Storm” exercise which
involved both the government and industry in the simulation of a cyber attack that included
elements of a SCADA protocol attack that spread throughout the critical infrastructure. This
attack involved 115 organizations in the U.S., Canada, the U.K., Australia and New Zealand.
Public agencies and private companies also participated. One of the scenarios involved a
simulated attack on the computer systems at an electric utility, causing widespread power
outages. The results, released in September 2006, found that DHS is ill-prepared to take on a
serious cyber attack and that many agencies were unable to link multiple attacks across
disparate systems and lacked processes, tools and technologies to handle incidents. DHS will
conduct a Cyber Storm II exercise in early 2008.
• Establishment of a National SCADA Test Bed: Funded by the Department of Energy, the
national SCADA test bed, co-located at the Idaho National Laboratory and Sandia National
Laboratory, was developed to systematically analyze, test, and improve cyber security features
in the control systems that operate the nation’s electric power grid.
• Creation of the Control Systems Security Center (CSSC): The National Cyber Security
Division (NCSD) of DHS, working with the U.S. Computer Emergency Readiness Team
(US-CERT) and Idaho National Laboratory, established the CSSC as a clearinghouse for
information about control systems security and vulnerabilities; control-system advisories reach
operators through US-CERT’s National Cyber Alert System. The Center aims to reduce the risk
of cyber attacks on control systems through assessments, education and incident support. The
first control-system vulnerabilities were reported through it in 2006.
• The Linking the Oil and Gas Industry to Improve Cyber Security (LOGIIC) Project: Funded by
DHS’ Science and Technology Directorate, this program brought together 14 organizations to
identify ways to reduce cyber vulnerabilities in SCADA systems. The goal of the project was
to identify new types of security sensors for process control networks. For the past 12 months,
Sandia National Laboratories based in Albuquerque, New Mexico, has served as the lead
national laboratory in project LOGIIC.

What has the European Union done to-date regarding SCADA security?

In June 2004, the European heads of state and government asked the Commission to prepare an overall
strategy to enhance the protection of critical infrastructures. In response, the Commission transmitted a
Communication entitled “Critical Infrastructure Protection in the Fight against Terrorism,” putting
forward a number of suggestions to enhance European prevention, preparedness and response to
terrorist attacks involving critical infrastructures.

The Commission's intention to propose a European Programme for Critical Infrastructure Protection
(EPCIP) and a Critical Infrastructure Warning Information Network (CIWIN) was accepted by the
European heads of state and government in December 2004. Throughout 2005, intensive work was
done on the elaboration of EPCIP. Two European seminars on critical infrastructure protection and a
number of informal meetings were held, bringing together experts from all EU Member States. This
work culminated in the Commission’s adoption of the Green Paper on a European Programme for
Critical Infrastructure Protection (COM (2005) 576 final) on November 17, 2005.

The Green Paper provided options on how the Commission could respond to the request by the Member
States to establish EPCIP and CIWIN and constituted the second phase of a consultation process
concerning the establishment of EPCIP. Furthermore, it provided an indicative list of critical
infrastructure sectors and services which includes SCADA. In addition, the Green Paper foresaw a
number of funding sources for activities related to the protection of critical infrastructures in Europe.

As a result, the European Commission launched the Pilot Project on the Fight against Terrorism which
invited interested parties to submit proposals covering one or more of the following themes:

1. Enhancement of protection measures for critical infrastructure;
2. Vulnerabilities and resilience of critical infrastructure, including developing
methodologies;
3. Risk mitigation strategies and threat assessments for critical infrastructure;
4. Development of contingency plans;
5. Development of common security standards and innovative technologies for protection of
critical infrastructure; and
6. Trans-national projects, which must involve partners in at least two Member States, or at
least one Member State and an applicant country.

In December 2006, the European Commission put forward its proposals for the creation of a European
Action Programme for Critical Infrastructure Protection. The proposals consist of:

• A Directive of the Council on the identification and designation of European Critical
Infrastructure and the assessment of the need to improve their protection. The proposed
Directive establishes a procedure for the identification and designation of European Critical
Infrastructures (ECI), and a common approach to the assessment of the needs to improve the
protection of such infrastructure.
• Non-binding measures designed to facilitate the implementation of EPCIP including an EPCIP
Action Plan, the CIWIN, and the use of CIP expert groups at EU level, CIP information sharing
processes and the identification and analysis of interdependencies.
• Support for Member States concerning National Critical Infrastructures (NCI) which could
optionally be used by the Member States.
• Accompanying financial measures and, in particular, the proposed EU programme on
"Prevention, Preparedness and Consequence Management of Terrorism and other Security
Related Risks" for the period 2007-2013, which will provide funding opportunities for CIP-
related measures having a potential for EU transferability.

These proposals will now be reviewed by the EU Member States for their approval.

Aside from these initiatives, the European Commission has funded CIP research activities through its
Preparatory Action on Security Research and will continue funding these through the new 7th Research
Framework Programme (2007-2013), which includes a joint initiative between ICT & Security Themes
on Critical Infrastructure Protection. The focus of the ICT part will be on building secure, resilient,
responsive and always available information infrastructures linking critical infrastructures to build
secure and resilient SCADA systems.

Are there any standards for securing SCADA systems?

The U.S. Federal Energy Regulatory Commission selected NERC to set and enforce mandatory
Critical Infrastructure Protection (CIP) security standards for the bulk electric system. The NERC CIP
standards (CIP-002 through CIP-009) cover areas such as identifying critical cyber assets, reporting
sabotage, ensuring physical security, monitoring and running antivirus controls, and applying security
patches on all critical assets, including control centers, substations and SCADA systems. The power
industry is considered further along in SCADA security than other critical industries.

What is CSIA’s position on SCADA security?

Although some progress has been made recently, CSIA believes that critical infrastructure protection
and SCADA security are important issues that have not been given enough attention globally by
governments or the private sector. In the U.S., the appointment of Greg Garcia to oversee
implementation of the National Strategy to Secure Cyberspace is an important first step to addressing
SCADA security. Preparedness exercises, such as Cyber Storm I and II, are also useful; however,
NCSD and DHS must use the lessons learned and rapidly turn them into solutions. Establishing
programs that mitigate attacks and forming a clearer plan for an early warning program are essential for
better security across agencies. CSIA urges President Bush to form a task force of key government
agencies, appropriate regulators, experts in the cyber security field and representatives from across all
utilities and suppliers, to meet and recommend concrete actions to improve the security of control
systems supporting critical infrastructure.

In addition, CSIA has three key recommendations for DHS concerning cyber security preparedness and
response:
• Situational Awareness – The private sector and the government must share information in order
to gain cyber and telecom situational awareness. DHS must develop a more robust capability to
monitor the overall health of critical functions supporting information systems and the Internet
that combines data from sources under government control, including the intelligence
community and law enforcement. Organizing this information into a “dashboard” will give the
Department much greater insight into the functioning of the information infrastructure. DHS
should seek to bring a dedicated system online within two years, as it will be central to
coordinating response and recovery after a cyber disaster.
• Establish an Emergency Communications System – DHS must ensure the United States has
back-up systems and plans in place to ensure that we can contain or lessen the impact of a cyber
attack or disruption, as well as recover and reconstitute in a converged environment involving
both circuit switched and IP-based networks. DHS should establish an aggressive set of goals
and supporting programs that will ensure we have a resilient emergency communications
system in place by 2010.
• Recovery and Reconstitution – DHS should describe how it will work with the private sector to
respond to and recover from a massive information infrastructure attack or disruption. This
requires a clear “chain of command” in case of such an incident. This is especially important
since the private sector owns and operates most of the nation’s critical information
infrastructure.

Additional Resources:

U.S. Department of Energy – Control Systems Security
http://www.oe.energy.gov/randd/css.htm

The Center for SCADA Security – Sandia National Labs
http://www.sandia.gov/scada/home.htm

Idaho National Laboratory – National SCADA Test Bed Program
http://www.inl.gov/scada/

Pacific Northwest National Laboratory (PNNL)
http://homeland-security.pnl.gov/cip.stm

National Institute of Standards and Technology (NIST) – Guide to SCADA and Industrial Control
Systems Security
http://csrc.nist.gov/publications/drafts/800-82/Draft-SP800-82.pdf

Federal Energy Regulatory Commission (FERC)
http://ferc.gov/default.asp

The Process Control Systems Forum
https://www.pcsforum.org/

The Institute for Information Infrastructure Protection (The I3P)
http://www.thei3p.org/

British Columbia Institute of Technology (BCIT)
http://www.bcit.ca/appliedresearch/security/

About the Cyber Security Industry Alliance

The Cyber Security Industry Alliance is the only advocacy group dedicated exclusively
to ensuring the privacy, reliability and integrity of information systems through public
policy, technology, education and awareness. Led by CEOs from the world’s top
security providers, CSIA believes a comprehensive approach to information system
security is vital to the stability of the global economy. Visit our web site at
www.csialliance.org.

Members of the CSIA include Application Security, Inc.; CA, Inc. (NYSE: CA); Bharosa
Inc.; BSI Management Systems; Crossroads Systems, Inc. (OTCBB Pink Sheets:
CRDS.PK); Entrust, Inc. (NASDAQ: ENTU); F-Secure Corporation (HEX: FSC1V);
IBM Internet Security Systems Inc. (NYSE: IBM); iPass Inc. (NASDAQ: IPAS); MXI
Security; PGP Corporation; Qualys, Inc.; RSA, The Security Division of EMC (NYSE:
EMC); Secure Computing Corporation (NASDAQ: SCUR); Surety, Inc.; SurfControl
Plc (LSE: SRF); Symantec Corporation (NASDAQ: SYMC); TechGuard Security, LLC;
and Vontu, Inc.

Cyber Security Industry Alliance


2020 North 14th Street, Suite 750 • Arlington, VA 22201 • (703) 894-CSIA • www.csialliance.org

© Copyright 2007 Cyber Security Industry Alliance. All rights reserved.


CSIA is a trademark of the Cyber Security Industry Alliance. All other company, brand and
product names may be marks of their respective owners.
