ICS-SCADA Security Concerns Spur Increased Funding

Monday, December 12, 2011

Headlines

69dafe8b58066478aea48f3d0f384820

Spending to bolster security for industrial control systems (ICS) and supervisory control and data acquisition (SCADA) networks will total as much as $14.0 billion between 2011 and 2018.

ICS-SCADA systems provide operations control for critical infrastructure and production networks including manufacturing facilities, refineries, hydroelectric and nuclear power plants.

One of the main challenges in protecting these networks is the fact that these systems were not necessarily designed with cybersecurity in mind. Rather, the security solutions have been layered on in a piecemeal fashion after the networks were operational, leaving ample room for attackers to compromise their functionality.

“Many SCADA systems were deployed without security in the belief that SCADA would always be isolated from the Internet. But it’s not, and even when it is, attacks such as Stuxnet can circumvent the isolation by using USB memory sticks to spread," said analyst Bob Lockhart.

The Stuxnet virus is a highly sophisticated designer-virus that is thought to have caused severe damage to Iranian uranium enrichment facilities, setting back the nation's nuclear weapons program by as much as several years.

While the task of securing a network is inherently similar regardless of the systems' functionality, securing those that govern critical infrastructure can be considered to have a unique set of fundamental goals in comparison to other IT security endeavors.

"SCADA security has different objectives than IT security. The familiar ‘confidentiality, integrity, and availability’ is replaced with ‘safety, reliability, and integrity.’  This is nearly impossible to accomplish with the infrastructure-only approach taken by most information security products," said Lockhart.

Market analysis and consulting provider Pike Research recently released a report examining the current state of utility cyber security, and the prognosis is far from comforting.

The report, titled Utility Cyber Security - Seven Key Smart Grid Security Trends to Watch in 2012 and Beyond, concludes that although a great deal of attention has shifted to protecting systems that govern infrastructure over the past eighteen months, utilities have a long way to go in protecting critical networks.

Of particular concern in the Pike report is the ability to protect the nation's electric grid as it is converted to "smart" networks with greater reliance on modern two-way information systems.

The American Recovery and Reinvestment Act of 2009 incentivized many vendors and public utilities to implement new infrastructure projects at a rapid pace in an effort to capitalize on the influx of funding provided in the economic stimulus package.

The end result was the mass deployment of technologies with little in the way of adequate security for the networks.

"The utility industry now has a large installed base of smart grid components, but little idea how to secure them. No clear or shared vision exists of what to build," the Pike report indicates.

Pike's report assesses the threats and vulnerabilities that confront smart grid technologies, to arrive an analysis of the most significant cyber security investments and market opportunities.

The report includes a detailed examination of key market drivers and barriers, along with profiles of key industry players and global forecasts, segmented by region and application area, for smart grid cyber security revenue through 2018. An Executive Summary of the report is available for free download on the firm’s website.

Possibly Related Articles:
17796
Network->General
SCADA Budgets Vulnerabilities Utilities Stuxnet Smart Grid Headlines Network Security Infrastructure ICS Industrial Control Systems
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.