Finding detailed, organized, and educational material that relates traditional IT and cybersecurity to the challenges of SCADA and the Grid can be a very time-consuming activity. There are multiple higher-level documents and/or very detailed documents (here, here, and here, as examples) that help to describe the expanding threat surface that IT enablement and pervasive internetworking will bring, but finding meaningful and relatively detailed information on the topic can be daunting.
For my own bootcamp/bootstrap education, I have been consuming first, "Securing SCADA Systems" by Kurtz, and then "Cybersecurity for Scada Systems" by Shaw. But these are probably more dense than is necessary for those who are looking for a more readily consumable description of challenges and recommendations. In trying to find that level of content for you, our valued readers, I stumbled upon course material from some extremely helpful folk at Idaho National Labs. Don't let the nuclear tone and front page announcement of graphite testing fool you; there is a four-hour course and an eight-hour course here, and they have a raft of good content inside.
One of the slides was especially excellent, and I present it here by way of both introduction to our newer readers, and as validation for those who have, with us, been working to highlight and hopefully increase the level of IT/cybersecurity discussions that are surrounding the Smart Grid.
Here it is:
It is hard for anyone to deny that the worlds of modern internetworked information technology and of the existing SCADA-driven grid are merging. That said, this diagram, while using information derived in 2007, shows the manifest disconnect in security practices and priorities between the two communities as they operate today. This data is directly in support of much of what we are seeing, and clearly reinforces some recent feedback we have gotten. In moderating a panel at the recent IQPC Scada and Control System Security Summit, Andy and I got a question relating to the new burdens that the Smart Grid is placing on the existing grid for things such as antivirus/anti-malware software, Intrusion Detection/Protection, and more. It became clear that these arguably baseline technologies were not yet deployed broadly within the utility community, and that the introduction of the Smart Grid was causing people to finally start to view them as important, if not required. This was not to say that they wanted it, or that they felt comfortable that they could accommodate the additional load on their systems. But the perceived connectivity of the Smart Grid is causing them to consider this, for the first time, as a priority.
Coming from an IT perspective, this was surprising. According to members of the audience, the Windows XP Service Pack 2 BIOS security change that occurred years ago had disrupted multiple SCADA systems, as have more recent instances of corruption and malware, as reported in the media. Considering that, it is almost unthinkable that basic security technologies have not been deployed, even if only in response to the unacceptable vulnerability conditions. Unthinkable or not, we need to start thinking hard about it, because clearly it is happening.
Some of the reasons for this lack of progress are well-known. The overtaxed nature of both the systems and the individuals charged with their operation, the proprietary nature of some of this infrastructure, and the cost-averse nature of many utility commissions all conspire to produce a preference for the pretense that these are isolated, and therefore inviolable, networks.
This slide points out, with vivid clarity drawn from analysis of these control systems, how far there is to go, and how different the drivers and fears of the organizations are from those who typically and aggressively pursue security at a proactive or holistic level.
We are just now beginning to recognize and recommend the need for a balanced approach to IT and cybersecurity in the new and existing grids. The work done at INL is extremely helpful in creating a bridge between the existing and incoming grid and Smart Grid communities, and I recommend that you take the time to examine it with the aim of expanding the group that can speak in, and be concerned with, the colliding challenges of internetworked computing, security, expertise, stability, and staffing.
Jack Danahy and Andy Bochman are authors of the Smart Grid Security Blog.