About ten years or so ago, I was very much into a BBC television series called 'Bugs' which sketched the lives of a couple of skilled high-tech crime investigators. It always dealt with spectacular physical machines (think radio-guided cars & airplanes) controlled by computers, because this obviously makes the dry subject a bit more vivid.
Recent history proved them right that there is something more physical out there than OSI layer 1. In many cases, the data we as security professionals need to protect has an impact on the physical lives of others. Nowhere is this division as thin as with SCADA and DCS equipment.
SCADA systems - Supervisory Control and Data Acquisition - control physical processes centrally by collecting data from measurement devices in local or remote locations. Decision-making is generally centralized. Distributed Control Systems (DCS) generally control more localized systems in which feedback loops are extensively used between monitoring equipment and the actual physical control points.
These types of systems have always been built to solve a specific problem. In the case of SCADA, protocols needed to link often-remote power and utility stations to a central coördination point. Obviously, this would result in very different implementations based on geography - SCADA in densely populated Western Europe is something completely different from SCADA in the United States or Australia. Whereas European telcos can provide a phone link virtually everywhere, Australia may need to resort to radio links even in relatively urban areas.
Some of the many security issues with these systems include:
As SCADA/DCS security is not something that affects only the main utility providers, but also many industrial environments (ports, transport and factories), here's an overview of some great resources. Mail us if you have other ones to add to the list:
SANDIA Labs' Center for SCADA Security
Aug 7th 2007