SCADA security directions

SCADA security will continue to face developments such as a merging of SCADA and ICS security standards and certifications, and a potential security threat to networks in Europe and the United States.

02/20/2013


ISSSource Note: This is an excerpt from a longer blog post.

January is a month I dread. It’s not the cold, the rain and the gray skies here on the west coast of Canada (although that is bad enough). And it is not the post-Christmas avalanche of credit card bills (also bad). The nightmare for me is the annual “SCADA Security Predictions for the Next Year” article I write every January.

You see, every January I make between three and five predictions for the upcoming year. Then the following December people remind me that I made those predictions 12 months ago. They then get to tell me how poorly I did. In between January and December I get to worry.

Take my predictions for 2012. I thought I had done well, getting two out of three predictions right with one still undecided. Then Sean McBride informed me that I had counted wrong. I had said there were 569 new SCADA/ICS vulnerabilities in 2012. Unfortunately (for me), this is the cumulative total since 2001. Only 248 new vulnerabilities were announced in 2012. Since I predicted there would be 500 new vulnerabilities in 2012, I was way off base and only scored 0.333 for my 2012 predictions. Not so good.

Part of the problem is that the industrial automation world moves glacially slowly compared to sectors like home computing or communications, making predictions of any significant change a challenge. As Dale Peterson of Digital Bond has pointed out, too little has changed in the past decade when it comes to SCADA security. He is right, but it is not just security that moves slowly in this industry. Things that take years in other sectors take decades for industrial systems.

Take industrial wireless – back at the turn of the century, it was promoted as the technology that would soon dominate the plant floor. Over ten years later, Frost & Sullivan Research Analyst Anna Mazurek writes, “The market needs another 4-5 years of pilot applications and technology trials to address all pending concerns…” Industrial wireless will come, but the time scale is much longer than a year or two.

Of course, I could take the easy way out and predict what will not happen in 2013. For example, the confusion over which NERC-CIP version companies should be complying with will not get sorted out in 2013. A cyber security bill will not get passed by the US senate in 2013. And most PLC and SCADA vendors will continue to ship insecure controllers using insecure protocols in 2013.

But that is cheating, so once again I stick my neck out and make a few real predictions of events and trends in the SCADA and ICS world.

Prediction 1 – Tablets

Back in December, I blogged about a survey that asked engineers to identify their unfulfilled industrial networking desires. The number one item turned out to be “Connecting to the factory with a smart phone”. This is the year that the mainstream control system vendors will start promoting iOS apps and iPhones/iPads will start to be used for industrial applications.

As with all industrial technologies, we won’t see a full invasion of iDevices on the plant floor in 2013, but the wall will be breached. Maintenance and support will be the first applications. When your maintenance team is trying to repair that failed transmitter or troubleshoot that drive at 2 a.m., it is very nice to be able to check the inventory system for spare parts or review the online manuals for troubleshooting advice. Being able to do that right where the problem is (rather than having to go back to the office) will be a powerful driver for allowing tablet devices on the plant floor.

This won’t be pretty from a security point of view, but we will have to get used to it. Maybe it will drive the industry to deploy holistic security strategies rather than the security band-aids so often seen now.

Prediction 2 – International Security Standards

One of the issues for companies wanting to start securing their ICS is the existence of so many competing SCADA and ICS security standards. Last year the security committees at ISA and IEC joined forces and the result was the ratification of IEC/ISA 62443-2-1 – Industrial automation and control systems security management system.

This year there will be more coalescing of different industry and national documents into coherent international standards. At the same time, the usability and consistency of the standards will improve – a number of new or substantially improved documents will be released – for example, a completely rewritten 62443-02-01 may be available before December.

Prediction 3 – Independent SCADA/ICS Security Professional Certifications

Today anyone who can use SCADA and security in the same sentence can call themselves a SCADA security expert. This year will see the release of certifications for SCADA/ICS Security Professionals. The best will be independent of both ICS/security vendors and the various training companies and will just focus on testing subject matter expertise.

Prediction 4 – Industrial Safety Makes Security a Priority

A few years ago, I predicted that companies would start to combine industrial safety and industrial security analysis. It happened, but much more slowly than I expected. So I am dragging my old prophecy out again, but with a twist. This year, consultancies like TUV will make a major push into the SCADA/process security markets (of course, safety companies like exida have been doing that for a few years now). At the same time, the IEC safety standards will start to be reevaluated in terms of security. Hopefully efforts like the LOGIIC analysis of Safety Instrumented Systems will start to make headlines too and not stay hidden under a bushel.

Prediction 5 – A Big Security Event Close to Home

Last year I predicted that there would not be another major security event like Stuxnet – was I ever wrong. Flame and Shamoon, plus others like Gauss, hammered the energy industry in the Middle East. So this year, I will go the other direction and say there will be at least one major event impacting industry and it will be in either Europe or North America.

I hope I am wrong about this one.

Eric Byres is vice president and chief technology officer at Tofino Security. The full version of this post appears on the Practical SCADA Security blog.
