A well-functioning society relies heavily on well-functioning infrastructure-based services. A most fundamental infrastructure is the delivery system for electric power. An illustrative example of the importance of electric power delivery is the 2003 North-East American blackout [Andersson et al., 2005]. Altogether it has been estimated that 50 million people were affected by the blackout. The loss of electricity in homes and offices was, however, not the only consequence of the blackout; many other infrastructures were also brought down. Several million people lost water since pumps did not have backup power. This led to several occasions of contamination, both of the water supply and of the surrounding environment (several million people were, for instance, under boil-water advisory); several railroad services experienced delays or shut down; much airborne transportation was cancelled since airports had to shut down when security could not be ensured and e-ticket information could not be accessed; many gas stations were not able to provide fuel to customers, which led to undelivered transports and stranded vehicles. Communication services were also disrupted: several cellular sites did not have enough backup power. Wired telephone lines did work but were heavily burdened by an increasing volume of traffic. The 911 emergency services were out of order for several short periods of time.
The operation of critical infrastructures such as the electric power network is today highly dependent on computerized and networked information and control systems. Owing to this, the efficiency and capacity of the electric power network is today substantially higher than 30-40 years ago. Rapid technological development has enabled new intelligent functionality for operating the infrastructure. These industrial control systems, often also referred to as Supervisory Control And Data Acquisition (SCADA) systems¹, can be considered the central nervous system of the infrastructure. SCADA systems both control the physical power process autonomously and provide human operators with vital system information for conscious management, such as identifying emerging problems and taking preventive actions. Perhaps the most important aspect of control systems is that they need to operate in real time: processing cannot wait! In order to manage the power network, immense amounts of information about the controlled processes are needed. In numbers, often hundreds of thousands of measuring points need to be continuously monitored, the collected information must sometimes be acted upon within milliseconds, and the control commands must take effect simultaneously at different points of an infrastructure that is physically distributed over vast areas. In addition to the strict timing requirements, the correctness of the information used for control and for operator decision support must also be ascertained, so that it actually mirrors the true state of the power network. Especially in times of disturbances the real-time capacity of the SCADA system is put to the test. Under such circumstances many tens of thousands of events occur more or less simultaneously, and in these situations the information from the SCADA system is needed the most.
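The paragraph above states two requirements on SCADA data without showing how they are checked: a reading must arrive within its deadline, and its value must plausibly mirror the physical process. The following is an added example, not code from the original text or from any product it cites, of a small validator that applies exactly those two checks (staleness against a per-point deadline; range and rate-of-change plausibility) to a stream of measurements. All tag names, limits and the sample stream are constructed for illustration.

```python
"""Freshness and plausibility checks for SCADA telemetry (added example).

Every tag name, limit and sample below is constructed for illustration and
does not describe any real installation.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Limits:
    low: float         # plausible physical minimum for the point (assumed)
    high: float        # plausible physical maximum for the point (assumed)
    max_step: float    # largest plausible change between consecutive samples
    deadline_ms: int   # reading older than this (relative to now) is stale


# Assumed plausibility limits for two example points.
LIMITS: Dict[str, Limits] = {
    "bus1.voltage_kv": Limits(low=380.0, high=420.0, max_step=5.0, deadline_ms=2000),
    "line7.current_a": Limits(low=0.0, high=1500.0, max_step=300.0, deadline_ms=1000),
}


@dataclass(frozen=True)
class Sample:
    tag: str
    value: float
    ts_ms: int  # time the measurement was taken, in milliseconds


def check_sample(sample: Sample, previous: Optional[Sample], now_ms: int,
                 limits: Dict[str, Limits] = LIMITS) -> List[str]:
    """Return the list of findings for one sample; an empty list means accepted."""
    lim = limits.get(sample.tag)
    if lim is None:
        # A point the control system has no model for cannot be trusted.
        return ["unknown_tag"]
    findings: List[str] = []
    if now_ms - sample.ts_ms > lim.deadline_ms:
        findings.append("stale")                # timing requirement violated
    if not (lim.low <= sample.value <= lim.high):
        findings.append("out_of_range")         # cannot mirror the real process
    if previous is not None and abs(sample.value - previous.value) > lim.max_step:
        findings.append("implausible_step")     # too fast a change to be physical
    return findings


def validate_stream(samples: List[Sample], now_ms: int,
                    limits: Dict[str, Limits] = LIMITS) -> Dict[Tuple[str, int], List[str]]:
    """Validate a batch of samples; return {(tag, ts_ms): findings} for rejected ones."""
    last_accepted: Dict[str, Sample] = {}
    report: Dict[Tuple[str, int], List[str]] = {}
    for s in samples:
        findings = check_sample(s, last_accepted.get(s.tag), now_ms, limits)
        if findings:
            report[(s.tag, s.ts_ms)] = findings
        else:
            # Only an accepted reading becomes the baseline for the step check,
            # so a single bad sample cannot make the next bad sample look normal.
            last_accepted[s.tag] = s
    return report


# Constructed sample stream; "now" is 12 000 ms.
NOW_MS = 12_000
SAMPLE_STREAM = [
    Sample("bus1.voltage_kv", 400.0, 10_000),   # accepted (exactly at the deadline)
    Sample("bus1.voltage_kv", 401.5, 11_000),   # accepted
    Sample("bus1.voltage_kv", 430.0, 12_000),   # above range and a 28.5 kV jump
    Sample("line7.current_a", 800.0, 5_000),    # taken 7 s ago: stale
    Sample("line7.current_a", 820.0, 11_500),   # accepted; stale sample is not its baseline
    Sample("relay3.status", 1.0, 12_000),       # no limits configured for this tag
]

if __name__ == "__main__":
    for key, findings in validate_stream(SAMPLE_STREAM, NOW_MS).items():
        print(key, findings)
```

The design choice worth noting is that the rate-of-change baseline only advances on accepted readings; if a rejected value were allowed to become the baseline, a second corrupted reading close to the first would pass the step check. In a real system the limits would come from the process model rather than a constant table, and a rejected reading would be flagged to the operator rather than silently dropped.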
SCADA systems consist of three major parts: substation secondary equipment, telecommunication, and the central control equipment. The substation secondary equipment collects data from measurement units, transducers and Intelligent Electronic Devices (IEDs) and sends control commands to these units. The telecommunication system handles the communication between the substations and the central control system. The central control system stores the data from the process, presents it to the operators, makes advanced calculations on a process model and archives data for subsequent analysis of process behaviour.

¹ SCADA systems are known under many names such as process control systems and digital control systems. In this document, control systems will be used synonymously with SCADA systems and will denote a fairly broad area of computerized monitoring and control services.
SCADA systems are continuously becoming more advanced and complex. Simply put, more effective infrastructure operation requires more accurate process models, which in turn require more advanced functionality and more elaborate data collection and processing in the control systems. The result is increased internal technical complexity of the control systems. In addition to the external infrastructure operational requirements, the technical evolution of the systems is also driven by the technical evolution in IT in general; new services and solutions are constantly developed and existing ones are enhanced. This further increases the complexity of the overall systems. However, the increasing internal complexity of the systems is not the most challenging trend today. Instead, the greatest challenge is that SCADA systems are no longer isolated but are extensively networked with other information systems of the company; for example, SCADA systems commonly connect to asset management, maintenance, and customer-relationship management systems. Today it is accurate to speak of control systems as integrated parts of large enterprise-wide information systems.
Due to the increasingly complex and integrated control systems, the vulnerabilities of the systems are also continuously worsening. From a complexity point of view, the control systems have evolved and matured for many decades but are today so advanced that it is practically impossible to completely test a system in order to find all potential deficiencies. From an integration point of view, the vulnerabilities of a large number of other (complex) systems are also vulnerabilities of the control system, and consequently of the entire critical infrastructure. This trend of systems integration implies that there are new threats to critical infrastructures [Naedele et al., 2005a]. For instance, antagonistic threats are now a concern, i.e., that someone deliberately exploits the possibility to control processes. This includes hackers intruding into any of an organization's hundreds of systems and eventually reaching the control system and the physical process [Assante et al., 2006; Byres et al., 2004; DoE, 2003]. Figure 2 illustrates a typical situation where a SCADA system is connected to other networks and systems of the company, as well as to other partners and to the Internet. The vulnerabilities in this situation are potentially plentiful, and any ill-configured unit in this system is a potential threat to the critical infrastructure. To exacerbate the situation, control systems are primarily designed to deliver reliable and robust control of the power network and not to resist computer-based attacks [Naedele et al., 2005b]. And even though the awareness of control system security has been rising during the last decade, control systems are long-lived, and many old control systems are still in operation and will continue to be in operation for years to come. Moreover, since control systems are so complex, even new products taken into operation today have a large design legacy reaching many years back. A recent report from the U.S. National SCADA Test Bed [Fink, 2006], for instance, bears witness to many vulnerabilities among commercial control system products.
SCADA system security poses major challenges for electric power distribution companies today. Even though only a limited number of reports are publicly available regarding incidents from adverse control system attacks, this issue is not just a conceptual and hypothetical threat. The lack of public accounts is of course partly due to the nature of the problem: publicly reporting incidents is not in the interest of the attacked party; in fact, it is important that information about incidents does not leak out so that vulnerabilities are further exploited. Available figures indicate that more than fifty percent of the reported incidents in the U.S. are estimated to have cost more than one million U.S. dollars. Potentially worse is that in twenty-five percent of the incidents the ability to supervise and control was lost [SEMA, 2006]. It is today a widely accepted view that control systems can be maliciously manipulated by attackers with some skill and time on their hands. Given the potentially devastating consequences, it is paramount that the resilience and the security of the control systems are increased. This needs to be done both from a holistic point of view, where different security measures are analyzed from an enterprise-wide perspective in order to avoid sub-optimizations, and in depth, with new technological solutions that more efficiently support resilience and security. Specific requirements posed on control systems, such as processing performance and availability, need to be especially addressed, since solutions from other IT-security domains cannot be reused to address them.