FEATURE
qualifications that apply to providers
joining regulated public cloud services.
This will help engender confidence that
there is adequate oversight within such a
cloud. Independent Security as a Service
offerings may also come with an audit
service as a subscription option.
Service management: An inevitable
issue with any outsourcing or public sub-
scription arrangement is how in control
of the administration of the service are the
providers? There are several aspects to this:
a) From where are the services being
administered (eg, via a global ‘follow
the sun’ arrangement)?
b) How much can you trust the service
administrators, and how competent
are they?
c) What controls are in place to manage
privileges and enable accounting of
administrator actions?
These are key points to research during
the procurement phase. Regardless of the
business requirements, there should be
some form of technical trust and privi-
lege management in place. This issue is
accentuated in virtualised environments:
administrators will have the ability to
allocate storage and processing resources,
including the ability to remove barriers
and cause data leakage between compart-
ments. It’s essential to provide a set of
rules for the segregation of duties among
administration domains: administrators
should be limited in what they can do
– eg, they may be limited to a group of
The SCADA challenge: securing
critical infrastructure
Steve Gold
With Microsoft about to unleash Windows 7, the tiny number of companies still
using legacy Windows 98 systems and software is almost certainly going to dwindle
still further. It may come as a surprise that there are organisations still using Windows
98 at all. In fact, this is generally limited to one sector – utilities. And paradoxically,
this obsolete operating system supports some highly critical operations.
It’s a seemingly incongruous fact that while
the OS, and the applications that run on it,
are now seriously outmoded, the gas, elec-
trical and water organisations using it are
regarded as a critical national infrastructure.
18
Network Security
customer assets, or a distinct datacentre
zone. And there must be full account-
ing and audit of their actions – eg, every
administrative action should be recorded
and traceable to the administrator respon-
sible. Again, with Security as a Service, a
separate security operations centre could
independently oversee and audit service
management operations.
Summary
The age of cloud and virtual comput-
ing is presenting new challenges and
the re-emergence of old challenges in
new guises. The message is twofold:
potential customers need to do their
homework and select the right solution
for their requirements; and many of the
technology issues posed by cloud com-
puting and virtualisation can be solved
by adapting traditional approaches so
that they work with the diffused nature
of cloud architectures.
Assuming that industry delivers on the
promise of cloud computing, there is no
reason to think that it is something that
should be avoided on security grounds. It
is instead a significant opportunity for the
safe and secure computing of tomorrow.
An essential enabler will be the develop-
ment of a future standard against which
this model can be secured – an equivalent
to PCI DSS, and something that will
doubtless emerge out of the emerging
work of the Cloud Security Alliance.2
Put simply, if their IT networks go
down, we, as a country, are poten-
tially in big trouble. Without power,
heating and water, the national
infrastructure that holds all our lives
References
1. Jericho Forum: ‘Position Paper –
Collaboration Oriented Architectures’,
Version 2.0, November 2008, 10 July
2009 http://www.opengroup.org/
jericho/COA_v2.0.pdf
2. http://www.cloudsecurityalliance.org
3. Cloud Security Alliance: ‘Security
Guidance – Critical Areas of Focus
in Cloud Computing’, April 2009,
10 July 2009 http://www.cloudsecu-
rityalliance.org/guidance/csaguide.
pdf
About the Author
Kevin Sloan MEng M.Inst.ISP MIET is
a principal consultant at Amethyst Risk
Management, which delivers a range of
business and technical risk management
services that help organisations identify,
understand, reduce and manage risk. He
has a background in electronics, micro-
processor applications, firmware, software,
and data communications, and specialises
in Information Assurance (IA). Kevin has
more than 28 years’ experience in the ICT
industry with information and communica-
tions security experience spanning the last 20
years. He is qualified by CESG to undertake
IA activities for many UK government cus-
tomers and has been a key player on several
significant UK transformational government
and information-sharing projects. He also
has broad experience with commercial cli-
ents in the UK and overseas.
together, including the business
world, starts to falter.
This is why many utility companies
the world over continue to use Windows
98-driven IT systems that were devel-
oped for an embedded firmware envi-
ronment in the 1990s.
Most of these systems were devel-
oped for the Supervisory Control And
Data Acquisition (SCADA) platform, a
computer control system at the heart of
August 2009

many industrial automation and tech-
nology systems.
First emerging in the 1960s and devel-
oping fully when PCs arrived in earnest
in the late 1980s, SCADA systems are
normally found in industrial uses such
as energy power plants, electricity supply
grids, chemical plants and other industrial
systems that require a high degree of com-
puterised control – but which also require
total and absolute systems availability.
Hacker attack
But defending SCADA systems – which
typically tend to be embedded operating
system-driven environments – is a tricky
task in these hacker and malware-infested
times. This is because many SCADA
systems were developed in the early days
of computing, before viruses had hit the
headlines and long before the electronic
threats we now face.
In the US, most SCADA-driven sys-
tems have had dial-up remote access/
supervisory modem connections added
to them, meaning that – with authen-
tication and encryption (eg, RADIUS)
added to the usual ID/password mix –
they are well secured against any form
of hacker attack. In the UK and Europe,
however, remote access was added to
many SCADA systems – many of which
are coded for the Windows 98 platform
– much later in the day, meaning that an
IP connection to a SCADA-based sys-
tem is much more commonplace.
Because IP connections are so inte-
gral to the internet, defending an
IP-connected SCADA environment,
often connected to a Windows 98 plat-
form, has become something of a black
art. A number of IT vendors – including
Byres Security, Check Point, Industrial
Defender, Innominate, N-Dimension
Solutions and Secure Computing – have
developed a tightly focused range of
specialised industrial firewall and VPN
solutions for IP-based SCADA networks.
August 2009
In addition, the ISA Security Compliance
Institute (ISCI) has been working to for-
malise SCADA security testing, which
should bear fruit later this year. This means
that the utility industry will soon have a set
of common benchmarks against which it
can measure its protection systems.
In parallel with these moves, the
SCADA industry has evolved a number
of private testing companies such as
the Achilles certification program from
Wurldtech Security Technologies and the
‘Music’ certification from Mu Dynamics.
Plans call for a set of standards – defined
by the ISCI’s ISA SP99 Working Group
4 – to supersede these initial industry
consortia efforts, but this will probably not
happen much before the end of 2010.
Easy customisation
According to Mike Smart, senior prod-
uct marketing manager with Secure
Computing, despite SCADA being a
highly specialised area of IT security, it is
a relatively easy task to customise exist-
ing high-availability firewall technology
to protect the IT resource.
Smart’s company – now part of
the McAfee IT security group – has
developed three signature file types for
SCADA-specific protocols into its Secure
Firewall offering, which was formerly
known as Sidewinder. As a result, says
Smart, Secure Computing is now able to
offer its firewall technology to the utility
industries, as well as to chemical compa-
nies that transport dangerous products,
allowing them to control their critical
network components.
However, while Secure Computing’s
SCADA offerings are based on the firm’s
firewall technology, Smart admits it’s a
long way from an off-the-shelf product.
“It’s a highly customised technology,”
he says, adding that the problem fac-
ing IT managers tasked with protecting
SCADA systems, is that they tend to be
based on an embedded operating system,
FEATURE
meaning the OS cannot be patched or
updated as with a conventional compu-
ter system. “This makes them vulnerable
to a number of well-known hacker and
malware toolkits, so the IT security sys-
tem protecting a SCADA-driven system
has to be 100% proof against both mod-
ern and old security threats.”
Secure Computing has developed three
sets of signatures (flavours) for its fire-
wall technology:
1. SCADA:ICCP: The Inter-Control
Centre Communications Protocol
(ICCP or IEC 60870-6/TASE.2) is
now being specified by utility firms
to support WAN-based exchanges of
data between utility control centres,
utilities, power pools, regional control
centres, and non-utility generators.
2. SCADA:MODBUS: Modbus is a
serial communications protocol for
use with SCADA-based programma-
ble logic controllers, which Secure
Computing says have become the
most common method of connecting
industrial electronic devices.
3. SCADA:DNP3.0: The DNP3.0
(Distributed Network Protocol) is a
set of communications protocols used
between components in process auto-
mation systems. Mainly used in electric-
ity and water supply grids, the technol-
ogy was developed to allow communi-
cations between various types of data
acquisition and control equipment.
An alternative approach
Check Point Software Technologies,
meanwhile, has followed Secure
Computing down the road of customis-
ing existing commercial applications,
although Dorit Dor, the company’s presi-
dent of products, says that it is important
to understand that SCADA is mainly
used for automated environments where
there are not many people involved.
“The problem then becomes one of
securing the occasional times when you
19
Network Security
 FEATURE / EVENTS
want to access that system remotely. The
question is, how do you open the system
up to remote access without compromis-
ing the security?” says Dor.
According to Dor, while every com-
pany claims that its email and internet
access is essential, maintaining uptime on
most SCADA-based systems is genuinely
essential. Check Point’s approach with
SCADA, she explains, has been to look at
the issue from two very specific angles.
“The first is, what commands are
going to traverse the gateway? Once
you know this, you can begin to pro-
tect those command streams,” she says,
adding that the second approach is to
protect a single device that is remotely
accessible across the internet. “Here
you’re talking about using VPNs,
encryption and authentication to ensure
total and utter security,” says Dor.
Dor says that most of the SCADA systems
in use in the UK and US involve legacy IT,
although around 10% of these systems each
year are being replaced with more modern –
and therefore IP-based – connections.
The US perspective
In the US, Foxborough, Massachusetts-
based specialist Industrial Defender is
one of the major players in the SCADA
protection industry and has a number
of utility and government customers
around the world, says the firm’s chief
marketing officer, Todd Nicholson.
Industrial Defender, he says, has more
than 3,000 deployments of its SCADA
IT security protection technology world-
wide and its systems now protect around
25 per cent of the UK’s electricity power
generation and grid systems.
“Many of the SCADA systems
installed in industrial applications,
including the critical energy distribution
systems, were constructed between 15
and 20 years ago, when the threat was
more physical than electronic,” he says.
As a result, he explains, many of the con-
trol systems are ‘air-gapped’, meaning that
they never originally had any form of com-
munications contact with the outside world.
Today, however, many of these older systems
are starting to be connected to the internet,
leap-frogging the dial-up modem phase, and
this is where security risks enter the frame.
20
Network Security
“Many of the SCADA
systems installed in industrial EVENTS
applications, including the
critical energy distribution CALENDAR
systems, were constructed
17 - 21 August
between 15 and 20 years ago,
SANS What Works in
when the threat was more
physical than electronic” Virtualisation and Cloud
Security Summit
As well as the usual array of hacker Location: Washington DC, USA
and malware-driven attacks, Nicholson
Website: http://tinyurl.com/lgakvb
says there is also the problem of insider
threats, including the potential for
23 - 28 August
employees to make mistakes. “We’ve
GFIRST National Conference
come across situations where an intern
Location: Atlanta, GA, USA
is updating the anti-virus signatures on a
Website: http://www.us-cert.gov/GFIRST/
main IT system and somehow manages
to get into the SCADA security side of
things. That can really mess things up 28 August - 4 September
and lower the security until the problem SANS Virginia Beach
is discovered,” he says. Location: Virginia Beach, VA, USA
Because of these issues, Nicholson Website: http://tinyurl.com/kokxev
argues in favour of carefully customised
and installed IT security systems for 30 August - 4 September
SCADA-based networks and says that, FOSAD 2009
even where a non-embedded operating Location: Bertinora, Italy
system is involved, securing a SCADA Website: http://www.ieee-security.org/
platform can still be a headache. Calendar/cfps/cfp-FOSAD2009.html
Industrial Defender’s approach, he
says, is to cover three main areas of secu- 31 August - 4 September
rity with SCADA: defend the electronic InSpec 2009
security perimeter, protect the network, Location: Auckland, New Zealand
and protect the host environment. Website: http://sesar.dti.unimi.it/
Interestingly, despite the fact that many InSPEC2009/
SCADA systems involve the use of legacy
kit, Nicholson says they are still internally 15 - 17 September
networked, typically using basic 10Mbps 5th International Conference
technology. The problem with this older on IT Security Incident
networked technology is that it tends to Management & IT Forensics
be a lot more delicate than modern net- Location: Stuttgart, Germany
working systems, which means it can be Website: http://www.imf-conference.org
knocked offline very easily, even due to
something as simple as the wrong con-
20 - 24 September
figuration files being loaded.
COSAC 2009
According to Nicholson: “The bottom
Location: County Kildare, Ireland
line is that you simply cannot tinker
Website: http://www.cosac.net/
with such systems as you would with a
modern network.”
21 - 22 September
About the author Gartner Information Security
Steve Gold has been a business journalist Summit
and tech writer for 24 years, specialising Location: London, UK
in ICT, business matters, the internet and Website: http://www.gartner.com/it/page.
communications for most of that time. He jsp?id=787512
is widely regarded as an authority on com-
munications and IT security.
August 2009