SCADA Security, Compliance, and Liability – A Survival Guide

By Clint Bodungen, Jeff Whitney, and Chris Paul | September 2009 Vol. 236 No. 9

Two hot topics in the industrial world are security and compliance, and controversy surrounds how each should be interpreted and addressed.

Although regulatory bodies, industry trade groups and industry participants are working to provide concise guidance, no definitive roadmap to full compliance exists.

Operators face an almost overwhelming number of standards, guidelines, and best practices that require interpretation with little guidance. Operational and security requirements are often confusing and sometimes inconsistent. Security-related documents often purport to be the required standard when they are not, and security programs are frequently not tailored to the specific operation they are meant to protect.

Addressing this requires an understanding of the requirements and the development of an appropriate solution. While a one-size-fits-all solution is not possible, there is a process that aggregates the requirements and best practices available to industry, allowing each company to design and implement a solution that makes sense for its organization and facilities. This holistic approach offers a roadmap toward compliance and avoids the fatal error of treating security as simply an “add-on” to operations. The pitfall of the add-on approach is that narrowly focused security solutions may temporarily satisfy a technical requirement while ignoring the additional requirements imposed by evolving regulations and standards.

SCADA (Supervisory Control and Data Acquisition) system users are the most affected by the recent increase in regulatory and standards activity. On the security side, SCADA operators are confronted with the lingering “IT vs. SCADA”, or “them vs. us”, issue, along with the cyber-security threat debate. One faction sees a valid cyber threat to critical infrastructure. Another believes the real threat lies in other factors such as physical or human-risk issues. We believe both threats are real and need to be addressed. With compliance activity rising, operators must interpret, and potentially comply with, the myriad standards, guidelines, and best practices that have been released.

Unfortunately, these documents provide little guidance on exactly which standard or best practice addresses the threats confronting operators. Even in more regulated industries, such as electric utilities, where definitive regulatory guidance has been established with NERC CIP, the requirements remain so vague and watered down that neither security nor compliance is assured. All of these issues can have serious repercussions for an organization, since either an incident or an audit failure could result in significant financial loss. This article addresses these issues using the holistic approach.

Where Is The Threat Anyway?
Is there potential for an actual cyber threat, or is it just media hype? In short, yes: cyber threats to SCADA systems do exist. Is the potential for cyber threats as great as some claim? Probably not. Many have asked, “If there is no hard-core evidence of a significant [outside] cyber attack on an industrial network, where is the threat?”

These types of threats are becoming more likely as SCADA systems and networks increasingly use commercial off-the-shelf (COTS) software, connect to the enterprise layer, and move toward IP connectivity. Each of these trends widens the attack surface: COTS components inherit the publicly known vulnerabilities of enterprise IT, and connectivity to the enterprise network and to IP protocols exposes control systems to attackers who previously had no path to reach them. The result is both a higher threat level and increased vulnerability.