Assessing and improving SCADA security in the Dutch drinking water sector

https://doi.org/10.1016/j.ijcip.2011.08.002

Abstract

International studies have shown that information security for process control systems, in particular SCADA, is weak. Many of the critical infrastructure (CI) services critically depend on process control systems. Therefore, any vulnerability in the protection of process control systems in CI may result in serious consequences for citizens and society. In order to understand their sector-wide security posture, the drinking water sector in The Netherlands benchmarked the information security of their process control environment. Large differences in the individual security postures of the ten drinking water companies were found. Good Practices for SCADA security were developed based upon the benchmark results. This paper discusses the simple but effective approach taken to perform the benchmark, the way the results were reported to the drinking water companies, and the way in which the SCADA information security good practices were developed. Apart from some high-level indications of areas requiring more security attention, no actual security posture results are presented in this paper since the study data contain company and national sensitive information. For the same reason, the figures in this paper are based on artificial data.

Introduction

In the digital world, we want to be able to work securely. The right level of protection is the key to this. Certainly there is a need to investigate and prosecute cybercrime, but a reactive response alone is not the complete solution. Only when government, investigatory authorities, and the private sectors join forces and exchange information about new threats will society be able to keep up with the cyber criminals. In 2006, the Dutch government and the private sectors took the first steps toward developing a successful strategy against cybercrime with the establishment of the National Infrastructure against Cybercrime programme (‘Nationale Infrastructuur ter bestrijding van Cybercrime’) or NICC. The NICC embraced the principle of ‘learning by doing’. The NICC infrastructure consists of several components: a contact point, reporting unit, trend watching, monitoring and detection, information distribution, education, warning, development, knowledge sharing, surveillance, prevention, termination, and mitigation. The NICC further strengthens this infrastructure by hosting the Cybercrime Information Exchange, in which public and private organizations share sensitive information, and by developing and supporting practical projects and trials that both solve concrete problems and generate knowledge about cybercrime.

The Cybercrime Information Exchange information-sharing model is based on the one designed by the UK’s Centre for the Protection of National Infrastructure (CPNI). The NICC Information Exchange function can be pictured as a ‘flower’. The heart of the flower is made up of government bodies, like the police, intelligence services, GOVCERT.NL and the NICC itself. Critical infrastructure (CI) sectors and some other major industrial communities that rely heavily upon information and communication technologies (ICT) can be thought of as the petals of the flower. The different sectors chair their own ‘petal’, decide which parts of the meeting can be attended by the government bodies, and decide which information is sharable outside their sector ‘petal’. The confidentiality of the information exchanged is governed by the set of protection and dissemination rules of the Traffic Light Protocol [1].

The current Dutch drinking water sector originates from extensive mergers of local municipal utilities. In 1952, society in The Netherlands was served by 198 drinking water companies, a number that had been reduced to ten companies by 2007 [2]. After 9/11 2001, the Dutch drinking water sector collaboratively undertook major efforts to increase the physical security of their drinking water plants and systems. When the NICC programme was established in 2006, the drinking water sector was one of the first CI sectors to sign up as a sector petal to address their ICT risk. One of the information security issues the sector put onto the NICC agenda concerns process control system/SCADA security. SCADA means Supervisory Control and Data Acquisition, a term which is used in this paper as an overarching term for all process control systems and networks that are used to monitor and control the intake of raw water, the purification process, the quality control process, and the transport and distribution process. Together with the NICC, the drinking water sector decided on a project that had to (1) investigate the current sector-wide state of SCADA information security, (2) analyze and report the results, and (3) develop a set of good practices which provides a sector-wide information security baseline for the SCADA/process control environment.

In Section 2, we discuss the development of a questionnaire that has been used to investigate the SCADA security posture of the ten companies comprising the Dutch drinking water sector. In Section 3, we highlight the analysis approach and the way the results were reported to the drinking water sector while maintaining anonymity. The individual company information and the sector-wide results are sensitive and classified. In Section 4, however, we are able to present a high-level overview of the main areas of SCADA security concern that were identified in the Dutch drinking water sector. As requested by the drinking water sector NICC-petal, a SCADA Security Good Practices report has been developed addressing these security weaknesses. Its development is described in Section 5. Section 6 briefly discusses the use of the same questionnaire and method in other CI sectors. Section 7 contains the conclusions.

Section snippets

Investigation approach: questionnaire

As the NICC drinking water petal had just started, not all drinking water companies were represented yet. Moreover, the trust level between the first representatives of the drinking water companies was still low. On the other hand, the participating organizations were keen to experience the potential of collaboration in a trusted environment. Therefore, the initiated benchmark project to investigate the current state of SCADA information security in the drinking water sector had to deliver its

Anonymization

In parallel with the filling in of the questionnaires, a simple spreadsheet was developed to contain and visualize the answers given by the drinking water companies. Randomly assigned numbers for the ten Dutch drinking water companies provided the basis for the anonymous treatment of the returned questionnaires. The company number randomly assigned to each individual drinking water company maps its replies to the questions to a specific column in the analysis spreadsheet. The mapping between the companies and

Areas of SCADA security concern

The individual companies regard their answers to the questionnaire as company-sensitive and confidential. They expect proper protection of their individual data.

The combined data and the sector-wide results are considered sensitive from a national security perspective. These reasons inhibit a detailed presentation of the study results. At a general level, however, we can present the SCADA security good practices and some of the concerns regarding the SCADA security posture in the Dutch drinking

Development of the SCADA security good practices

Based upon the results of the analysis described in the previous sections, security expert experiences, and the existing literature such as [3] through [21], SCADA Security Good Practices for the Drinking Water Sector were developed. Both a version in Dutch [22] and in English [23] have been developed. Translations in Japanese [24] and Italian [25] have been published in the meantime. These good practice documents start with a short introduction to SCADA and process control systems, their

Work in progress

Based upon the successful results in the drinking water sector in 2007, the same questionnaire has been used as a basis to perform SCADA information security benchmark investigations in the Dutch energy sector in the first half of 2008. Apart from the (classified) individual sector report, a small comparative study has been made of similarities and differences between the two sectors. The results depicted by the radar charts show some remarkable differences, especially regarding some of the

Conclusions

A relatively straightforward and effective approach has been taken to assess, analyze, and help to improve the sector-wide SCADA and process control security posture in The Netherlands. Given the time constraints for the study and the trust-establishing requirement to involve as many companies in the drinking water sector in the study as possible, a quick-scan benchmark methodology was developed and used. After a drinking water company filled in the questionnaire, a face-to-face meeting was held to

Acknowledgments

The national study [3] on the vulnerability of process control systems at large and SCADA in particular was commissioned by the Dutch Ministry of Economic Affairs. The 2007 and 2010 studies on SCADA information security in the drinking water sector were commissioned by the National Infrastructure against Cybercrime (NICC) programme of the ICTU (www.ictu.nl).

References (25)

  • CPNI, Traffic Light Protocol (TLP),...
  • VEWIN, http://www.vewin.nl (last visited 5 Sept....
  • H.A.M. Luiijf, R. Lassche, SCADA (on)veiligheid, een rol voor de overheid? [SCADA (in)security, a role for the...
  • Department of Energy (DoE), 21 Steps to Improve Cyber Security of SCADA Networks, Office of Energy Assurance, Office of...
  • ISO, Code voor informatiebeveiliging/information technology–security techniques–code of practice for information...
  • GAO, Critical Infrastructure Protection, Challenges and Efforts to Secure Control Systems, Government Accountability...
  • DOE, A Summary of Control System Security Standards Activities in the Energy Sector, United States Department of...
  • AGA, Cryptographic protection of SCADA communications, American Gas Association, United States, January 2, 2004....
  • Dr. Goran Ericsson, Managing Information Security in an Electric utility, on behalf of JWG D2/B3/C2-01. On-line:...
  • Joe Weiss, Current status of cyber security issues for electric industry control systems, in: NISCC SCADA Conference,...
  • Joe Weiss, Control systems cyber security — maintaining the reliability of the critical infrastructure, Testimony of...
  • Joe Weiss, White Paper on the Status of Control System Cyber Security, United States, October...

Cited by (15)

    • Architecture and security of SCADA systems: A review

      2021, International Journal of Critical Infrastructure Protection
      Citation Excerpt :

      The countries which have extensive SCADA systems are Finland, the United Kingdom, and the United States. We need to strengthen cyber-security measures of SCADA systems to shield them from cyber assault [60,61]. The network’s primary security mechanism applicable to IT sectors is invalid for SCADA due to legacy-inherited cybersecurity vulnerabilities and their potential exploitation.

    • A time-driven and event-driven approach for substation feeder incident analysis

      2016, International Journal of Electrical Power and Energy Systems
      Citation Excerpt :

      Thus the event dispatching mechanism should be capable of recognizing the relevant RRELAY TRIP and CB OPEN messages in the event log and create the corresponding incident session. Recently, the results of many researches reveal that the need for SCADA system security is getting stronger [20–24]. For the sake of safely retrieving the event log from a SCADA system, a secure file transfer mechanism is therefore used by an incident analysis server installed in utility intranet.

    • A survey of cyber security management in industrial control systems

      2015, International Journal of Critical Infrastructure Protection
      Citation Excerpt :

      Several publications report on the results of security assessments of real or simulated industrial control system infrastructures (e.g., [124,136]). A broader, sector-wide report was published by Luiijf et al. [120], who analyzed the security postures of industrial control systems in the Dutch drinking water sector. Section 4 highlighted the absence of practical guidance on risk management and assessment methodologies.

    • Identifying critical infrastructure sectors and their dependencies: An Indian scenario

      2014, International Journal of Critical Infrastructure Protection
    • Developing automata-based control software for water purification and normalization

      2021, Proceedings - 2021 International Conference on Industrial Engineering, Applications and Manufacturing, ICIEAM 2021
    • Water Security Safeguarded by Safe, Secure and Smart Water Management Solutions

      2021, Advanced Sciences and Technologies for Security Applications