International Journal of Critical Infrastructure Protection
Assessing and improving SCADA security in the Dutch drinking water sector
Introduction
In the digital world, we want to be able to work securely. The right level of protection is the key to this. Certainly there is a need to investigate and prosecute cybercrime, but a reactive response alone is not the complete solution. Only when government, investigatory authorities, and the private sectors join forces and exchange information about new threats will society be able to keep up with the cyber criminals. In 2006, the Dutch government and the private sectors took the first steps toward developing a successful strategy against cybercrime with the establishment of the National Infrastructure against Cybercrime programme (‘Nationale Infrastructuur ter bestrijding van Cybercrime’) or NICC. The NICC embraced the principle of ‘learning by doing’. The NICC infrastructure consists of several components: a contact point, reporting unit, trend watching, monitoring and detection, information distribution, education, warning, development, knowledge sharing, surveillance, prevention, termination, and mitigation. The NICC further strengthens this infrastructure by hosting the Cybercrime Information Exchange, in which public and private organizations share sensitive information, and by developing and supporting practical projects and trials that both solve concrete problems and generate knowledge about cybercrime.
The Cybercrime Information Exchange information-sharing model is based on the one designed by the UK’s Centre for the Protection of National Infrastructure (CPNI). The NICC Information Exchange function can be pictured as a ‘flower’. The heart of the flower is made up of government bodies, like the police, intelligence services, GOVCERT.NL and the NICC itself. Critical infrastructure (CI) sectors and some other major industrial communities that rely heavily upon information and communication technologies (ICT) can be thought of as the petals of the flower. The different sectors chair their own ‘petal’, decide which parts of the meeting can be attended by the government bodies, and decide which information is sharable outside their sector ‘petal’. The confidentiality of the information exchanged is governed by the set of protection and dissemination rules of the Traffic Light Protocol [1].
The current Dutch drinking water sector originates from extensive mergers of local municipal utilities. In 1952, Dutch society was served by 198 drinking water companies, a number that had been reduced to ten companies by 2007 [2]. After 9/11 2001, the Dutch drinking water sector collaboratively undertook major efforts to increase the physical security of their drinking water plants and systems. When the NICC programme was established in 2006, the drinking water sector was one of the first CI sectors to sign up as a sector petal to address their ICT risk. One of the information security issues the sector put onto the NICC agenda concerns process control system/SCADA security. SCADA means Supervisory Control and Data Acquisition, a term which is used in this paper as an overarching term for all process control systems and networks that are used to monitor and control the intake of raw water, the purification process, the quality control process, and the transport and distribution process. Together with the NICC, the drinking water sector decided on a project that had to (1) investigate the current sector-wide state of SCADA information security, (2) analyze and report the results, and (3) develop a set of good practices which provides a sector-wide information security baseline for the SCADA/process control environment.
In Section 2, we discuss the development of a questionnaire that has been used to investigate the SCADA security posture of the ten companies comprising the Dutch drinking water sector. In Section 3, we highlight the analysis approach and the way the results were reported to the drinking water sector while maintaining anonymity. The individual company information and the sector-wide results are sensitive and classified. In Section 4, however, we are able to present a high-level overview of the main areas of SCADA security concerns that were identified in the Dutch drinking water sector. As requested by the drinking water sector NICC-petal, a SCADA Security Good Practices report has been developed addressing these security weaknesses. Its development is described in Section 5. Section 6 briefly discusses the use of the same questionnaire and method in other CI sectors. Section 7 contains the conclusions.
Section snippets
Investigation approach: questionnaire
As the NICC drinking water petal had just started, not all drinking water companies were represented yet. Moreover, the trust level between the first representatives of the drinking water companies was still low. On the other hand, the participating organizations were keen to experience the potential of collaboration in a trusted environment. Therefore, the initiated benchmark project to investigate the current state of SCADA information security in the drinking water sector had to deliver its
Anonymization
In parallel with the filling in of the questionnaires, a simple spreadsheet was developed to contain and visualize the answers given by the drinking water companies. Numbers randomly assigned to the ten Dutch drinking water companies formed the basis for the anonymous treatment of the returned questionnaires. The number randomly assigned to each individual drinking water company maps its replies to the questions to a specific column in the analysis spreadsheet. The mapping between the companies and
Areas of SCADA security concern
The individual companies regard their answers to the questionnaire as company-sensitive and confidential. They expect proper protection of their individual data.
The combined data and the sector-wide results are considered sensitive from a national security perspective. These reasons inhibit a detailed presentation of the study results. At a general level, however, we can present the SCADA security good practices and some of the concerns regarding the SCADA security posture in the Dutch drinking
Development of the SCADA security good practices
Based upon the results of the analysis described in the previous sections, security expert experiences, and the existing literature such as [3] through [21], SCADA Security Good Practices for the Drinking Water Sector were developed. Both a version in Dutch [22] and in English [23] have been developed. Translations in Japanese [24] and Italian [25] have been published in the meantime. These good practice documents start with a short introduction to SCADA and process control systems, their
Work in progress
Based upon the successful results in the drinking water sector in 2007, the same questionnaire has been used as a basis to perform SCADA information security benchmark investigations in the Dutch energy sector in the first half of 2008. Apart from the (classified) individual sector report, a small comparative study has been made of similarities and differences between the two sectors. The results depicted by the radar charts show some remarkable differences, especially regarding some of the
Conclusions
A relatively straightforward and effective approach has been taken to assess, analyze, and help to improve the sector-wide SCADA and process control security posture in The Netherlands. Given the time constraints for the study and the trust-establishing requirement to involve as many companies in the drinking water sector in the study as possible, a quick-scan benchmark methodology was developed and used. After a drinking water company filled in the questionnaire, a face-to-face meeting was held to
Acknowledgments
The national study [3] on the vulnerability of process control systems at large and SCADA in particular was commissioned by the Dutch Ministry of Economic Affairs. The 2007 and 2010 studies on SCADA information security in the drinking water sector were commissioned by the National Infrastructure against Cybercrime (NICC) programme of the ICTU (www.ictu.nl).
References (25)
- CPNI, Traffic Light Protocol (TLP),...
- VEWIN, http://www.vewin.nl (last visited 5 Sept....
- H.A.M. Luiijf, R. Lassche, SCADA (on)veiligheid, een rol voor de overheid? [SCADA (in)security, a role for the...
- Department of Energy (DoE), 21 Steps to Improve Cyber Security of SCADA Networks, Office of Energy Assurance, Office of...
- ISO, Code voor informatiebeveiliging/information technology–security techniques–code of practice for information...
- GAO, Critical Infrastructure Protection, Challenges and Efforts to Secure Control Systems, Government Accountability...
- DOE, A Summary of Control System Security Standards Activities in the Energy Sector, United States Department of...
- AGA, Cryptographic protection of SCADA communications, American Gas Association, United States, January 2, 2004....
- Dr. Goran Ericsson, Managing Information Security in an Electric utility, on behalf of JWG D2/B3/C2-01. On-line:...
- Joe Weiss, Current status of cyber security issues for electric industry control systems, in: NISCC SCADA Conference,...