SCADA securitySCADA systems’ vulnerability key weakness in Smart Grid deployments

The discovery of the Stuxnet worm in 2010 shone a harsh light on the fragility of industrial control systems (ICS), such as supervisory control and data acquisition (SCADA) systems, and has created a new urgency among security vendors and utility managers alike. Nearly overnight, ICS security went from being a non-issue to being critical. 

Because of this rapid change in perception of the vulnerability of SCADA systems, ramp-up time has been short, with little or no time for an industry to consider what is needed and how to develop a manageable approach to the security of control system which run critical infrastructure.

Cleantech research group Pike Research notes that what complicated the issue was that at nearly the same time, the American Recovery and Reinvestment Act of 2009 caused many utilities and vendors to submit requests quickly in order to obtain some of the funding the stimulus package offered.  Many of those requestsstated a list of infrastructure components, without adequate consideration of cyber security requirements.

“As a result of these two developments, the utility industry now has a large installed base of smart grid components, but little idea how to secure them. No clear or shared vision exists of what to build,” Pike Research says.

According to a recent report from Pike Research, such risks to the electrical grid will require utilities to make major new investments in cyber security for ICS in the coming years.  The cleantech market intelligence firm forecasts these investments will total $4.1 billion during the years between 2011 and 2018.

“Many SCADA systems were deployed without security in the belief that SCADA would always be isolated from the Internet,” says senior analyst Bob Lockhart.  “But it’s not, and even when it is, attacks such as Stuxnet can circumvent the isolation by using USB memory sticks to spread.  And SCADA security has different objectives than IT security.  The familiar ‘confidentiality, integrity, and availability’ is replaced with ‘safety, reliability, and integrity.’  This is nearly impossible to accomplish with the infrastructure-only approach taken by most information security products.”

A Pike Research release notes that one of Stuxnet’s more noticeable effects was to cause nearly every security vendor to create an Energy Business Unit.  Security vendors have taken one of three approaches to entering the smart grid market.

A few security vendors have focused on ICS security since their founding.

Some of the relative newcomers to ICS security have hired long-time energy industry veterans to run their energy business.

Others have simply rebranded existing products as “smart grid ready” and sell based upon the widespread adoption of their products in IT environments.

Pike Research’s report, “Industrial Control Systems Security,” analyzes and forecasts the market for ICS security for smart grids, with an assessment of the major risks facing smart grid ICS environments.  Risks were identified through a combination of primary research and mapping the environments against key security baselines such as NIST Special Document 800-82, Guide to Industrial Control Systems Security, and ISO27002:2005, Information technology – Security techniques – Code of practice for information security management.  An Executive Summary of the report is available for free download on the firm’s Web site.