SCADA Cybersecurity Framework
ISACA JOURNAL VOLUME 1, 2014 ©2014 ISACA. All rights reserved. www.isaca.org
Figure 1—SCADA Vs. IT Security

Risk impact
  Information systems: Loss of data
  Control systems: Loss of life, production

Risk management
  Information systems: Recover by reboot; safety a nonissue
  Control systems: Fault tolerance essential; explicit hazard analysis expected

Reliability
  Information systems: Occasional failures tolerated; beta test in field acceptable
  Control systems: Outages unacceptable; quality assurance testing expected

Performance
  Information systems: High throughput demanded; high delay and jitter accepted
  Control systems: Modest throughput acceptable; high delay a serious concern

Security
  Information systems: Most sites insecure; little separation among intranets on the same site; focus on central server security
  Control systems: Priority to functionality and reliability; tight physical security; information systems network integrated with plant network; focus on central server as well as edge control device stability

System operation and change management
  Information systems: Generic, typical operating systems; straightforward upgrades; changes using automated deployment tools
  Control systems: Proprietary operating systems; software changes in consultation with vendors only

Communications
  Information systems: Standard communications protocols; IT networking practices
  Control systems: Mix of proprietary and standard communication protocols; networks requiring the expertise of control engineers

Component lifetime
  Information systems: Lifetime on the order of three to five years
  Control systems: Lifetime on the order of 15-20 years

Some governments have come up with their own regulations and standards, e.g., the US National Institute of Standards and Technology (NIST), the UK Center for Protection of National Infrastructure (CPNI) and The Netherlands Center for Protection of National Infrastructure (CPNI).

However, compliance with standards/regulations does not guarantee continuous security; it provides a snapshot of the required controls at a point in time. As new threats are identified almost daily, SCADA systems require a dynamic, risk-based approach to keep pace with evolving threat scenarios.

IT security and risk professionals who have worked in traditional areas such as banking, finance or telecommunications face the same challenges of continuously evolving threats and risk. Most traditional IT security frameworks are modeled on standards/guidelines from ISACA, NIST or the International Organization for Standardization (ISO).

CONSTRUCTS OF A SCADA SECURITY FRAMEWORK
An ideal SCADA security framework should have the following characteristics:
• Comprehensive and evolving to meet a changing threat profile
• Meets the availability requirements of SCADA systems
• Meets the risk management and performance requirements of SCADA systems
• Scalable to meet different standards and regulations as applicable

The proposed SCADA security framework can be subdivided into the following areas:
1. Governance, risk and compliance (GRC) administrative controls—Used for setting up the rules of engagement; includes policies, standards, exception management, and risk and compliance frameworks. Because these controls are not technical in nature, they are often described as administrative controls.
2. SCADA controls—This area caters to security requirements that are specific to SCADA systems and have no direct counterpart in general IT.
3. Data and application security—SCADA data, proprietary application development and maintenance are covered in this area. One of the most important areas covered here is change management.
4. System assurance—This area covers unique SCADA security requirements such as system resilience and secure configurations.
5. Monitoring controls—As SCADA protocols and applications are weak by design, monitoring becomes one of the most important areas of the SCADA security framework.
6. Third-party controls—Most SCADA systems are supplied by third parties, including vendors and partners, necessitating a separate area for third-party security in the SCADA security framework.
These six areas of the SCADA security framework further expand into 22 subsections. The six areas and their underlying 22 subsections are presented in figure 2.

ADMINISTRATIVE CONTROLS
Controls that are not implemented using tools and technology are defined as administrative controls. The GRC framework is covered here. The following subsections are included in this area:
1. Organizational leadership and security organization—Organizational leadership takes complete ownership of SCADA security and sets the direction at the top to provide the necessary funding, structure and buy-in for the SCADA security program. Without the involvement of organizational leadership, important programs such as the SCADA security program cannot succeed. Security organization refers to setting up the SCADA security organization with clearly defined roles and responsibilities.
2. Policy, standards and exceptions—The "rules of the game" are set by the policies and standards. Policies and standards provide direction to the organization and to the organization's constituents, and set their expectations. These rules are to be followed by all, with the goal of protecting the organization. The expectation is to have separate SCADA security policies and standards that complement the organization's policies and its IT security policies. Deviations from policies and standards are recorded as exceptions. In the SCADA world, availability and stability are the most important criteria to be considered, so deviations such as security controls not being implemented on time need to be recorded as exceptions, and the necessary compensatory controls need to be implemented.
3. Risk assessments—The risk profile of an organization is gauged using this important tool, which is available to management. Risk assessments, performed at periodic intervals, also help an organization respond dynamically to emerging threats and risk.
4. Compliance framework—Most of the industries in which SCADA systems are in use are heavily regulated. A well-designed compliance framework allows an organization to meet its compliance requirements seamlessly.
SCADA CONTROLS
As described in figure 1, IT risk and SCADA security have different priorities and requirements. Some of the unique requirements for SCADA cybersecurity are:
1. Asset management—Identification and classification of SCADA assets, and specifically SCADA cyberassets, are covered by this area.
2. Identity and access management—Account administration, authentication and authorization, password management, and role/attribute-based access to SCADA systems are covered by this area.
3. Vulnerability management—The majority of SCADA systems are supplied by vendors. SCADA systems are built on popular operating systems (OSs), such as Windows, and use TCP/IP, which is inherently insecure. However, there are unique challenges faced by SCADA, including the availability requirements, performance requirements and low bandwidth associated with SCADA systems. Vulnerability management in SCADA needs to be treated as a separate discipline, distinct from vulnerability management associated with IT in general.
4. SCADA network security controls—The SCADA network needs to be protected from other networks, including the corporate network. The controls that help in achieving the goal of securing a SCADA network are covered by this subsection.
5. Physical security—SCADA systems are often connected and spread across wide areas. Remote terminal unit (RTU) devices are often placed at a long distance from the programmable logic controller (PLC)/SCADA control centers. This is a unique challenge for physical security in the SCADA security framework.

DATA AND APPLICATION SECURITY
Well-known incidents such as Stuxnet and Flame have created widespread interest in SCADA data and application security. This area's subsections cover data security, application security, change management and malicious code detection/prevention controls:
1. Data security—SCADA data are often communicated in clear text, without encryption. Although confidentiality is not a top priority for SCADA, integrity and availability are of concern for SCADA security professionals. Data security covers the availability, integrity and confidentiality controls associated with the protection of data.
2. Application security—SCADA applications present a unique challenge for security professionals. SCADA applications are often developed by the third-party vendors that provided the SCADA hardware devices. These applications are often built without following standard system development life cycle (SDLC) processes; security is not a priority for SCADA application developers, whose only priority often is making the system work. The role of SCADA security professionals is to provide secure development guidelines to vendors and to teams evaluating the purchase of new SCADA devices, and to carry out static/dynamic analysis and penetration testing. They are also expected to provide guidelines to application security professionals, as SCADA vulnerability testing/pen testing needs a different approach from traditional IT testing: active scanning or fuzzing of a live controller can itself cause an outage, so such testing is normally performed against test systems or within maintenance windows.
3. Change management—The challenge in change management for SCADA is to ensure that a change does not disrupt the functioning of devices, as the impact can often be the threat of loss of life. Because of this, change management is another uniquely challenging field for SCADA security professionals.
4. Malicious code detection/prevention—Malicious code, including viruses, malware and trojans, can be extremely harmful to SCADA systems and the underlying infrastructure. It is important to protect applications from malicious code.

SYSTEM ASSURANCE
The foremost priority for SCADA systems is to ensure availability of systems. With this goal in mind, the following subsections are covered in this area:
1. System resilience—Ensuring that SCADA systems are always available requires the system to be designed with resilience as a goal. System resilience includes designing a resilient architecture for SCADA systems and ensuring that availability goals are met during normal operations, incidents and changes to systems.
2. Secure configuration—SCADA systems and their communication protocols are inherently insecure. Ensuring the underlying systems are built securely is of paramount importance. System hardening and patching are covered by this subsection.
3. Business continuity/disaster recovery planning (BCP/DRP)—Systematic and orderly recovery from disasters and business continuity processes are covered by this subsection.
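As an added example for the data security, SCADA network security controls and monitoring-as-compensatory-control points in this framework (this code is not part of the original article), the following Python encodes and parses Modbus/TCP request frames and runs a simple allowlist check over a handful of constructed requests. Modbus/TCP is one of the clear-text protocols the data security subsection refers to: the MBAP header and PDU carry no authentication, sequence number or integrity field, so a frame written by an attacker is byte-for-byte indistinguishable from one written by the engineering workstation. The host addresses, subnet, unit ids, role-to-function-code policy and the register limit are all assumptions chosen for the example.

```python
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass

# Public Modbus function codes used below (defined by the Modbus specification).
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def build_modbus_tcp(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) + PDU.
    The length field counts the unit id byte plus the PDU. Nothing in the
    frame authenticates the sender or protects the PDU from modification."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode a Modbus/TCP request; raise ValueError on anything malformed."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    return ModbusRequest(tid, unit, frame[7], bytes(frame[8:]))


# --- Assumed site policy (constructed for this example) --------------------
SCADA_SUBNET = ipaddress.ip_network("10.10.1.0/24")
# source host -> (role, function codes that role may issue)
POLICY = {
    "10.10.1.20": ("engineering workstation", set(FUNCTION_NAMES)),
    "10.10.1.30": ("HMI", {1, 2, 3, 4}),            # read-only role
}
KNOWN_UNITS = {1, 2}                                 # PLC unit ids on this segment
# holding register -> (min, max) engineering limits for Write Single Register
SETPOINT_LIMITS = {0x0010: (0, 1200)}                # assumed: pump speed in rpm


def check_request(src_ip: str, frame: bytes) -> list[str]:
    """Return alert strings for one request; an empty list means no finding."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return [f"{src_ip}: malformed Modbus/TCP frame ({exc})"]
    alerts: list[str] = []
    fname = FUNCTION_NAMES.get(req.function, f"function {req.function}")
    policy = POLICY.get(src_ip)
    if policy is None:
        # Unknown sender: either an unregistered device on the SCADA segment
        # or traffic that crossed the segmentation boundary.
        where = ("unregistered host on SCADA segment"
                 if ipaddress.ip_address(src_ip) in SCADA_SUBNET
                 else "host outside SCADA network")
        alerts.append(f"{src_ip}: {where} sent {fname} to unit {req.unit_id}")
    else:
        role, allowed = policy
        if req.function not in allowed:
            alerts.append(f"{src_ip}: {role} is not permitted {fname}")
    if req.unit_id not in KNOWN_UNITS:
        alerts.append(f"{src_ip}: request to unknown unit id {req.unit_id}")
    if req.function == 6 and len(req.data) == 4:
        # Process-aware check: the value itself must be within engineering limits.
        addr, value = struct.unpack(">HH", req.data)
        lo, hi = SETPOINT_LIMITS.get(addr, (0, 0xFFFF))
        if not lo <= value <= hi:
            alerts.append(f"{src_ip}: write of {value} to register {addr:#06x} "
                          f"outside engineering limits {lo}-{hi}")
    return alerts


def run_detection(traffic: list[tuple[str, bytes]]) -> list[str]:
    return [alert for src, frame in traffic for alert in check_request(src, frame)]


# Constructed sample traffic: (source ip, raw Modbus/TCP frame).
TRAFFIC = [
    ("10.10.1.30", build_modbus_tcp(1, 1, 3, struct.pack(">HH", 0, 10))),         # HMI reads 10 registers
    ("10.10.1.20", build_modbus_tcp(2, 1, 6, struct.pack(">HH", 0x0010, 900))),   # engineer sets 900 rpm
    ("10.10.1.30", build_modbus_tcp(3, 1, 6, struct.pack(">HH", 0x0010, 900))),   # HMI attempts a write
    ("192.168.50.7", build_modbus_tcp(4, 1, 16, struct.pack(">HHBH", 0x0010, 1, 2, 2000))),  # corporate host
    ("10.10.1.20", build_modbus_tcp(5, 1, 6, struct.pack(">HH", 0x0010, 3000))),  # engineer, out of range
    ("10.10.1.20", build_modbus_tcp(6, 9, 3, struct.pack(">HH", 0, 1))),          # unknown unit id
    ("10.10.1.20", b"\x00\x07\x00\x00\x00\x02\x01"),                              # truncated frame
]

if __name__ == "__main__":
    for alert in run_detection(TRAFFIC):
        print(alert)
```

Because the protocol carries no authentication, the check trusts the source address: an attacker who spoofs the engineering workstation's address, or who has compromised it, passes every test except the engineering-limit check. That gap is why integrity rather than confidentiality is the primary data security concern for SCADA traffic, and why passive monitoring of this kind is a compensatory rather than a preventive control.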
MONITORING CONTROLS
As described earlier, SCADA applications and protocols are inherently insecure. Another known issue with SCADA systems is the difficulty of applying patches; as a result, monitoring is relied on as a compensatory control. The subsections in this area are:
1. Incident management—Established and documented incident management processes are the key to ensuring orderly handling of incidents. Most regulations also stress efficient processes for incident management and incident reporting.
2. Threat monitoring—SCADA applications and protocols are inherently insecure; lack of awareness, dependency on vendors for applying patches, wide area networks and the need for segregation of SCADA networks make threat monitoring one of the most important sections of the SCADA security controls. Monitoring is used not only for detection and prevention; in many cases it is also applied as a compensatory control.
3. Forensics—SCADA system breaches often have a serious impact on an entire geographic area. Forensics helps in unearthing and establishing what happened during an incident.

THIRD-PARTY CONTROLS
Third-party vendors often supply SCADA systems. For SCADA security professionals, controls related to third parties, including vendors and partners, are critical:
1. Vendor security management—Vendors play important roles in SCADA. SCADA devices and applications are often supplied by vendors, and many times vendors manage the infrastructure, including IT maintenance, SCADA systems, and IT and SCADA networks, or act as managed security service providers. Vendor security management establishes the necessary controls over vendors and over SCADA security for the enterprise. One such control is contract management: ensuring security is part of standard contracts and specifications for vendors, and reviewing and evaluating vendors for security.
2. Partner security management—In today's interconnected world, organizations that rely on SCADA networks are often interdependent. Partner security management, in which rules of engagement between partners are established, caters to this area.

SCADA SECURITY FRAMEWORK USE CASES
The SCADA security framework can be used by organizations to set up their SCADA security organization, SCADA security policies/standards and risk control framework, which can be further used for risk assessments and for benchmarking the organization's SCADA security. Organizations can build upon the SCADA security framework to frame short-, medium- and long-term security plans, selecting appropriate tools and technology to secure SCADA networks and devices.

CONCLUSION
SCADA/industrial control systems come with their own unique challenges and require a thoughtful approach from the security community to provide a comprehensive solution that meets the security needs of this area. A cybersecurity framework is an important element; however, its implementation is only the first step in the journey to establish a reliable and comprehensive cybersecurity solution for SCADA systems. The next steps for this framework include:
1. Creation of controls mapped to each subsection, with clearly measurable goals
2. A maturity model for benchmarking organizations' SCADA security posture
3. A technical implementation blueprint
An ideal implementation of the SCADA security framework would include a GRC tool, an identity and access management (IAM) tool set, network segmentation and security monitoring—a sound recipe for continuous control monitoring.

REFERENCES
North American Electric Reliability Corporation, Critical Infrastructure Protection (NERC CIP), www.nerc.com/page.php?cid=2%7C20
PCSF Congress of Chairs, Cyber Security Combined Glossary Project, "AGA 12 Series," http://ics-cert.us-cert.gov/practices/pcsf/groups/d/1176393761-combined_glossary_2007_03_28.pdf
Phinney, Tom; "ISA/IEC 62443: Industrial Network and System Security," International Society for Automation/International Electrotechnical Commission, www.isa.org/autowest/pdf/Industrial-Networking-and-Security/Phinneydone.pdf
UK Center for Protection of National Infrastructure (CPNI), www.cpni.gov.uk/advice/cyber/Critical-controls/
National Institute of Standards and Technology (NIST), Guide to Industrial Control Systems (ICS) Security, NIST SP 800-82, http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
Panetta, Leon; US Defense Secretary speech reference on Industrial Control Security, 2012