Computerized process-control systems run some of the most critical infrastructures in the United States , such as power utilities, water treatment plants, chemical plants and mass-transit systems. The security of legacy Supervisory Control and Data Acquisition (SCADA) systems has come under intense scrutiny as a result of homeland security initiatives being put in place to protect the Nation’s critical infrastructure. Presidential Decision Directive 63 and a number of more recent government and industry efforts have put pressure on the electric, water, and gas utility industry to develop and implement policies and solutions to protect against the threat of cyber attack, as little attention, until recently, was given to securing these systems from a cybersecurity. SCADA networks are vulnerable to cyber attacks that can result in public safety concerns and serious disruptions to the Nation’s economy. Improving the security of legacy SCADA systems against cyber attack requires flexible solutions that are easy to install and do not impact system performance and operations. While many SCADA systems today have some form of authentication function for access control, this is typically the only security measure employed, and thus systems remain vulnerable to interception, alteration, and replay of data that can allow an intruder to circumvent these and effectively seize operations.

Thales understands the demands of critical SCADA networks. The Datacryptor® SA encryption solution for unprotected SCADA networks offers the following key security solutions.

• Robust security using NIST approved AES cryptography
• Designed to FIPS 140-2 Level 2 and IEEE 1613
• Compatible with industry’s standard communications protocols; MODBUS and DNP
• Designed to protect both SCADA communications and maintenance ports of vulnerable RTUs and IEDs
• Flexible point-to-point, multi-drop, and mixed-mode operation and secure remote management

Target Applications

• The Datacryptor SA enables utilities, their SCADA operators to deploy vital safeguards for their networks and implement security policies that can restrict access to critical resources for secure management and monitoring throughout the entire network.

Remote Access Control Application

Authentication is a critically important issue when accessing maintenance port of fielded devices. As field technicians frequently use mobile computer platforms to remotely access devices and perform routine operations such as changing parameter or setting thresholds used to monitor and automatically control operational processes, it is imperative to employ Role Based Access Control (RBAC) mechanisms to ensure only authorized users with the proper rights can perform these operations. In these remote operational scenarios, the Datacryptor SA’s client software is installed in the field technician’s mobile platform (such as a notebook computer), and through a dial-up modem, a secure connection is achieved with the remote site’s Datacryptor SA. To ensure both authenticated access and encryption, two-factor authentication requiring a USB token and a password are used. Removal of the token during connection automatically disables the connection.

Regulatory Compliance

Because the critical infrastructure is typically owned and controlled by both the private sector and government, both industry recommendations and government legislation are forming part of the framework for future regulations describing processes, procedures, and technology implementations to protect SCADA networks.

The development of retrofit solutions that can provide robust cyber security to existing fielded SCADA systems has been of particular interest to industry organizations such as the North American Electric Reliability Council (NERC), the Gas Technology Institute (GTI), and the Instrumentation Systems and Automation Society (ISA). Since SCADA systems typically have useful lives of over 15 years, retrofit solutions are expected to play a key role in addressing cyber security concerns and enable fielded systems to be brought into compliance while embedded security features are designed and made available to the market as part of future more robust SCADA systems.

The efforts of these organizations are yielding security recommendations including NERC (CIP-002 through -009), and the American Gas Association (AGA-12) standard that provide guidelines on the establishment of security policies and procedures including the use of retrofit cryptographic devices.