Panel: SCADA System Security: Challenges and Future Directions
Friday, 12 December 2014
08:30 - 10:00
Moderator: Irfan Ahmed, University of New Orleans
Chris Sistrunk, Mandiant
Tommy Morris, Mississippi State University
Eric J. Byres, Tofino Security
Zach Tudor, SRI International
Supervisory control and data acquisition (SCADA) systems are critical for industrial automation, facilitating effective monitoring and control of physical processes such as power generation and transmission, oil and gas refining, and steel manufacturing. Early SCADA systems were isolated and not designed to deal with cyber attacks. Over the years, SCADA systems have evolved and are now (indirectly) connected to corporate networks and the Internet to seamlessly integrate SCADA information with external information, e.g. corporate mail systems or weather data. The reachability of SCADA systems from a much wider network brings threats that were unimagined when those systems were conceived, such as vulnerable SCADA protocols and applications.
The panel seeks to discuss the current security challenges facing SCADA systems and to debate possible future directions for dealing with these challenges. The panel brings viewpoints from both industry and academia.
Eric Byres: Since the discovery of the Stuxnet worm in 2010, there has been exponential growth in government security alerts regarding Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) products. Now thanks to new open source test tools, industry is about to be faced with a storm of security vulnerabilities in SCADA equipment. SCADA vendors are unlikely to be able to keep up with these vulnerability disclosures - according to one analyst, less than half of the product vulnerabilities listed by ICS-CERT have patches. Even patched, most control protocols are completely unauthenticated, so in the words of Dale Peterson, “control systems are insecure by design.” While replacing all the PLCs, RTUs and IECs in the world with new products might be the answer for some, most engineers will have to make do with the equipment they already have, regardless of the flaws. For these unfortunate but real world professionals, the only answer is to be deploying compensating security controls while they wait for the day of the perfectly secure ICS equipment to arrive.
Zach Tudor: Some of the areas I’m concerned about are the integration of safety systems with control systems, provably secure systems, and software assurance methodologies for SCADA and control systems. Understanding risk for SCADA systems and critical infrastructures is still insufficient: likelihood of attack is a major variable in the risk equation, but we haven’t come close to determining that value for cybersecurity.
About the Panelists:
Chris Sistrunk is a Senior Consultant in Mandiant’s Strategic Solutions Consulting practice, focusing on cyber security for industrial control systems (ICS) and critical infrastructure. Prior to joining Mandiant, Chris was a Senior Engineer at Entergy (over 11 years) where he was the Subject Matter Expert (SME) for Transmission & Distribution SCADA systems. Chris has 10 years of experience in SCADA systems with tasks such as standards development, system design, database configuration, testing, commissioning, troubleshooting, and training. He was the co-overseer of the SCADA, relay, and cyber security labs at Entergy Transmission for 6 years. Chris is a registered professional engineer in Louisiana, a senior member of IEEE, IEEE PES, DNP Users Group, and the DNP Technical Committee. Chris is an experienced team leader, loves problem solving, and enjoys engineering unique solutions. He is currently researching deeper into SCADA cyber security and Industrial Control Systems security in general. Chris enjoys out-of-the-box thinking to solve difficult or complex problems. He also enjoys networking with his peers in the SCADA community across the globe. “I love breaking and fixing things. To make things work well, you must break them.”
Dr. Tommy Morris currently serves as Associate Director of the Distributed Analytics and Security Institute (DASI) and Associate Professor of Electrical and Computer Engineering at Mississippi State University. He also currently serves as director of the MSU Critical Infrastructure Protection Center (CIPC) and is a member of the MSU Center for Computer Security Research (CCSR). Dr. Morris received his Ph.D. in Computer Engineering in 2008 from Southern Methodist University in Dallas, TX with a research emphasis in cyber security. His primary research interests include cyber security for industrial control systems and electric utilities and power system protective relaying. His recent research outcomes include vulnerability and exploit taxonomies, intrusion detection systems, virtual test beds, and a relay setting automation program used by a top 20 investor owned utility. He has authored more than 40 peer reviewed research conference and journal articles in these areas. Dr. Morris’s research projects are funded by the National Science Foundation, Department of Homeland Security, Pacific Northwest National Laboratory, NASA, the US Army Corps of Engineers Engineering Research Development Center (ERDC), Pacific Gas and Electric Corporation, and Entergy Corporation. Prior to joining MSU, Dr. Morris worked at Texas Instruments (TI) for 17 years in multiple roles including circuit design and verification engineer, applications engineer, team leader, and program manager.
Eric Byres is one of the world's leading experts in the field of SCADA security. Eric’s background as a process controls engineer allows him to bring a unique combination of deep technical knowledge plus practical field experience to his role as Chief Technology Officer at Tofino Security, a Belden Brand. Before starting Tofino Security, Eric founded the British Columbia Institute of Technology (BCIT) Critical Infrastructure Security Centre. He shaped it into one of North America's leading academic facilities in the field of SCADA cyber security, culminating in a SANS Institute Security Leadership Award in 2006. Eric held the Advanced Systems Institute (ASI) fellowship for industrial network security research from 2002 to 2005. In 1999, he was the winner of the Best Paper Award at the Institute of Electrical and Electronics Engineers (IEEE) Pulp and Paper Industrial Applications Conference and in September 2000 he won the IEEE Outstanding Industry Applications Article award for his paper on ICS security. Eric has been responsible for numerous standards for data communications and security in industrial environments. This has included chairing the ISA-99 Security Technologies Working Group, which is responsible for the standardization of security technologies for Industrial Automation and Control Systems. He served as the chair of the ISA99 Task Group 2, conducting an analysis of ISA/IEC-62443 standards with respect to Stuxnet. He is also the Canadian representative for IEC TC65/WG13, a standards effort focusing on an international framework for the protection of process facilities. His contributions to security standards were formally recognized in Oct 2009 when the International Society of Automation (ISA) awarded him the rare honor of ISA Fellow for his outstanding achievements in science and engineering. In November 2013 he was awarded a second time, receiving the ISA Excellence in Leadership, the society’s highest honor.
Zach Tudor, a Program Director in the Computer Science Laboratory at SRI International, serves as a management and technical resource for operational and research and development cyber security programs for government, intelligence, and commercial projects. He supports DHS’s Cyber Security Research and Development Center (CSRDC) on projects including the Linking the Oil and Gas Industry to Improve Cybersecurity (LOGIIC) consortium, and the Industrial Control System Joint Working Group (ICSJWG) R&D working group. He is a member of (ISC)2’s Application Security Advisory Board and the Nuclear Cyber Security Working Group, is the past Co-Chair of the Institute for Information Infrastructure Protection (I3P), and represents SRI in the International Information Integrity Institute (I-4), a world forum for senior information security professionals. Prior to SRI, Zach led a team of cyber security engineers and analysts directly supporting the Control Systems Security Program (CSSP) at DHS, whose mission is to reduce the cyber security risk to critical infrastructure systems. Past assignments include on-site deputy program manager for the NRO’s world-wide operational network, information security manager for OSD CIO’s Enterprise Operations Support Team, security management support for the Centers for Medicare and Medicaid Services, and several senior-level consulting positions including Vice President of SAIC’s Enabling Technology Division, and Senior Manager for Department of Defense programs at BearingPoint's Security Practice. He is a retired U.S. Navy Submarine LDO Electronics Officer and Chief Data Systems Technician. Mr. Tudor holds an M.S. in Information Systems from George Mason University, where he was also an adjunct professor teaching graduate courses in information security. His professional credentials include the Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Certified Computer Professional (CCP).