Åttonde Nordiska Dricksvattenkonferensen - Svenskt Vatten
Åttonde Nordiska Dricksvattenkonferensen - Svenskt Vatten
Åttonde Nordiska Dricksvattenkonferensen - Svenskt Vatten
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Introduction<br />
This section considers the general background and issues of SCADA security.<br />
Background<br />
Industrial information and control systems are widely used for control automation to enable services,<br />
quality and efficiency of water supply to the society. These industrial information and control systems are<br />
often denoted as SCADA systems (which is the abbreviation for Supervisory Control And Data<br />
Acquisition). SCADA systems still often use legacy technologies but have gradually, during the last<br />
decades, evolved and now use more modern computer-based systems (Cegrell 1994; Johansson 1996).<br />
Previously, SCADA systems have been relatively isolated. That is, stand-alone systems without<br />
connections to other systems or networks. However, with the advancements in microprocessor<br />
technologies, data could be multiplexed and collected from field stations and transmitted to a central<br />
location for supervisory control. Radio and leased phone lines were incorporated for communication<br />
between a central control room and field stations, resulting in the adoption of unattended monitoring and<br />
control capabilities for pump stations and water pipelines.<br />
Cost tends to be the primary motivational factor in modernizations of water utility plants. As a result,<br />
spending on IT systems and security tends to be relegated to the margins. As these plants began to<br />
automate from analog systems to digital control, they embraced "plug-n-play" systems to quickly<br />
interconnect remote and distributed sites over Internet Protocol (IP) because it was cheap and<br />
interoperable. In so doing, secure architecture wasn't a primary design consideration. In fact, the design of<br />
these SCADA systems did not really consider security at all (Johansson 1996; Johansson 2009; Krutz<br />
2006; Shephard 2002; Stamp 2003).<br />
The increasing use of computer-based components, and the integration with other IT systems has also<br />
affected the organisations staffing requirements. In several places, there are today fewer individuals that<br />
maintain the water supply to society than just a decade ago. One single operator can easily monitor and<br />
remotely control the waterworks pumps, valves and the entire water supply from a central workstation in<br />
a control room. And further development have now made it possible to move this workplace, it is not<br />
necessarily bound to a specific central control room, since applications exist to manage SCADA systems<br />
from mobile devices.<br />
Moreover, the computerization enabled the digitalization of other critical data, such as information<br />
about the location of pipelines and descriptions of systems and their configurations. This simplification of<br />
communicating data increases its availability to users and systems. However, this critical information is<br />
increasingly being sent across other networks, making it possible to reach data far beyond the local water<br />
companies' premises (Johansson 2007; Johansson 2009).<br />
Increased security concern<br />
Since many critical infrastructure services, such as water supply, depend on these SCADA systems,<br />
any vulnerability in them may result in undesirable consequences for citizens and society. In the light of<br />
the security breach that occurred more than ten years ago at Maroochy Water Services in Queensland,<br />
Australia, concern has thus been expressed regarding the security of SCADA systems (NIST 2008).<br />
Despite this concern, recent practical assessments implied that, information security is still weak when<br />
it comes to SCADA systems. One could approximate from these assessments that SCADA security is<br />
lagging roughly ten years behind traditional (office) IT-security. However, those findings might be<br />
anomalies and therefore not relevant to most of the water utilities in Sweden.<br />
In order to attain better understanding of the situation regarding information security at the drinking<br />
water sector in Sweden a more comprehensive survey of the SCADA environments and their security was<br />
initiated. This paper briefly illustrates and discusses the structure and general findings of this national<br />
survey. However, the paper will not go into any details of specific critical findings.<br />
48 Session 2: Säker dricksvattenförsörjning