Practical_modern_SCADA_protocols_-_dnp3,_60870-5_and_Related_Systems

372 Practical Modern SCADA Protocols: DNP3, 60870.5 and Related Systems
14.3.12 Utilities
14.3.13 Vendors
14.3.14 Security
American Electric Power, Ameren, Arizona Electric Power, Baltimore Gas and Electric,
Bonneville Power Authority, Boston Edison, Cinergy, City Public Service San Antonio,
Commonwealth Edison, Duke, Duquesne Light, Florida Power Corp, GPU Energy, Indianapolis
Power and Light, National Grid (England), Northern States Power, NUON/TB
(Netherlands), Ontario Power (Canada), Potomac Electric Power, Pennslyvania Power and
Light, Southern California Edison, Tampa Electric, Texas Utilities, Tennessee Valley
Authority, United Power Association, ENEL (Italy), Entergy, VEW (Germany).
ABB, Alligator Communications, Alstom (GEC), Basler, Beckwith, Bitronics, Cooper,
Cycle Software, Dascan/G&W Electric, Doble, Dranetz/BMI, GE/Multilin, Harris/GE,
Modicon/Square D, Power System Engineering, Process Systems, QEI/Kearney Switch,
Rochester Instrument Systems, SEL, Siemens Energy & Automation, Siemens Power
Transmission & Dist., Sisco, Inc, Tamarack, Inc, Tasnet, Telegyr (now a division of
Siemens), US West Communications Services, Valmet (now Neles Automation).
(This list is 2–3 years old).
Within the water industry, the American Water Works Association UCA technical
committee will meet in June, 2001 to formally approve a recommendation for the adoption
of UCA within the water industry in the US. It will be several years however before
the device object models are developed and agreed and we see UCA systems becoming
routine in the industry.
The gas industry has approved UCA and work is advanced on approving several device
object models.
Security is an important issue for UCA.
Traditional SCADA systems with proprietary protocols largely relied on ‘security by
obscurity’. As the industry has evolved towards ‘open’ protocols, the degree of security
has reduced. UCA with its open standards, and auto configuration has made this problem
worse. The plug and play nature of this allows potential attackers to simply ask devices to
describe themselves. The UCA standard specifies security services that are required to be
supported.
The IEEE are sponsoring a consultant (Herb Falk of Sisco Inc) to define the amendments
to the IEC 870 and DNP3 standards necessary to implement security in these protocols.
They have taken the unusual step of including a non IEEE standard (DNP3) within the
scope of this work because DNP3 is sufficiently widespread that ‘otherwise we would
have failed to secure the (electricity) industry’.
However security of SCADA data communications is probably a relatively small part
of the security issues relating to SCADA. Recent studies by Major Barry Ezell of
the US Army identified (by surveying a large number of water utilities world-wide) that
the biggest threat came through attacks on the SCADA master system, and that the
disgruntled ex-employee was the most likely source of threat. It also identified that many
simple measures essential to secure a system such as enforced rotation of passwords, and
removing USERIDs of staff who left the company were not routinely practised in SCADA
installations although they are commonplace in the IT world.