SlideShare a Scribd company logo

Scada security

Download as PPTX, PDF
S
sommerville-videos

SCADA systems control critical infrastructure but were historically isolated systems with obscurity for security. They are now increasingly connected to the internet and each other, exposing vulnerabilities like weak passwords and unencrypted data. This presents a serious challenge as SCADA systems have special requirements preventing standard security practices and are difficult to take offline. Government and industry are working to improve SCADA security through awareness, training, and regulation.

TechnologyBusiness
1 of 25
Downloaded 281 times
1
2
3
4
5
6
7
8
Most read
9
10
11
12
Most read
13
14
15
16
17
18
19
20
Most read
21
22
23
24
25
SCADA security, 2013 Slide 1 SCADA systems security
SCADA security, 2013 Slide 2 24/7 infrastructure availability • The infrastructure controlled by SCADA systems and PLCs often has to be continuously available and must operate as expected
SCADA security, 2013 Slide 3 Continuous operation • In some cases, it may be very disruptive to switch off PLC- controlled equipment as it is impossible to predict when the system will be required
SCADA security, 2013 Slide 4 Critical SCADA systems • Failure of controlled systems can lead to direct loss of life due to equipment failure or indirect losses due to failure of the critical infrastructure controlled by SCADA systems • SCADA must therefore be dependable – Safety and reliability – Security
SCADA security, 2013 Slide 5 SCADA safety and reliability • SCADA safety and reliability – Needs specific safety analysis techniques for PLCs because they are programmed in a different way (ladder logic) – SCADA systems are designed with redundancy and backup, which contributes to the availability of these systems
SCADA security, 2013 Slide 6 SCADA security
SCADA security, 2013 Slide 7 SCADA legacy systems • Security through isolation – SCADA systems, historically, were unconcerned with security because they were isolated systems • Security through obscurity – Non-standard programming languages and protocols used.
SCADA security, 2013 Slide 8 Security through isolation • If a system is not connected to the Internet, then it cannot be penetrated by attacks from the Internet • This is the so-called ‘air gap’ between the SCADA system and the rest of the world
SCADA security, 2013 Slide 9 Maroochy Water Breach • The Maroochy Water Breach (see video) was a cyberattack on a sewage treatment system in Australia carried out by an insider
SCADA security, 2013 Slide 10 Security through obscurity • Approach to security that is based on the fact that information about a system is not widely known or available so the assumption is that few people can successfully attack the system from outside
SCADA security, 2013 Slide 11 Security through obscurity • Susceptible to insider attack from those who know the information inside the organization • SCADA systems are sold globally – therefore information is available to other countries who may be potentially hostile • Information on SCADA systems can be stolen and used by attackers
SCADA security, 2013 Slide 12 SCADA connectivity • 3rd generation SCADA systems are now reliant on standard IT technologies and protocols (Microsoft Windows, TCP/IP, web browsers, organisational wireless networks, etc.) • Integrated with older SCADA systems
SCADA security, 2013 Slide 13 Internet-based SCADA
SCADA security, 2013 Slide 14 SCADA legacy systems • There are a huge number of 2nd generation SCADA systems that are still in use and are likely to remain in use for many years – Infrastructure systems can have a 20+ year lifetime • However, these are now being ‘updated’ with new equipment which is network-connected • These older legacy systems were developed without security awareness and so are particularly vulnerable to attack
SCADA security, 2013 Slide 15 The myth of the ‘air gap’ • Direct connections to vendors for maintenance, stock ordering etc. • Connected to enterprise systems, which in turn are on the Internet.
SCADA security, 2013 Slide 16 The myth of the air gap • PCs used by operators may be multi- functional and internet connected • Operators transfer information using USB drives
SCADA security, 2013 Slide 17 SCADA vulnerabilities
SCADA security, 2013 Slide 18 SCADA security vulnerabilities • Weak passwords • Open to port scanning to discover SCADA systems on network • Lack of input validation –buffer overflow and SQL poisoning • Unencrypted network traffic
SCADA security, 2013 Slide 19 SCADA security challenges • SCADA systems and PLC software is normally developed by engineering companies with very limited experience of developing secure systems • The system developers are usually domain experts (oil and gas engineers, power engineers, etc.) rather than software engineers. • They may have had no training in security techniques.
SCADA security, 2013 Slide 20 SCADA security challenges • Not always possible to use standard security tools and techniques: – It may not be possible to install anti-virus protection on process control systems, owing to the lack of processor power on legacy systems, the age of operating systems or the lack of vendor certification.
SCADA security, 2013 Slide 21 SCADA security challenges • Security testing on process control systems must also be approached with extreme caution – security scanning can seriously affect the operation of many control devices. • There are sometimes few opportunities to take the systems off-line for routine testing, patching and maintenance.
SCADA security, 2013 Slide 22 Improving SCADA security • Government and industry reports to raise awareness of SCADA security issues • Establishment of bodies specifically concerned with infrastructure protection who can advise on SCADA system security
SCADA security, 2013 Slide 23 Improving SCADA security • Better security education and training for SCADA developers • Need for regulators to become involved – security certification
SCADA security, 2013 Slide 24 © David Shankbone 2012
SCADA security, 2013 Slide 25 Summary • Government organisations are seriously concerned about the vulnerability of SCADA systems to cyberattacks and the consequences for our national infrastructure • SCADA systems connected to internet so vulnerable to external attack • SCADA systems are often old systems that were built without security concerns – therefore are vulnerable to external attack

More Related Content

PDF
SCADA Security Presentation
Filip Maertens
 
PDF
Securing SCADA
Jeffrey Wang , P.Eng
 
PDF
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
PDF
Industrial_Cyber_Security
WillianMachadoFonsec
 
PDF
Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...
Edureka!
 
PDF
The journey to ICS - Extended
Larry Vandenaweele
 
PPTX
Security of IOT,OT And IT.pptx
MohanPandey31
 
PDF
SenseTek Stratos Micra 25 installers handbook
Hans Bronkhorst
 
SCADA Security Presentation
Filip Maertens
 
Securing SCADA
Jeffrey Wang , P.Eng
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
Industrial_Cyber_Security
WillianMachadoFonsec
 
Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...
Edureka!
 
The journey to ICS - Extended
Larry Vandenaweele
 
Security of IOT,OT And IT.pptx
MohanPandey31
 
SenseTek Stratos Micra 25 installers handbook
Hans Bronkhorst
 

What's hot (20)

PDF
Secure Systems Security and ISA99- IEC62443
Yokogawa1
 
PDF
Secure by Design - Security Design Principles for the Rest of Us
Eoin Woods
 
PDF
Access Control System, BMS
Mohammad Azam Khan
 
PDF
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
Jiunn-Jer Sun
 
PPTX
Security Information Event Management - nullhyd
n|u - The Open Security Community
 
PPTX
CISSP Chapter 1 Risk Management
Karthikeyan Dhayalan
 
PPTX
Understanding cyber resilience
Christophe Foulon, CISSP
 
PPTX
Cyber security: A roadmap to secure solutions
Schneider Electric
 
PPTX
Technology Overview - Symantec Data Loss Prevention (DLP)
Iftikhar Ali Iqbal
 
PPTX
Security Operation Center - Design & Build
Sameer Paradia
 
PDF
Q radar architecture deep dive
Kamal Mouline
 
PDF
Data Center Security
devalnaik
 
PDF
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
 
PPTX
Introduction to ICS/SCADA security
Cysinfo Cyber Security Community
 
PPTX
Dependability and security (CS 5032 2012)
Ian Sommerville
 
PDF
Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks
 
PDF
Computer Security - CCNA Security - Lecture 1
Mohamed Loey
 
PDF
What is ISO 27001 ISMS
Business Beam
 
PPTX
CyberSecurity
divyanshigarg4
 
PDF
Cybersecurity Roadmap for Beginners
Sanjeev Kumar Jaiswal
 
Secure Systems Security and ISA99- IEC62443
Yokogawa1
 
Secure by Design - Security Design Principles for the Rest of Us
Eoin Woods
 
Access Control System, BMS
Mohammad Azam Khan
 
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
Jiunn-Jer Sun
 
Security Information Event Management - nullhyd
n|u - The Open Security Community
 
CISSP Chapter 1 Risk Management
Karthikeyan Dhayalan
 
Understanding cyber resilience
Christophe Foulon, CISSP
 
Cyber security: A roadmap to secure solutions
Schneider Electric
 
Technology Overview - Symantec Data Loss Prevention (DLP)
Iftikhar Ali Iqbal
 
Security Operation Center - Design & Build
Sameer Paradia
 
Q radar architecture deep dive
Kamal Mouline
 
Data Center Security
devalnaik
 
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
 
Introduction to ICS/SCADA security
Cysinfo Cyber Security Community
 
Dependability and security (CS 5032 2012)
Ian Sommerville
 
Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks
 
Computer Security - CCNA Security - Lecture 1
Mohamed Loey
 
What is ISO 27001 ISMS
Business Beam
 
CyberSecurity
divyanshigarg4
 
Cybersecurity Roadmap for Beginners
Sanjeev Kumar Jaiswal
 
Ad

Similar to Scada security (20)

PDF
Securing SCADA
Jeffrey Wang , P.Eng
 
PPT
LIBRARY RESEARCH PROJECT cyber security control inSCAD.ppt
SonuSingh81247
 
PPT
LIBRARY RESEARCH PROJECT SECURITY CONTROL IN SCADA
SonuSingh81247
 
PDF
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
Patricia M Watson
 
PPTX
Security Issues in SCADA based Industrial Control Systems
aswanthmrajeev112
 
PPTX
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
Inductive Automation
 
PPTX
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
Inductive Automation
 
PDF
SCADA Systems Vulnerabilities and Blockchain Technology
ijtsrd
 
PPTX
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
NiMa Bagheriasl
 
PPTX
Scada Industrial Control Systems Penetration Testing
Yehia Elghaly
 
PPTX
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Abhishek Goel
 
PPT
Cybersecurity for Control Systems: Current State and Future Vision pt.1
EnergySec
 
PDF
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
Shakeel Ali
 
PPTX
Scada slide
Towfiqur Rahman
 
PDF
SCADA Exposure Will Short-Circuit US Utilities
FitCEO, Inc. (FCI)
 
PPTX
SCADA Systems and its security!
Shiv Sahni
 
PDF
IJSRED-V2I2P15
IJSRED
 
PPTX
NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
North Texas Chapter of the ISSA
 
PPTX
Introducing scada
sommerville-videos
 
PDF
David Blanco ISHM 8280-2016
David Blanco
 
Securing SCADA
Jeffrey Wang , P.Eng
 
LIBRARY RESEARCH PROJECT cyber security control inSCAD.ppt
SonuSingh81247
 
LIBRARY RESEARCH PROJECT SECURITY CONTROL IN SCADA
SonuSingh81247
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
Patricia M Watson
 
Security Issues in SCADA based Industrial Control Systems
aswanthmrajeev112
 
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
Inductive Automation
 
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
Inductive Automation
 
SCADA Systems Vulnerabilities and Blockchain Technology
ijtsrd
 
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
NiMa Bagheriasl
 
Scada Industrial Control Systems Penetration Testing
Yehia Elghaly
 
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Abhishek Goel
 
Cybersecurity for Control Systems: Current State and Future Vision pt.1
EnergySec
 
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
Shakeel Ali
 
Scada slide
Towfiqur Rahman
 
SCADA Exposure Will Short-Circuit US Utilities
FitCEO, Inc. (FCI)
 
SCADA Systems and its security!
Shiv Sahni
 
IJSRED-V2I2P15
IJSRED
 
NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
North Texas Chapter of the ISSA
 
Introducing scada
sommerville-videos
 
David Blanco ISHM 8280-2016
David Blanco
 
Ad

More from sommerville-videos (20)

PPTX
Architectural patterns for real-time systems
sommerville-videos
 
PPTX
Introduction to real time software systems script
sommerville-videos
 
PPTX
System of systems classification
sommerville-videos
 
PPTX
Reuse landscape
sommerville-videos
 
PPTX
Introduction to systems of systems
sommerville-videos
 
PPTX
Scaling agile
sommerville-videos
 
PPTX
Agile methods for large systems
sommerville-videos
 
PPTX
User stories
sommerville-videos
 
PPTX
Agile and plan based development processes
sommerville-videos
 
PPTX
Fundamental software engineering activities
sommerville-videos
 
PPTX
Introducing Software Engineering
sommerville-videos
 
PPTX
Why se script
sommerville-videos
 
PPTX
Ariane 5 launcher failure
sommerville-videos
 
PPTX
Airbus Flight Control System
sommerville-videos
 
PPTX
Warsaw airbus accident
sommerville-videos
 
PPTX
Stakeholders, viewpoints and concerns
sommerville-videos
 
PPTX
Requirements engineering processes
sommerville-videos
 
PPTX
Requirements engineering challenges
sommerville-videos
 
PPTX
Intro to requirements eng.
sommerville-videos
 
PPTX
Emergent properties
sommerville-videos
 
Architectural patterns for real-time systems
sommerville-videos
 
Introduction to real time software systems script
sommerville-videos
 
System of systems classification
sommerville-videos
 
Reuse landscape
sommerville-videos
 
Introduction to systems of systems
sommerville-videos
 
Scaling agile
sommerville-videos
 
Agile methods for large systems
sommerville-videos
 
User stories
sommerville-videos
 
Agile and plan based development processes
sommerville-videos
 
Fundamental software engineering activities
sommerville-videos
 
Introducing Software Engineering
sommerville-videos
 
Why se script
sommerville-videos
 
Ariane 5 launcher failure
sommerville-videos
 
Airbus Flight Control System
sommerville-videos
 
Warsaw airbus accident
sommerville-videos
 
Stakeholders, viewpoints and concerns
sommerville-videos
 
Requirements engineering processes
sommerville-videos
 
Requirements engineering challenges
sommerville-videos
 
Intro to requirements eng.
sommerville-videos
 
Emergent properties
sommerville-videos
 

Recently uploaded (20)

PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
KodekX | Application Modernization Development
KodekX
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Approach and Philosophy of On baking technology
30anthuong17
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Teaching material agriculture food technology
LiaRayya
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Encapsulation theory and applications.pdf
gurumoop
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 

Scada security

  • 1. SCADA security, 2013 Slide 1 SCADA systems security
  • 2. SCADA security, 2013 Slide 2 24/7 infrastructure availability • The infrastructure controlled by SCADA systems and PLCs often has to be continuously available and must operate as expected
  • 3. SCADA security, 2013 Slide 3 Continuous operation • In some cases, it may be very disruptive to switch off PLC- controlled equipment as it is impossible to predict when the system will be required
  • 4. SCADA security, 2013 Slide 4 Critical SCADA systems • Failure of controlled systems can lead to direct loss of life due to equipment failure or indirect losses due to failure of the critical infrastructure controlled by SCADA systems • SCADA must therefore be dependable – Safety and reliability – Security
  • 5. SCADA security, 2013 Slide 5 SCADA safety and reliability • SCADA safety and reliability – Needs specific safety analysis techniques for PLCs because they are programmed in a different way (ladder logic) – SCADA systems are designed with redundancy and backup, which contributes to the availability of these systems
  • 6. SCADA security, 2013 Slide 6 SCADA security
  • 7. SCADA security, 2013 Slide 7 SCADA legacy systems • Security through isolation – SCADA systems, historically, were unconcerned with security because they were isolated systems • Security through obscurity – Non-standard programming languages and protocols used.
  • 8. SCADA security, 2013 Slide 8 Security through isolation • If a system is not connected to the Internet, then it cannot be penetrated by attacks from the Internet • This is the so-called ‘air gap’ between the SCADA system and the rest of the world
  • 9. SCADA security, 2013 Slide 9 Maroochy Water Breach • The Maroochy Water Breach (see video) was a cyberattack on a sewage treatment system in Australia carried out by an insider
  • 10. SCADA security, 2013 Slide 10 Security through obscurity • Approach to security that is based on the fact that information about a system is not widely known or available so the assumption is that few people can successfully attack the system from outside
  • 11. SCADA security, 2013 Slide 11 Security through obscurity • Susceptible to insider attack from those who know the information inside the organization • SCADA systems are sold globally – therefore information is available to other countries who may be potentially hostile • Information on SCADA systems can be stolen and used by attackers
  • 12. SCADA security, 2013 Slide 12 SCADA connectivity • 3rd generation SCADA systems are now reliant on standard IT technologies and protocols (Microsoft Windows, TCP/IP, web browsers, organisational wireless networks, etc.) • Integrated with older SCADA systems
  • 13. SCADA security, 2013 Slide 13 Internet-based SCADA
  • 14. SCADA security, 2013 Slide 14 SCADA legacy systems • There are a huge number of 2nd generation SCADA systems that are still in use and are likely to remain in use for many years – Infrastructure systems can have a 20+ year lifetime • However, these are now being ‘updated’ with new equipment which is network-connected • These older legacy systems were developed without security awareness and so are particularly vulnerable to attack
  • 15. SCADA security, 2013 Slide 15 The myth of the ‘air gap’ • Direct connections to vendors for maintenance, stock ordering etc. • Connected to enterprise systems, which in turn are on the Internet.
  • 16. SCADA security, 2013 Slide 16 The myth of the air gap • PCs used by operators may be multi- functional and internet connected • Operators transfer information using USB drives
  • 17. SCADA security, 2013 Slide 17 SCADA vulnerabilities
  • 18. SCADA security, 2013 Slide 18 SCADA security vulnerabilities • Weak passwords • Open to port scanning to discover SCADA systems on network • Lack of input validation –buffer overflow and SQL poisoning • Unencrypted network traffic
  • 19. SCADA security, 2013 Slide 19 SCADA security challenges • SCADA systems and PLC software is normally developed by engineering companies with very limited experience of developing secure systems • The system developers are usually domain experts (oil and gas engineers, power engineers, etc.) rather than software engineers. • They may have had no training in security techniques.
  • 20. SCADA security, 2013 Slide 20 SCADA security challenges • Not always possible to use standard security tools and techniques: – It may not be possible to install anti-virus protection on process control systems, owing to the lack of processor power on legacy systems, the age of operating systems or the lack of vendor certification.
  • 21. SCADA security, 2013 Slide 21 SCADA security challenges • Security testing on process control systems must also be approached with extreme caution – security scanning can seriously affect the operation of many control devices. • There are sometimes few opportunities to take the systems off-line for routine testing, patching and maintenance.
  • 22. SCADA security, 2013 Slide 22 Improving SCADA security • Government and industry reports to raise awareness of SCADA security issues • Establishment of bodies specifically concerned with infrastructure protection who can advise on SCADA system security
  • 23. SCADA security, 2013 Slide 23 Improving SCADA security • Better security education and training for SCADA developers • Need for regulators to become involved – security certification
  • 24. SCADA security, 2013 Slide 24 © David Shankbone 2012
  • 25. SCADA security, 2013 Slide 25 Summary • Government organisations are seriously concerned about the vulnerability of SCADA systems to cyberattacks and the consequences for our national infrastructure • SCADA systems connected to internet so vulnerable to external attack • SCADA systems are often old systems that were built without security concerns – therefore are vulnerable to external attack