The U.S. Department of Energy (DOE) established the National SCADA Test Bed (NSTB) Program to help industry and government improve the security of the control systems used in the nation’s critical energy infrastructures. The NSTB Program is funded and directed by the DOE Office of Electricity Delivery and Energy Reliability (DOE-OE). A key part of the program is the assessment of digital control systems to identify vulnerabilities that could put the systems at risk for a cyber attack.

This report summarizes the findings from cyber security assessments performed by Idaho National Laboratory (INL) as part of the NSTB Program. Findings are also included from INL assessments performed for the Department of Homeland Security (DHS) under the Control System Security Program, managed by INL for the DHS National Cyber Security Division. The systems that were assessed ranged in complexity from a perimeter protection device, to small digital control systems, to large Supervisory Control and Data Acquisition/Energy Management Systems (SCADA/EMS) with complex networks, multiple servers, and millions of lines of code. Assessments were performed in the INL SCADA Test Bed, in an INL process control systems test bed, and in operational installations (examining non-production or off-line systems). SCADA/EMS were of the greatest interest in the assessments because of their usual interconnections to critical infrastructure control equipment ranging from valves in oil and gas pipelines to switches and breakers in the national electric grid. If compromised, these systems provide a path to many critical end devices and to other SCADA/EMS.

This report includes information from ten assessments performed within the DOE and DHS programs in the time period from late 2004 through early 2006. These assessments were performed under Cooperative Research and Development Agreements (CRADAs) between the system vendors or asset owners and the INL.
The vendors and owners provided software, hardware, training, and technical support. The INL performed the cyber assessments and reported the results, including recommendations on ways to mitigate the vulnerabilities found. As noted above, some of these assessments were conducted at INL, others at asset owners’ sites. Under the terms of the CRADAs and associated nondisclosure agreements, proprietary information is withheld from public disclosure. Results are therefore presented in a generic fashion in order to protect proprietary information, but every effort has been made to be specific enough to benefit those who provide, use, and secure the systems controlling our nation’s critical infrastructure.

The report focuses on vulnerabilities that were observed across multiple assessments. A fundamental criterion for including a vulnerability or recommendation in this report was that it is identified in at least two independent assessments. The results summarized in this report describe vulnerabilities that were found to be common in field installations, spanning different control system vendor and asset owner configurations. Asset owners can use these observations, and the corresponding recommendations for mitigation, as a basis for enhancing the security of their control systems. Control system vendors, system integrators, and third-party vendors can use the lessons learned to enhance the security characteristics of current and future products.