Securing SCADA systems

Information Management and Computer Security

Volumn 16, Issue 4, 2008, Pages 398-414

  Patel, Sandip C ^a   Sanyal, Pritimoy ^b  

^a MORGAN STATE UNIVERSITY   (United States)

^b MAULANA ABUL KALAM AZAD UNIVERSITY OF TECHNOLOGY   (India)

Author keywords

Data security; Electric power systems; Gas industry; Oil industry; Water supply

Indexed keywords

COMPUTER CRIME; DATA ACQUISITION; ELECTRIC GENERATORS; ELECTRIC POWER MEASUREMENT; ELECTRIC POWER SYSTEMS; ELECTRICITY; GAS INDUSTRY; GAS SUPPLY; INTERNET PROTOCOLS; LIQUEFIED PETROLEUM GAS; NETWORK PROTOCOLS; OFFSHORE OIL WELL PRODUCTION; PETROLEUM REFINERIES; SECURITY OF DATA; SOLUTIONS; WATER SUPPLY;

CONTROL AND MONITORS; CRITICAL SYSTEMS; CYBER ATTACKS; CYBER SECURITIES; DATA SECURITY; DESIGN/METHODOLOGY/APPROACH; EFFICIENT; ELECTRIC POWERS; IMPLEMENTING; IP SECURITIES; OIL INDUSTRY; OPENSSL; PRACTICAL IMPLICATIONS; PROTOCOL SECURITIES; PUBLIC DOMAINS; PUBLIC SAFETIES; SECURE SOCKETS; SECURITY APPROACHES; SECURITY MEASURES; SECURITY SOLUTIONS; SSL/TLS; SSL/TLS PROTOCOLS; SUPERVISORY CONTROL AND DATA ACQUISITION SYSTEMS; UNIVERSITY OF LOUISVILLE; UTILITY COMPANIES;

SCADA SYSTEMS;

EID: 54949110261     PISSN: 09685227     EISSN: None     Source Type: Journal    
DOI: 10.1108/09685220810908804     Document Type: Article

References (64)

1. AGA (2003), "Cryptographic protection of SCADA communications", AGA Report No. 12-1 (draft), American Gas Association, Washington, DC, March.
2. Bellovin, S. (2000), "Hackers penetrate Gazprom", The Risk Digest, Vol. 20 No. 87.
3. Bent, D. (2003), "OSSI making progress on NIST certification of OpenSSL", available at: http://dotnet.sys-con.com/author/ 2523bent.htm (accessed April, 2008), December.
4. Berket, K., Agarwal, D.A. and Chevassut, O. (2002), "A practical approach to the InterGroup protocols", Future Generation Computer Systems, Vol. 18 No. 5, pp. 709-19.
5. Boriani, D.V. (1995), "Axiomatic specification and logic programming: Fast prototyping of correct designs", ISA Transactions, Vol. 34 No. 1, pp. 53-65.
6. Byres, E. (2004), "The myths and facts behind cyber security risks for industrial control systems", news release, bcit News, October 4.
7. CERT (2003), "Advisory CA-2003-26", Carnegie Mellon University, Pittsburgh, PA, available at: www.cert.org/advisories/ CA-2003-26.html (accessed April, 2008).
8. CVE (2007), "CVE ID: CAN-2003-0543", National Cyber Security Division of Department of Homeland Security, Washington, DC, Common Vulnerabilities and Exposures, available at: http://cve.mitre.org/ cgi-bin/cvename.cgi?name=CAN-2003-0543 (accessed April, 2008).
9. Canvel, B., Hiltgen, A., Vaudenay, S. and Vuagnoux, M. (2003), "Password interception in a SSL/TLS channel", Advances in Cryptology - CRYPT'03, Lecture Notes in Computer Science, Vol. 2729, pp. 583-99.
10. DHS (2003), "Critical infrastructure identification, prioritization, and protection", US Department of Homeland Security, Washington, DC, Presidential Directive/Hspd-7 December, available at: www.whitehouse.gov/news/releases/2003/12/20031217-5.html (accessed April, 2008).
11. DHS (2006), "Homeland security advisories and information bulletins", US Department of Homeland Security, Washington, DC, August, available at: www.dhs.gov/xinfoshare/publications/ editorial_0335.shtm (accessed April, 2008).
12. DOE (2002), "21 steps to improve cyber security of SCADA network", US Department of Energy, Washington, DC, September, available at: www.oe.energy.gov/DocumentsandMedia/21_Steps_-_SCADA.pdf (accessed April, 2008).
13. DOE (2003), "Meeting brief: DOE/DHS SCADA meeting", US Department of Energy, Washington, DC, July 16, available at: www.oe.netl.doe.gov/docs/prepare/scada.pdf (accessed April, 2008).
14. DOE (2005), "OpenSSL security vulnerabilities in ASN.1 parsing", US Department of Energy, Washington, DC, Computer Incident Advisory Capability, available at: www.ciac.org/ciac/bulletins/ n-159.shtml (accessed April, 2008).
15. DOT (2007), "Safety and security", US Department of Transportation, Washington, DC, available at: http:// transit-safety.volpe.dot.gov/ (accessed April, 2008).
16. Dierks, T. and Allen, C. (1999), RFC 2246 - the TLS Protocol Version 1.0., Network Working Group, The Internet Society, Reston, VA, January.
17. Dutta, P.K., Hui, J.W., Chu, D.C. and Culler, D.E. (2006), "Securing the deluge network programming system", Proceedings of the Fifth International Conference on Information Processing in Sensor Networks, Nashville, Tennessee, April 19-21, pp. 326-33.
18. Fini, L. (2000), "Linux in embedded industrial applications: A case study", Linux Journal, Vol. 2000 No. 77, p. 12.
19. Freudenthal, E., Port, L., Pesin, T., Keenan, E. and Karamcheti, V. (2002), "Switchboard: Secure, monitored connections for client-server communication", Proceedings of the 22nd International Conference on Distributed Computing Systems Workshops, July 2-5, pp. 660-5.
20. Frost and Sullivan (2001), "European SCADA systems market in dynamic shape", company news, Frost and Sullivan, San Antonio, TX, available at: www.engineeringtalk.com/news/fro/fro144.html (accessed April, 2008), October 11.
21. Garfinkel, S. (2002), Web Security, Privacy & Commerce, 2nd ed., O'Reily & Associates, Inc., Sebastopol, CA.
22. Geer, D. (2006), "Security of critical control systems sparks concern", Computer, Vol. 39 No. 1, pp. 20-3.
23. Gellman, B. (2002), "US fears Al Qaeda cyber attacks", Washington Post, June 26.
24. Gieling, T.H., van Meurs, W.M. and Janssen, H.J. (1996), "A computer network with SCADA and case tools for on-line process control in greenhouses", Advances in Space Research, Vol. 18 Nos 1/2, pp. 171-4.
25. Graham, J.H. and Patel, S.C. (2005), "Correctness proofs for SCADA communication protocols", Proceedings of the 9th World Multi-Conference on Systemics, Cybernetics and Informatics, Orlando, FL, July 10-13, pp. 392-7.
26. Graham, J., Mostafa, S., Arazi, B., Tantawy, A., Hieb, J., Ralston, P. and Patel, S. (2007), "Improvements in SCADA and DCS systems security", Proceedings of International Conference on Computers and Their Applications, Honolulu, Hawaii, March 28-30, pp. 194-200.
27. Heng, G.T. (1996), "Microcomputer-based remote terminal unit for a SCADA system", Microprocessors and Microsystems, Vol. 20 No. 1, pp. 39-45.
28. Hieb, J.L., Graham, J.H. and Patel, S.C. (2007), "Security enhancements for distributed control systems", in Goetz, E. and Shenoi, S. (Eds), Critical Infrastructure Protection: IFIP International Federation for Information Processing Series, Vol. 253, Springer, New York, NY, pp. 55-68.
29. IEC (2003), Power System Control and Associated Communications - Data and Communication Security, The International Electrotechnical Commission, Geneva, May.
30. Kato, H., Furuya, M., Tamano-Mori, M., Kaneko, S. and Nakano, T. (2001), "Risk analysis and secure protocol design for www-based remote control with operation-privilege management", Proceedings of the IEEE International Conference on Systems, Man and Cybernetics, Vol. 2, pp. 1107-12.
31. Kegel, D. (2001), "SSL/TLS", available at: www.kegel.com/ssl/ (accessed April, 2008).
32. Kokai, Y., Masuda, F., Horiike, S. and Sekine, Y. (1997), "Recent development in open systems for EMS/SCADA", International Journal of Electrical Power & Energy Systems, Vol. 20 No. 2, pp. 111-23.
33. Kotok, A. (2002), "Utility deregulation requires effective e-business standards" White Paper, June, available at: www.disa.org/ pdfs/whitep¶er03.pdf (accessed April, 2008).
34. Majdalawieh, M., Parisi-Presicce, F. and Wijesekera, D. (2005), "Distributed network protocol security (DNPSec) security framework", Proceedings of 21st Annual Computer Security Applications Conference, Tucson, AZ, December 5-9.
35. Möller, B. (2004), "Security of CBC ciphersuites in SSL/TLS: problems and countermeasures", available at: www.openssl.org/ ∼bodo/tls-cbc.txt (accessed April, 2008), May.
36. NIPC (2002), "Terrorist interest in water supply and SCADA systems", Information Bulletin 02-001, National Infrastructure Protection Center, Washington, DC, January.
37. NISCC (2003), Vulnerability Advisory 006489/OpenSSL, UNIRAS: Computer Emergency Response Team, National Infrastructure Security Co-ordination Centre, London, November.
38. OpenSSL (2007), "OpenSSL project homepage", available at: www.openssl.org/ (accessed April, 2008).
39. Palmieri, F. (2003), "VPN scalability over high performance backbones evaluating MPLS VPN against traditional approaches", Proceedings of the Eighth IEEE International Symposium on Computers and Communication, Kemer-Antalya, Turkey, June 30-July 3.
40. Patel, S.C. (2006), "Secure internet-based communication protocol for SCADA networks", PhD dissertation, University of Louisville, Louisville, KY.
41. Patel, S.C. and Grahm, J.H. (2004), "Security considerations in DNP3 SCADA systems", Proceedings of the 17th Computer Applications in Industry and Engineering, Orlando, FL, November 17-19, pp. 73-8.
42. Patel, S.C., Bhatt, G.D. and Graham, J. (2008), "Improving the cyber security of SCADA communication networks", Communications of ACM (in press)..
43. Patel, S., Graham, J., Ralston, P. and Tantalean, R. (2005a), "Secure SCADA communications, monitoring, and control over the internet", Proceedings of the 18th Computer Applications in Industry and Engineering, Honolulu, Hawaii, November 9-11, pp. 169-74.
44. Patel, S., Tantalean, R., Ralston, P. and Graham, J. (2005b), "Supervisory control and data acquisition remote terminal unit testbed", Intelligent Systems Research Laboratory Technical Report TR-ISRL-05-01, Department of Computer Engineering and Computer Science, University of Louisville, Louisville, KY.
45. Petree, V. (1995), "SCADA-Linux still hard at work", Linux Journal, Vol. 1995 No. 10, February.
46. Petree, V. (1998), "Linux means business", Linux Journal, Vol. 1998 No. 54, October.
47. Portmann, M. and Seneviratne, A. (2001), "Selective security for TLS", Proceedings of 9th IEEE International Conference on Networks, October 10-12, pp. 216-21.
48. Poulsen, K. (2003a), "Slammer worm crashed Ohio nuke plant net", The Register, available at: www.theregister.co.uk/2003/08/20/ slammer_worm_crashed_ohio_nuke/ (accessed April, 2008).
49. Poulsen, K. (2003b), "Brits found OpenSSL bugs", SecurityFocus, September.
50. Preu, K., Le Lann, M-V., Cabassud, M. and Anne-Archard, G. (2003), "Implementation procedure of an advanced supervisory and control strategy in the pharmaceutical industry", Control Engineering Practice, Vol. 11 No. 12, pp. 1449-58.
51. Rescorla, E. (2001), SSL and TLS: Designing and Building Secure Systems, Addison-Wesley, Boston, MA.
52. Smith, T. (2001), "Hacker jailed for revenge sewage attacks", The Register, available at: www.theregister.co.uk/2001/10/31/ hacker_jailed_for_revenge_sewage/ (accessed April, 2008).
53. Su, C-L., Lu, C-N. and Lin, M-C. (2000), "Wide area network performance study of a distribution management system", International Journal of Electrical Power & Energy Systems, Vol. 22 No. 1, pp. 9-14.
54. Sun Microsystems, Inc. (2004), "Java™ Secure Socket Extension (JSSE) Reference Guide for the Java™ 2 SDK, standard edition, v 1.4.2", available at: http://java.sun.com/j2se/1.4.2/docs/guide/ security/jsse/JSSERefGuide.html (accessed Aril, 2008).
55. Tak, S., Lee, Y. and Park, E.K. (2003), "A software framework for non-repudiation service in electronic commerce based on the internet", Microprocessors and Microsystems, Vol. 27 Nos 5/6, pp. 265-76.
56. Taylor, K. and Palmer, D. (2003), "Applying enterprise architectures and technology to the embedded devices domain", Proceedings of the Australasian Information Security Workshop Conference on ACSW Frontiers 2003, Adelaide, Australia, January, pp. 185-90.
57. US-CERT (2004), "Technical cyber security alert TA04-111A: vulnerabilities in TCP", United States Computer Emergency Readiness Team, Washington, DC, September, available at: www.us-cert.gov/cas/ techalerts/TA04-111A.html (accessed April, 2008).
58. US-CERT (2007), "Advisory notes", Vulnerability numbers: VU# 255484, VU# 380864, VU#686224, VU#732952, VU#935264, and VU#104280, United States Computer Emergency Readiness Team, Washington, DC, available at: www.kb.cert.org/vuls (accessed April, 2008).
59. Varoli, J. (2000), "In bleak Russia, a young man's thoughts turn to hacking", The New York Times online, June.
60. Vaudenay, S. (2002), "Security flaws induced by CBC padding - applications to SSL, IPSEC, WTLS", Proceedings of Advances in Cryptology - EUROCRYPT'02, Amsterdam, Netherlands, pp. 534-45.
61. Ventuneac, M., Coffey, T. and Salomie, I. (2003), "A policy-based security framework for web-enabled applications", Proceedings of the 1st International Symposium on Information and Communication Technologies, Dublin, Ireland, pp. 487-92.
62. Viega, J., Messier, M. and Chandra, P. (2002), Network Security with OpenSSL, O'Reilly & Assoc. Inc., Sebastopol, CA.
63. Watts, D. (2003), "Security and vulnerability in electric power systems", Proceedings of the 35th North American, Power Symposium, Rolla, MO, October 20-21, pp. 559-66.
64. Yasinsac, A. and Childs, J. (2001), "Analyzing internet security protocols", Proceedings of the 6th IEEE International Symposium on High Assurance Systems Engineering, October 22-24, pp. 149-59.