
New funding for automation security research

ControlGlobal.com

The Department of Homeland Security believes that improving the security of distributed control and SCADA systems is an important part of securing our country's critical infrastructure.

 By Dale Peterson, CISSP

The need to secure DCS and SCADA systems essential to running the critical infrastructure has been well-documented in industry publications (see “Securing Control Systems: What You Need to Know,” Feb. ’04, p43) and recently published GAO reports. So why hasn’t this problem been solved?

One major reason is that appropriate security solutions are not available. Inadequacies exist in hardware and software solutions as well as in the protocols and underlying architectures that are commonly deployed. Realizing the need for new solutions, the Department of Homeland Security (DHS) issued a solicitation “seeking innovative ideas to protect SCADA systems from attack” under the Small Business Innovation Research (SBIR) program. The solicitation also requested proposals to secure DCS; in this article, the term SCADA refers to SCADA, DCS, and other process control systems.

“DHS believes that improving the security of distributed control and SCADA systems is an important part of our overall effort to improve the security of the country’s critical infrastructure,” said Dr. Peter Miller, program manager in the Science and Technology Directorate of DHS. “Congress confirmed the importance of this effort with the release in March 2004 of the GAO report ‘Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems.’ Through the SBIR awards, HSARPA [Homeland Security Advanced Research Projects Agency] is supporting innovative research in areas such as authentication and intrusion detection that offer the possibility of significantly advancing the state-of-the-art in the area of distributed control and SCADA systems security.”

Lucky 13
Thirteen small businesses were awarded Phase I contracts under the SBIR program. Limited to $100,000 in funding, Phase I programs have a 6-month duration. During Phase I the researchers create a formal design of the proposed concept and present the results in a preliminary design review with the DHS.

Interestingly, many of the funded projects are trying to solve the same problem with very different technical approaches. This demonstrates that these programs are research, and that it is unclear which approach or combination of approaches will be the best solution to each security problem.

Securing Field Communications
The protocols used in control center-to-PLC/RTU communications are highly insecure because encryption, authentication, and other security measures were not designed into them. An adversary could exploit this flaw by inserting false commands and responses or by modifying legitimate communication. This problem will be around for a long time, given that the life span of field devices is measured in decades, so security solutions are required for both legacy systems and new deployments.

           

KEEP THE LIGHTS ON

While most of the Department of Homeland Security’s Small Business Innovation Research (SBIR) programs apply to SCADA systems in general, three of the research projects are focused solely on electric power systems.

Many existing field devices use 8-bit microprocessors with limited computing power. Asier Technology Corp. has developed encryption algorithms for low-power, 8-bit microprocessors and will attempt to integrate its software code into currently available PLCs and RTUs. If successful, this would provide an inexpensive upgrade path for secure field communications, as opposed to wholesale replacement.

