New funding for automation security research

The Department of Homeland Security believes that improving the security of distributed control and SCADA systems is an important part of securing our country's critical infrastructure.

 By Dale Peterson, CISSP


The need to secure the DCS and SCADA systems essential to running the critical infrastructure has been well documented in industry publications (see “Securing Control Systems: What You Need to Know,” Feb. ’04, p43) and in recently published GAO reports. So why hasn’t this problem been solved?

One major reason is that appropriate security solutions are not available. Inadequacies exist in hardware and software solutions as well as in the protocols and underlying architectures that are commonly deployed. Realizing the need for new solutions, the Department of Homeland Security (DHS) issued a solicitation “seeking innovative ideas to protect SCADA systems from attack” under the Small Business Innovation Research (SBIR) program. The solicitation also requested proposals to secure DCS; in this article the term SCADA refers to SCADA, DCS, and other process control systems.

“DHS believes that improving the security of distributed control and SCADA systems is an important part of our overall effort to improve the security of the country’s critical infrastructure,” said Dr. Peter Miller, program manager in the Science and Technology Directorate of DHS. “Congress confirmed the importance of this effort with the release in March 2004 of the GAO report ‘Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems.’ Through the SBIR awards, HSARPA [Homeland Security Advanced Research Projects Agency] is supporting innovative research in areas such as authentication and intrusion detection that offer the possibility of significantly advancing the state-of-the-art in the area of distributed control and SCADA systems security.”

Lucky 13
Thirteen small businesses were awarded Phase I contracts under the SBIR program. Limited to $100,000 in funding, Phase I programs have a 6-month duration. During Phase I the researchers create a formal design of the proposed concept and present the results in a preliminary design review with the DHS.

Interestingly, many of the funded projects are trying to solve the same problem with very different technical approaches. This demonstrates that these programs are research: it is unclear which approach, or combination of approaches, will be the best solution to each security problem.

Securing Field Communications
The protocols used in control center-to-PLC/RTU communications are highly insecure because encryption, authentication, and other security measures were not designed into the protocols. An adversary could exploit this flaw by inserting false commands and responses or by modifying legitimate communication. This problem will be around for a long time, given that the life span of field devices is measured in decades, so security solutions are required for both legacy systems and new deployments.

While most of the Department of Homeland Security’s Small Business Innovation Research (SBIR) programs apply to SCADA systems in general, three of the research projects are focused solely on electric power systems.

Many existing field devices use 8-bit microprocessors with limited computing power. Asier Technology Corp. has developed encryption algorithms for low power, 8-bit microprocessors and will attempt to integrate their software code into currently available PLCs and RTUs. If successful, this would provide an inexpensive upgrade path for secure field communications as opposed to wholesale replacement.

Dunti LLC will combine network interface technology with encryption and other security protection to create a secure network interface card or module for PLCs. This solution would eliminate any impact of security on PLC microprocessors, memory, and other components. Remote management will enable upgrades as security algorithms and standards change. The initial solution will include a separate box at each PLC, but the end goal would be to integrate a card or module into the PLC.

Middleware vendor Starthis, Inc.’s software allows an IBM, BEA, Oracle or any other application server that uses the Java 2 Platform Enterprise Edition (J2EE) environment to communicate with industrial controllers. During its research project Starthis plans to add encryption and other security protection to this communication by leveraging the security capabilities in J2EE. A small encryption box is likely to be required at the PLC in the project’s initial phase; however, the software could also be integrated into a PLC.

Field Communication Encryption
The Right Stuff of Tahoe, Inc. will also investigate adding encryption to field communications in a small box for legacy systems and directly into an RTU for new systems. While replacing RTUs can be expensive, having secure RTU solutions available for new systems is an important step to eventually securing field communications. Initial efforts will include support for the American Gas Association security standard effort (AGA 12-1) for low-speed serial links and existing industry standard security protocols for higher-speed IP connections.
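As an added illustration of the "small box" approach described above (example code, not the article's or any funded project's own design), the following wrapper adds a sequence counter and a truncated HMAC tag to an otherwise unauthenticated field-protocol frame, so the receiving box can reject commands that were modified in transit or replayed. The key and the command bytes are constructed for the example and do not follow any real protocol encoding; the wrapper shows authentication only, not encryption.

```python
import hmac, hashlib, struct

# Constructed example: a bump-in-the-wire wrapper that adds a sequence
# counter and a truncated HMAC-SHA256 tag to a legacy frame. The key and
# the frame bytes below are made up for this example.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
TAG_LEN = 8  # truncated tag keeps the overhead small on slow serial links

def wrap(key, seq, frame):
    """Return seq (4 bytes, big-endian) || frame || tag."""
    hdr = struct.pack(">I", seq)
    tag = hmac.new(key, hdr + frame, hashlib.sha256).digest()[:TAG_LEN]
    return hdr + frame + tag

class Receiver:
    """Receiving-side box: verifies the tag, then enforces a strictly increasing sequence."""
    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def unwrap(self, msg):
        """Return (True, frame) on success or (False, reason) on rejection."""
        if len(msg) < 4 + TAG_LEN:
            return False, "short"
        hdr, body, tag = msg[:4], msg[4:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, hdr + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"       # inserted or modified frame
        seq = struct.unpack(">I", hdr)[0]
        if seq <= self.last_seq:
            return False, "replay"        # legitimate frame captured and resent
        self.last_seq = seq
        return True, body

def demo():
    # constructed command: unit 1, write output 5, value ON (not a real encoding)
    cmd_on = bytes([0x01, 0x05, 0x00, 0x05, 0xFF, 0x00])
    rx = Receiver(KEY)
    good = wrap(KEY, 1, cmd_on)
    ok1, _ = rx.unwrap(good)
    # the value byte (frame offset 4, message offset 8) is flipped in transit
    tampered = bytearray(good)
    tampered[8] ^= 0xFF
    ok2, why2 = rx.unwrap(bytes(tampered))
    # the original, correctly tagged frame is resent later
    ok3, why3 = rx.unwrap(good)
    return ok1, why2, why3
```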
