Discover the top 3 reasons SCADA software can hold you back, what technological advancements you can use to get ahead, and how merging SCADA and IT can have a powerful effect on your company.03/18/2014
Analyzing "Big Data" provides decision makers with tools to make better operational decisions impacting efficiency, costs, security, and ultimately contribute to greater profits. Download this white paper to learn the role of smart instrumentation, and find out how data is not only shaping business but changing the future of instrumentation03/18/2014
This White Paper explains:
- What the 3S CoDeSys vulnerabilities are and what an attacker can do with them
- How to find out what control/SCADA devices are affected
- The risks and potential consequences to SCADA and control systems
- The compensating controls that will help block known attack vectors
A number of security vulnerabilities in the CoDeSys Control Runtime System were disclosed in January 2012. In October 2012, fully functional attack tools were also released to the general public.
While CoDeSys is not widely known in the SCADA and ICS field, its product is embedded in many popular PLCs and industrial controllers. Many vendors are potentially vulnerable, and include devices used in all sectors of manufacturing and infrastructure. As a result, there is a risk that criminals or political groups may attempt to exploit them for either financial or ideological gain.
This White Paper summarizes the currently known facts about these vulnerabilities and associated attack tools. It also provides guidance regarding a number of mitigations and compensating controls that operators of SCADA and ICS systems can take to protect critical operations.12/26/2012
This white paper provides insight into the evolution of the modern SCADA system and looks to the very near future by discussing such timely topics as:
- Improving system efficiency and security
- Managing field data and
- Open standards
Get the highlights here. See the best of the many presentations from the November event. Topics cover everything from finding workers for tomorrow's factories to 21st-century SCADA systems, safety, sustainability and the newest products from Rockwell Automation. Download the "Smart. Safe. Sustainable" Special Report.03/05/2012
Is Moving Your SCADA System to the Cloud Right For Your Company?
Cloud computing is a hot topic. As people become increasingly reliant on accessing important information through the Internet, the idea of storing or displaying vital real-time data in the cloud has become more commonplace. With tech giants like Apple, Microsoft, and Google pushing forward the cloud computing concept, it seems to be more than just a passing trend.
Recently the focus of cloud computing has started to shift from consumer-based applications to enterprise management systems. With the promise of less overhead, lower prices, quick installation, and easy scalability, cloud computing appears to be a very attractive option for many companies.
Common questions surround this new technology: What is the "cloud"? What kind of information should be stored there? What are the benefits and risks involved? Is moving toward cloud computing right for your company?
Cloud computing is not a "fix-all" solution. It has strengths and weaknesses, and understanding them is key to making a decision about whether it's right for your company. We'll explore the major benefits and risks involved, and give you a set of factors to consider when choosing what information to put on the cloud.12/01/2011
When adding, modifying or upgrading a system, many critical infrastructures conduct a Factory Acceptance Test (FAT). A FAT includes a customized testing procedure for systems and is executed before the final installation at the critical facility. Because it is difficult to predict the correct operation of the safety instrumented system or consequences due to failures in some parts of the safety instrumented system, a FAT provides a valuable check of these safety issues. Similarly, since cyber security can also impact safety of critical systems if a system is compromised, it naturally makes sense to integrate cyber security with the FAT, a concept that brings extreme value and savings to an implementation process.
An Integrated Factory Acceptance Test (IFAT) is a testing activity that brings together selected components of major control system vendors and Industrial Control System (ICS) plant personnel in a single space for validation and testing of a subset of the control system network and security application environment in an ICS environment. Conducting an IFAT provides important advantages and benefits including: time savings, cost savings, improved ability to meet compliance requirements, and increased comfort level with integrated security solutions.
With the current trend of more intelligent ICSs and increased regulatory compliance, the best practice to achieving ICS and IT integration is by conducting an IFAT. A common problem that occurs in the industry is the unanticipated work associated with implementing security controls which can result in production issues. Performing an IFAT avoids costly redesign and troubleshooting during outage operations saving time and money that leads to an enhanced, sound security solution.07/05/2011
Analysis of the ICONICS GENESIS Security Vulnerabilities for Industrial Control System Professionals
A number of previously unknown security vulnerabilities in the ICONICS GENESIS32 and GENESIS64 products have been publically disclosed. The release of these vulnerabilities included proof-of-concept (PoC) exploit code.
While we are currently unaware of any malware or cyber attacks taking advantage of these security issues, there is a risk that criminals or political groups may attempt to exploit them for either financial or ideological gain.
The products affected, namely GENESIS32 and GENESIS 64 are OPC Web-based human-machine interface (HMI) / Supervisory Control and Data Acquisition (SCADA) systems. They are widely used in critical control applications including oil and gas pipelines, military building management systems, airport terminal systems, and power generation plants.
Of concern to the SCADA and industrial control systems (ICS) community is the fact that, though these vulnerabilities may initially appear to be trivial, a more experienced attacker could exploit them to gain initial system access and then inject additional payloads and/or potentially malicious code. At a minimum, all these vulnerabilities can be used to forcefully crash system servers, causing a denial-of-service condition. What makes these vulnerabilities difficult to detect and prevent is that they expose the core communication application within the GENESIS platform used to manage and transmit messages between various clients and services.
This White Paper summarizes the current known facts about these vulnerabilities. It also provides guidance regarding a number of possible mitigations and compensating controls that operators of SCADA and ICS systems can take to protect critical operations.
Learn more about Tofino at www.tofinosecurity.com/blog03/31/2011
The purpose of this paper is to explore the particular ways in which operators can tightly integrate wireless instrumentation networks with SCADA and realize.
Integrating wireless instrumentation with SCADA systems can drive operational efficiency and reduce deployment costs.
The use of wireless instruments in pipelines and gas production operations has been gaining momentum over the past few years. Driven by cost cutting measures and the need to gain more operational visibility to meet regulatory requirements, wireless instruments eliminate expensive trenching and cabling while providing access to hard-to-reach areas using self-contained, battery-powered instruments. However, SCADA engineers and operators are facing the challenge of integrating wireless instrumentation networks with other communication infrastructure available in the field. Managing and debugging dispersed wireless networks presents a new level of complexity to field operators that could deter them from adopting wireless instrumentation despite the exceptional savings.
This paper will look into the particular ways in which operators can tightly integrate wireless instrumentation networks with SCADA and realize the full benefits of such an integrated solution.06/29/2010
Whitelisting is described by its advocates as "the next great thing" that will displace anti-virus technologies as the host intrusion prevention technology of choice. Anti-virus has a checkered history in operations networks and control systems many people have horror stories of how they installed anti-virus and so impaired their test system that they simply couldn't trust deploying it in production.
While anti-virus systems detect "bad" files that match signatures of known malware, whitelisting technologies identify "good" executables on a host and refuse to execute unauthorized or modified executables, presumably because such executables may contain malware. This is a least privilege approach of denying everything that is not specifically approved.
In this paper the Industrial Defender team performs an independent analysis of a variety of whitelisting solutions for their applicability to control systems. The paper closes with some recommendations related to this technology and areas for further research.02/26/2010
Integrators frequently use OPC technology to connect one Industrial Automation system (PLC, DCS, SCADA, HVAC, etc) with another so data can be shared between the two systems. Because OPC technology is based on the Client/Server architecture, the challenge is that two OPC Servers cannot communicate with each other directly. A variety of vendors provide an intermediate software solution, generically called an OPC Bridge, to facilitate this sort of communication. This whitepaper discusses the concept of the OPC Bridge, the solution architecture, required software components, and various features to help Integrators differentiate between different OPC Bridge products.01/26/2009
This white paper describes how SNMP is applied to asset management and transportation of "shadow data," information on equipment maintenance and security within the SCADA system. Since SNMP has emerged as a very efficient vehicle for transportation of this information, it is feasible for addition to existing systems. The white paper includes descriptions of smart function blocks, which significantly reduce programming efforts when used with Semaphore's T-BOX RTU and Kingfisher RTU product lines.01/15/2009
The industrialized world relies on a broad spectrum of vital critical infrastructure sectors. In addition to physical safety and security, network security for critical infrastructure is crucial because of reliance on electronic systems for operational control.08/13/2007
This whitepaper is the first in a series on the security of OPC (OLE for Process Control) and focuses on providing an overview of the widely-used industrial communication standard and how it is actually used in industry.04/13/2007
This report presents evidence in support of a business case for improving security of Supervisory Control and Data Acquisition (SCADA), process control networks (PCN), and manufacturing and industrial automation systems based on an analysis of statistical trends in security incidents.03/19/2007
As enterprise systems evolve towards increasing integration, the need has increased for inherently secure process control systems. This research report describes an initial approach to PCS technical security risk assessment, with attention to the problem of effective risk communication. This document lays the foundation for advancement of a process that focuses on the methodical assessment of risk such that the assessment results will be readily and easily communicable.11/20/2006
The National Institute of Standards and Technology (NIST) has established an Industrial Control System Security Project to improve the security of public and private sector Industrial Control Systems (ICSs).11/10/2006
In this online video presentation (.wmv, 4.77 MB), industrial security expert, Rick Kaun, explains the importance of industrial security, and how plants can ensure that all security threats, especially those most commonly overlooked, are addressed.11/03/2006
This document summarizes important security principles that should be considered when designing and procuring control systems products (software, systems and networks), and provides example language to incorporate into specifications that address these concerns.08/08/2006
This White Paper is the first installment in a series intended to provide relevant cyber security information to the control systems community. It raises cyber security awareness through discussion of control system cyber security trends and provides information on Homeland Security and federal partner programs designed to enhance the cyber security posture of control systems within critical infrastructures.07/10/2006