I3P launches major SCADA security research initiative

Dec. 5, 2005
Researchers will help identify SCADA vulnerabilities and interdependencies between SCADA systems and other critical infrastructures.
THE INSTITUTE for Information Infrastructure Protection (I3P), which is managed by Dartmouth College, launched an $8.5 million research program today that will help protect supervisory control and data acquisition (SCADA) systems in the oil and gas industry and other critical infrastructure sectors.

The I3P is a research consortium funded by the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) that was established to address security issues facing the U.S. information infrastructure. The funds, spread over two years, will support basic research, as well as product-driven technology solutions, in order to better understand and mitigate high-risk SCADA flaws.

SCADA experts and officials within the U.S. government have long warned about the security issues surrounding the use of SCADA and other automation systems to manage and control everything from electric power generation plants and water systems to oil and gas pipelines.

A research team consisting of ten I3P member institutions will help identify SCADA vulnerabilities and interdependencies between SCADA systems and other critical infrastructures. Researchers will develop metrics and models for assessment and management of SCADA security, and create next-generation SCADA systems with built-in security.

"SCADA vulnerabilities remain in deployed systems because of insecure network design and weaknesses in the host systems," said Ron Trellue, the research team's leader and the Deputy Director of the Information Systems Engineering Center at Sandia National Laboratory. "Research will focus on addressing this problem by developing tools to make current SCADA system configurations more secure, while in tandem performing basic research to develop inherently secure designs for the SCADA systems of the future."

The research team also includes security specialists from the University of Illinois Urbana-Champaign, MIT Lincoln Laboratory, the MITRE Corporation, New York University, Pacific Northwest National Laboratory, SRI International, the University of Tulsa, the University of Virginia and Dartmouth College. The I3P team is actively pursuing partnerships with industry to guide the research and develop opportunities for technology transfer.

"This project brings together some of the most experienced and talented researchers from the SCADA and cyber security domains to work jointly on one of the most critical security problems facing the nation. Solving complex SCADA security challenges requires a multi-disciplinary approach. We have assembled a team capable of helping protect critical infrastructures against cyber threats in the near-term and in decades to come," said Trellue.

Trellue's team will work closely with partners in industry and the U.S. government to improve information sharing and communication about SCADA, and to ensure that new, secure technologies are adopted by SCADA operators. The I3P research project is being coordinated with other public and private SCADA efforts around the country.

"This is a major SCADA research initiative that will have high national impact particularly aimed at protecting oil and gas SCADA systems," said Martin Wybourne, Vice Provost for Research at Dartmouth College and Chair of the I3P. "The project reflects a strong collaboration between academia, government and industry under the umbrella of the I3P Consortium," added Wybourne.

According to Douglas Maughan, I3P's program manager at the DHS's Science and Technology Directorate, SCADA technology was not originally designed with today's rigorous security requirements in mind. As SCADA systems increasingly become accessible remotely via the Internet, vulnerabilities to cyber attacks (such as computer viruses, hacking or denial of service) have been amplified.

"Securing SCADA systems is one of the most pressing cyber security priorities because successful attacks against the SCADA infrastructure could result in substantial economic consequences. DHS is helping to coordinate the nation's approach to securing SCADA; the I3P's SCADA program plays an important role in our overall strategy by working on R&D issues and, more importantly, working with industry to ensure transition of technology into existing infrastructure," said Maughan.

About the I3P
The Institute for Information Infrastructure Protection (I3P) is a national research consortium of universities, federally-funded labs and non-profit organizations. The I3P functions as a virtual national lab, bringing together experts from around the country to identify pressing problems and develop innovative approaches and technologies to help protect the U.S. information infrastructure. More information about the I3P and the I3P SCADA project can be found below.

Project Overview

Project Description
Automation systems, often referred to as process control systems (PCS) or supervisory control and data acquisition (SCADA) systems, are critical to the safe, reliable, and efficient operation of many physical processes. PCS and SCADA are used extensively in electric power, water, petroleum and natural gas infrastructures, as well as in various manufacturing operations, and their use is growing in these sectors. The government's interpretation of the term "SCADA" includes the overall collection of control systems that measure, report, and change the process. Essentially, any subsystem that electronically measures state, alters process control parameters, presents/stores/communicates data, or the management thereof, is subsumed in the consideration of SCADA.

Given SCADA's pervasive use throughout the critical infrastructure, it is imperative in the near-term that security vulnerabilities in deployed systems be identified and subsequently mitigated; in parallel, longer-term basic research must be conducted to design and implement next-generation secure SCADA systems. The I3P SCADA research project addresses this pressing need through a multi-institutional effort to identify risk management strategies for existing SCADA systems and to develop inherently secure designs for future SCADA systems.

The problem and its importance to the nation
The present state of cyber security and information assurance for SCADA is not commensurate with the threat or potential consequences. Security assessments of SCADA have identified troubling vulnerabilities in these systems; Sandia National Laboratories (SNL) has identified serious security problems revealed through its assessment experience. In addition, facilities like the DOE-funded National SCADA Testbed at SNL's Center for SCADA Security and at Idaho National Laboratory have demonstrated significant and troubling vulnerabilities in a laboratory setting.

The reliance of infrastructure on SCADA for operation and control is pervasive, and furthermore SCADA is increasingly used as a means of communication with customers. Cyber vulnerabilities place SCADA systems at risk and adversely affect not only the directly controlled infrastructure, but also other interconnected and interdependent critical infrastructures. These include telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, transportation, water-supply systems, emergency services, and continuity of government. For example, the 10 June 1999 failure of the Olympic Pipeline SCADA system led to a large-scale oil leakage that caused an increase in petroleum prices, consequently impacting the general economy of the region. This interdependency is particularly noticeable during catastrophes, for example, during and after the 11 September 2001 attacks on the World Trade Center when information technologies of all kinds were indirectly affected, and in turn, affected the ability of other critical infrastructures to function.

The Oil & Gas Sector
Supplying two-thirds of the US energy usage, the oil and gas sector is a fundamental component of our economy and national security. Its infrastructure consists of an extensive network of roughly 150 refineries, 200,000 miles of oil pipelines, and 2,000,000 miles of gas pipelines. The oil and natural gas industry spans a long chain of product processing, beginning with exploration and drilling and ending with delivery to consumers. Smaller pipelines carry crude oil from domestic wells to larger trunk lines, which transport both domestic and imported crude to regional markets where it is refined into oil products like gasoline. Another network of pipelines carries refined products like gasoline and other fuels to distribution centers, from which they are trucked to their point of consumption (e.g., service stations). The national network of natural gas pipelines is similar to the oil pipeline system, but also includes a much larger network of local distribution pipelines that carry gas directly to homes and businesses in many U.S. cities. SCADA systems are widely used throughout the sector for control of system operations and safety, including process control at refineries, monitoring the flow of oil and gas in pipelines, and regulating flow at oil pumping and natural gas compressor stations.

Project Summary
SCADA systems are important for the safety of infrastructure systems and US economic production. The dependence of SCADA on conventional IT elements and its increasing use of the Internet cause it to inherit the known and emerging cyberspace risks, such as network hacking and cyber attacks (e.g., computer viruses and malicious code). To enhance security and trustworthiness of SCADA systems, it is imperative to comprehensively identify, assess, and manage the vulnerabilities inherent in their hardware and software composition, architecture, and configuration, along with the human supervision that controls and operates the system and the environment within which they operate.

This I3P SCADA research project includes investigations that will advance SCADA security in order to improve the robustness of the nation's interdependent critical infrastructures. It will undertake necessary innovation in science and practice that would not be possible without support of the I3P. The I3P SCADA project team leader is Ron Trellue of Sandia National Laboratories. The project team includes faculty and staff from 10 institutions individually recognized for their expertise in cyber security and critical infrastructure research: the University of Illinois Urbana-Champaign (UIUC), Massachusetts Institute of Technology's Lincoln Laboratory (MIT-LL), the MITRE Corporation, New York University (NYU), Pacific Northwest National Laboratory (PNNL), Sandia National Laboratory (SNL), SRI International, the University of Tulsa (TU), the University of Virginia (UVa) and Dartmouth College.   

The I3P SCADA research project is organized into six tasks in order to execute effectively. The six tasks are as follows:

Task 1: Assess dependence on SCADA and its security
Task 2: Account for the type and magnitude of SCADA interdependencies
Task 3: Develop metrics for the assessment and management of SCADA security
Task 4: Develop inherently secure SCADA systems
Task 5: Develop cross domain solutions for information sharing
Task 6: Transfer technology of these solutions into industry

Each task will be performed by a team from several of the participating institutions, and each will have a Task Leader to coordinate the research associated with the task. SNL will coordinate activities and facilitate technical exchange across the research tasks to realize the synergistic potential of this multi-institutional effort.

The six tasks will enhance SCADA security through a combination of security engineering and basic science research, which will be grounded where appropriate to focus on SCADA issues within the oil and gas sector. The first task will bring together SCADA stakeholders – vendors, industry personnel and government officials – through workshops and working groups to aggregate information about the current state of SCADA systems. This characterization of the vulnerabilities, threats, consequences, and risks for SCADA security in the oil and gas infrastructure's facilities and operations will help shape the research requirements of subsequent tasks. The second task extends this risk analysis to identify the indirect risks of cyber attack to SCADA systems of the oil and gas sector through an improved understanding of the sector's interconnectedness with other critical infrastructures. Recognizing that we must be able to measure the efficacy of cyber security to build a business case for investment in cyber risk management, the third task will develop metrics for the systemic quantification of the value of risk prevention, mitigation and correction. SCADA vulnerabilities remain in deployed systems because of insecure configuration of physical security, network design and weaknesses in the host systems. The fourth task addresses this problem by leveraging the research team's existing cyber security capabilities to develop tools to make current SCADA system configurations more secure, while in tandem performing basic research to develop inherently secure designs for the SCADA systems of the future. 
The fifth and final research task will develop technologies to improve cross-domain information sharing, which could lead to economic efficiencies for operators through optimized supply chain management, and would enhance infrastructure security by enabling the development of new system-level intrusion detection systems and regional and national infrastructure monitoring capabilities for emergency response management.

A critical factor for the improvement of SCADA security is the effective transfer of security technology and knowledge out of government, academic, and vendor laboratories into component production and field integration. This requirement is met by the I3P SCADA research project's final task, which will serve as the concentration point and transition for the project's research products. As part of this task, the research project team will work closely with the oil and gas industry and the new DHS Cyber Security Research and Development Center to transfer their results through a technology demonstration program.