Common control system vulnerabilities

Download Now


This report describes the generalized trends in vulnerabilities observed from control and automation IT systems used in critical infrastructures, as well as typical reasons for these security issues and an introduction to an effective mitigation strategy.

By Jason Stamp, John Dillinger, William Young, and Jennifer DePoy, Sandia National Labs

MOST SECURITY vulnerabilities in critical infrastructure include failures to adequately define security sensitivity for automation system data, identify and protect a security perimeter, build comprehensive security through defense-in-depth, and restrict access to data and services to authenticated users based on operational requirements. Many of these vulnerabilities result from deficient or nonexistent security governance and administration, as well as budgetary pressure and employee attrition in system automation. Also, the industry is largely unaware of the threat environment and adversary capabilities.

Automation administrators themselves cause many security deficiencies, through the widespread deployment of complex modern information technology equipment in control systems without adequate security education and training. Comprehensive mitigation includes improved security awareness, development of strong and effective security governance, and amelioration of security vulnerabilities through the careful configuration and integration of technology.

Click the Download Now button below for a .pdf version of this report.