SCADA CERT practice guide

ENISA has released a good practice guide for CERTs that are tasked with protecting industrial control systems  (SCADA).

The European Union Agency for Network and Information Security (ENISA) publishes a lot of advice and recommendations on good practice in information security. Necessarily, it has a European focus, but almost all the advice is applicable to systems in any region.

This SCADA CERT practice guide focuses on how Computer Emergency Response Teams should support Industrial Control Systems (ICS).The terms ‘ICS’ and ‘SCADA’ (Supervisory Control and Data Acquisition) are pretty much interchangeable.

SCADA systems were around before the Internet. The first systems were driven by mainframes and installed to control water and electricity networks. Since then, SCADA has become ubiquitous and systems that were initially designed to work on independent networks have been connected to the Internet.

Connecting SCADA to the Internet has many advantages. It increases system availability and reduces costs of connecting geographically disparate systems. At the same time, connecting SCADA to the Internet decreases system confidentiality and more importantly in this situation, system integrity.

CC Worldbank photo collection

Industrial Control Systems support every aspect of our daily lives. Photo CC WorldBank Photo Collection

The ENISA ICS guide tries to put together in one document, a guide for CERTs that are required to protect SCADA/ICS systems. Importantly, it doesn’t just focus on the technical capabilities required for operations, but also organisational capabilities and what it terms ‘co-operational capabilities’. This last part is important as computer emergency response teams can forget that they are part of a system and the system is only as strong as the weakest link. It is important to remember that preparation for things going wrong involves identifying people, resources and stakeholders that will be required. Developing relationships with other organisations will always pays dividends when an emergency occurs. This is where the ENISA advice is in some ways superior to the advice from the US DOE, although I acknowledge the attractive simplicity of some of their guidance.

It is good that the authors acknowledge that this area is one where there is limited experience and that the guide should be considered a ‘living document’. As usual in cyber-security protection, both technical expertise and organisational /management guidance are required.

 

More information available from ENISA

US DOE SCADA guide

 

 

This entry was posted in Crime, Cybersecurity, Organisations and tagged , , , , , , , , , by Alex Weblng. Bookmark the permalink.

About Alex Weblng

BSc, BA (Hons), Gdip Comms, GdipEd, ZOP Alex has 20 years of experience in the Australian Government working in the fields of national security, information and cyber-security, counter-terrorism, , nuclear science, chemical and biological security, protective security and critical infrastructure protection, identity security, biometrics, and resilience. Alex was the foundation Director of the Australian Government computer emergency response team, GovCERT.au (later CERT Australia). He developed and project managed a world first program to train CERTs in developing APEC countries. Alex set up the Trusted Information Sharing Network Resilience Community of Interest in 2008 and produced the first Australian Government Executive Guide to Resilience. Head of Protective Security Policy in 2010, Alex was responsible for launching the revised Protective Security Policy Framework and the single information classification system for the Australian Government. Alex has both significant experience and tertiary qualifications in the CBRN (Chemical, Biological, Radiological and Nuclear) area. He was head of the Chemical Security Branch of the Attorney-General’s Department; responsible for nuclear policy during the construction of the Australian OPAL reactor; and represented the Attorney-General’s Department in the Security Sensitive Biological Agents development process, bringing to it a pragmatic, risk driven approach. As Director of Identity and Biometric Security Policy, Alex was responsible for developing the successful proposal to expand the Australian Document Verification Service into the private sector in 2012. Alex has been a member of the Australasian Council of Security Professionals since 2011 and a registered security professional in the area of Security Enterprise Management with the Security Professionals Register of Australasia.