Sourcefire: Securing SCADA from Cyber-attacks

Based on the contributed article "Securing SCADA from Cyber-attacks" by Ammar Hindi, Managing Director, Sourcefire APAC (now part of Cisco Systems).

First of all, it is interesting to note that insurers such as Lloyd's of London are insuring companies with cyber-security risks. I read about this some time ago, yet this trend is still not common, especially in Malaysia and APAC.

The article says that a recent study has shown that insurance companies are unwilling to cover energy firms against cyber-attacks and the resulting damage, even after these firms have carried out thorough assessments, such as ensuring their software is up to date and reviewing how they oversee their networks.
Ammar Hindi, MD, Cisco APAC.

The study further discovered that the majority of these applicants were rejected by insurers due to insufficient cyber-defences on their Supervisory Control and Data Acquisition (SCADA) systems. There are a few factors that make these networks vulnerable.

SCADA is the main network for industrial processes in sectors such as utilities, transportation, logistics, manufacturing and pharmaceuticals.

It consists of a network of devices, such as heavy-duty equipment, linked together with computer systems (such as monitoring and control software). Most of the time, the SCADA network is linked up over serial-based communication channels, whilst recent trends have seen the adoption of more IP-based channels.

When a network is serial-based, it is usually off the grid because it can only be accessed internally. This is the reason why SCADA systems usually do not receive extra attention for cyber-security risks. As a result, these process control networks are often wrongly considered inherently safe and often do not include cybersecurity basics like patching.

I do agree that most legacy SCADA systems are naked and can be easily compromised - for instance, most SCADA systems do not deploy encryption within their communication protocol.

Nonetheless, there are SCADA systems which are described as 'military grade' and support sophisticated security requirements and robustness. The only problem lies with how much money users are willing to invest to upgrade their legacy systems.