Cyberspace meets the Plant?! So what? No Magic in SCADA Security Management.

Posted on May 6, 2013


Whenever a discussion is ongoing about a rather complex and multi-layered subject, it is preferable that the participants agree on terms and definitions, so that they mean the same thing when using professional terms.
SCADA is such a term nowadays: it is frequently used in public (security) discussions, but unfortunately not everybody seems to mean the same thing when using it.

Well, at least the abbreviation itself is clear: supervisory control and data acquisition – but that is already where the clarity ends. Depending on the source of wisdom (consultancy white paper, security vendor leaflets, NIST standard, ISA standard, Wikipedia, industrial systems vendor manuals, etc.), the term SCADA is sometimes used to mean a type of industrial control system (ICS), sometimes an ICS subset; sometimes it is – together with Programmable Logic Controllers (PLCs) and Human Machine Interfaces (HMIs) – considered to be an element of a Manufacturing Execution System (MES), and sometimes HMIs and PLCs are themselves considered SCADA subsystems. Some sources speak of SCADA systems primarily in the context of highly distributed systems spread out over large distances and areas, monitoring (critical) infrastructure such as power grids, while other sources already consider a single, local installation of, let’s say, a Siemens WinCC system to be a SCADA presence. Last but not least, many sources seem to use the term SCADA mostly from a hardware/infrastructure perspective, while, as a matter of fact, pretty much any standard IT system can become a SCADA system “just” by software (example: ClearView SCADA server), provided the system has access to the industrial data, i.e. to the industrial network.

The most precise definition of what falls into the category of SCADA system – and what does not – seems to be the model and terminology used by the International Society of Automation (ISA) in its ISA 88/95 standards and the ISA 99 security standard series, respectively. The ISA model and terminology are to the world of enterprise and industrial process control systems what the OSI layer model is to the world of computer networks.

Well, anyway, Stuxnet gave the child its now publicly well-known birth name: SCADA security, likely because the best-known Stuxnet victims were Siemens WinCC and PCS7 products, PCS7 being a process control system and Simatic WinCC being (by Siemens’ definition) a SCADA system.

My point here is: from an IT security and information security management point of view, it actually does not even matter whether the term SCADA is used technically correctly or not. Let’s face it, we, the InfoSec community, can be (and are) happy to have a term that by now all levels of management – and engineering – know and have an idea about when it is put on the agenda of meetings, in email subject lines, in PowerPoint presentation titles …

What is important, what does matter, is that the InfoSec professional – and eventually senior management – understands that “SCADA security” is not only about SCADA systems. It is about the full spectrum of industrial IT. It is about the rapid computerization of the shop floor, about the shift of shop floor IT towards standard operating systems and standard network protocols and services. It is about cyberspace risks arriving on the industrial floor. It is about the necessity of extending the full security program from the office to the plant.

Posted in: Observation, Opinion