The future of SCADA-control security

If you're a CXO overseeing a critical infrastructure that contains SCADA (supervisory control and data acquisition) controls, a chief concern is how to protect the infrastructure against terrorist attacks. Changes in control software will continue to accelerate until the most critical infrastructure weaknesses (oil refineries, electrical power plants, water treatment facilities) are addressed worldwide. But it may take years to replace all of the controls.

In order to address some of these concerns, networking vendors are deploying solutions to monitor network traffic between the management systems of these controls to determine the validity of its state. They can plan on implementing authentication and access controls on the sessions that communicate with the controls. As a newer generation of controls is deployed, authentication and authorization features will be built into the controls themselves. All access can be logged to determine if there is any tampering.


But there are other concerns associated with the electrical power, refinery, chemical plant, water treatment, and nuclear power industries that deploy these new controls. There will be a great need for custom simulation software for specific vertical industries like the ones listed above. Simulations will be needed to determine what will happen if a new set of policies (control states) are implemented.

The control settings (policies) need comprehensive testing. It will be too difficult to determine all of the various states of the controls and their interaction with other controls via spreadsheets. The dangers could be catastrophic, such as chemical or waste spills, so the software will need to be very sophisticated to manage the various good and bad control permutations.

This SCADA simulation software reminds me of the live/dead analysis that goes on within Energy Management Systems used by electrical power companies to manage their multi-state electrical grids. Live/dead analysis simulates the response to an electrical line change to a portion of the grid. The change can then be implemented if the simulation shows it is safe.

What are the difficulties associated with this new simulation software? It will be difficult to create software that properly models control systems, such as an oil refinery. It is likely that the software will be customized for different corporation's refineries. These customizations will need thorough testing before the simulation software is fully deployed. Software errors in the simulation software could also lead to disasters so the software may need to pass a certification process before being deployed in a refinery's private network.

Other concerns include the internal network's wireless connectivity to these controls. I'm concerned about the wireless connectivity between the simulation system, the live network, and the controls. This may require a hardened and/or specialized wireless network designed only for communication with critical infrastructure systems.


In the next few years, critical industries will shore up their SCADA control weaknesses. There will likely be standard software for different vertical industries, like oil refineries, which is then customized for a given company. There will be a need for better simulation testing due to having more complex controls. This core complex software (without the customizations) for each vertical industry may need to be certified for safety reasons. Lastly, an intelligent collection/alteration of SCADA control data may require specialized, hardened, wireless communications for protection from terrorists.

Join the CSO newsletter!

Error: Please check your email address.

More about Siemens

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregory Machler

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts