
What should we do? A structured review of SCADA system cyber security standards

Xiaojun Zhou∗†, Zhen Xu∗, Liming Wang∗†, Kai Chen∗
∗State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
†University of Chinese Academy of Sciences, Beijing 100193, China

Corresponding author (Email: wangliming@iie.ac.cn)


Abstract—The SCADA (Supervisory Control and Data Acquisition) system is the core component of industrial and critical infrastructure, and the cyber security of SCADA systems has become a key consideration for system managers and engineers. Therefore, a great many standards, guidelines and best practices have been developed as references for SCADA system cyber security, in the hope of providing instructions for system managers. Unfortunately, there is little consensus on what to do. What's worse, it is difficult to choose the right one for a particular industrial scene. These standards are usually long and complex texts, whose reading and understanding often take much time and effort. We provide a comprehensive and structured review of SCADA cyber security standards, guidelines and best practices along three dimensions: release time, geographic location and intended audience. Finally, we use the theory of defense-in-depth as a reference to evaluate these standards. It is concluded that no standard performs better than the others on all the criteria and that we should integrate different standards to apply them to a specific industrial scene.

Keywords: SCADA security, security standards, structured comparison, defense-in-depth

1 INTRODUCTION

Cyber security has long been a headache for operators in the traditional IT field since the emergence of the Internet. With the upgrading of new technology and the demands of the ICS (industrial control system), the continuous infiltration and integration of the Internet has brought great convenience, but has also introduced a series of new problems never seen before. The SCADA (Supervisory Control and Data Acquisition) system is the core component of industrial and critical infrastructure, and the cyber security of SCADA systems has become a key consideration for system managers and engineers. Most SCADA protocols were designed long before network security was perceived to be a problem [1]. The inventors of the ICS protocols originally specified no security mechanism at all: they did not need to consider the security problem, because their ultimate goal was to connect the devices together in a local network and to realize automation.

However, critical infrastructure has been a main target of hackers since 2010, when the Iranian nuclear power plant was attacked and Iran consequently postponed its uranium enrichment plan. Over the past two decades, industrial control systems have seen a significant increase in the use of computer networks and related Internet technologies to transfer information from the plant floor to supervisory and business computer systems [2]. Many PLC (Programmable Logic Controller), DCS (Distributed Control System) and SCADA systems use protocols based on TCP/IP, HTTP or Ethernet, leading to a vulnerable interface at the cost of less isolation and weaker cyber security. As a consequence, SCADA systems now face threats and attacks they have never been exposed to before. An attack on a SCADA system not only has a severe impact on the system itself, but also affects the physical world, causing loss of money, damage to the environment and, most severely, loss of life. For most companies the impact on reputation is probably far more significant than merely the cost of a production outage [3].

Therefore, the security of SCADA systems has attracted the attention of all countries. The governments of many countries and international organizations have participated in this process. As a result, a great many standards, guidelines and best practices have been developed as references for SCADA system cyber security, in the hope of providing instructions for system managers. At the time of writing, more than 10 countries and international organizations have released standards, guidelines and best practices, whose total number amounts to over 40. These countries include not only America, Germany, England, France and Japan, whose industries have developed over many years and are in the upper class of the world, but also China, Holland and Norway, which are newly industrialized countries. The international standardization organizations include IEEE, ISA, IEC and so on.

978-1-5090-6465-6/17/$31.00 ©2017 IEEE

Proceedings of 2017 4th International Conference on Control, Decision and Information Technologies (CoDIT'17) / April 5-7, 2017, Barcelona, Spain


Unfortunately, there is little consensus on what to do. What's worse, with so many standards it is very difficult to choose the right one for a particular industrial scene. These standards are usually long and complex texts, whose reading and understanding often take much time and effort for engineers and system managers. This paper provides a comprehensive and structured review of SCADA cyber security standards, guidelines and best practices along three dimensions: release time, geographic location and self-attributes, and uses the theory of defense-in-depth as a reference to evaluate these standards. The original intention is to give an insight into what to do and how to do it regarding SCADA security. The main contributions of this paper are as follows:

1. We cover 15 standards, released by international standardization organizations and the traditional industrial countries, which gives a good coverage.

2. The newly released standards, guidelines and best practices, as well as those currently in use, are included, to give a view of the progress of SCADA security.

3. All the standards are compared in three dimensions, i.e. release time, geographic location and intended audience, to provide a deep insight into the standards.

4. In order to give a methodology for choosing the right one for a specific scene, we employ the theory of defense-in-depth as a reference and evaluate the standards selected in this paper.

This paper is organized as follows: Section 2 introduces the related work on this issue. Section 3 first gives the selection criteria for the standards we research, then provides an introduction to all the selected standards and organizations. Section 4 first compares these standards in three dimensions, then uses the theory of defense-in-depth to evaluate them. We give the conclusions and future work in Section 5. The acknowledgement is placed in Section 6.

2 RELATED WORK

SCADA security differs greatly from traditional information security or IT (information technology) security because of the special requirements and operating environment that are unique to SCADA systems. As a consequence, a lot of standards, guidelines and best practices have been developed to relieve the harsh security challenge in SCADA systems. However, there are too many regulations to choose the right one for specific production scenarios. Some researchers have produced overviews of these standards, guidelines and best practices. Shuang Liang et al. [4] compare the security standards of power supply in China and the UK based on the principles of ER P2/6 and the actual situation of the Nanjing network, and issue quantitative indices for the Nanjing network as a pilot for other networks in China. W. Eric Wong et al. [5] have developed a set of 15 criteria (i.e. 15 questions) to evaluate each standard in terms of its usage, strengths and limitations. Five standards are studied. However, their work focuses on software safety, not particularly on SCADA cyber security. Kristian Beckers et al. [6] provide a conceptual model for security standards that relies upon existing research and contains concepts and phases of security, and develop a template based on this model. But Beckers's work concerns the well-known international security standards ISO 27001 and Common Criteria, not SCADA cyber security. The U.S. Department of Energy compared the ISO/IEC 17799, NIST PCSRF, ISA-TR99.00.01-2004 and ISA-TR99.00.02-2004 security standards [7]. The authors compare terms and notions of the standards, but they do not employ evaluation criteria. Phillips et al. [8] analyze security standards for the RFID market: ISO/IEC 15693, ISO/IEC 10536, ISO/IEC 11784-11785, ISO/IEC 18000-3 and ISO/IEC 18000-2. The authors list the availability, integrity and confidentiality demands of these standards. Their aim is to provide a complete set of security goals for the RFID market, not to compare the standards. NIST [9] compares the FIPS 140-1 and FIPS 140-2 standards regarding their specification of cryptographic modules. The authors also compare terminologies and descriptions of cryptographic functionalities. Arora [10] compares the ISO 27001 and COBIT standards using a template that contains the fields: focus, paradigm, scope, structure, organizational model and certification. Neither of the above two works focuses on SCADA cyber security. Sommestad et al. [11] compare standards for the cyber security of SCADA, namely a number of SCADA standards and the ISO 27002 standard. The authors compare the sets of threats and countermeasures stated in the standards, divide the standards into those that focus on technical countermeasures and those that focus on organizational countermeasures, and analyze their commonalities and differences. But they do not provide a comprehensive analysis of the standards.

Byres [12] points out that the Defense in Depth strategy is not something unique to ICS/SCADA security. In fact, it is not even unique to cyber security. It is a military strategy that has been around since the days of the Romans. Depending upon a single defense, such as a perimeter firewall, is building a security solution on a single point of failure. Make sure that the facility has a proper Defense in Depth design where the network, control devices and systems are collectively hardened, thereby providing reliable security for the plant floor.

3 OVERVIEW OF STANDARDS

This section comprises two phases. First, we give the criteria on which the standards were chosen. Second, an overview of these standards is presented to provide a general impression.

3.1 Selection Criteria

More than 10 countries and international organizations have released standards, guidelines and best practices, whose total number amounts to over 40. We do not list all of them. After a comprehensive search for documents released by standardization bodies and governmental agencies, we chose 15 standards as our objects based on the following criteria:

1. The standards are released or published by an international standardization body or a governmental agency.

2. The standards must focus on SCADA system cyber security, not IT or information security in general.

3. The selected standards should have a large geographical distribution to provide a macro perspective.

4. The selected standards should be up to date and newly released or published, and have a good reputation and acceptance.

The purpose of the first criterion is to include standards that are released by authorities in this field, and thereby widely recognized. The second criterion maintains a strong relationship with SCADA cyber security, aiming to select the most representative standards that are applicable to SCADA systems. The third criterion serves to preserve a large coverage. The fourth criterion helps us keep pace with the times and be aware of what is newly going on.

After a broad review of papers and many inquiries, fifteen standards were chosen in accordance with the selection criteria. These selected standards are listed in TABLE 1. In the following text, we use their short names for convenience.

3.2 Overview of Standards

Next, we give a short description of all the selected standards.

SP800-82 [13] was first published on May 14, 2013. The newest version is NIST SP800-82 Rev. 2 (May 2015). This document provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. The document provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.

NISTIR 7176 [14] was first released on April 14, 2004. It has 8 sections. Section 1 provides the introductory material for the System Protection Profile. Section 2 provides the general purpose and STOE description. Section 3 provides a discussion of the expected environment for the STOE. This section also defines the set of threats that are to be addressed by either the technical, operational or management controls implemented by the STOE or through the environmental controls. Section 4 identifies the risks to the STOE that have been derived from the statement of the security environment defined in Section 3. Section 5 defines the security objectives for both the STOE and the STOE environment. Section 6 contains the functional and assurance requirements derived from the Common Criteria, Part 2 and 3 [CC2, CC3], respectively, that must be satisfied by the STOE. Section 7 contains guidance information for SST authors who would like to claim conformance to the SPP. Section 8 provides a rationale to explicitly demonstrate that the identified risks to the STOE have been derived from the aspects identified in the security environment. It also demonstrates how the security objectives have been derived from each of the identified risks. The section then explains how the set of requirements is complete relative to the objectives, and that each security objective is addressed by one or more component requirements. Arguments are provided for the coverage of each objective. Section 8 also provides a set of arguments that address dependency analysis, strength of function issues, and the internal consistency and mutual supportiveness of the System Protection Profile requirements.

TABLE 1: Selected Standards

Standard (short name) [ref] | Publisher or standardization body
Guide to industrial control systems (ICS) security (SP800-82) [13] | National Institute of Standards and Technology (U.S. NIST)
System Protection Profile – Industrial Control Systems (NISTIR 7176) [14] | National Institute of Standards and Technology (U.S. NIST)
Guidelines for Smart Grid Cyber Security (NISTIR 7628) [15] | National Institute of Standards and Technology (U.S. NIST)
Cyber security procurement language for control systems (DHS LANGUAGE) [16] | Department of Homeland Security (U.S. DHS)
Strategic principles for securing the internet of things (DHS STRATEGIC) [17] | Department of Homeland Security (U.S. DHS)
21 steps to improve cyber security of SCADA networks (DOE 21STEPS) [18] | U.S. Department of Energy (U.S. DOE)
Critical Infrastructure Protection (CIP)-002 – CIP-011 [19] | North American Electric Reliability Council (NERC)
Cyber security for critical infrastructure protection (GAO Protection) [20] | U.S. Government Accountability Office (U.S. GAO)
Good Practice Guide – Process Control and SCADA Security (CPNI PRACTICE) [21] | Center for the Protection of National Infrastructure (U.K. CPNI)
Security for Industrial Automation and Control Systems (IEC/ISA 62443) [22] | International Electrotechnical Commission (IEC), International Society of Automation (ISA)
1686-2013 – IEEE Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities (IEEE IEDSecurity) [23] | Institute of Electrical and Electronics Engineers (IEEE)
Industrial control system security – Part 1-2 (GB/T 30976.1-2-2014) [24] | Standardization Administration of the People's Republic of China (P.R. SAC)
Evaluation specification for security in industrial control network (GB/T 26333-2010) [25] | Standardization Administration of the People's Republic of China (P.R. SAC)
Industrial-process measurement and control – Evaluation of system properties for the purpose of system assessment (GB/T 18272.1-8-2000) [26] | Standardization Administration of the People's Republic of China (P.R. SAC)
Guide to industrial control systems information security protection (MIIT GUIDE) [27] | Ministry of Industry and Information Technology (P.R. MIIT)

NISTIR 7628 [15] was first published in August 2010. The report has 3 volumes. Volume 1 is Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, including Cyber Security Strategy, Logical Architecture, High Level Security Requirements, and Cryptography and Key Management. Volume 2 is Privacy and the Smart Grid, including a privacy impact assessment for the Smart Grid with a discussion of mitigating factors. This volume also identifies potential privacy issues that may occur as new capabilities are included in the Smart Grid. Volume 3 is Supportive Analyses and References, including Vulnerability Classes, Bottom-Up Security Analysis of the Smart Grid, Research and Development Themes for Cyber Security in the Smart Grid, and Overview of the Standards Review.

DHS LANGUAGE [16] was first released in August 2006. The newest version is 1.8, revised in February 2008. The main contents are as follows: system hardening, perimeter protection, account management, coding practices, flaw remediation, malware detection and protection, host name resolution, end devices, remote access, physical security, and network partitioning.

DHS STRATEGIC [17] was released on November 15, 2016, 26 days after the massive DDoS attack that blocked access to U.S. Web sites. These principles highlight approaches and suggested practices to fortify the security of the IoT and will equip stakeholders to make responsible and risk-based security decisions as they design, manufacture, and use internet-connected devices and systems. The principles focus on the following key areas: incorporating security at the design phase; advancing security updates and vulnerability management; building on proven security practices; prioritizing security based on potential impacts; promoting transparency across the IoT ecosystem; and connecting carefully and deliberately [28].

DOE 21STEPS [18] was published in 2002. The President's Critical Infrastructure Protection Board and the Department of Energy developed the steps outlined there to help any organization improve the security of its SCADA networks. These steps are not meant to be prescriptive or all-inclusive. However, they do address essential actions to be taken to improve the protection of SCADA networks. The steps are divided into two categories: specific actions to improve implementation, and actions to establish essential underlying management processes and policies.

CIP-002–CIP-011 [19] was first published in 2005, when it had only 9 parts: 001-009. On February 13, 2015, NERC submitted a petition seeking approval of Reliability Standards CIP-003-6, CIP-004-6, CIP-006-6, CIP-007-6, CIP-009-6, CIP-010-2, and CIP-011-2, as well as an implementation plan, associated violation risk factor and violation severity level assignments, proposed new or revised definitions, and retirement of Reliability Standards CIP-003-5, CIP-004-5.1, CIP-006-5, CIP-007-5, CIP-009-5, CIP-010-1, and CIP-011-1. The main contents are: CIP-001 Sabotage Reporting, CIP-002 Critical Cyber Asset Identification, CIP-003 Security Management Controls, CIP-004 Personnel and Training, CIP-005 Electronic Security Perimeter(s), CIP-006 Physical Security of Critical Cyber Assets, CIP-007 Systems Security Management, CIP-008 Incident Reporting and Response Planning, CIP-009 Recovery Plans for Critical Cyber Assets, CIP-010 Configuration Change Management and Vulnerability Assessments, and CIP-011 Information Protection.

GAO Protection [20] was published in 2004. It focuses on the use of cybersecurity technologies for critical infrastructure protection (CIP). It mainly contains 3 parts. The first part (chapter 2) is cybersecurity requirements of critical infrastructure sectors. The second part (chapter 3) is cybersecurity technologies and standards. The third part (chapter 4) is cybersecurity implementation issues.

CPNI PRACTICE [21] was released in 2005. It is designed to impart good practice for securing industrial control systems such as process control, industrial automation, distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems, and provides valuable advice on protecting these systems from electronic attack. The main contents are: securing process control and SCADA systems, understanding the business risk, implementing secure architecture, establishing response capabilities, improving awareness and skills, managing third party risk, engaging projects, and establishing ongoing governance.

IEC/ISA 62443 [22] was released in 2007. It is the most representative and has been widely discussed. It has 4 sections, up to 12 documents. 62443-1-1 introduces the concepts, models and terminology used consistently throughout the series. 62443-1-2 provides a master glossary of terms and abbreviations used throughout the series. 62443-1-3 uses the foundational requirements, system requirements and associated information to test for completeness of the specification of quantitative metrics. 62443-2-1 describes what is required to define and implement an effective IACS cyber security management system. 62443-2-2 describes what is required to operate an effective IACS cyber security management system. 62443-2-3 describes requirements for asset owners and product suppliers that have established and are now maintaining an industrial automation and control system (IACS) patch management program. 62443-2-4 specifies requirements for security capabilities that IACS service providers can offer to the asset owner during integration and maintenance activities of an Automation Solution. 62443-3-1 is a technical report that describes the application of various security technologies to an IACS environment. 62443-3-2 describes the segmentation of the system under consideration in terms of zones and conduits. 62443-3-3 describes the system security requirements and security assurance levels. 62443-4-1 addresses the overall requirements during the development of products. As such, it is product supplier centric. 62443-4-2 contains sets of derived requirements that provide a detailed mapping of the system requirements to subsystems and components of the system under consideration.

IEEE IEDSecurity [23] was published in 2007 and revised in 2010. It provides utilities that develop such programs the ability and assurance to procure, install, and commission IEDs that do not compromise their program. This standard also provides the required suite of functions and capabilities to the various vendors who will be required to incorporate these features into their product line for customers who cite this standard.

GB/T 30976.1-2-2014 [24] was published in 2014. It consists of 2 parts. GB/T 30976.1 specifies the objectives of the information security assessment of industrial control systems, the contents of the assessment, the implementation process and so on. This part is intended for use by system designers, equipment manufacturers, system integrators, engineering companies, users, asset owners, and assessment and certification bodies to evaluate the information security of industrial control systems. GB/T 30976.2 specifies the process, test content, method and requirements of the safety acceptance of the information security solution of an industrial control system. Users of this part can add equipment or systems to improve IACS security. The contents of this part can be used as guidance in practical work, applicable to petroleum, chemical, power, nuclear facilities, transportation, metallurgy, water treatment, manufacturing and other industries using control systems and equipment.

GB/T 26333-2010 [25] was published in 2010. This standard is a security risk assessment method for industrial control networks. Through the safety risk assessment of the industrial control network, we can find out the hidden dangers of the network and close the security loopholes by using the corresponding security measures, so as to enhance the safety of the industrial control network. This standard specifies general methods and guidelines for safety risk assessment of industrial control networks. It describes the general steps for safety risk assessment of industrial control networks, focusing on the analysis of evaluation objects and the design of evaluation plans.

GB/T 18272.1-8-2000 [26] was published in 2000. This standard contains the following 8 parts: General and Methodology, Evaluation Methodology, System Functional Evaluation, System Credibility Evaluation, System Operational Assessment, System Security Evaluation, and Task-Independent System Feature Evaluation.

MIIT GUIDE [27] was released on October 17, 2016. The Guidelines are formulated in order to improve the level of information security protection of industrial control systems and to ensure the safety of industrial control systems. This guide applies to enterprises and institutions engaged in industrial control system planning, design, construction, operation and maintenance, and evaluation. Industrial control system application enterprises should address the following 11 aspects to achieve industrial safety protection: software selection, configuration and patch management, perimeter protection, physical protection, authentication, remote access security, monitoring and response project drills, asset safety, data security, supply chain management, and implementation of responsibility.

4 COMPARISON AND EVALUATION

This section has two parts. In the first place, all the standards are compared in three dimensions: release time, geographic location and intended audience. Then we use the theory of defense-in-depth as a reference to evaluate these standards.

4.1 Comparison in Three Dimensions

We take three dimensions to make a comparison of these standards, trying to give an overview of when we started to pay attention to SCADA cyber security, who first took action, and what the differences between these standards are.

A. Release Time

We mark all the selected standards on the timeline according to their release time. All the standards are shown in Fig. 1.

Fig. 1: The standards sequence in accordance with release time (timeline figure; years marked 2000, 2002, 2004, 2005, 2006, 2007, 2010, 2013, 2014 and 2016, with the standards of TABLE 1 placed at their release years as given in Section 3.2: GB/T 18272.1-8-2000 (2000); DOE 21STEPS (2002); NISTIR 7176 and GAO Protection (2004); CIP-002 -- CIP-011 and CPNI PRACTICE (2005); DHS LANGUAGE (2006); IEEE IEDSecurity and IEC/ISA 62443 (2007); NISTIR 7628 and GB/T 26333-2010 (2010); NIST SP800-82 (2013); GB/T 30976.1-2-2014 (2014); DHS STRATEGIC and MIIT GUIDE (2016))

In the light of their release times, we can see that SCADA security has attracted attention since as early as 2000, when few SCADA cyber security incidents had been reported. It was not before 2010 that SCADA cyber security really came into public view and became a headache, when Iran's uranium enrichment plant was attacked by Stuxnet [29]. After that, some notorious attack incidents, such as the Ukraine Blackout [30] in 2015 and the DNS Amplification Attacks [31] in 2016, occurred, which aroused much panic all over the world. Standardization bodies and security agencies have since developed standards intensively.

B. Geographic Location

In order to have a full landscape of SCADA security standards all over the world, we select the standards as widely as we can to have a large coverage. The geographical distribution is illustrated in Fig. 2.

Fig. 2: The geographical distribution of standards (map figure; U.K.: CPNI PRACTICE. U.S.: CIP-002 -- CIP-011, NIST SP800-82, NISTIR 7176, NISTIR 7628, DHS LANGUAGE, DHS STRATEGIC, DOE 21STEPS, GAO Protection. China: GB/T 30976.1-2-2014, GB/T 26333-2010, GB/T 18272.1-8-2000, MIIT GUIDE. International Standards: IEC/ISA 62443, IEEE IEDSecurity)

In line with Fig. 2 we can see that the U.S., whose automation is the most developed, has paid great attention to SCADA security. Nine of the fifteen standards were released by agencies/authorities in America; CIP-002–CIP-011 can be counted as a U.S. standard as well. China, as a developing country whose industry is thriving, has also devoted efforts to assuring SCADA cyber security, leading to 4 related standards published over a wide range of time. England, the leader of the First Industrial Revolution, has only one widely used standard. The remaining two were released by international standardization bodies, i.e. IEEE and IEC, respectively.

C. Intended Audience

We have presented a general overview and the main contents of all the standards in Section 3.2. We now make a horizontal comparison and analysis of all these standards, for the purpose of giving an insight into who the intended audiences of these standards are. We divide the audience of these standards into four categories: system designers and integrators, equipment manufacturers and suppliers, asset owners, and assessment and certification bodies. See TABLE 2.

TABLE 2 illustrates that most of the standards are for all scopes of readers, attempting to have a large coverage. As a result, some standards are not as detailed as others. In the next section, we give a quantitative evaluation to see what their main focus is respectively.

4.2 Evaluation of Standards

Kuipers et al. [32] put forward that information infrastructures across many public and private domains share several common attributes regarding IT deployments and data communications. This is particularly true in the control systems domain. Due to the convenience and low costs of IT architecture, many SCADA systems use the same network to enhance business and reduce costs by increasing the integration of external, business and control system networks. However, multi-network integration strategies often lead to vulnerabilities that greatly reduce the security of an organization. The architecture of SCADA is given in Fig. 3.

TABLE 2: The Intended Audience (Y = intended audience, N = not)

Standard | System design and integrators | Equipment manufacturers and suppliers | Asset owners | Assessment and certification bodies
NIST SP800-82 [13] | Y | Y | Y | Y
NISTIR 7176 [14] | N | N | Y | Y
NISTIR 7628 [15] | Y | Y | Y | Y
DHS LANGUAGE [16] | Y | N | N | Y
DHS STRATEGIC [17] | Y | Y | Y | Y
DOE 21STEPS [18] | N | N | Y | Y
CIP-002 – CIP-011 [19] | Y | Y | Y | Y
GAO Protection [20] | Y | Y | Y | Y
CPNI PRACTICE [21] | Y | Y | Y | Y
IEC/ISA 62443 [22] | Y | Y | Y | Y
IEEE IEDSecurity [23] | Y | Y | Y | Y
GB/T 30976.1-2-2014 [24] | Y | Y | Y | Y
GB/T 26333-2010 [25] | N | N | Y | Y
GB/T 18272.1-8-2000 [26] | N | N | Y | Y
MIIT GUIDE [27] | Y | Y | Y | Y

Merging a modern IT architecture with an isolated network that may not have any effective security countermeasures is challenging. Fielder et al. [33] propose a simulation of attackers and defenders who have limited resources that must be applied either to advancing the technology available to them or to attempting to attack (defend) the system. They conclude that if the system has a wide spread of valuable targets, defense-in-depth is generally preferable, which is just the case in SCADA systems. That is why we choose defense-in-depth as our evaluation criterion. Fig. 4 illustrates the layers of defensive mechanisms in SCADA. According to the theory of defense-in-depth, we group the countermeasures of these standards to enable comparison. The countermeasures extracted from the different documents were grouped according to their objective into 7 categories: Data, Application, Host, Internal Network, Perimeter, Physical, and Management. To compare these 7 groups of security recommendations, a number of key words and key phrases were associated with each group. These key words and phrases were identified by carefully reading the texts again and again, using the extracted phrases as a starting point. See TABLE 3; the detailed key words and phrases can be found in the Appendix of [11]. After the key words and key phrases are determined, the total number of occurrences of each key word in the selected standards can be counted. Using this method, we can figure out how much attention is given to each aspect of defense-in-depth. The statistical results are shown in Fig. 5 to Fig. 19.

Fig. 3: The architecture of SCADA (Supervisory Control And Data Acquisition)

Fig. 4: Illustration of Defense in Depth

TABLE 3: Countermeasures and Key Words

Countermeasures    Key Words
Data               Backup, Cryptography
Application        Authentication
Host               Antivirus, Auditing and vulnerability scanning, Patch Management
Internal Network   Hardening, Inventory and Overview, Network Security, System administration tools, System Resilience
Perimeter          Firewall, Intrusion Detection, Separation of Network
Physical           Authorization, Locks, Cameras, Alarm
Management         Business Continuity and Contingency planning, Business Management Commitment, Change Management, Incident planning/handling, Personnel Management, Policies and Standards, Risk Assessment and Management, Security Organization, Security Principles, Training and Awareness, Third party collaboration

Fig. 5: The Distribution of Focus Using Defense-in-Depth (NIST SP800-82)

Fig. 6: The Distribution of Focus Using Defense-in-Depth (NISTIR 7176)

The radar charts give a clear overview of the main contents of each standard. For an insightful understanding of these standards as a whole, we draw the bar chart in Fig. 20.
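The keyword-occurrence scoring described above, as an added example that is not code from this paper or from Sommestad et al. [11]: the category-to-phrase mapping follows TABLE 3 (conjoined entries such as "Auditing and vulnerability scanning" are split into separate phrases, which is our choice), and the excerpt of a "standard" it is run on is constructed for the demonstration, not taken from any standard in TABLE 2. The totals per layer are the axis values of one radar chart; the normalized distribution is what makes two standards of different length comparable.

```python
import re
from collections import Counter

# Category -> key words and phrases, following TABLE 3 of the paper.
# Conjoined table entries such as "Auditing and vulnerability scanning" are
# split into separate phrases here (our choice, not the paper's), and singular
# forms are used because the matcher below also accepts a trailing "s".
DEFENSE_IN_DEPTH_KEYWORDS = {
    "Data": ["backup", "cryptography"],
    "Application": ["authentication"],
    "Host": ["antivirus", "auditing", "vulnerability scanning",
             "patch management"],
    "Internal Network": ["hardening", "inventory", "network security",
                         "system administration tool", "system resilience"],
    "Perimeter": ["firewall", "intrusion detection", "separation of network"],
    "Physical": ["authorization", "lock", "camera", "alarm"],
    "Management": ["business continuity", "contingency planning",
                   "management commitment", "change management",
                   "incident planning", "incident handling",
                   "personnel management", "policies", "standard",
                   "risk assessment", "risk management",
                   "security organization", "security principle",
                   "training", "awareness", "third party"],
}


def _phrase_pattern(phrase):
    """Whole-word, case-insensitive regex for one key phrase.  Any run of
    whitespace, including a line break left by PDF extraction, may separate
    the words, and an optional trailing "s" makes "backups" count as "backup"."""
    words = [re.escape(w) for w in phrase.split()]
    return re.compile(r"\b" + r"\s+".join(words) + r"s?\b", re.IGNORECASE)


_PATTERNS = {
    category: [(phrase, _phrase_pattern(phrase)) for phrase in phrases]
    for category, phrases in DEFENSE_IN_DEPTH_KEYWORDS.items()
}


def count_keywords(text):
    """Occurrences of every key phrase in text, grouped by category."""
    return {
        category: Counter({phrase: len(pat.findall(text))
                           for phrase, pat in patterns})
        for category, patterns in _PATTERNS.items()
    }


def category_totals(text):
    """Total hits per defense-in-depth layer: the axis values of one radar chart."""
    return {cat: sum(c.values()) for cat, c in count_keywords(text).items()}


def focus_distribution(text):
    """Share of all hits per layer, in [0, 1].  A document that matches nothing
    yields all zeros instead of a division by zero."""
    totals = category_totals(text)
    grand = sum(totals.values())
    return {cat: (n / grand if grand else 0.0) for cat, n in totals.items()}


def rank_layers(text):
    """Layers ordered from most to least emphasised in text (ties by name)."""
    dist = focus_distribution(text)
    return sorted(dist, key=lambda cat: (-dist[cat], cat))


# Constructed excerpt in the style of a control-system security standard;
# it is not text from any of the standards in TABLE 2.
SAMPLE_STANDARD = """\
3.1 The asset owner shall maintain an inventory of all control system assets.
3.2 Remote access shall require two-factor authentication; a password alone
    is not sufficient.
4.1 A firewall shall separate the control network from the business network
    (separation of network zones).
4.2 Sensors for intrusion
    detection shall monitor all traffic crossing the perimeter firewall.
5.1 Patch management procedures shall be documented and patches tested
    before deployment.
5.2 Antivirus signatures shall be updated under the change management process.
6.1 A risk assessment shall be performed annually and reviewed by senior
    management.
6.2 Security awareness training shall be given to all personnel; training
    records shall be kept.
6.3 Incident handling procedures and business continuity plans shall be
    exercised yearly.
7.1 Backups of controller configuration shall be stored off-site, and
    cryptography shall protect engineering data in transit.
"""

if __name__ == "__main__":
    totals = category_totals(SAMPLE_STANDARD)
    shares = focus_distribution(SAMPLE_STANDARD)
    for cat in rank_layers(SAMPLE_STANDARD):
        print(f"{cat:17s} {totals[cat]:3d}  {shares[cat]:.2f}")
```

Two caveats before trusting such counts on a real document: the method is purely lexical, so a standard that refers to itself as "this standard" on every page inflates its Management score, and tables of contents, reference lists and page headers should be stripped first; and raw totals grow with document length, so only the normalized distribution (or the per-layer share) should be compared across standards, which is what the radar charts above show.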


Fig. 7: The Distribution of Focus Using Defense-in- Depth(NISTIR 7628)

Fig. 8: The Distribution of Focus Using Defense-in- Depth(DHS LANGUAGE)

Fig. 9: The Distribution of Focus Using Defense-in- Depth(DHS STRATEGIC)

Fig. 10: The Distribution of Focus Using Defense-in-Depth (DOE 21STEPS)

Fig. 11: The Distribution of Focus Using Defense-in-Depth (GAO PROTECTION)

Fig. 12: The Distribution of Focus Using Defense-in-Depth (CIP-002 – CIP-011)

Fig. 13: The Distribution of Focus Using Defense-in-Depth (CPNI PRACTICE)

Fig. 14: The Distribution of Focus Using Defense-in-Depth (IEC/ISA 62443)

Fig. 15: The Distribution of Focus Using Defense-in-Depth (IEEE IEDSecurity)

Fig. 16: The Distribution of Focus Using Defense-in-Depth (GB/T 30976.1-2-2014)

Fig. 17: The Distribution of Focus Using Defense-in-Depth (GB/T 26333-2010)

Fig. 18: The Distribution of Focus Using Defense-in-Depth (GB/T 18272.1-8-2000)

Fig. 19: The Distribution of Focus Using Defense-in-Depth (MIIT GUIDE)

Fig. 20: All the Standards as a Whole Using the 7 Groups of Recommendations

5 CONCLUSIONS AND FUTURE WORK We conclude that each of these standards has its own focus for SCADA cyber security. However, all of them pay attention to Management, which matches the motto "Security is 30 percent technology and 70 percent management". From a mitigation perspective, simply deploying IT security technologies into a SCADA system may not be a viable solution. The priority order in traditional information security is CIA (Confidentiality, Integrity, Availability), while in a SCADA system availability takes precedence, integrity ranks second and confidentiality comes last, i.e. AIC (Availability, Integrity, Confidentiality). Byres et al. [2] point out that even where security is well defined, the primary goal on the Internet is to protect the central server and not the edge client, whereas in a SCADA system the edge device, such as a PLC or smart drive controller, is considered far more important than a central host such as a data historian server. From the above analysis we conclude that no standard performs better than the others on all the criteria, and that different standards should be integrated when applying them to a specific industrial scene.

To obtain better protection of a SCADA system, we recommend the following steps. First, conduct a comprehensive threat analysis of the system. Second, take measures to improve the security awareness of all employees, which makes a great difference. Third, enhance the security of the SCADA system itself. Last, deploy security products, on condition that they do not affect regular production.

An additional paper is planned for publication in the near future. It will present a method for estimating the vulnerabilities of a SCADA system by applying these standards, and will attempt to work out mitigations.

6 ACKNOWLEDGEMENT We thank our shepherds, Zhen Xu and Liming Wang in our research group, for providing insightful feedback on the draft that helped improve the final paper. We would also like to thank Kai Chen, Zelong Chen and Zhenbo Yan for their help in early discussions and for providing insightful comments. This work is supported by the Strategic Pilot Project of the Chinese Academy of Sciences under grant No. XDA06010701, and by Research on Core Technologies of National Key Infrastructure Security Supervision Platform, Beijing Municipal Science & Technology Commission of China, under grant No. Z161100002616032, for which we are grateful.

REFERENCES [1] Eric J Byres, Matthew Franz, and Darrin Miller. The use of attack trees in assessing vulnerabilities in SCADA systems. In Proceedings of the International Infrastructure Survivability Workshop. Citeseer, 2004.

[2] Eric Byres, J Carter, A Elramly, and D Hoffman. Worlds in collision: Ethernet and the factory floor. In ISA 2002 Emerging Technologies Conference, Instrumentation, Systems and Automation Society, Chicago, 2002.

[3] Eric Byres and Justin Lowe. The myths and facts behind cyber security risks for industrial control systems. In Proceedings of the VDE Kongress, volume 116, pages 213–218, 2004.

[4] Shuang Liang, Mingtian Fan, and Fan Yang. Research on security standards of power supply in China and UK. In Power System Technology (POWERCON), 2010 International Conference on, pages 1–5. IEEE, 2010.

[5] W Eric Wong, Tej Gidvani, Alfonso Lopez, Ruizhi Gao, and Matthew Horn. Evaluating software safety standards: A system- atic review and comparison. In Software Security and Reliability- Companion (SERE-C), 2014 IEEE Eighth International Conference on, pages 78–87. IEEE, 2014.

[6] Kristian Beckers, Isabelle Côté, Stefan Fenz, Denis Hatebur, and Maritta Heisel. A structured comparison of security standards. In Engineering secure future internet services and systems, pages 1–34. Springer, 2014.

[7] Robert P Evans. A Comparison of Cross-Sector Cyber Security Standards. Idaho National Laboratory, 2005.

[8] Ted Phillips, Tom Karygiannis, and Rick Kuhn. Security standards for the RFID market. IEEE Security & Privacy, 3(6):85–89, 2005.

[9] Ray Snouffer, Annabelle Lee, and Arch Oldenhoeft. A comparison of the security requirements for cryptographic modules in FIPS 140-1 and FIPS 140-2. Technical report, DTIC Document, 2001.

[10] Varun Arora. Comparing different information security standards: COBIT vs. ISO 27001. Online. Available at Carnegie Mellon University, Qatar: http://qatar.cmu.edu/media/assets/CPUCIS2010-1.pdf, 2010.

[11] Teodor Sommestad, Göran N Ericsson, and Jakob Nordlander. SCADA system cyber security: a comparison of standards. In IEEE PES General Meeting, pages 1–8. IEEE, 2010.

[12] Eric Byres. Defense in depth. Control Engineering Asia June 2008, 2008.

[13] Keith Stouffer, Joe Falco, and Karen Scarfone. Guide to industrial control systems (ICS) security. NIST Special Publication 800-82, 2011.

[14] R Melton, T Fletcher, and M Earley. System protection profile– industrial control systems. Version 1.0, National Institute of Stan- dards and Technology, 2004.

[15] Willie May. Guidelines for smart grid cyber security (NISTIR 7628). http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7628r1.pdf. September 2014.

[16] G Finco, K Lee, G Miller, J Tebbe, and R Wells. Cyber security procurement language for control systems. Idaho National Labs, 2007.

[17] U.S. Department of Homeland Security. Strategic principles for securing the internet of things. https://www.dhs.gov/sites/ default/files/publications/Strategic Principles for Securing the Internet of Things-2016-1115-FINAL....pdf/. November 15, 2016.

[18] U.S. DOE. 21 steps to improve cyber security of SCADA networks. https://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/21 Steps - SCADA.pdf. November 15, 2002.

[19] NERC. Critical Infrastructure Protection (CIP): CIP-002 – CIP-011. http://www.nerc.com/pa/stand/pages/project%202016-02%20modifications%20to%20cip%20standards.aspx. January 21, 2016.

[20] U.S. GAO. Cyber security for critical infrastructure protection. http://www.gao.gov/assets/160/157541.pdf. May 2004.

[21] U.K. CPNI. Good practice guide, process control and SCADA security. https://scadahacker.com/library/Documents/Risk Management/CPNI%20-%20GPG%20-%2005%20Manage%20Third%20Party%20Risk.pdf. 2005.

[22] ISA/IEC. IEC/ISA 62443. http://isa99.isa.org/ISA99%20Wiki/WP List.aspx. February 26, 2016.

[23] IEEE. IEEE 1686-2013, IEEE Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities. http://standards.ieee.org/findstds/standard/1686-2007.html. 2013.

[24] P.R. SAC. Industrial control system security, parts 1-2. http://www.csres.com/detail/245872.html. 2014.

[25] P.R. SAC. Evaluation specification for security in industrial control network. http://www.csres.com/detail/216083.html. 2011.

[26] P.R. SAC. Industrial-process measurement and control: evaluation of system properties for the purpose of system assessment. http://www.csres.com/detail/115257.html. 2006.

[27] P.R. MIIT. Guide to industrial control systems information security protection. http://www.miit.gov.cn/n1146285/n1146352/n3054355/n3057656/n3057672/c5338092/content.html. 2016.

[28] U.S. DHS. DHS releases strategic principles for securing the Internet of Things. https://www.dhs.gov/news/2016/11/15/dhs-releases-strategic-principles-securing-internet-things. November 15, 2016.

[29] Ralph Langner. Stuxnet: Dissecting a cyberwarfare weapon. IEEE Security & Privacy, 9(3):49–51, 2011.

[30] Gaoqi Liang, Steven R Weller, Junhua Zhao, Fengji Luo, and Zhao Yang Dong. The 2015 ukraine blackout: Implications for false data injection attacks. IEEE Transactions on Power Systems, 2016.

[31] U.S.-CERT. Alert (TA13-088A): DNS amplification attacks. https://www.us-cert.gov/ncas/alerts/TA13-088A. 2016.

[32] David Kuipers and Mark Fabro. Control systems cyber security: Defense in depth strategies. United States. Department of Energy, 2006.

[33] A Fielder, T Li, and C Hankin. Defense-in-depth vs. critical component defense for industrial control systems.
