WTF?!? NDIA Policy Points: SCADA Missing from Cyber Certification Regime

Housecarl

On TB every waking moment
Posted for fair use.....

NDIA Policy Points: SCADA Missing from Cyber Certification Regime

4/16/2021
By Joshua Walker

“The United States cannot afford to be islands of light with regard to SCADA control systems. We must bring together allies and industry leaders to develop a standardized set of cybersecurity requirements and implementation timelines that allow for us to identify critical services and develop strategies to protect them from potential threats both foreign and domestic,” explained Michael Kleeman, a senior fellow at the University of California San Diego.

The threats to domestic and government support systems are growing more complex and dangerous every day. Last year’s release of the interim rule, DFARS Case 2019-D041, partially implementing the Cybersecurity Maturity Model Certification, provided a new foundation for future cooperation and coordination between government and industry.

However, the program has been criticized by industry leaders for lacking clarity related to Supervisory Control and Data Acquisition (SCADA) networks, which are found in utility systems and other critical infrastructure. This lack of clarity could lead to defense industrial base susceptibility to bad actors.

SCADA enables the direct interaction between devices to monitor and process data in real time at local and remote sites. These control systems are essential for establishing efficiency, making better decisions, and establishing communication between systems to increase reliability for critical infrastructure like electricity, water, telecommunications, and even space station systems. CMMC has the potential to serve as an important model for continued cooperation and coordination between private and public sectors to effectively manage the transition toward a utility and industrial base under digital control from limited single-facility actors.

The complexities of utility networks remain of paramount interest to successfully mitigating the current difficulty of spotting and protecting the most valuable networks from bad actors. As the central control for utility networks, the importance of SCADA can be seen in the fact that security investments and practices at one firm influence other relevant private and public entities, which provides for the necessity of cooperation and coordination to manage risk within critical infrastructure networks effectively.

In this sense, understanding the complexities of SCADA and related critical infrastructure networks is key to addressing the concerning rise in cyber-related attacks and threats.

The threats to SCADA networks are multi-layered, which creates a great deal of complexity for defense officials to mitigate and protect against. But a lack of clarity related to the systems provides a great deal of confusion and related costs for industry stakeholders and government officials. Therefore, it is of the utmost importance for industry and government leaders to continue working together to incorporate SCADA complexities and utility networks more effectively into future cybersecurity requirements.

Defense industry trade associations, other defense industry leaders, and technology firms have issued several recommendations to ensure that the standards required by CMMC do not introduce new risks for SCADA and other defense systems. A multi-association letter, which included the Information Technology Industry Council, Computing Technology Industry Association and others, recently explained that they “encourage DoD to work with providers of these systems … to develop and apply appropriate methods for verifying and certifying alternate controls and their implementation.”

Without such appropriate methods for certifying alternate controls at a consistent pace with the dramatic shift toward digital control, modernized SCADA systems within the defense industrial base are at increased risk of attack.

Additionally, those crafting CMMC requirements should keep in mind the importance of accelerating the restoration of such networks as part of a response to incidents that impact critical infrastructure. With the development of a digital system of control, labor should be organized to provide for some employees to be “first responder” security professionals that can react at a moment’s notice.

Along with included first responder professionals, backup technology and safeguards must be provided to sites to allow for the rapid restoration of essential critical information systems. Kleeman explained that — with proper clarity as to the importance of resilience and accelerated restoration of SCADA network systems — “a robust, modern system could ride out disturbances that would cause major problems to today’s stressed system.”

Lastly, further clarification should be provided for physical protection of SCADA networks to include the strengthening of substations and control centers. The current CMMC model does not provide enough specificity with regards to substations and other relevant control centers that are required because “any telecommunication link that is even partially outside the control of the system operators is a potentially insecure pathway into operations and a threat to the grid,” Kleeman said.

With SCADA control systems, it is required that relevant substations be also maintained as key elements of the security and long-standing safety of our vulnerable network systems.

The complexities surrounding the current vulnerabilities require further cooperation and coordination between the Defense Department and the industrial base to create a CMMC final rule that clarifies the real and present threats posed by a one-size-fits-all approach to cybersecurity.

While CMMC provides a useful foundation to build on, much work by government and industry needs to be completed to clarify and ensure that the cybersecurity model is robust and effective when concerning SCADA control systems.

Joshua Walker is an NDIA junior fellow.
 

Knoxville's Joker

Has No Life - Lives on TB
SCADA is used in nuclear power plants, power distribution centers, and specifically nuclear centrifuges in Iran.

Basically this says that until there is a certification for that system the utilities will have crippling security issues...
 

BadMedicine

Would *I* Lie???
"Until you centralize your security, until you comply with OUR standard of safety protocol.. until we know how you secure your security, you will continue to be at risk..." -they say.

or maybe..

"BECAUSE we continue to resist standardization, BECAUSE we refuse to 'collaborate' on what security protocol is, WE HAVE security protocol...."

"This is the lock everyone uses. this is the lock the criminals know. don't you want to use this lock?"

the biggest criminal enterprises in the world, are governments, THE BIGGEST OF THE BIGGEST ARE NON-STATE GOVERNMENTS...... the Illuminate...NWO...genociders..
 

Bps1691

Veteran Member
SCADA is used in nuclear power plants, power distribution centers, and specifically nuclear centrifuges in Iran.

Basically this says that until there is a certification for that system the utilities will have crippling security issues...
And water purification plants, sewer purification plants, coffee processors .... that's just a few that I've worked on contracts to interface business systems with the physical control systems through the years that use SCADA.

It's the easiest way to shut down things without actually breeching the physical locations. Values, sensors, relays, you name it are tied into SCADA networks and without them what ever physical control systems they are attached to is toast.
 

Lone_Hawk

Resident Spook
The situation is worse than that. I hired the first SCADA engineer who was processed for a TS-SCI clearance. He worked for me for almost a year, and his reports scared the shit out of the govies. They made him an offer he couldn't refuse and he went to work for them.

Back years ago it was not unusual for SCADA devices to be installed everywhere with their default passwords in place. Everything, electrical power grid, industry, large buildings, water treatment, you name it. It was all wide open for manipulation.
 

Millwright

Knuckle Dragger
_______________
I've seen near disasters when people within the company have access to SCADA systems.

Idiots clicking buttons on the computer screen are dangerous.

We had someone in Belgium try to start a production line in the Houston plant.

Lockout/Tagout is a life safety procedure and it should be followed religiously.
 

Knoxville's Joker

Has No Life - Lives on TB
The situation is worse than that. I hired the first SCADA engineer who was processed for a TS-SCI clearance. He worked for me for almost a year, and his reports scared the shit out of the govies. They made him an offer he couldn't refuse and he went to work for them.

Back years ago it was not unusual for SCADA devices to be installed everywhere with their default passwords in place. Everything, electrical power grid, industry, large buildings, water treatment, you name it. It was all wide open for manipulation.

eek. I think the lack of cyber security certification is an unwritten admission that NO ONE HAS SUFFICIENTLY SECURED THIS TECHNOLOGY, EVER! Basically you are looking at long term government employees getting canned for gross incompetence when it comes out that they were not doing their job and they created a liability situation. Unions will not protect you too much if you create a situation where you endanger the bond and surities of the organization. The threat of closing down permanently or let so and so go tends to be a no choice situation.
 

Hfcomms

EN66iq
Leave it to the government to attempt to shut the barn door when the horse is long gone. SCADA systems have invited disaster for many years. You don't need to have the infamous EMP that people are scared about. Hacking into several major SCADA systems and the cascading failures arising from the initial trips will do the job quite nicely.
 

Knoxville's Joker

Has No Life - Lives on TB
Leave it to the government to attempt to shut the barn door when the horse is long gone. SCADA systems have invited disaster for many years. You don't need to have the infamous EMP that people are scared about. Hacking into several major SCADA systems and the cascading failures arising from the initial trips will do the job quite nicely.

The other thing is that SCADA systems are extremely old school. It is only in the past couple of decades that they are now all internet connected and security first was never a mindset for them. Most of your engineering folks are not IT gurus and proper security is not a thing. This will start to slowly change.
 
Top