SCADA Management Requires A Range of Efforts
The need to address potential gaps in SCADA become apparent when one considers the breadth of critical infrastructure managed or operated by government organizations and entities.
The Bureau of Reclamation is the largest wholesaler of water in the nation. The Army Corps of Engineers’ nationwide network of dams is the country’s largest generator of hydropower. Dozens of DOD bases rely on SCADA control systems.
“Industrial control systems are essential” to managing all that critical infrastructure, says Ahmad Zoua, senior project manager at Guidepost Solutions. “Unfortunately, many of them focus on functions, convenience and increased productivity, while cybersecurity is an afterthought.”
Current events have brought the issue to the fore. CISA has developed a new “Shields Up” campaign, which warns that Russia’s invasion of Ukraine could spur “malicious cyber activity against the U.S. homeland,” including efforts to disrupt critical infrastructure.
Even before Ukraine, however, agencies were taking steps to close the gap. The Army Corps of Engineers recently upgraded controllers and modules at The Dalles Dam in Oregon, one of the largest hydropower generators in the country. The Bureau of Reclamation likewise has undertaken an update of its SCADA systems in an effort to standardize the system and collect data and alerts more quickly.
The Role of Military Power in SCADA
Meanwhile, the Army has moved aggressively on the SCADA situation. Industrial controls are a key mission enabler across the Army.
“We have a lot of control systems — in our weapon system platforms, in installations — running our most complex manufacturing processes,” Iyer says.
“These are all devices that are connected to the network in some way; they communicate with other devices or back to a server. That means they are susceptible to cyberattacks,” he says.
The May 2021 attack on a major U.S. fuel pipeline and other similar incidents highlight the urgency of addressing that potential susceptibility. “I think it's very clear just from recent incidents that have happened outside of the Army that the homeland is no longer a sanctuary. Our adversaries and cyber criminals have in the past attempted to penetrate power grids, pipelines, and so forth,” Iyer says.
Federal mandates, too, are driving a rethink. “This year, in the National Defense Authorization Act, there were at least a dozen or so requirements around protecting critical infrastructure,” Iyer notes.
How best to bring SCADA up to speed? “It starts with identifying all of the control system assets on our network, from tiny sensors all the way to huge complex systems. Identifying them, cataloging them and discovering them is the first step,” he says.
“We have an effort under way where we're actually putting sensors across our network to identify these assets, classify them, tag them, and understand their current security posture,” he says.
From there, the Army is moving to isolate these control systems from the rest of the network. “We could set up virtual networks, use things like software defined networking to isolate these things. Then we can put these devices on a separate network that's closed, isolated,” Iyer says. “They could be put behind a firewall so that they cannot be accessed from outside. That is all part of the architecting that we're doing right now.”
As with other government agencies, the Army also wants to engage with private-sector partners who have a hand in managing critical infrastructure. “These are not all government-operated installations, so we are working with industry or the contractors are that run our bases, in order to do that,” Iyer says.