NDIA POLICY POINTS CYBERSECURITY
SCADA Missing from Cyber Certification Regime
By Joshua Walker

“The United States cannot afford to be islands of light with regard to SCADA control systems. We must bring together allies and industry leaders to develop a standardized set of cybersecurity requirements and implementation timelines that allow for us to identify critical services and develop strategies to protect them from potential threats both foreign and domestic,” explained Michael Kleeman, a senior fellow at the University of California San Diego.
The threats to domestic and government support systems are growing more complex and dangerous every day. Last year’s release of the interim rule, DFARS Case 2019-D041, partially implementing the Cybersecurity Maturity Model Certification, provided a new foundation for future cooperation and coordination between government and industry.
However, the program has been criticized by industry leaders for lacking clarity related to Supervisory Control and Data Acquisition (SCADA) networks, which are found in utility systems and other critical infrastructure. This lack of clarity could lead to defense industrial base susceptibility to bad actors.
SCADA enables direct interaction between devices to monitor and process data in real time at local and remote sites. These control systems are essential for improving efficiency, supporting better decisions, and establishing communication between systems to increase reliability for critical infrastructure such as electricity, water, telecommunications, and even space station systems. CMMC has the potential to serve as an important model for continued cooperation and coordination between the private and public sectors as they manage the transition from limited, single-facility control toward a utility and industrial base under digital control.
The complexity of utility networks is central to the current difficulty of identifying the most valuable networks and protecting them from bad actors. Because SCADA is the central control for utility networks, security investments and practices at one firm influence other relevant private and public entities, which makes cooperation and coordination necessary to manage risk within critical infrastructure networks effectively.
In this sense, understanding the complexities of SCADA and related critical infrastructure networks is key to addressing the concerning rise in cyber-related attacks and threats.
The threats to SCADA networks are multi-layered, which creates a great deal of complexity for defense officials to mitigate and protect against. At the same time, a lack of clarity about these systems creates a great deal of confusion and related cost for industry stakeholders and government officials. Therefore, it is of the utmost importance for industry and government leaders to continue working together to incorporate SCADA complexities and utility networks more effectively into future cybersecurity requirements.
Defense industry trade associations, other defense industry leaders, and technology firms have issued several recommendations to ensure that the standards required by CMMC do not introduce new risks for SCADA and other defense systems. A multi-association letter, which included the Information Technology Industry Council, Computing Technology Industry Association and others, recently explained that they “encourage DoD to work with providers of these systems … to develop and apply appropriate methods for verifying and certifying alternate controls and their implementation.”
Without such appropriate methods for certifying alternate controls at a consistent pace with the dramatic shift toward digital control, modernized SCADA systems within the defense industrial base are at increased risk of attack.
Additionally, those crafting CMMC requirements should keep in mind the importance of accelerating the restoration of such networks as part of a response to incidents that impact critical infrastructure. With the development of a digital system of control, labor should be organized to provide for some employees to be “first responder” security professionals that can react at a moment’s notice.
Along with included first responder professionals, backup technology and safeguards must be provided to sites to allow for the rapid restoration of essential critical information systems. Kleeman explained that — with proper clarity as to the importance of resilience and accelerated restoration of SCADA network systems — “a robust, modern system could ride out disturbances that would cause major problems to today’s stressed system.”
Lastly, further clarification should be provided for the physical protection of SCADA networks, including the strengthening of substations and control centers. The current CMMC model does not provide enough specificity with regard to substations and other relevant control centers. That specificity is required because “any telecommunication link that is even partially outside the control of the system operators is a potentially insecure pathway into operations and a threat to the grid,” Kleeman said.
With SCADA control systems, relevant substations must also be maintained as key elements of the security and long-term safety of our vulnerable network systems.
The complexities surrounding the current vulnerabilities require further cooperation and coordination between the Defense Department and the industrial base to create a CMMC final rule that clarifies the real and present threats posed by a one-size-fits-all approach to cybersecurity.
While CMMC provides a useful foundation to build on, much work by government and industry remains to be completed to clarify and ensure that the cybersecurity model is robust and effective with regard to SCADA control systems.
Joshua Walker is an NDIA junior fellow.
One more important topic that I would like to point out is that our society is entirely scope-locked on cyberattacks only. There should be some sensibility in reasoning that, although attacks are important to protect against for our society, their existence is similar to an Occam's Razor scenario: less than 3% of the incidents are confirmed attacks. Attacks are few and far between; the *real* threat to our society is the remaining 97%, which are due to operator error, process error, human ignorance or failure to perform a scheduled process, hardware or software failures, configuration failures, mismanagement, etc.
I would strongly encourage all of you to visit and take a look at some of the incident cases identified. I am constantly adding more cases, daily, and it is a very slow and tedious process. This site is highly experimental; however, it is meant more so to demonstrate the overwhelming number of cyber incidents that exist that are *not* attack-based. Please remember that.