Advances in Security Technology and Procedures to Safeguard Reclamation SCADA Systems
Over the past decade, information and computer systems security has become increasingly critical in protecting Reclamation resources. Elevated threats to our infrastructure have necessitated new and improved methods to ensure secure management of water and power resources. The cyber security of Reclamation's Supervisory Control and Data Acquisition (SCADA) systems presents unique challenges. The control and data collection characteristics of SCADA pose special security risks that must be assessed accurately. This project proposes to answer several security questions. What new security technologies and methods are available to ensure the security of our critical SCADA system operations? What standardized, cost-effective solutions can be deployed at facilities across Reclamation to enhance the security of these systems? And finally, what protections do these solutions provide, what are their vulnerabilities, and will they satisfy Reclamation IT Security policies?
Need and Benefit
In the face of continued advances in computer technology, information security has become increasingly critical for protecting systems from unauthorized interference. Elevated threats continually must be met with improved technology to ensure the uninterrupted operation of systems that are used daily for routine management. Consequently, security technologies have advanced as businesses rely more heavily on the Internet for enhancing market development. Methods of applying these technologies also are required. Improved, cost-effective methods need to be developed to efficiently protect Reclamation facilities and equipment.
As energy continues to be a vital part of the quality of life in our society, the need to protect Reclamation's infrastructure makes it imperative that new and improved methods of information security be used to ensure the scheduled delivery of water and power resources. And, while Federal legislation and Reclamation's focus on improved security over the past several years have produced a wealth of comprehensive safeguards and policy guidelines, there continue to be problems with the implementation of new and practical security technologies for many of our systems. Security technology costs are high within Reclamation, particularly for some of the older SCADA systems. Many of these older systems have neither security solutions available nor the staffing support to keep up with advances in security technology. This project proposes to fill this gap by providing solutions that can be implemented practically to protect the information that has become a vital part of ensuring the success of Reclamation's mission.
Also within Reclamation, there is a need to develop standard, cost-effective solutions for risk assessment and security of SCADA systems. Four facilities in particular, Shasta, Grand Coulee, Hoover, and Glen Canyon, have been identified as National Critical Infrastructure sites. Protection of the SCADA systems at these sites is a high priority for national security. Also, new SCADA systems must meet the requirements of an accreditation process prior to initiating operation, and existing systems must be accredited and reviewed on a periodic basis. Consequently, developing security controls is a critical element for the field staff supporting Reclamation's essential SCADA operations. The procedures and technologies being used to secure these systems are complex and costly. There also is a need to develop cost-effective solutions for the large number of smaller facilities that require protection. This research will be focused on improving the development of security controls to address risk accurately, minimize cost, and satisfy Information Technology Security policies.
Benefits from this research target two areas. The first goal is to provide solutions to field sites that will maintain security at a level of minimized risks. There continue to be vulnerabilities at all Reclamation SCADA sites. This work examines issues that have the broadest application across Reclamation associated with the highest risk areas. The second goal is to lower the cost of securing SCADA systems. Costs to perform security-related accreditations, define and implement improvements, complete assessments, and perform on-going reviews easily can be $100k to $200k per year at some sites. Costs associated with initial implementation of security controls can be three to five times this amount. With strategic research, these costs can be reduced while at the same time ensuring the security of Reclamation SCADA systems with improved security technology.