
NCASSR Project: SCADA Protocol Authentication Project

Energy infrastructures (electric power grids and pipelines) and other industries are becoming increasingly dependent upon information systems, and rely on supervisory control and data acquisition (SCADA) systems to operate. Standardized protocols are replacing more obscure vendor-specific SCADA protocols. Interconnectivity of SCADA systems to other information networks is becoming more prevalent. These trends create new vulnerabilities that increase the risk to infrastructure operations. Compromises in the confidentiality, availability, or especially integrity of these systems can potentially impact the reliability of infrastructure operations.

SCADA Theme
This area will focus on developing unique authentication mechanisms that can be integrated within a larger cryptographic framework for system security. Other research into securing SCADA systems focuses on encryption technology, which brings difficulties with latency, reliability, and interoperability. This novel approach resolves these issues by providing a secure means for authenticating the signal, thereby enhancing the integrity of supervisory control and data acquisition functions.

SCADA Organization
The focus of this research area is to develop a secure method for authenticating valid control signals and data acquisition functions without full signal encryption. This technology will enhance infrastructure security for systems that rely on SCADA in diverse computational environments with demanding functional requirements, specialized software and hardware systems, and a mixture of state-of-the-art and legacy equipment.

Specifically, we will focus on enhancing SCADA system security at the protocol and hardware level. The project will engage a multidisciplinary team (Pacific Northwest National Laboratory (PNNL), University of Illinois at Urbana-Champaign, InfoAssure) to develop the methods for securing these systems. PNNL will lead and manage the effort on behalf of the team.

Currently, many SCADA networks are vulnerable to attacks from insiders and sophisticated adversaries. As deregulation continues and the use of shared communication channels increases, the risk of compromising SCADA networks increases. Research in this area is needed to mitigate the threat posed by the current trend of interweaving multiple, diverse systems over shared communication systems. Government and industry research into secure SCADA is focusing on encryption technology. However, encryption has difficulties associated with latency, reliability, and interoperability. The approach taken in this project addresses these issues by providing a secure means for authenticating the signal, thereby preserving the integrity of supervisory control and data acquisition functions.

The research will include the development of technology for protecting against disruption, unauthorized control, or intrusion into real-time energy control systems. The solution will have minimal negative impact on the end user. Most infrastructures utilize SCADA as an integral part of their command and control systems, especially the energy infrastructures (electric power, natural gas, other petroleum, and other gaseous or liquid fuels). The initial focus of this research and development effort will be on these sectors.

Industry is presently developing proprietary solutions for certain facets of SCADA security, such as protocol encryption; however, a system-level security solution that is suitable for general application has proven elusive. This project focuses on developing "Smart Card" based hardware and system operator authentication mechanisms that are capable of integrating within a larger, more efficient cryptographic framework for system security. This research will provide an important step toward mitigating both the insider and external threats in a utility environment.

The prototype device mounts at the field device and is hard-wired to an input/output card on the chassis. The generated code can then be read over the normal operator interface channels as a real number in a register. This number is always changing and is synchronized to the operator interface. In the future, these Smart Cards could be manufactured as a unit that plugs into existing control systems and be made available commercially.
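
The page does not say how the prototype derives its code. As an added illustration (not the project's own design or code), the sketch below assumes an HMAC over a time-step counter with a shared key, truncated to an assumed 16-bit register value, and shows an operator-side check that tolerates small clock drift and rejects malformed readings. The function names, the 30-second step and the register width are all assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed code lifetime; the page gives no interval
REGISTER_BITS = 16  # assumed register width; the page only says "a register"


def rolling_code(key: bytes, unix_time: float, step: int = STEP_SECONDS) -> int:
    """Value the field-side device would expose in its register for this time step."""
    counter = int(unix_time // step)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    # Truncate the MAC so it fits the register.
    return int.from_bytes(digest[:4], "big") % (1 << REGISTER_BITS)


def verify_register(key: bytes, register_value: int, unix_time: float,
                    drift_steps: int = 1, step: int = STEP_SECONDS) -> bool:
    """Operator-side check: accept the current step and +/- drift_steps neighbours."""
    if not 0 <= register_value < (1 << REGISTER_BITS):
        return False  # malformed reading, cannot be a valid code
    got = register_value.to_bytes(4, "big")
    ok = False
    for offset in range(-drift_steps, drift_steps + 1):
        expected = rolling_code(key, unix_time + offset * step, step)
        # Constant-time compare, no early exit: timing does not reveal which step matched.
        ok |= hmac.compare_digest(expected.to_bytes(4, "big"), got)
    return ok


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-use"  # constructed sample secret
    t = 1_700_000_000                           # constructed sample timestamp
    reading = rolling_code(key, t)              # value read from the device register
    print("fresh, 20 s skew :", verify_register(key, reading, t + 20))
    print("replayed 300 s on:", verify_register(key, reading, t + 300))
    print("out of range     :", verify_register(key, 1 << REGISTER_BITS, t))
```

With a register this narrow, a blind guess succeeds with probability of roughly one in 65,536 per accepted step, so the operator side should also rate-limit or alarm on repeated mismatches.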

 
