Until quite recently, SCADA systems were traditionally 'walled off' from other systems operating independently from the network. Prior to the awareness of possible attacks, this seemed to provide all the protection the SCADA system required. However, over time they have become integrated into larger company networks as a means of exploiting their valuable data to increase plant efficiency.

The result of this development is that now their security is often only as strong as the security of the overall network.

The process of protecting SCADA networks starts with the creation of a written security policy.

Failure to have a policy in place exposes the company to attacks, loss of revenue and legal action.

The security policy should also be a living document, not a static policy created once and then shelved.

The management team needs to draw very clear and understandable objectives, goals, rules and formal procedures to define the overall position and architecture of the plan.

It should also cover the following key components:.

* Roles and responsibilities of those affected by the policy.

* Actions, activities and processes that are allowed, and those that are not allowed.

* Consequences of non-compliance.

Prior to completing the written policy a vulnerability assessment must be undertaken to identify both the potential risks associated with the different aspects of the SCADA-related IT infrastructure, and the priority of the different aspects of the infrastructure.

In addition, the vulnerability assessment also acts as a mechanism to identify holes or flaws in the understanding of how a system is constructed (ie its architecture) and where threats against the system may originate.

To successfully complete a vulnerability assessment, a physical audit of all the computer and networking equipment, associated software and network routings needs to be performed.

A clear and accurate network diagram should be used to present a detailed depiction of the infrastructure following the audit.

The results would typically be presented in a hierarchical manner, which, in turn, sets the priority to address security concerns and the level of related funding associated with each area of vulnerability.

For example, within a typical SCADA environment, key items and the related hierarchy could be as follows:.

* Operational Availability of Operator Stations.

* Accuracy of Real Time Data.

* Protection of System Configuration Data.

* Interconnection to Business Networks.

* Availability of Historical Data.

* Availability of Casual User Stations.