How Secure Is Our Infrastructure? Pointing the Finger at SCADA System Vulnerability

by Vance Bjorn, DigitalPersona Inc.

In 2008, the CIA confirmed that online attackers caused at least one power outage that affected multiple cities internationally. Ensuing reports revealed that multiple international regions had experienced cyberintrusions into utilities followed by extortion demands. They also noted that the attackers probably had inside knowledge of the systems used to control the power equipment.

The CIA report highlights that supervisory control and data acquisition (SCADA) systems used to control and manage critical infrastructure such as power generators, traffic signals, water and gas pipelines and dams were never designed for security. These systems were built for reliability and are capable of running 24 hours a day, 365 days a year without fail. In the face of increasing cyberattacks, however, SCADA systems have become a concern among security officials. The need to protect against internal and external threats has never been more urgent.

Passwords–Not as Secure as You Think

The private sector controls 85 percent of critical U.S. infrastructure. These companies rapidly have been adopting new, more convenient technologies including wireless and mobile computing to access SCADA systems. This has created a new breed of security vulnerability.

Additionally, energy and utilities organizations face compliance pressure ranging from adherence to North American Electric Corp. (NERC) reliability standards to Sarbanes-Oxley (SOX), which seek greater transparency and protection of personal and financial information.

To satisfy the desire for convenience and the need to fulfill government-imposed regulations, companies usually rely on passwords to safeguard access to the systems. But what safeguards SCADA systems from the users themselves?

Passwords are the most pervasive mechanism used to secure access to networks and databases and are often the weakest link in the security infrastructure. Despite information technology departments’ efforts to create stronger policies, design more complex procedures and implement new technologies, people remain fallible.

Industry analysts have found that 88 percent of employees use between five and six work-related passwords, all of which can be forgotten, stolen or shared. One user can undo all of an information technology department’s efforts by writing a password on a sticky note.

In support of passwords, other technologies including tokens or smart cards are introduced, but they, too, can be stolen or shared. Surveys also show that 44 percent of employees are believed to share passwords, tokens, smart cards or PINs with co-workers. Biometrics is the only security method that addresses this risk.

Fingerprint Biometrics–Stronger Security, Easier to Remember

Using biometrics to secure access to a SCADA system makes it difficult for intruders to break through authentication.

By deploying a fingerprint-authentication solution to SCADA system access points, organizations can immediately provide fine-grained, identity-based access control for critical cyberassets (as defined under NERC).

Biometrics can secure critical network infrastructure and applications without encumbering users or slowing down response times during critical power events. It also ensures compliance with identity security-reporting requirements for NERC CIP, Payment Card Industry Data Security Standard (PCI-DSS), SOX, ISO17799/27001 and other privacy regulations.

Fingerprint authentication provides an easy to use, natural interface. It creates network and information security with simplified, secure multifactor authentication by augmenting passwords with centralized management of identity security policies. Fingerprint identity solutions link individuals to specific actions. This provides organizations with an auditable trail and ensures that only those who should have access to SCADA systems gain entry.

Outside of guaranteeing the security of their SCADA systems, utility companies are also responsible for safeguarding an abundance of personal customer information. These companies maintain critical billing information for residents of large geographic regions or entire states.

Fingerprint authentication solutions protect access to sensitive information and reduce the risk that customers could be exposed to identity theft. A company’s customer data is as secure as its SCADA system without overextending its information technology department’s budget or the vulnerabilities of passwords, tokens and smart cards.

Authentication should be certain and simple. Unlike passwords, biometrics relies on unique, physical characteristics of users that can’t be cracked easily or forgotten, eliminating user error. Because using a fingerprint is as easy as pressing a button, the absence of training saves money.

Cyberattack threats continue to grow. Putting a finger on the pulse of the issue allows utility organizations to ensure that critical infrastructure and U.S. residents are protected from the debilitating consequences of SCADA system attacks.

Author

Vance Bjorn is the co-founder and chief technology officer at Redwood City, Calif.,-based DigitalPersona Inc. E-mail him at vanceb@digitalpersona.com. For more information, visit www.digitalpersona.com.

Previous articlePOWERGRID_INTERNATIONAL Volume 14 Issue 5
Next articleNew Mexico Gov. Bill Richardson Protests DOE Smart Grid Grant Guidelines

No posts to display