The 350 page Handbook* offers an exhaustive analysis of what could and, to a degree, has gone wrong in the ongoing convergence of IT and process control systems. A chapter on ‘social and cultural aspects’ emphasizes the different cultures and opinions of the stakeholders. Engineers may doubt the reality or likelihood of cyber attacks on their system or, when confronted with the evidence, may just want to unplug control systems from the business network. For the authors, convergence is inevitable and unplugging is unrealistic.
The handbook is multi-authored and although the chapter titles ostensibly distinguish different facets of the problem set, there is inevitably overlap and repetition. A long chapter on ‘risk management’ is followed by a whole section on ‘governance and management. The book takes something of a ‘managerial’ view of the problem. In this reviewer’s opinion it is rather lacking in the technical detail one might expect in a ‘handbook.’
For instance, more detailed information on different scada vintages and their vulnerabilities would have been useful. But to whom? That is the problem with the whole field of security, scada or otherwise. As one of the concluding chapters has it, there are ‘issues’ with sharing information and data in that it may be used by the hacking community.
The chapter on ‘physical security’ makes a good point that security requires an enterprise approach and that the network is not ‘the center of the universe.’ This is followed by a chapter on ‘red/blue team tabletop exercises.’ All jolly good stuff but not really scada specific.
Brodsky’s chapters on communication and network topologies get more technical but that’s only about 20 pages worth! A short chapter on data management asks, ‘why do we collect and keep so much log file data,’ without giving a clear cut answer. Although an earlier chapter on integrity monitoring advocates the use of log files as an ‘oft-overlooked but critical component of a secure scada system.’
An appendix mentions a project of potential interest to Oil IT Journal readers—Linking the oil and gas industry to improve cybersecurity (Logiic), an ongoing initiative run by five major oils, the US Department of homeland security and the Automation federation.
The authors state that the Handbook is ‘work in progress.’ It is also, as far as we know, the only show in town. As such it makes a good first pass at collecting a lot of diverse information but it suffers from its multiple authorship and a governance, rather than a technology-led approach. It would have been good, for instance, to have made clearer the distinction between IT security and what is specific to scada. Readers are likely to come from either the IT camp or process control and more technical explanatory detail might facilitate communication between the two camps.
* A handbook of Scada/Control systems security by Robert Radvanovsky and Jacob Brodsky—CRC Press 2013. ISBN 9781466502260.
© Oil IT Journal - all rights reserved.