Assessing and Improving SCADA Security in the Dutch Drinking Water Sector
International studies have shown that information security for process control systems, in particular SCADA, is weak. As many critical infrastructure (CI) services depend on process control systems, any vulnerability in the protection of process control systems in CI may result in serious consequences for citizens and society. In order to understand their strengths and weaknesses, the drinking water sector in the Netherlands benchmarked the information security of their process control environments. Large differences in their security postures were found. Good Practices for SCADA security were developed based upon the study results. This paper will discuss the simple but effective approach taken to perform the benchmark, the way the results were reported to the drinking water companies, and the way in which the SCADA security good practices were developed. Figures shown in this paper are based on artificially constructed data, since the study data contain company-sensitive and nationally sensitive information.
Keywords: Drinking Water; Information Security; Critical Infrastructure; Process Control System; Information Security Management