Interconnected global network systems have many benefits. Recognizing their value and acknowledging that adversaries are not going away, governments, industry, and users must understand potential threats and the viable options for addressing them to ensure network security.
Users have no standardized evaluation process to help them decide which Supervisory Control and Data Acquisition (SCADA) security technologies are best for preventing network security threats.
This lack of an evaluation capability hinders users’ ability to make swift and cost-saving decisions on the best way to protect these critical networks.
SCADA networks are composed of computers and applications that monitor and control essential services and commodities, including electricity, gasoline, water, water treatment, and transportation. These networks allow digital input, possibly from a computer located thousands of miles away, to control them. They are part of the nation’s critical infrastructure and vulnerable to security threats and attacks.
SPAWAR Systems Center Pacific (SSC Pacific) is developing a Cyber-SCADA Evaluation Capability (C-SEC) that will enable users to evaluate technologies for securing SCADA networks.
The objective of C-SEC is to support an improved secure posture of SCADA networks. The team plans to accomplish this objective by understanding cyber/SCADA needs, evaluating existing solutions for monitoring and protecting against cyber threats, and developing a new cyber/SCADA strategy. While various types of systems will be reviewed, C-SEC will focus on protecting energy systems.
This project focuses on producing an evaluating software tool that allows users to evaluate SCADA security technologies easily, and includes security metrics that provide a granular decomposition of how well security technologies are securing SCADA energy networks. A laboratory environment at SSC Pacific models a sample SCADA network using SCADA equipment to explore SCADA vulnerabilities.
The project has two competing requirements: constant accessibility to the networks, and security to ensure that no abnormal/malicious activity exists on the networks. The C-SEC team is approaching security from the group up rather than addressing security as an added requirement, which has helped focus some of the complexity in reconciling competing requirements.
C-SEC is a two-year project scheduled for completion in December 2014. The project has three deliverables: a C-SEC evaluation software tool, a C-SEC test and evaluation laboratory environment, and a C-SEC online collaborative environment that allows multiple users to compare evaluated technologies and reuse evaluation results.