March 8, 2005 (Computerworld) －－ Computerized process-control systems run some of the most critical infrastructures in the U.S., such as power utilities, water treatment plants, chemical plants and mass-transit systems. Until recently, little attention was given to securing these systems from a cybersecurity perspective. This is in large part because they were perceived as operating in a closed environment. However, this perception has led to a false sense of security, especially against a backdrop of increasing information security risks.

This article examines the state of security related to process-control systems and what can be done to secure them.

What is SCADA?

There are two types of process-control systems in view—distributed control systems (DCS) and supervisory control and data acquisition (SCADA). DCS are typically used for single-point processing and are employed in a limited geographic area. On the other hand, SCADA systems are used for large-scale, distributed management of critical infrastructure systems and are often geographically dispersed.

For example, in a power utility, DCS may be used for generation of power, while SCADA is used for the distribution and transmission of power. The basic SCADA configuration shown in Figure 1, consists of a supervisory control station and multiple controller stations, either local or remote. Through the use of the control station, operators can monitor status and issue commands to the appropriate devices. Control stations consist of devices that collect data or effect control of equipment. These devices are either remote terminal units (RTU), intelligent electronic devices or programmable logic controllers (PLC).