SCADA Systems

A critical infrastructure system “can vary from country to country. There are 14 infrastructures that are identified by the US Government that are required to have protection from threats. “These infrastructures are so important because they provide goods and services and great contribution to the economy and national defense.” And the “reliability, resiliency, and survivability” of these infrastructures allow the people to “maintain a sense of confidence in their country and themselves.” For critical infrastructure the vulnerabilities are “characteristics of an installation, system, asset, application, or its dependencies that could cause it to suffer a degradation or loss (incapacity to perform its designated function) as a result of having been subjected to a certain level of threat or hazard.” Most infrastructures are controlled by systems that are usually connected to a network. And because of that, the systems are vulnerable to cyber-attacks. “An individual or an entity with malicious intent might disrupt the operation of the system by blocking delaying the flow of information through the control networks. They can also make unauthorized changes to programmed instructions in the PLC’s, RTU’s and DCS controllers. This may result to International Journal of Control and Automation 19 malfunctioning of an infrastructure.” A lot of our infrastructure systems are intertwined and coincide in one way or another.  If the energy source infrastructure succumbs to an attack that will affect majority of the other infrastructures that this country uses to operate water, food processing, companies and businesses, banking, oil and gas, etc. So, if is very important to have systems in place that protect the critical infrastructures. SCADA Systems are one of the controlled systems that help protect infrastructures against vulnerabilities and attacks. SCADA stands for supervisory control and data acquisition. SCADA Hardware systems usually have “Distributed Control System components.” “RTUs or PLCs are also commonly used; they are capable of autonomously executing simple logic processes without a master computer controlling it.” There’s a SCADA System and a modern SCADA system. With the regular SCADA system there is an operator who manually operates the different control buttons and has authorization access.  Modern SCADA systems provide telemetry for the industries that need to “connect systems and equipment separated by long distances.” Telemetry allows users to “send commands, programs and receive monitoring information from the remote locations.” “SCADA systems are now in line with the standard networking technologies. The old proprietary standards are being replaced by the TCP/IP and Ethernet protocols.” Because SCADA systems can be accessed via the internet it is more vulnerable. However, there are protocols and techniques that can be implemented to secure the SCADA Systems.

The “Short Arm” of Predictive Knowledge

“Chance and luck and folly, the great equalizers in
human affairs, act like an entropy of sorts and make all definite designs in the long run revert to the perennial norm. Cities rise and fall, rules come and go, families prosper and decline; no change is there to stay, and in the end, with all the temporary deflections balancing each other out, the state of man is as it always was. So here too, in his very own artifact, man’s control is small and his abiding nature prevails.” (Hans Jonas)

This portion of Hans Jonas reading stood out to me and I think it has a major point when it comes to developing cyber-policy and infrastructure. Or any topic of life really can be seen through this statement. Life is unpredictable at times and things are always changing. Sometimes we have control over that change and sometimes not so much. But we go with the flow and adapt to the change. Because technology is constantly changing and advancing, there will always be updates and adjustments to policies and procedures. And those changes maybe out of man’s control but he can always adapt through trial and error, to see what security features, structures, etc., will/will not work. Alot of times trial and error creates experience and that can potentially prepare for future attacks. It is also important for employers to advise their employees of the new updates in policies and procedures. Most people that enter the IT field are already aware that things are likely to change in a moment’s notice. But it can still be a disclaimer for employers to mention to their employees, for those who may not be aware or well informed, to keep an eye out for different changes in regulations, procedures, and policies. And these steps may not fully equip a company for what may occur, but the company can at least be somewhat prepared.

To ensure a company remains within its budget, I would balance the trade-off for training and additional technology by providing the basic and standard training to all employees. Depending on the level of access for the employee there would be additional training available so that individual can know the dos and don’ts of the additional technology that maybe added.I believe it is important for the employees to be informed on how to use the technology that is implemented because, like one of the articles stated, a lot of the breaches are internal. And it was from an employee who either inadvertently or intentionally created the breach. So, to prevent the unintentional breaches training will be available so the employee/employees are familiar with the most secure way of handling the system.Also, I agree that efficiency tends to be a popular trait that is praised and receives more attention. But, in a case where budgeting is in place, I think it would be more cost-effective to have proper training available and inform the individuals that efficiency isn’t the only important aspect. But, securing the company’s and our customer’s information and assets is the main goal. So, we aren’t to make any shortcuts to maximize productivity. And if it is a case that an updated system, software, hardware, etc. will allot space to be efficient as well as effective, then I would add that technology. Depending on the company and manufacturing methods, having a low percentage of productivity could be unprofitable. Of course, having the additional technology and the employees well trained is the main goal. But it would be done in strides and not all at once.Also, referring back to my previous statement above, only the advanced training would be provided to the individuals who would have access to the additional technology that is being added. The basic training will be provided to all employees and there would be limited access. So, for instance, if an employee works in the packaging department,boxing, shipping, etc., they wouldn’t need the same level of training as a Chief Security Officer or an Application Security Developer.