Industrial control system (ICS) including its components (SCADA, PLCs, and RTUs etc.) are typically used in industries such as electrical, water and wastewater, oil and natural gas, chemical, transportation, pharmaceutical, pulp and paper, food and beverage etc.
SCADA (Supervisory Control and Data Acquisition) generally refers to an industrial control system for a given process. These processes are often of mission critical nature and usually exist as of industrial, infrastructure or facility-based nature.
ICS systems were originally designed to meet performance, reliability, safety, and flexibility requirements. In most cases, they were physically isolated from outside networks and based on proprietary hardware, software, and communication protocols that lacked the secure communication capabilities; the need for cyber security measures within these systems was not anticipated.
However, in today’s ever-connected real-time business environments, the earlier “air gap” does not exist.
Common threat agents for these ICS systems are:
These vulnerabilities can be classified into broadly three groups:
These vulnerabilities are introduced into the ICS due to incomplete, inappropriate, or non-existent security documentation, including policy and procedures.
These vulnerabilities can occur due to flaws, misconfiguration, or poor maintenance of hardware, operating systems, and ICS applications.
These vulnerabilities in ICS may occur from flaws, misconfiguration, or poor administration of ICS networks and their connections with other networks.
1. What can be tested
Control systems, critical infrastructures, industrial networks
External or internal
Full or focused (concentrate on specific aspects of security)
4. Basis of information
White, grey- or blackbox
Direct attack attempts or covert attack
Passive, polite, aggressive or paranoid