
AGA 12 Update

I reviewed the AGA 12 cyber security documents in an earlier blog entry, and I haven’t tracked progress closely because I’m not a big proponent of encryption as the communication security solution.

A presentation at Distributech piqued my interest again, and there have been some changes and new developments.

First, prototype AGA 12 bump-in-the-line encryptors have been developed and tested. The testing in the field did not go well, but this was related more to communication issues than to security issues. I’m sure with some additional trials the prototypes will work. The bigger question is the market for this product.

Second, the AGA document has been reorganized into four parts.

- Part 1: Background, Policies and Test Plan

I’m not a fan of this document primarily because it overreaches. The authors say “the AGA 12 series of documents recommends practices designed to provide confidential SCADA communications”, yet the document does more than that. It has a great deal of text that is informative rather than normative on creating an information security program. It is very difficult to cover this wide range of information in a short document.

That said, it was a very good idea to break this into a separate document. Now users that are looking for the encryption standard can focus on the applicable part.

- Part 2: Retrofit link encryption for asynchronous serial communications

This is the meat of the work to date, and it is what was used to design the bump-in-the-line prototypes.

- Part 3: Protection of network systems

This will address encryption of IP-based SCADA protocols.

- Part 4: Protection embedded in SCADA Components

Third, key management is still “expected to be addressed in future addendum”. It is not unprecedented for key management to be in a separate document; look at IPsec as an example. However, security protocols rarely receive widespread use or effective deployment until key management has been addressed; again, look at IPsec as an example.
