
AGA 12 Review - Part 2

Read AGA 12 Review - Part 1

1) Management (continued)

Key management, discussed in Part 1, has technical solutions that remove the need for a sophisticated management system. Address table management does not: there is no simple technical fix, and the table must be built and maintained by someone.

The address table maps each SCADA address to the SCADA Cryptographic Module (SCM), or encryptor, that protects it. When a poll or other SCADA protocol message is sent, the originating SCM must parse the message and extract the SCADA address from it. The originating SCM then looks that address up in its address table to determine which destination SCM protects it, establishes a dynamic session with that destination SCM, and forwards the message securely, most likely through an encrypted and authenticated tunnel. A message whose address is not in the table cannot be routed at all, so the table has to be both complete and correct.
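The lookup described above, as an added example that is not code from the blog post or from any AGA 12 product. It assumes Modbus RTU as the serial SCADA protocol (the post does not name one; AGA 12 is protocol-agnostic), so the "SCADA address" is the unit-id byte that opens each RTU frame. The SCM names, the table contents and the frames are constructed for illustration. The example also shows the failure mode the post raises later: a frame addressed to a device that was never entered in the table fails closed rather than being sent in the clear.

```python
import struct

# Added example (not from the post or any AGA 12 implementation). Assumes Modbus
# RTU framing; SCM names and address table contents below are constructed.


def crc16_modbus(data: bytes) -> int:
    """Modbus RTU CRC-16: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_rtu_frame(unit_id: int, pdu: bytes) -> bytes:
    """Build a Modbus RTU frame: unit id, PDU, then the CRC low byte first."""
    body = bytes([unit_id]) + pdu
    return body + struct.pack("<H", crc16_modbus(body))


def extract_scada_address(frame: bytes) -> int:
    """Return the unit id of an RTU frame after checking its CRC.

    A corrupted frame is rejected instead of being routed on a garbled address.
    """
    if len(frame) < 4:  # unit id + at least one PDU byte + 2 CRC bytes
        raise ValueError("frame too short")
    body, crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16_modbus(body) != crc:
        raise ValueError("CRC mismatch")
    return body[0]


class AddressTableError(LookupError):
    """No SCM in the address table protects the requested SCADA address."""


class SCM:
    """Minimal model of an SCM routing decision: table lookup plus a
    per-destination session that is created on first use."""

    def __init__(self, name: str, address_table: dict):
        self.name = name
        self.table = dict(address_table)  # SCADA address -> destination SCM name
        self.sessions = {}                # destination SCM name -> session number

    def route(self, frame: bytes):
        addr = extract_scada_address(frame)
        dest = self.table.get(addr)
        if dest is None:
            # The post's "new PLC deployed" case: the address was never entered.
            # Fail closed; the poll must not leave the SCM unprotected.
            raise AddressTableError(
                f"{self.name}: no SCM protects SCADA address {addr}")
        if dest not in self.sessions:
            # Stand-in for the dynamic session setup (key agreement) with dest.
            self.sessions[dest] = len(self.sessions) + 1
        return dest, self.sessions[dest]


# Constructed table for one control-center SCM: two field-site SCMs protect
# three devices between them.
CC1 = SCM("cc-scm-1", {1: "field-scm-07", 2: "field-scm-07", 17: "field-scm-23"})

READ_HOLDING = bytes.fromhex("03 0000 0002")  # FC 3, start register 0, count 2


def demo():
    """Route three polls; the second and third reuse one session to field-scm-07."""
    return [CC1.route(build_rtu_frame(unit, READ_HOLDING)) for unit in (17, 1, 2)]


if __name__ == "__main__":
    print(demo())
    try:
        CC1.route(build_rtu_frame(99, READ_HOLDING))
    except AddressTableError as err:
        print(err)
```

In a real SCM the session value would be the negotiated keys for the tunnel; here it is only a counter so the reuse of an established session is visible in the return value.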

Each SCM will have an address table. Consider again the example from the Part 1 entry, with 2 encryptors at the control center and 50 encryptors in the field. Each control center SCM will need to know the SCADA addresses behind each of the 50 field site SCMs. Each field site SCM will need to know the SCADA addresses behind the two control center SCMs. And if any field site SCMs communicate with each other, which does happen in larger SCADA systems, they will also need the SCM / SCADA address mappings for every field site they talk to.

Entering the address tables once is a lot of work in even a medium-size SCADA network, but management matters even more when changes occur. What if a new HMI or control server is added in the control center? The address table at each of the 50 field sites would need to be updated. What if a new PLC is deployed? An SCM loses its address table? A new field site is deployed? These networks don't change frequently, but even an infrequent change can ripple into a large number of address table edits.

Again, this is not a new problem. Frame relay and X.25 encryptors dealt with exactly this issue in the past. However, those products came with a management system: changes were entered in one central location and then automatically and securely distributed to every encryptor in the network. We would not recommend deploying a system of AGA 12 encryptors without a central address table management solution.
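What "entered centrally and securely distributed" can look like, as an added example that is not the post's code or any vendor's management product. It assumes each SCM shares a distinct symmetric key with the management station (keys are derived from names here purely so the example is self-contained; a real deployment would provision them), that the whole address map is pushed to every SCM rather than a per-SCM subset, and that updates are authenticated with an HMAC over a versioned JSON payload. Those are illustrative design choices. The example covers the three cases the post raises: a new PLC added centrally, an SCM that has lost its table and must resync, and a replayed old table, which the version check rejects.

```python
import hashlib
import hmac
import json

# Added example (not from the post or any AGA 12 product). The wire format,
# the version rule and the per-SCM keys are assumptions made for illustration.


class ManagementStation:
    """Central owner of the address map; publishes signed, versioned copies."""

    def __init__(self, scm_keys: dict):
        self.keys = dict(scm_keys)   # SCM name -> shared key with that SCM
        self.version = 0
        self.master = {}             # SCADA address -> name of the protecting SCM

    def assign(self, scada_address: int, scm_name: str) -> None:
        """One change entered once, centrally; the version bumps on every edit."""
        self.master[scada_address] = scm_name
        self.version += 1

    def publish(self) -> dict:
        """Return {scm name: (payload, tag)}; the tag binds version and table."""
        payload = json.dumps({"version": self.version, "table": self.master},
                             sort_keys=True).encode()
        return {name: (payload, hmac.new(key, payload, hashlib.sha256).digest())
                for name, key in self.keys.items()}


class ManagedSCM:
    """An SCM that only accepts authenticated updates newer than what it holds."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.version = 0             # 0 == no table yet (fresh or lost table)
        self.table = {}

    def apply_update(self, payload: bytes, tag: bytes) -> int:
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError(f"{self.name}: update authentication failed")
        update = json.loads(payload)
        if update["version"] <= self.version:
            # Replay of an older table (or the same one twice) is refused.
            raise ValueError(f"{self.name}: stale version {update['version']}")
        self.version = update["version"]
        # JSON turns int keys into strings; restore the SCADA address type.
        self.table = {int(addr): scm for addr, scm in update["table"].items()}
        return self.version


def demo() -> dict:
    names = ["cc-scm-1", "cc-scm-2", "field-scm-07", "field-scm-23"]
    # Constructed keys: derived from names only so the example runs stand-alone.
    keys = {n: hashlib.sha256(n.encode()).digest() for n in names}
    station = ManagementStation(keys)
    scms = {n: ManagedSCM(n, keys[n]) for n in names}

    for addr, owner in [(1, "field-scm-07"), (2, "field-scm-07"),
                        (17, "field-scm-23"), (200, "cc-scm-1"), (201, "cc-scm-2")]:
        station.assign(addr, owner)
    first = station.publish()
    for name, (payload, tag) in first.items():
        scms[name].apply_update(payload, tag)

    # A new PLC behind field-scm-23: one central edit, every SCM updated.
    station.assign(18, "field-scm-23")
    second = station.publish()
    for name, (payload, tag) in second.items():
        scms[name].apply_update(payload, tag)

    # Replaying the earlier table at a control-center SCM is rejected.
    replay_rejected = False
    try:
        scms["cc-scm-1"].apply_update(*first["cc-scm-1"])
    except ValueError:
        replay_rejected = True

    # An update signed for another SCM does not verify here.
    cross_rejected = False
    try:
        scms["cc-scm-1"].apply_update(*second["cc-scm-2"])
    except ValueError:
        cross_rejected = True

    # field-scm-07 lost its table: a fresh unit resyncs from the current publish.
    replaced = ManagedSCM("field-scm-07", keys["field-scm-07"])
    replaced.apply_update(*second["field-scm-07"])

    reference = scms["cc-scm-1"].table
    return {
        "version": station.version,
        "table": reference,
        "tables_agree": all(s.table == reference for s in scms.values()),
        "replay_rejected": replay_rejected,
        "cross_rejected": cross_rejected,
        "resynced": replaced.table == reference,
    }


if __name__ == "__main__":
    print(demo())
```

The version check is what turns "securely distributed" into something more than encryption in transit: without it, an attacker who captured an old signed table could push a stale mapping back onto an SCM after a site was decommissioned or readdressed.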

2) Market Demand

The second major question is this: is there a market for a $500, bump-in-the-line encryptor for serial SCADA communications? The market will ultimately decide, but for now I'm skeptical.

In our experience, the risks associated with serial communications are substantially lower than many other risks. We see the need for better patching, strong authentication, IDS and security monitoring, protecting the control center from the field, secure remote access . . . all well ahead of protecting serial communications. NERC would seem to agree with this assessment, since its standards specifically exclude non-TCP/IP communications.

It is also interesting that most field site security products, firewalls and encryptors alike, are targeting the same $500 price point.

- Stay tuned for Part 3
