Yaldwyn shares his insights into how to keep SCADA networks secure
Interview with 4RF’s CTO, John Yaldwyn
Published in Critical Comms Magazine on May 25, 2016
Ahead of his presentation at Comms Connect Sydney in June, Critical Comms Magazine spoke with John Yaldwyn, 4RF’s CTO, to get his insights into how to keep SCADA networks safe and secure.
4RF was founded in 1998. Its focus is on supplying point-to-point and point-to-multipoint radio systems for critical infrastructure and public safety. Based in New Zealand, the company has subsidiaries in Europe, the USA and Australia, with manufacturing occurring in Australia, New Zealand and the USA. It exports to more than 140 countries.
Critical Comms: At Comms Connect Wellington, you showed the audience how to get the most out of limited bandwidth for SCADA. In ‘50 words or less’, how is that done?
John Yaldwyn: The digital transformation of legacy SCADA UHF radio to fat narrowband is changing critical infrastructure field area network perspectives. To deliver useful capacity, a practical approach to IP optimisation is necessary. Start with a good network design, use features such as IP header and payload compression, and combine QoS with micro firewall filtering to ensure that only the necessary traffic is permitted over the radio network.
CC: At Comms Connect Sydney, you’ll be speaking about security for SCADA. SCADA would seem to be a mature technology, so why is security still an issue?
JY: Most mature SCADA systems are based on legacy serial connections and proprietary protocols. This obscurity combined with the non-routable nature of serial connections has limited vulnerability. Legacy serial systems are actually easily exploited in certain types of attack without additional safeguards. Where serial operation must still be maintained, best practice requires wrapping serial traffic in a protective layer of encryption and authentication.
CC: What sort of new security challenges are operators of SCADA systems experiencing?
JY: The two key concerns are the threat environment and the move to IP. Modern SCADA systems are based on routable IP protocols and so the potential for compromise is much higher. The complexity of SCADA systems and the demands for industrial control systems to integrate with business applications such as billing systems can lead to a dangerous lack of isolation. With IP-based equipment and web-based tools, issues of authentication of system users and maintainers must also be considered.
CC: How would you rate network operators in terms of their awareness of the issues you’ll be speaking about? Are some sectors better than others? If so, why?
JY: I think that critical infrastructure operators are becoming aware of security issues, particularly in the electricity space. In the USA, bulk electricity suppliers have mandatory security requirements to meet and those ‘best practice’ recommendations are also being adopted by the distribution network operators. These requirements from the North American Electric Reliability Corporation (a not-for-profit regulatory authority) are set out in their series of CIP (critical infrastructure protection) plans.
We’re seeing similar trends worldwide but with varying degrees of priority. Some excellent work available to utilities and industry partners has been developed by the Centre for the Protection of National Infrastructure in the UK and similar government entities, such as New Zealand’s National Cyber Security Centre (formerly the Centre for Critical Infrastructure Protection) and the Australian Cyber Security Centre.