Assessing and improving SCADA security in the Dutch drinking water sector
article
International studies have shown that information security for process control systems,
in particular SCADA, is weak. Many of the critical infrastructure (CI) services critically
depend on process control systems. Therefore, any vulnerability in the protection of process
control systems in CI may result in serious consequences for citizens and society. In
order to understand their sector-wide security posture, the drinking water sector in The
Netherlands benchmarked the information security of their process control environment.
Large differences in the individual security postures of the ten drinking water companies
were found. Good Practices for SCADA security were developed based upon the benchmark
results. This paper discusses the simple but effective approach taken to perform the
benchmark, the way the results were reported to the drinking water companies, and the
way in which the SCADA information security good practices were developed. Apart from
some high-level indications of areas requiring more security attention, no actual security
posture results are presented in this paper since the study data contain company and
national sensitive information. For the same reason, the figures in this paper are based
on artificial data.
in particular SCADA, is weak. Many of the critical infrastructure (CI) services critically
depend on process control systems. Therefore, any vulnerability in the protection of process
control systems in CI may result in serious consequences for citizens and society. In
order to understand their sector-wide security posture, the drinking water sector in The
Netherlands benchmarked the information security of their process control environment.
Large differences in the individual security postures of the ten drinking water companies
were found. Good Practices for SCADA security were developed based upon the benchmark
results. This paper discusses the simple but effective approach taken to perform the
benchmark, the way the results were reported to the drinking water companies, and the
way in which the SCADA information security good practices were developed. Apart from
some high-level indications of areas requiring more security attention, no actual security
posture results are presented in this paper since the study data contain company and
national sensitive information. For the same reason, the figures in this paper are based
on artificial data.
TNO Identifier
441925
Source
International Journal of Critical Infrastructure Protection, 4, pp. 124-134.
Pages
124-134
Files
To receive the publication files, please send an e-mail request to TNO Repository.