Abstract
International studies have shown that information security for process control systems, in particular SCADA, is weak. As many critical infrastructure (CI) services depend on process control systems, any vulnerability in the protection of process control systems in CI may result in serious consequences for citizens and society. In order to understand its strengths and weaknesses, the drinking water sector in the Netherlands benchmarked the information security of its process control environments. Large differences in the companies' security postures were found. Good Practices for SCADA security were developed based upon the study results. This paper discusses the simple but effective approach taken to perform the benchmark, the way the results were reported to the drinking water companies, and the way in which the SCADA security good practices were developed. Figures shown in this paper are based on artificially constructed data, since the study data contain company-sensitive and nationally sensitive information.
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Luiijf, E., Ali, M., Zielstra, A. (2009). Assessing and Improving SCADA Security in the Dutch Drinking Water Sector. In: Setola, R., Geretshuber, S. (eds) Critical Information Infrastructure Security. CRITIS 2008. Lecture Notes in Computer Science, vol 5508. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03552-4_17
DOI: https://doi.org/10.1007/978-3-642-03552-4_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-03551-7
Online ISBN: 978-3-642-03552-4
eBook Packages: Computer Science, Computer Science (R0)