Safety and Security in SCADA Systems Must be Improved through Resilience Based Risk Management

This chapter describes vulnerabilities related to safety and security in distributed process control systems integrated with information and communication technology (ICT). The author describe key vulnerabilities and how to mitigate these vulnerabilities by current best practices, which have worked in an industrial setting in Norway. Distributed process control systems are denoted as SCADA systems, i.e. supervisory control and data acquisition systems. Increased networking and increased use of ICT impacts the complexity and vulnerability of the SCADA systems. To improve safety and security, there must be a focus on systematic knowledge generation between ICT and process experts and a focus on exploring resilience as a strategy to manage risks and support continuity of operations (resilience seen as the ability to bounce back and sustain operations). Best practices in risk management in this area are to establish policies, improve risk awareness, perform risk assessment in collaboration between ICT and SCADA professionals, focus on segregation of networks, focus on active protection against malicious software, improve reporting and sharing of incidents, and establish and explore disaster/recovery plans. In addition, there should be focus on certification and testing of components in ICT and SCADA systems and improvement of resilience to mitigate uncertainty and complexity.