Scada

ABSTRACT Supervisory control and data acquisition (SCADA) allows a utility operator to monitor and control processes that are distributed among various remote sites. The goal of this thesis is to develop a risk management framework that uses existing probabilistic risk assessment (PRA) methodology to quantify the risks of willful threats to water utility SCADA systems. This framework can assist decisionmakers in understanding the risks of cyber intrusion, their consequences and tradeoffs in order to maximize the survivability of the system. Surety, a measure of survivability, is defined as a measure of system performance under an unusual loading. A survey is conducted to understand the current state of SCADA in water utilities, to document information on cyber intrusion, and to determine the concerns of administrators on system security. Using hierarchical holographic modeling (HHM), sources of cyber risk to SCADA are identified. Event trees and fault trees are used to model the probabilistic consequences of cyber intrusion on water supply systems. Cost, surety, expected level of percentage of water flow reduction, and conditional expected level of percentage of water flow reduction are introduced as performance measures to evaluate policy options. Alternatives are generated and then compared using multiobjective tradeoff analysis. Lastly, a prototype city is analyzed to demonstrate the applicability of the developed methodology. The methodological framework for managing cyber risk to water utility SCADA systems constitutes the major contribution of the thesis.
TABLE OF CONTENTS • ABSTRACT * CHAPTER 1 INTRODUCTION * • 1.1 Cyber Attacks * 1.2 Stakeholders * 1.3 Statement of Need * 1.4 Thesis Tasks * 1.5 Thesis Overview * CHAPTER 2 SUPERVISORY CONTROL AND DATA ACQUISITION * • 2.1 Introduction * 2.2 Master Terminal Unit * 2.3 Remote Terminal

References: Applegate, Lynda, M. Corporate Information System Management: Text and Cases, Fourth Edition, Irwin, Inc. Boston, MA. 1996.   Amoroso, Edward, Fundamentals of Computer Security Technology, Prentice-Hall PTR, Uppersaddle River, NJ, 1994.   Behar, Richard, "Who’s Reading Your Email?" Fortune Text Edition, February 3, 1997, http://www.pathfinder.com/@@uxdr5ayaeny7duax/fortune/1997/97020 (July 1, 1997).   Brown, Eryn, "The Myth of Email Privacy", Fortune Text Edition, February 3, 1997, http://www.pathfinder.com/ @@uxdr5ayaeny7duax/fortune/1997/97020 (July 1, 1997). Duganm Joanne, Bechta and Trivedi, Kisitur, S., "Coverage Modeling for Dependability Analysis of Fault-Tolerant Systems", IEEE Transactions on Computers, Vol. 38, No. 6, 1989.   Elgamal, Taher, "Securing Communications on the Intranet and Over the Internet", Netscape Communication Corporation, http://home.netscape.com/newsref/ref/128bit.html (June 30, 1997).   Haimes, Yacov, Y., Risk Modeling, Assessment, and Management, John Wiley and Sons, Inc., New York, 1998.   Hillebrand, Cary, Expert Three, Technical expert specializing in the planning and design of SCADA based and distributed control systems for regional and municipal water distribution networks and water/waste water treatment plants, 1997.   Internet Security Solutions, "The Right Answer-Adaptive Security", ISS White Papers, http://www.iss.net (October 5, 1997).   Kyas, Othmar, Internet Security: Risk Analysis Strategies and Firewalls, International Thompson Publishing, 1997.   Lambert, Robert, "An Interview in Newport News, Va.", President, Automation, Inc., June 12, 1997. (October 10, 1997).   Nelson, Anthony, Expert One, Technical expert for computer fraud tracing and intrusion testing for internet firewalls and mission critical applications like SCADA, 1997.   Nelson, Anthony, Expert One, Personal email on scenario and estimates, 1998.   President’s Commission on Critical Infrastructure Protection (PCCIP), http://www.pccip.gov/summary.html (October 23, 1997).