Toward Safe Integration of Legacy SCADA Systems in the Smart Grid

TL;DR

This paper explores security enhancement strategies for legacy SCADA systems in smart grids, focusing on add-on solutions like data diodes and detect-and-respond methods to address vulnerabilities without modifying existing devices.

Contribution

It introduces and compares two add-on security strategies for legacy SCADA systems, proposing a generic framework for the detect-and-respond approach and demonstrating its practicality.

Findings

Data diode provides strong unidirectional security guarantees.

Detect-and-respond approach offers adaptable protection with a flexible architecture.

The proposed framework is feasible for real-world deployment.

Abstract

A SCADA system is a distributed network of cyber-physical devices used for instrumentation and control of critical infrastructures such as an electric power grid. With the emergence of the smart grid, SCADA systems are increasingly required to be connected to more open systems and security becomes crucial. However, many of these SCADA systems have been deployed for decades and were initially not designed with security in mind. In particular, the field devices in these systems are vulnerable to false command injection from an intruding or compromised device. But implementing cryptographic defence on these old-generation devices is challenging due to their computation constraints. As a key requirement, solutions to protect legacy SCADA systems have to be an add-on. This paper discusses two add-on defence strategies for legacy SCADA systems -- the data diode and the detect-and-respond approach -- and compares their security guarantees and applicable scenarios. A generic architectural framework is also proposed to implement the detect-and-respond strategy, with an instantiation to demonstrate its practicality.