Blog

Posted by Julie Gruenholz

The 3 things I Learned When I Became a Certified SCADA Security Architect

January 10, 2019

First, some background...

Let me tell you what a Certified SCADA Security Architect is, and why I became one:

I’ve been a control system integrator for well over 25 years. As a contractor, I have worked on almost any kind of control system that you can imagine. Some plants have systems running on primitive smart relays, linked to text-based HMIs, located in dark closets, mostly held together by duct tape and bailing wire. On the other end of the spectrum, some plants have hundreds of high end PLCs, running advanced algorithms, linked to brightly lit control rooms, which are processing and controlling large amounts of data and equipment. All these systems have the following things in common:

  • Up-time and availability is critical. Any system downtime means a financial loss for the owner.
  • All these systems are run by humans, which makes them vulnerable. These vulnerabilities may include:
  • Accidental equipment operation performed by untrained or unauthorized personnel.
  • Malicious sabotage performed by disgruntled workers or any human that has physical access to your plant.
  • Cyber-attacks to any system that has a connection (no matter how rudimentary) to the outside world, performed by anyone who has mischievous intent.
  • Most of these systems do not have plans to prevent, detect, or correct any problems that arise.

Usually I’m hired to install new systems or to help troubleshoot system failures. Since my typical scope does not encompass a complete approach to best control system practices, I have become interested in taking a more proactive approach to industrial control system (ICS) maintenance. This has led me to become a Certified SCADA Security Architect (CSSA).

CSSA is an accreditation offered by IACRB (Information Assurance Certification Review Board), which is an industry standards organization. The CSSA certification encompasses the following domains:

  • SCADA security policy development
  • SCADA security standards and best practices
  • Access Control
  • SCADA protocol security issues
  • Securing field communications
  • User authentication and authorization
  • Detecting cyber-attacks on SCADA systems
  • Vulnerability assessment

I have also taken the classes that FEMA (Federal Emergency Management Agency) offers regarding implementation of the National Infrastructure Protection Plan (NIPP). The NIPP is the federal government’s plan to make our infrastructure secure. This is not only important for our water, sewer and power infrastructure systems, but also for private industry.

Now, the 3 Things I learned when I became a CSSA:

Thing 1: A CSSA can help bridge the gap between IT and OT.

  • Working as a system integrator at various industrial plant sites, I frequently see conflict between the IT department and the OT department. Typically, the IT department manages the business computers and networks in a plant, while the OT (Operational Technology) department manages the industrial control system (ICS) and networks that run the plant’s processes.
  • As ICSs modernize, most protocols are transmitted over Ethernet. Although your OT and IT systems appear to have merged because everything uses Ethernet, they are incompatible in how they need to be managed and deployed.
  • As a CSSA, I can help make this relationship less adversarial. I understand the requirements of both departments and the tools that the OT folks need to make sure the ICS is as secure as the systems owned by the IT department.
  • There are thousands of IT experts in the world who have developed best practices for their industry. Unfortunately, the OT part of your plant does not have this luxury. Your ICS probably uses networks and protocols that were invented before network security was “a thing”. Protecting this system requires a different approach than traditional IT security. 

Thing 2: A CSSA can help with the balance between what operators and owners need.

  • What do operators need? Operators need usability. It is good business practice to have an ICS that is there to help, not hinder, your ability to run the plant. The control system should require minimal interaction to manipulate equipment quickly and efficiently.
  • What do owners need? Owners need security. It is good business practice to have a secure plant control system. A secure system is like having an insurance policy for your ICS.
  • Operators and owners both need system up-time and availability. To achieve this, there needs to be a sane balance between usability and security. A CSSA understands both sides and can provide solutions that work best for both operators and owners. Exploring these solutions is helpful in deciding how your ICS should be setup and managed.
  • ICS security continues to get more attention. This is because of:
  • Recent cyber-attacks that have been in the news.
  • The DHS/FEMA National Infrastructure Protection Plan (NIPP)
  • It is expected that current ICS security standards and best practices will soon become law.

Thing 3: A CSSA can help you understand your ICS vulnerabilities. This will enable you to prioritize system improvements.

  • Many people only consider that their systems are vulnerable to HMI/SCADA manipulation, spoofing or denial of service from an outside source. In reality, most ICS attacks come from folks who have physical access to your dedicated control network. Therefore, air-gapped systems are not secure. There are minimally invasive ways to prevent and deter inside attacks, which should be deployed on all systems.
  • All ICSs that are connected to the outside world need to be protected from external cyber-attacks. There are over 200 different ICS protocols that are in use today. Many of these are former serial protocols that are now transmitted in Ethernet packets. Almost all of them have no security.

To reduce risk at your facility, I encourage you to secure your industrial control system to ensure all data is transferred and stored safely. To learn how to do this, read my next blog “6 Steps to Secure your Industrial Control System”.

For more information please contact Julie directly at jgruenholz@hallam-ics.com or visit our

Help Desk

About the Author

Julie Gruenholz is a Senior Control Systems Engineer for Hallam-ICS. As an Electrical Engineer, she has been designing, installing, modifying and programming control systems since 1991.

Read   My Hallam Story  

About Hallam-ICS

Hallam-ICS is an engineering and automation company that designs MEP systems for facilities and plants, engineers control and automation solutions, and ensures safety and regulatory compliance through arc flash studies, commissioning, and validation. Our offices are located in Massachusetts, Connecticut, New York, Vermont and North Carolina and our projects take us world-wide.

Contact Us

Topics: Process Control and Plant Automation

Julie Gruenholz

By Julie Gruenholz

Find me on:

January 10, 2019

Next Blog Post Previous Blog Post