Guidance For Building A Business Case For SCADA Security

Executive Summary
Several events have contributed to a heightened awareness of the need to improve the security in Supervisory Control and Data Acquisition (SCADA) systems. This awareness is most acute in those public and private organizations that have been following the evolution of the security needed to support Critical Infrastructure Protection (CIP), and Critical Information Infrastructure Protection (CIIP). Within this relatively small, and often closed CIP/CIIP community, a number of initiatives have been launched to improve the security of SCADA networks. Typically the awareness of these initiatives begins with technical managers who are faced with the challenge of translating technical issues and options into business terms.

This guidebook is intended to provide SCADA system owners and internal stakeholders the information building blocks and a recommended business case template and process for upgrading SCADA technologies to support protection against the threat of cyber attacks. It begins with a discussion of determining how much security is needed. The answer to this question is very much dependent on the business approach to security. For some businesses it is perceived as a necessary cost of doing business, for others it may be seen as an opportunity to improve other aspects of the business. One approach to help owners determine how much security is enough is to map their security related goals to a maturity model. An example of this approach, applied to SCADA security in the energy sector, is provided.

The next section recognizes that there are many external stakeholders that also have an interest in SCADA system security. This is particularly relevant if the business is considered part of a critical infrastructure. In this case the external stakeholders are grouped by their similar interest in governance, risk and compliance. These three groups have also been assigned levels of maturity based on their “governance” sphere of influence, the breadth of their “risk” mitigation strategies and their ability to impose “compliance” policies and regulations. This guidebook recognizes that there is no need for all business owners and external stakeholders to try to achieve the highest level of maturity. The discussion of maturity models is intended to assist authors in identifying appropriate SCADA security goals and objectives for their business as well as the potential influence of external stakeholders. The examples and references provide a range of options to be considered.

To assist in the preparation of a business case, separate sections are devoted to:

Finally, an annotated business case template is provided to help structure the issues that need to be considered. The examples used throughout this guidebook are referenced and summarized in a final annex.