The continuous growth of cyber security threat s and attacks including the increasing sophistication of malware is impacting the security of critical infrastructure, industrial control systems, and Supervisory Control and Data Acquisition (SCADA) control systems. The reliable operation of modern infrastructures depends on computerized systems and SCADA systems. Since the emergence of Internet and World Wide Web technologies, these systems were integrated with business systems and became more exposed to cyber threats. There is a growing concern about the security and safety of the SCADA control systems. The Presidential Decision Directive 63 document est ablished the framework to protect the critical infrastruct ure an d the Presidential document of 2003, the National Strategy to Secure Cyberspace stated that securing SCADA systems is a national priority. T he critical infrastructure includes telecommunication, transportation, energy, banking, finance, water supply, emergency services, government services, agriculture, an d other fundamental systems and services that are critical to the security, economic prosperity, and social well-being of the public. The critical infrastructure is characterized by interdependencies (physical, cyber, geographic, and logical) and complexity (collections of interacting components). Therefore, information security management principles and processes need to be applied to SCADA systems without exception. Critical infrastructure disruptions can directly an d indirectly affect other infrastructures, impact large geographic regions, an d send ripples throughout the national an d global economy. For example, under normal operating conditions, the electric power in frastructure requires fuels (natural gas and petroleum), transportation, water, banking and finance, telecommunication, and SCADA systems for monitoring and control. In this paper, we provide an analysis of key developments, architecture, potential vulnerabilities, and security concerns including recommendations toward improving security for SCADA control systems. We discuss the most important issues concerning the security of SCADA systems including a perspective on enhancing security of these systems. We briefly describe the SCADA architecture, and identify t he attributes that increase the complexity of these systems including the key developments that mark the evolution of the SCADA control systems along with the growth of potential vulnerabilities and security concerns. Then, we provide recommendations toward an enhanced security for SCADA control systems. More efforts should be planned on reducing the vulnerabilities and improving the security operations of these systems. It is necessary to address not only t he individual vulnerabilit ies, but the breadth of risks that can interfere with critical operations. We describe key requirements and features needed to improve the security of t he current SCADA control systems. For example, in assessing the risk for SCADA systems, use of general methods for risk analysis including specific conditions and characteristics of a control system need to be applied. Effective risk analysis for SCADA systems requires a unified definition for mishap an d identification of potential harm to safety. As computer systems are more integrated, the distinction between security and safety is beginning to disappear. In bridging the gap between these domains, we propose a unified risk framework which combines a new definition of mishap with an expanded definition of hazard to include the security event. However, methods for risk management that are based on automated tools and intelligent techniques are more beneficial to SCADA systems because they require minimum or no human intervention in controlling the processes. We also identify a unified security/safety risk framework for control systems. Implementing security features ensures higher security, reliability, an d availability of control systems. Thus organizations need to reassess the SCADA control systems an d risk model to achieve in depth defense solutions for these systems. The increasing threats against SCADA control systems indicate that there should be more directions in the development of these systems. Therefore, achieving better quality an d more secure SCADA control systems is a high priority. Information security management principles and processes need to be applied to SCADA systems with out exception. We conclude with a thought about the future of SCADA control systems. A strategy to deal with cyber attacks against the nation's critical infrastructure requires first understanding the full nature of the threat. A depth defense and proactive solutions to improve the security of SCADA control systems ensures the future of control systems and survivability of critical infrastructure.
