Sandia National Laboratories, as part of its mission to ensure national security, has engaged in vulnerability assessments for IT systems, with the main focus on control and automation systems used in United States critical infrastructures. Over the last few years, diverse customers from the electric power, petroleum, natural gas, and water infrastructures have partnered with us to gain insight into their critical vulnerabilities and learn mitigation strategies.
This report describes the generalized trends in vulnerabilities observed from the assessments, as well as typical reasons for these security issues and an introduction to an effective mitigation strategy. Overall, most security vulnerabilities in infrastructure include failures to adequately define security sensitivity for automation system data, identify and protect a security perimeter, build comprehensive security through defense-in-depth, and restrict access to data and services to authenticated users based on operational requirements. Many of these vulnerabilities result from deficient or nonexistent security governance and administration, as well as budgetary pressure and employee attrition in system automation. Also, the industry is largely unaware of the threat environment and adversary capabilities. Finally, automation administrators themselves cause many security deficiencies, through the widespread deployment of complex modern information technology equipment in control systems without adequate security education and training. Comprehensive mitigation includes improved security awareness, development of strong and effective security governance, and amelioration of security vulnerabilities through the careful configuration and integration of technology.