U.S. flag

An official website of the United States government, Department of Justice.

NCJRS Virtual Library

The Virtual Library houses over 235,000 criminal justice resources, including all known OJP works.
Click here to search the NCJRS Virtual Library

SCADA & PLC Vulnerabilities in Correctional Facilities White Paper

NCJ Number
238390
Author(s)
Teague Newman; Tiffany Rad; John Strauchs
Date Published
July 2011
Length
15 pages
Annotation
This White Paper identifies the security vulnerabilities of Siemens SCADA (supervisory control and data acquisition) systems used in conjunction with Siemens PLCs (programmable logic controllers) in correctional and other secured government facilities, and recommendations for improving security measures are offered.
Abstract
The primary vulnerability of PLCs and SCADA systems is due to malicious software called Stuxnet, whose existence was discovered by Sergey Ulasen of VirusBlokAda on June 17, 2010. Since then, computer security researchers have been analyzing its code in an effort to decipher its origins and functions. Although it was not the first malicious software to target automation systems, it was unique in exploiting four zero-days and was the first to contain root kits specifically targeted for particular Siemens SCADA systems. Although PLCs have been used for more than 40 years, until Stuxnet, few security research projects focused on them. PLCs were initially developed in the 1960s to facilitate industrial automation. Many PLCs in current use employ a simple programming language called Ladder Logic to make it easier to program them. The simple and basic nature of PLCs makes them vulnerable to being exploited, however. The current research analyzes PLC use and vulnerabilities that have escaped attention because most people know little about PLCs used in correctional facilities. A review of the electronic, physical, and computer security designs in correctional facilities shows why PLCs were installed in many jails and prisons, and their vulnerabilities in those facilities are considered. Recommendations for improving security in locations with PLCs and SCADA include a combination of re-evaluation of prison physical designs and electronic security, network security, and greater enforcement of computer usage policies in these facilities. 9 notes and 3 figures