SCADA Security Book Review

Save your money and don’t buy this book. We won’t even link to a page where you could buy it.

The reason for the worst possible rating, 1 star, is that this book is not about SCADA security. It is a collection of general-purpose IT security chapters written by a collection of authors who rarely even mention control systems. The authors have little control system experience, and the collection-of-articles approach leads to an uneven and poorly structured book.

It appears the publisher wanted a book on SCADA security, had published other Techno Security books, and decided this was a quick way to get a book out and take advantage of interest in the field.

Most of the book appears to be slightly adapted work from other efforts. For example, Chapter 1 – Physical Security even mentions it is adapted from previous works. It covers key control, tailgating, employee badges and other physical security products. However, there is nothing, literally nothing, specific to ICS security in this chapter.

Even more baffling is an interview at the end of the chapter with the Telecommunication Manager of the Charlotte Observer. This is the expert the author interviews?

This is regrettable because physical security of ICS cyber assets is an underemphasized issue. The author could have covered the need to protect Ethernet SCADA ports at unmanned remote sites, the challenges of limiting physical access to cyber assets in power or manufacturing plants where equipment rooms are accessed by a wide variety of personnel, or how anyone with the right safety equipment has free run in most plants.

This same lack of any ICS-specific information is found in Chapter 4: Developing an Effective Security Awareness Program, Chapter 5: Working with Law Enforcement on SCADA Incidents, Chapter 6: Locked but Not Secure (on lock picking), and Chapter 7: Bomb Threat Planning.

Only Chapter 2: Supervisory Control and Data Acquisition covers control systems. This chapter is a fine summary for the IT professional on what a control system is. It would be a nice article or white paper for controlglobal or automation.com, but hardly a reason to buy the book.

Most troubling was Chapter 3: SCADA Security Assessment Methodology. It again is a general IT security chapter, and if you follow this methodology there is a good chance you will crash a SCADA or DCS. It specifically does not address how to scan an ICS leveraging redundancy. It does not reference the common vulnerabilities that should be addressed in a control system assessment. It is a how-to for providing an IT security assessment.

Save your money and don’t let the title fool you.

Next Week: Eric Knapp’s new book Industrial Network Security