The primary purpose of this research was to assess the adequacy and effectiveness of the security controls of the Supervisory Control and Data Acquisition (SCADA) communication network used by infrastructure companies. Initially, SCADA networks were physically separated from other networks connected to the internet and hence assumed to be secure. However, modern SCADA systems are now integrated with other networks, resulting in new security vulnerabilities and attacks similar to those found in traditional IT. Thus, it is important to reassess the security controls of SCADA because it is operated in an open network environment. In this research, a case of the SCADA security controls in the power sector in Tanzania was assessed, whereby a specific SCADA implementation was studied. The data were gathered using observation, testing, interviews, questionnaires and documentation reviews. The results were analyzed using the Cyber Security Evaluation Tool (CSET) and checked for compliance based on the National Institute of Standards and Technology (NIST) and North American Electric Reliability Corporation (NERC) standards. The findings show that security vulnerabilities exist both in security compliance with the standards and in component-based vulnerabilities. Additionally, audit and accountability, personnel security, and system and information integrity are inadequate. Also, for the component-based security compliance, the finding shows that identification and authentication, security management and audit and accountability. On the basis of the results, the research has indicated the areas that require immediate action in order to protect the critical infrastructure.
This work is licensed under a Creative Commons Attribution 4.0 International License.