In 1998, Sandia recognized that SCADA systems were vulnerable and initiated a program to coordinate the resources needed to address many of the nation’s critical SCADA challenges. Sandia’s SCADA Security Program leverages expertise developed over many years of experience in national security and securing high consequence systems.

Frequently Asked Questions

Q: What is SCADA?

A: SCADA stands for Supervisory Control and Data Acquisition. SCADA systems are used in utility infrastructures as a computer-based monitoring and control system that centrally collects, displays, and stores information from remotely-located data collection transducers and sensors to support the control of equipment, devices, and automated functions.

Q: What comprises a SCADA system?

A: All hardware and software elements associated with the control and monitoring of a system, including GUIs, databases, sensors, relays, switches, remote telemetry units (RTU), networks, applications, etc.

Q: Where are SCADA systems used?

A: They are used in various applications requiring real-time and near real-time process control, e.g. electric power, oil and gas pipelines, water treatment and distribution, and chemical processing.

Q: Why the sudden concern about SCADA systems?

A: Concerns are based on:

  • Greater awareness of critical infrastructure issues.
  • Studies and assessments have found a lack of security in SCADA systems.
  • More reliance on Internet and COTS software bring in new vulnerabilities.
  • Increased and validated threat (terrorist, extremists, activists).


SCADA Security

A Brief History

The use of Supervisory Control and Data Acquisition (SCADA) systems and process control systems became popular in the 1960s as a need arose to more efficiently monitor and control the state of remote equipment.SCADA and process control systems had numerous applications including industrial and utility automation.

Many early SCADA systems used mainframe computer technology, making them hierarchical and centralized in nature. Systems were designed without the use of standards, resulting in the development of a variety of proprietary systems. Communication with remote equipment was very radial in nature and numerous proprietary protocols were developed and are still in use today.

A problem with early SCADA and process control systems is that they required human oversight to make decisions as well as human support to maintain the information system. In other words, they were expensive. At the same time, SCADA systems were not as expensive as systems that had no supervisory control. Before SCADA, “you had to send people around the plants to close valves and turn on pumps at various times. You’d have to call people and ask them to kick on three specific pumps because you needed more water in the eastern portion of the system. It was very labor-intensive.” Today, industrial plants use SCADA systems to control valves, motors and other forms of equipment. In most cases, SCADA systems include “operator-level software applications for viewing, supervising and troubleshooting local machine and process activities.” Hence the term Supervisory Control as opposed to automatic control or digital control, since a human supervisor was always in the loop controlling and managing the flow of information. This is changing, however, as SCADA systems take on more of the supervisory element.

Being able to automate the action of valves and other equipment was viewed as a security improvement during the early days of SCADA because it meant that a physical valve would not be exposed to unauthorized use. Little was known, however, about the new vulnerabilities that would be introduced through this technology. Today”s SCADA systems are a combination of legacy and modern technology. Communication between system elements often uses Ethernet and Internet Network enabled devices, routers, switches and Windows-based operating systems are now quite common in SCADA systems, bringing with them the vulnerabilities that we experience in our desktop computers and corporate networks.

A Nation Responds

The US Government has been instrumental in helping raise awareness for the new vulnerabilities associated with SCADA automation. It has been recognized since 1998 through the PDD-63 and the PCCIP that allowing an adversary to control a critical infrastructure through SCADA could cause national problems. The national critical infrastructure has been a target of many physical attacks. This has resulted in a concern about whether similar consequences could be accomplished through cyber means now that much of the US infrastructure is automated and computerized. Although there haven”t been many documented SCADA system exploits, we can reasonably assume that infrastructure problems through SCADA can occur based on the track record of intrusion to physical systems.

Sandia Steps Up In The National Interest

In 1998, Sandia initiated a program to coordinate the resources needed to address many of the nations critical SCADA challenges. Sandia’s SCADA security program leverages expertise developed over many years of experience in national security and securing high consequence systems. Sandia is a recognized leader in critical infrastructure protection, cyber security, and energy systems solutions. Sandia’s SCADA security program includes four areas: Vulnerability Assessments, Standards, Testbeds, and Technology Research and Development.

Vulnerability Assessments

Assessments were an early way to help clarify the systems as they existed in the field at that time. Since 1999, Sandia has conducted numerous assessments of operational systems in hydroelectric dams; water treatment systems; electric power transmission, distribution, and generation; petroleum storage and refineries; and transportation systems. This knowledge has been invaluable in understanding first-hand the true issues facing the owners and operators of the national infrastructures.


Standards were recognized as an important activity to move solutions and technologies out to market and the industry as a whole. Standards bodies are groups that are chartered to represent industry stakeholders and offer Sandia the opportunity to contribute while not providing a competitive advantage to any particular entity. Standards are a way to propose a solution that provides national benefit to all stakeholders through a recognized process. It is conjectured that over 50% of utilities have SCADA systems manufactured by a European country. It turns out that European countries require conformance with International Electrotechnical Commission (IEC) standards so the development of a standard in the IEC will have a strong impact on the security of US utilities. Sandia is the Department Of Energy and US representative to the IEC.

SCADA Development Laboratory

Sandia established its SCADA Security Development Laboratory (SSDL) in 1998. Its purpose was to analyze vulnerabilities in common SCADA systems and components and to support research for a “high surety SCADA system.” Since that time, the lab has been integrated with several unique capabilities at Sandia. For instance, the Distributed Energy Technology Lab (DETL) provides platforms to test the control of operational generation and load systems. The cryptography facility supports research and development of encryption for application in SCADA networks. The Red Team facility provides a suite of tools to attack and analyze SCADA vulnerabilities. The Advanced Information Systems Lab is used to research intelligent technologies for development of the infrastructures of the future. All of these facilities are networked with modeling and computational capabilities at Sandia to provide a unique complex for finding solutions to today”s SCADA security problems and develop next generation SCADA systems.

Research and Technology Development

Research and technology development is required to fill the technology gaps between the problems of today and the industry solutions of tomorrow. The direction of SCADA is towards fully automated, distributed, and self-healing infrastructures. More intelligence and system level security is needed to eliminate the issues associated with optimizing at a local level and man-in-the-middle limitations.

The Future of SCADA

We are constantly pushing the capability of the infrastructures to a point where humans will not be able to respond quickly enough to prevent or secure against an outage or attack. Sandia is helping to shape the next generation of SCADA systems through the development of technologies that provide security and reliability consistent with these next generation requirements.