Encryption device planned for legacy SCADA installations

Thales e-Security Inc. is finishing work on an encryption appliance to secure legacy process control systems that regulate much of the nation's critical infrastructure.

"It is designed to be a bump-in-the-wire solution," installed between the remote device and the management console, said Juan Asenjo, director of business development for the Weston, Fla., company.

The module, which will be marketed this May in the Thales Datacryptor product line, would provide near-end-to-end encryption, as well as authentication for remote administration of supervisory control and data acquisition systems.

SCADA systems perform remote monitoring and control of complex industrial and utility facilities. They traditionally have been designed with little thought for security, and as the systems are connected to public networks, they are coming to be seen as weak spots in the nation's critical infrastructure.

The Homeland Security Department last year identified 1,700 vulnerable facilities described as soft targets because of SCADA systems that left them open to outside assault. The sites included both private and government facilities, ranging from chemical plants and shopping malls to dams and bridges.

DHS' Protective Services Division is responsible for coordinating efforts to harden the facilities but has no authority to require improvements and little budget to encourage them.

The list of vulnerable sites was compiled from reports submitted by states. Division director James F. McDonnell told a congressional panel last year that it probably would be another two years before an accurate list is available [see GCN story].

The Datacryptor SCADA module is in the final stages of development, Asenjo said. It is a bulk encryptor in a hardened box that uses the Advanced Encryption Standard algorithm and authenticates administrators accessing maintenance ports by password and a token.

The encryptor now supports the two most commonly used SCADA protocols, Modbus and the Distributed Network Protocol.

"Encryption will always add a certain amount of delay," Asenjo said. He said the module is expected to keep that delay below 20 percent, "which is within the acceptable range."

He said Datacryptor's distinguishing feature would be combining both data encryption and encrypted access to SCADA maintenance ports.

The price for a single encryption module and the management software package will be $500.