Análisis del sistema de gestión de seguridad de la información del sistema SCADA y las RTU de una Central Hidroeléctrica de CELEC EP

Abstract

This research analyzes the information security system of the SCADA structure and the Remote Terminal Units (RTU) for the electric power management of a hydroelectric power station, which contributes nearly the 25% of the electric power to the national interconnected system (SNI) of Ecuador.

The SCADA systems, by its initial idea, were isolated. They use industrial communication protocols that lack data encryption algorithms. However, there is an increasing need for consulting the information stored in their database by external or third party systems, the need to enable remote access for external support, etc. These factors cause the SCADA system maintains connectivity with the organization's corporate network.

I performed an analysis of the technological platform in the SCADA and the RTU; it is based on the international safety standards ISO 27001/27002, NIST 800-53 and NER CIP; risk analysis and penetration testing. This methodology allowed to determine weaknesses and strengths of the system, with the purpose of designing a security policy adjusted to this system of production, which allows to protect it from external and internal threats. These threats can cause partial or total failure of the system, directly affecting the critical elements, which influence the production of the Hydroelectric Power Station analyzed.

To maintain the security of the information assets of a SCADA system, due to the existing risks, it is important to analyze their vulnerabilities and present practical solutions, applicable and adjusted to their reality and importance. For this reason, the information security policy must be updated periodically.