A fundamental concern regarding SCADA security is the increased connectivity to other computer networks, internal or external. The typical and often recommended solution is to connect the SCADA system, carefully, only to the control office LAN, which in turn can be designed to mitigate cyber threats from the internet at the network perimeter by using firewalls, application proxies and related technologies. Sometimes additional de-militarized zone (DMZ) networks are also used for an extra careful integration. The operation of office networks is, however, often not regarded as a core competence of the enterprise, especially for small and medium-sized enterprises (SMEs), and consequently it is often outsourced under the rationale of achieving cost savings or improved quality of service.
The business case for the outsourcing vendor is to be as cost efficient as possible, and consequently it looks for economies of scale in its internal operation. A natural solution to this problem is to operate several customers’ networks in the same physical network, logically separated. From a security point of view, this could however become an additional threat. Misconfigurations in this network architecture, or incomplete knowledge of it, may lead to a situation where safeguards such as firewalls are not restrictive enough. In this configuration, a threat agent with access to some of the other networks outsourced to the partner might have an unexpected attack vector and back door into the network. Taking this further, the backbone network used by the outsourcing partner can in turn be controlled by another party and capacity over this network.
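The risk described above can be checked as a reachability audit over the permitted flows between zones. The following is an added example, not taken from the original text; the zone names, rule sets and the `unexpected_paths` helper are hypothetical and constructed for illustration.

```python
from collections import deque

# Constructed model (assumption): each pair is a flow that a firewall or the
# provider's logical separation permits, written as (initiator, destination).
INTENDED = {
    ("internet", "dmz_a"),
    ("office_a", "dmz_a"),
    ("office_a", "scada_a"),          # the single, careful SCADA integration
    ("provider_shared", "office_a"),  # outsourcer administers customer A
    ("provider_shared", "office_b"),  # ... and customer B, on the same plant
}
# One rule that is not restrictive enough on the shared infrastructure.
MISCONFIGURED = INTENDED | {("office_b", "provider_shared")}

# Zones the SCADA owner knowingly accepts in the trust path.
TRUSTED = {"office_a", "provider_shared"}

def unexpected_paths(rules, target, trusted):
    """Map each untrusted zone that can reach `target` by chaining permitted
    flows to the shortest such chain of zones."""
    inbound = {}
    for src, dst in rules:
        inbound.setdefault(dst, set()).add(src)
    # Breadth-first search backwards from the target, remembering the next
    # hop towards it so the path can be rebuilt for the report.
    next_hop = {target: None}
    queue = deque([target])
    while queue:
        zone = queue.popleft()
        for src in sorted(inbound.get(zone, ())):
            if src not in next_hop:
                next_hop[src] = zone
                queue.append(src)
    findings = {}
    for zone in sorted(next_hop):
        if zone == target or zone in trusted:
            continue
        path = [zone]
        while next_hop[path[-1]] is not None:
            path.append(next_hop[path[-1]])
        findings[zone] = path
    return findings

if __name__ == "__main__":
    for name, rules in (("intended", INTENDED), ("misconfigured", MISCONFIGURED)):
        print(name, unexpected_paths(rules, "scada_a", TRUSTED))
```

Even in the intended rule set the outsourcing provider's shared zone sits on a path to the SCADA network, which is why it has to be listed as trusted explicitly.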