NOTE FROM CLEMENT:
This paper talks about the EU problems but the same problems exists on SCADA systems worldwide.

See  a description of the paper from the ENISA website:

In the last decade SCADA technology has passed through a transformation, from isolated and proprietary systems into open architectures and standard technologies that are highly interconnected with other corporate networks and the Internet. A consequence of this transformation is the increased vulnerability to outside attacks. One way to enhance the security of SCADA is through the application of patches. Ideally an organization would deploy patches as soon as they come available, however this is often not possible because of the complexity of the process in which SCADA systems are incorporated and because the systems often need to be operable at any given moment. Furthermore patches need to be tested thoroughly before they can be applied to production environment, which can take days or even weeks, during which a system is vulnerable. Alternative controls should be used during the WINDOW OF EXPOSURE for preventing a vulnerability to be exploited. For instance, when a webserver vulnerability has been discovered the organization could, if possible, block unwanted traffic to the webserver or disable the webserver all together.

Dec 06, 2013


Adrian Pauna, ENISA
Konstantinos Moulinos, ENISA
Contributors:
Hans Pille (DNV KEMA)
Theo Borst (DNV KEMA)
Benessa Defend (ENCS)
Klaus Kursawe (ENCS)
Rob van Bekkum (ENCS)
Victor van der Stoep (ENCS)
Sebastian Ranft (Siemens)

Click HERE to visit the source website at ENISA