Supervisory control and data acquisition (SCADA) are computer controlled systems that monitor and control industrial processes that exist in the physical world. These computers run applications that perform key functions in providing essential services and commodities such as electricity, natural gas, gasoline, water, waste treatment and transportation, making them a critical part of a nation’s infrastructure.
These systems were designed for functionality, focusing on performance, reliability, flexibility and safety, while not making security a priority and because it is not uncommon for these systems to have a 20 year life cycle, it will be years before more secure systems are in widespread use.
This makes SCADA’s potentially vulnerable to disruption of service, process redirection, or manipulation of data that could result in serious disruptions to organizations and nations alike.
In order to address this issue it is essential to take actions to implement security and establish management processes and controls.
Here are 10 steps to mitigate the risks in keeping these systems secure.
- Risk assessment
Conduct a thorough risk assessment to identify systems and evaluate their properties and characteristics, discover threats and vulnerabilities that pose risk to the systems and finally address those risks by transferring, eliminating or accepting them.
- Implement security features provided by vendors
Most older SCADA systems have no security features, which happen to be also the most prevalent. Some newer SCADA devices come with basic security features, but are usually disabled to ensure easy installation. Security features must be set to provide a maximum level of security and only lowering them after a rigorous risk assessment of the consequences of doing so.
- Do not rely on proprietary protocols
SCADA systems sometimes use unique, proprietary protocols to communicate with servers and often this is the only security in place to protect the network. This however is not a wise risk mitigation strategy.
- Evaluate and strengthen security
Penetration testing must be performed regularly to find vulnerabilities and fix them before an attacker does. Having a seconds set of eyes check out critical systems is a good security practice. Penetration testing not only serves to identify vulnerabilities; it also serves in verifying secure configurations are in place when installation is performed.
- Implement internal and external intrusion detection systems and establish 24/7 monitoring
In order to be able to effectively respond to cyber attacks, it is necessary to establish an intrusion detection strategy that includes alerting network administrators of malicious network activity. Incident response procedures must be in place to allow an effective response to any attack. In addition to network monitoring, logging must be enabled on all systems.
- Conduct physical security surveys
Any connection that has a SCADA connected to the network is a target, especially if they are in a unguarded remote sites. Conduct regular physical survey and inventory access points at each facility that has a connection to a SCADA system. Identify and assess remote telephone/computer network/fiber optic cables that could be tapped; radio and microwave links that are exploitable; computer terminals that can be accessed; and wireless local are network access points.
- Define cyber security roles, responsibilities, and authorities for managers, sys admins and users.
Its very important for the organization to understand the expectations associated with protecting information technology resources through the definition of clear roles and responsibilities. Personnel need to be given sufficient authority to carry out their assigned responsibility and a organizational structure must be in place defining how security issues are escalated and who is notified in an emergency.
- Document network architecture
It is imperative that the organization design their networks with security in mind and continue to have a strong understanding of their network architecture throughout its lifecycle. An in depth understanding of the functions that the systems perform and the sensitivity of the stored information is critical. Without this understanding, risk cannot be properly assessed. Additionally it is very important to document the information security architecture and its components, while establishing controls to keep the documentation current.
- Establish a rigorous, ongoing risk management process
A robust risk management process is needed to provide the organization with feedback on the effectiveness of the cyber security policy and its implementation. A mature organization is one that can self identify issues, conduct root cause analyses, and implement corrective actions to address the individual and systemic problems. Self-assessment processes are a normal part of an effective security program and include routine scanning for vulnerabilities, automated auditing of networks and self-assessment of performance or Key Performance Indicators (KPI).
- Establish effective configuration management processes
Configuration management is a fundamental management process needed to maintain a secure network. It need to include both hardware and software configurations. Changes can easily introduce vulnerabilities that undermine network security, so processes are required to evaluate and control any change to ensure the network remains secure.