Much like information technology systems, industrial control systems (ICS) are vulnerable to attack and malicious interference. The control system known as SCADA, or supervisory control and data exception, is no exception.
Consider this: upwards of 40% of SCADA systems connected to the Internet are vulnerable to hackers with low-level hacking skills. This is a frightening fact, and it is made even more so by the knowledge that critical infrastructure uses SCADA. This makes targeting SCADA that more desirable for attackers.
Below is a technical-focused, security awareness checklist for organizations that use SCADA as an ICS.
Security Awareness Checklist
1. Separate SCADA from the General Network
One of the most important recommendations to take from this checklist is to make sure that your organization operates its SCADA system on a separate network from what the organization normally uses for day-to-day operations. Separation of a SCADA system from the general organization network prevents an information-security incident or attack from taking down SCADA.
Another benefit of using separate networks is that if there is a vulnerability on the general network, attackers will not be able to use it to cause damage or a service interruption of the SCADA system.
2. Enforce a Strict Password Policy
As simple as it may seem, enforcing a strict password policy may be the determining factor in repelling those aiming to attack a SCADA system. Some requirements that you will want to use include:
- Character requirements, including a combination of letters, numbers and symbols
- Make employees change their passwords every 90 days
- Use an administrator password
- Delete old administrator and inactive accounts on a regular basis
Some organizations do not require passwords for their SCADA systems. When this is the case, there should be physical safeguards such as fingerprints, retina scans or other biometric methods available to verify who is using the SCADA system.
3. Limit Connection Between the Internet and SCADA
One of the most common sources of security-related issues for SCADA systems is the simple fact that they are connected to the Internet. That Internet connection is what most attackers use to attack and breach SCADA systems, just like how they attack and breach other Internet-connected networks. Unfortunately (depending on how you look at it), connecting to the Internet is unavoidable in a lot of cases. Without an elaborate IoT scheme implemented, remote access/control of a SCADA system would be impossible without the Internet.
If your organization’s SCADA system needs to be Internet-connected, run a risk analysis on the connection to determine the best course of action to take. In most cases, using security devices such as firewalls, data diodes and proxy servers will ameliorate most security concerns. However, this view is very general, and since every security situation is different, an in-depth analysis of your situation is necessary.
4. Patch Management
Patches may end up being the porthole that exposes your SCADA system to vulnerabilities. Oftentimes, third-party companies will default to standard systems, software and protocols during their initial service configuration. What this means to attackers is that standard exploits and tooling kits can be more easily applied within the SCADA system.
To begin, your organization should write up and maintain a patch-management policy. This policy should specify when new patches are to be applied (at the organization level) and how incidents are to be handled.
Next, your organization needs to enforce an information technology policy of staying up to date with changes in patches, vulnerabilities, and workarounds for when incidents arise. This will offer your organization an effective patch strategy if and when security incidents arise.
5. Integrity Guarantees
In many SCADA systems, there is no way to authenticate changes made to the system. Fortunately, this is just the default configuration; there are proactive steps that can be taken to remedy this. The list presented below will cover all of your bases:
- Make sure that your specific SCADA system is up to date with all updates and firmware version, if any
- Document whenever a change is made to the SCADA system. Make sure to document who made the change, what change was made, when the change was made and why
- Implement a change control plan
- Audit the SCADA system configuration periodically against any existing change documentation to ensure that the configurations are set correctly
6. Create and Implement a Mobile Device Connectivity Policy
It’s the dirty, unspoken fact of the work world: laptops and other mobile equipment used by organization employees and third-party vendors can be some of the worst infection vectors. Simply connecting an infected device to a network can introduce infections and attacks onto a network with devastating consequences.
An effective mobile device connectivity policy will handle this issue at the source — the device itself. One solution would be to simply force any mobile devices that need to connect to the SCADA system be kept/only used on premises. Another possibility is that a device scan could be made mandatory, where only devices that are scanned and proven to not be infected can be used to connect. Either way, this major back door for infections, and attacks must be addressed on your SCADA security awareness checklist.
SCADA Safety in Numbers, Positive Technologies