SCADA systems are common management tools for much of our infrastructure. Because these systems are responsible for protecting a large part of what keeps our country running, it is important that we take extra measures to reduce security vulnerabilities.
The United States Department of Energy has compiled a list of 21 best practices to help improve the security of SCADA systems. Here, we provide a brief overview:
Evaluate all connections and services with access to the SCADA system
The Department of Energy recommends that you identify and analyze all network connections that are part of your SCADA system. They specifically recommend checking the following:
- Internal local area and wide area networks
- Internet connections
- Wireless network devices, including satellite uplinks
- Modem or dial-up connections
- B2B Connections to business partners, vendors or regulatory agencies
Perform a risk analysis. Which of these is necessary? Is having the connection worth the risk to the system? Once you have identified the unnecessary connections, remove them. This will decrease the chances of a security breach.
Once you have identified the necessary connections, take steps to reinforce the security of those connections to your SCADA network. Installing a network firewall device and establishing VPN connections on any external or internet connections will help to ensure the integrity of your systems.
Similarly, you should evaluate all services connected to your SCADA system and disable any that are not in use. Allowing access for a service that is not a necessity is a risk.
Go beyond proprietary protocols and default configurations
The United States Department of Energy encourages you to be wary of default configurations from SCADA companies. They encourage those using SCADA to perform thorough evaluations of their own systems. Although proprietary protocols may be easier, the Department of Energy warns that these protocols are often not enough to protect against threats.
Modern SCADA systems typically come equipped with security features, but often these are set at a low level. Set these to the max to lower the potential of threats.
Audit your SCADA system to determine vulnerabilities
Another strong recommendation from the Department of Energy deals with audits and physical evaluations of your system. They encourage users to perform network and physical evaluations in an effort to find vulnerabilities. This includes physically scanning any remote sites. Unmanned areas are a particular threat.
You will not know your weak points unless you take measures to try and find them. In addition, they encourage that you have a plan in place for incident monitoring and reporting to minimize damage in the event of a breach.
They even suggest the use of �Red Teams,� or groups of workers with enough knowledge of the system to identify weaknesses, to develop a list of possible vulnerabilities. Don�t stop there. Continually practice and maintain efforts to spot any weak areas. Make sure all workers are aware of their roles in the event of a problem.
One of the most effective methods of finding weak points is to hire a third-party company to perform a penetration (or pen) test. These companies specialize in finding vulnerabilities in your system. Their entire job is to ethically hack your system, then report back with recommendations to fix the issues.
Develop strategies for protection
The Department of Energy recommends that you clearly document weak spots and that you have a written network protection plan in place. Where are problems likely to occur? What are some steps that can be taken to prevent further issues from occurring? Who should workers contact? Documenting these items provides a quick way for workers to find problems and evaluate solutions should the need arise.
Prepare your staff
It is unfair to expect your staff to know how to handle critical situations if you haven�t given them the proper training or tools. To that end, the Department of Energy recommends that you provide regular training for staff members and that you perform drills and assessments to properly educated and hold workers accountable.
Disaster recovery and backups are also helpful. In the event of a breach, you can ensure that things continue to run as smoothly as possible.
SCADA systems are great tools for managing large amounts of information. Taking extra steps to ensure the security of your system is a relatively small effort in comparison to the potential loss of productivity, damage to your SCADA system, or even possible lawsuits that could occur as the result of an insecure system. Want to learn more? Check out our post which discusses why protecting our water is a homeland security issue.