Top SCADA system security recommendations


Leading on from our post on SCADA System Security Challenges and Recommendations, we look at the top SCADA system security recommendations to give SCADA system owners a head start on securing the critical national infrastructure appropriately.

Firstly, and most importantly, organisations need to be aware of how vulnerable their systems are from a technical perspective. Vulnerability analysis tools can be utilised to perform scans and audits on equipment within the scope of the SCADA network. Initially though, companies must understand their network, map together all components and be aware of how many potential attack paths there are into their SCADA environment. Assets should be recorded in a register and links should be detailed, including who has access to these and how.

SCADA System Security Recommendation #1: Identify and list all assets within the scope of the SCADA network, including assets, location, status and possible attack paths.

Following this, organisations can conduct technical audits via vulnerability analysis tools. The results of this assessment can be used to identify security holes in the network; however, this is just an automated process, and organisations must use skilled staff to put these vulnerabilities into context. With the vulnerability analysis results, SCADA system owners can deduce likely attack paths and implement controls to prevent this from occurring.

SCADA System Security Recommendation #2: Perform regular technical vulnerability analysis scans to identify security holes in the network.

In addition to the technical perspective, organisations must implement procedures to prevent vulnerabilities from recurring. For example, if default credentials are identified and addressed via a vulnerability analysis scan, the procedures that put these in place initially must be addressed to ensure that any new components installed don’t open up further holes. All current processes should be reviewed, including how engineers set up new components, how existing components are maintained and who has access to what assets.

SCADA System Security Recommendation #3: Revise current procedures to ensure that default credentials and configurations don’t leave security holes.

As well as reviewing the current procedures and technical configurations, it is important to ensure that monitoring at the boundary is efficiently executed. All points of entry to the SCADA environment should contain boundary controls to try to prevent an attack at the earliest stage. This may include intrusion detection or prevention systems, or firewalls. The type of defensive mechanism implemented will vary depending on the risks identified during the risk assessment phase. There may be other considerations such as performance or cost; however, any boundary control is better than nothing.

SCADA System Security Recommendation #4: Implement technical security controls at the boundary to identify malicious activity.

With appropriate boundary controls in place, efforts should be turned to locking down and hardening SCADA systems appropriately. This will reduce the attack surface for attackers to exploit, and result in a more secure environment if attackers are able to breach the boundary. As SCADA systems are based on normal commercial off-the-shelf operating systems, vulnerabilities that exist in regular operating systems will also affect SCADA systems. As with any other system, SCADA systems should be locked down, unnecessary services removed and protocols secured.

SCADA System Security Recommendation #5: SCADA systems should be locked down as with any other system. Unnecessary services should be removed and operating systems locked down.

SANS have identified numerous vulnerabilities in SCADA systems. Read more: http://www.securingthehuman.org/blog/2013/04/15/industrial-control-systems-ics-security-awareness-poster/


It is important to understand the interconnections in SCADA networks, as this will allow the business to identify possible attack paths and threats to these systems. For example, if SCADA systems are managed remotely then this is a highly attractive target for attackers to compromise. The company needs to think about this connection from end to end and the security vulnerabilities that exist for attackers to exploit. In this scenario, the engineer may be accessing the SCADA systems from an uncontrolled end user device that has already been compromised or could spread a worm onto the SCADA network. The connection methods also need to be analysed to ensure that communications are secure and that credentials are not transmitted in the clear, which would allow an attacker to sniff the traffic and gain legitimate, privileged access. All these considerations need to be made, making this a top SCADA system security recommendation.

SCADA System Security Recommendation #6: SCADA system connections need to be analysed, reduced and secured appropriately.
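The asset register from recommendation #1 and the connection analysis from recommendation #6 can be worked through together. The following is an added example, not code from the original post: it walks a small constructed register to list every path from an outside zone into the SCADA zone, marks hops that use a cleartext access method, and reports link endpoints missing from the register. All asset names, zones and the `CLEARTEXT` set are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample register (hypothetical names, not from a real site).
ASSETS = {
    "eng-laptop":  {"zone": "external",  "location": "remote",       "status": "unmanaged"},
    "vpn-gateway": {"zone": "boundary",  "location": "dmz",          "status": "live"},
    "corp-pc":     {"zone": "corporate", "location": "head office",  "status": "live"},
    "historian":   {"zone": "dmz",       "location": "dmz",          "status": "live"},
    "hmi-01":      {"zone": "scada",     "location": "control room", "status": "live"},
    "plc-01":      {"zone": "scada",     "location": "plant floor",  "status": "live"},
}
# Constructed links: (source, destination, access method, who uses it).
LINKS = [
    ("eng-laptop", "vpn-gateway", "ipsec", "support engineers"),
    ("vpn-gateway", "hmi-01", "rdp", "support engineers"),
    ("corp-pc", "historian", "https", "analysts"),
    ("historian", "hmi-01", "ftp", "batch export job"),
    ("hmi-01", "plc-01", "telnet", "operators"),
    ("modem-01", "plc-01", "telnet", "vendor"),  # endpoint missing from register
]
CLEARTEXT = {"telnet", "ftp", "http"}  # methods that send credentials unencrypted

def unregistered(assets, links):
    """Link endpoints that the register does not know about."""
    return {n for s, d, _, _ in links for n in (s, d) if n not in assets}

def attack_paths(assets, links, entry_zones=("external", "corporate"), target="scada"):
    """Every loop-free path from an entry-zone asset to a target-zone asset."""
    graph = defaultdict(list)
    for src, dst, method, _ in links:
        graph[src].append((dst, method))
    paths = []
    def walk(node, hops, seen):
        if hops and assets.get(node, {}).get("zone") == target:
            paths.append(hops)
        for dst, method in graph.get(node, []):
            if dst not in seen:
                walk(dst, hops + [(node, method, dst)], seen | {dst})
    for name, info in assets.items():
        if info["zone"] in entry_zones:
            walk(name, [], {name})
    return paths

def describe(path):
    """Render a path as text and list its cleartext hops."""
    route = path[0][0] + "".join(f" -[{m}]-> {d}" for _, m, d in path)
    weak = [f"{s}->{d}" for s, m, d in path if m in CLEARTEXT]
    return route, weak

if __name__ == "__main__":
    print("not in register:", sorted(unregistered(ASSETS, LINKS)))
    for p in attack_paths(ASSETS, LINKS):
        print(*describe(p))
```

Each reported path is a candidate for removal or tighter control, and any endpoint reported as missing from the register is a connection nobody has yet assessed.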

Moving on from technical controls surrounding the SCADA network itself, it is also vitally important to ensure that insider threats are mitigated appropriately. Personnel operating SCADA systems, from engineers that install and configure new components through to engineers that remotely support them, need to be aware of the threats to SCADA systems. Personnel should be trustworthy, and the company should gain confidence in the personnel operating SCADA equipment before allowing any privileged access.

SCADA System Security Recommendation #7: SCADA system engineers should be trustworthy and understand the threats to SCADA networks.

As demonstrated by the Stuxnet case, removable media is often the main attack vector for SCADA system security concerns. Often SCADA systems are segregated, or air gapped, from other networks, making the spread of malware difficult. However, the use of removable media can often bridge this air gap and is a major security concern for many SCADA networks. Organisations need to be aware of this threat and implement controls appropriately. This may be either via an isolated machine that is not connected to the network to scan removable media for viruses, or malware analysis located in a DMZ.

SCADA System Security Recommendation #8: Implement secure data import and export procedures, ensure removable media is scanned before introduction to the network.

Authentication is an issue for any network, and SCADA networks are no different. Once organisations have identified the connections coming into the SCADA network and connected networks, it is vital to secure those connections appropriately. For example, organisations that allow remote administration of SCADA components need to ensure that strong authentication mechanisms are implemented to prevent unauthorised access. Connection methods need to be strong to prevent clear text authentication credentials being sniffed by attackers. SCADA system owners should implement strong encryption controls for connections in and out of the network. Authentication mechanisms need to be implemented, and organisations should consider two-factor authentication for SCADA networks.

SCADA System Security Recommendation #9: Secure authentication mechanisms and secure communication paths through appropriate encryption.

Finally, and quite importantly, SCADA system owners need to ensure that their incident response procedures are effective in learning from any incident and recovering appropriately. These procedures include the end to end process of identifying and preventing an attack through to post incident analysis and forensics to prevent a similar attack occurring again. Organisations should ensure that monitoring is linked up with incident response procedures to ensure that once an incident is recognised, ideally at the boundary, the attack can be analysed, signatures created and systems secured. Post incident analysis allows SCADA system owners to secure their network appropriately and prevent future attacks.

SCADA System Security Recommendation #10: Set up incident response procedures, including incident response and post incident analysis to improve SCADA system security.

Implementing these 10 SCADA system security recommendations will not necessarily result in a secure environment, but will be a great starting point for SCADA system owners to begin to prevent attacks against their systems appropriately. Vulnerabilities are inherent in SCADA systems due to their nature; however, by identifying risks and the attack paths of malicious users, system owners can go a long way in implementing appropriate controls. Use this as a basis, select a suitable risk assessment methodology and continually update processes to result in a secure environment.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.
