Six ways to improve SCADA security
by Amol Sarwate - Security Research Manager at Qualys - Friday, 30 March 2012.
Industrial control systems (ICS), distributed control systems (DCS), supervisory control and data acquisition systems (SCADA) have all been around for decades, but thanks to Stuxnet, DuQu and other major incidents, these systems have recently began receiving serious security consideration.

When it comes to securing SCADA networks, we are years or even decades behind when compared to securing typical IT networks. In this article, I will present some of the SCADA security’s most daunting challenges along with some recommendations to secure SCADA networks.

1. A SCADA network is inadvertently connected to a company’s IT network or even to the internet

Companies believe that their SCADA networks are air-gapped or separated from other networks in their organizations. In some cases, business needs require data from SCADA systems (like electric outage information, etc.) to be exposed on the internet. And during this implementation, the secure network diagram on paper starts deviating to the insecure configurations of the real world.

A search for ‘data presentation and control’ software on the internet yields SCADA systems with management services exposed to the internet. If an organization's SCADA network is not securely connected with the IT network, worms can jump from the HR desktops or reception kiosk into the SCADA network.

Recommendation: Based on available resources, use a mapping tool or professional service (who will use some tools on your behalf) to investigate your SCADA network connectivity and deviations from the securenetwork diagram on paper. Caution: Not all tools are created equal and a blind scan of your network could knock down SCADA components like PLCs, RTUs and IEDs. Thus, it is important to ask your tool vendors if the tool has ever beenused in SCADA environment and if a SCADA configuration is available.

2.‘Data presentation and control’ now runs off-the-shelf software

Long gone are the days when control systems ran on proprietary or custom platforms. Most SCADA systems today use off-the-shelf operating systems, standard browsers and other technologies which are used in desktop environments. Hackers can easily create exploits that target the underlying software vulnerabilities to infect and propagate their worms.

Recommendation: Use your IT experience to deal with IT problems. Scan for vulnerabilities in your IT and SCADA networks and patch them as soon as possible. Our research has shown that patching is the most simple yet effective solution.

In some cases patches cannot be applied, and I will discuss that issue in the next section. There are various technical security benchmarks (like CIS) and compliance standards available for off-the-shelf systems like Windows, Solaris, Oracle, Apache and others. Use a policy compliance system to make sure that off-the-shelf systems are configured securely. Anti-virus, IDS, firewalls and other well-known IT solutions will also be helpful.

3. Control systems not patched

In many SCADA systems, the underlying OS or applications have not patched for years. It’s not fair to blame SCADA system administrators in all instances because there is little guidance from SCADA vendors regarding whether or not an OS patch is safe for SCADA software. For example, Microsoft releases patches every month. Without any guidance from SCADA vendors on the compatibility of the patch with their SCADA software, SCADA system administrators will not apply the patch. In some cases the underlying OS is a modified version of the standard OS. Some vendors may quickly translate and re-release the OS patches from Microsoft for their modified OS, while other vendors may not be as quick to release the patch.

Spotlight

European Central Bank blackmailed in wake of data breach

Posted on 24 July 2014.  |  The European Central Bank - the central bank for the euro - has suffered a data breach, and has only discovered it after receiving a blackmail letter from the attacker.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Jul 25th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //