Six ways to improve SCADA security
by Amol Sarwate - Security Research Manager at Qualys - Friday, 30 March 2012.
Recommendation: Demand your SCADA vendor to provide guidance on patching Microsoft, Adobe, Oracle, etc., for all software used in the setup. If acustomized version of the standard OS is used, then demand quick release of customized patches. If possible, invest in a lab where you can test for patch compatibility yourself. Use a vulnerability management system to identify missing patches.

4. Authentication and authorization

In many instances ‘data presentation and control’ software is not capable of basic authentication and authorization. Even if the software is capable weak configuration, shared or default passwords render these features useless. If a worm gets on the machine it can easily manipulate a SCADA environment provided that it knows how to communicate with the SCADA control software via default password or nopassword set.

Recommendiation: Configure SCADA control software to use per user authentication, authorization and logging controls. In addition to strong passwords, use a smart token based authentication scheme.

5. Insecure ‘datacommunication’ protocols

Decades ago, SCADA protocols were not designed with security in mind as networks were air-gapped and this thing called as Internet did not exist. However, 20 to 30 year-old protocols like Modbus and DNP3 still exist and thrive in SCADA networks. Manipulating PLCs running on such protocols is trivial, and upgrading to newerprotocols (like secure DNP3) often requires you to replace components, which can be costly.

Recommendation: If your system is already using newer protocols with key management and secure communication, make sure they are configured to use these newer features. Investigate your upgrade options and the costs associated with them. If upgrades are not possible, determine whether there is a way to tunnel the communication through secure channel.

6. Long life span of SCADA systems

Finally, the achillesheel of SCADA systems is their long lifespan, which is often measured in decades. These systems are built to last, and unlike PCs, which are easy to replace, it’s difficult and costly to replace even part of a SCADA infrastructure.

Recommendation: There is no easy fix for this. While designing new systems or expanding existing systems, consider the long life cycle and architect your infrastructure accordingly so that components are easily upgradable or replaceable.

If you are SCADA system owner or administrator, I would appreciate if you could email me your feedback on this blog post along with your experience managing them.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th