SCADA on Thin Ice: Three Tips to Drive Cybersecurity Without Removing Accessibility

Whether SCADA, Operational Technology (OT) or Industrial Control Systems (ICS), it’s important for organizations to find a way to maintain the accessibility of these technologies while complying with federal, state and local regulations – and defending their network data from cyberattacks.

Organizations with Supervisory Control and Data Acquisition (SCADA) systems are on thin ice. Without proper cybersecurity controls in place, these groups are vulnerable to attack, and vulnerable to compliance issues from strict regulatory requirements such as the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards.

I never truly appreciated the differences between operational technology and the more ubiquitous IT until I worked in upstream oil and gas. In sectors like oil and gas, chemicals, pharmaceuticals and manufacturing, organizations build SCADA to rely predominantly on its accessibility and integrity of data. The reading from a pressure valve, for example, has to be easy for engineers to get to, and the number it displays must be accurate. Failure to do so can, at best, cost a company a lot of money. At worst, a failure can get people hurt or even cause serious harm to the environment.

Information technology is developed with different goals in mind than SCADA

The problem is that information technology is developed with different goals in mind than SCADA. With IT, confidentiality of the data is the center of focus. The data must be protected first, and then easily available as a secondary consideration. This seemingly innocuous difference between SCADA and IT can cause a gap that hackers can leverage to gain access to a network.

IT systems are updated and upgraded frequently in a rapidly-evolving environment. SCADA operates in a more static environment where accessibility and system integrity are paramount and even minor changes pose a risk to the integrity of the entire system. Therefore, SCADA, ICS and OT are often made up of electro-mechanical devices never intended to be networked with digital equipment. They can perform the same function for decades without change or failure.

Exacerbating the issue is that few IT security and management tools are designed to work with SCADA. Many companies resort to trying to get IT solutions to shoehorn into OT networks, but these approaches are normally unsuccessful – the two technologies are just too different. By trying to rig up an off-the-shelf technology such as a PC running Microsoft Windows with a run-of-the-mill anti-virus solution to monitor a piece of operational technology, organizations may also inadvertently void the license of either the OT or IT devices in that chain.

Few IT security and management tools are designed to work with SCADA

Often these fixes do little to nothing towards addressing NERC CIP regulations, which first and foremost require all networked OT assets to be identified and tracked. Many companies aren’t even aware of how many OT assets they have. This produces a huge time constraint and resource burden.

Top 3 tips to protect operational technology and corporate networks
There are several proven ways to protect operational technology and the corporate or IT networks that may be passively linked to them.

Identify all connections to SCADA networks and identify all systems and data that must be protected. This will generally include items broken down within the following categories:
Operating documents

Operating conditions
Plant drawings
Process models
Network drawings
Failure history
Operating procedures

Standard operating procedures
Standard jobs procedures
Maintenance procedures
Current state data

Instrumentation ranges and settings
Control logic
Firewall configuration rules
Distributed control system data
Internet protocol addresses
Once detected, immediately disconnect all unnecessary connections to the OT network, and separate OT from IT networks and corporate networks.
Harden OT networks by removing or disabling unnecessary services.
SCADA security monitoring with data accessibility
Once these top three recommendations are completed, it’s essential that organizations implement solutions that are engineered and tailored for continuous network monitoring, including vulnerabilities, configuration weaknesses, data leakage, log management, and compromise detection to help ensure USGCB, FISMA, and PCI compliance.

It’s essential that organizations implement solutions that are engineered and tailored for continuous network monitoring

Tenable’s SecurityCenter Continuous View™ (SecurityCenter CV™) can audit, verify and protect SCADA and OT networks by providing a continuous network monitoring platform that brings information from around the network to a single management console.

SecurityCenter CV is a highly effective solution. It identifies vulnerabilities and threats by using data collected from five sensors: active scanning, intelligent connectors, agent scanning, passive listening, and host data. By examining all the available data, your organization can continually detect issues before they become breaches.

This makes auditing OT networks much easier. New devices can be quickly identified, and devices operating with unauthorized protocols or attempting unauthorized communications can be managed. SecurityCenter CV has the ability to automatically discover parts of an organization and identify them as an asset group. For example, an asset group could be a list of any devices that speak the SCADA DNP3 protocol. This group could then be used as an access control mechanism. Only certain users of SecurityCenter CV would have access to this asset list, and only they would be able to analyze, report or manage the vulnerabilities.

Organizations with OT and SCADA are on thin ice, but they don’t have to be

Organizations with OT and SCADA are on thin ice, but they don’t have to be. With proper cybersecurity controls in place, these groups can continue to provide valuable services to their customers without opening the doors to attackers.


. . . . . . . .

Leave a Reply