A SCADA environment (Supervisory Control and Data Acquisition) is unlike a conventional IT network in that it provides interconnectedness between industrial systems such as robots, valves, thermal or chemical sensors, command and control systems and HMI (Human Machine Interface) systems, rather than desktops. These environments monitor, manage and administer critical infrastructures in various fields such as transport, nuclear, electricity, gas, water, etc.
Historically, these SCADA control systems have used a dedicated set of communication protocols, but as technology and industrial architectures have evolved, these same industrial systems are now all interconnected via a conventional IP network. The problem, of course, is not the use of conventional IP itself but rather the potentially vulnerable environments that ride on it, such as an unpatched Windows operating system on an HMI platform. Reducing downtime is sometimes justification enough to postpone patching on these systems, which makes SCADA environments potential targets for cybercriminals.
As we have seen with Stuxnet, assuming control over industrial systems is not beyond belief. It is unfortunate that it took an attack of this scale to raise awareness about the potential threat that cyber crime poses to the industrial sector. As a result, many industrial companies have begun to integrate security measures into their systems, but to truly secure a SCADA system, more needs to be considered.
The first step is to consider SCADA as part of a company's overall IT infrastructure. Applying some of the same basic security measures and techniques used for the internal IT infrastructure is a strong start. Beyond this basic step, national organizations such as the North American Electric Reliability Corporation (NERC), or ANSSI in France, offer some reliable resources. Beyond these are some other critical considerations:
Applying software patches on a regular basis to the SCADA operating system, applications and components is an essential step to avoid security breaches through vulnerabilities already known to security vendors. In addition, a tool for the detection and analysis of vulnerabilities, one that intercepts malicious Internet threats before they impact the network or the target server, enables proactive measures: preventing attacks, avoiding service interruptions and responding quickly, in real time, to emerging threats.
It is essential to isolate the SCADA network from any other corporate network. To that end, the use of DMZs or bastion hosts will allow you to segment the SCADA architecture. With the HMI network separated from other machines and systems, each environment can be confined and protected from attacks that pivot from one segment to the next, using Intrusion Prevention Systems (IPS) and anti-malware solutions, in just the same way as an enterprise network.
After having partitioned and segregated the different elements of a SCADA architecture, the next logical step is to apply protocol validation and control related to its various components. This means inspecting those dedicated communication protocols to be sure they aren't being misused and prevent them from becoming an attack vector.
In addition to the segmentation of the network, it is crucial to segregate users from administrators and provide different access levels between the two groups. For example, an administrator could have full access, including configuration changes via the HMI, whereas the users may have read-only access.
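The two preceding points, protocol validation at the segment boundary and separate access levels for users and administrators, can be combined into a single inspection policy. The following added example (not code from the original article) assumes Modbus/TCP as the dedicated protocol and a hypothetical two-zone layout: an operator HMI subnet that may only read process values, and one engineering station that may also write. Every frame is parsed and checked against the MBAP header before its function code is compared with the allowlist for its source zone; malformed frames and unknown sources are dropped. All addresses and frames below are constructed.

```python
"""Protocol validation with per-zone function-code allowlists (added
illustration; assumes Modbus/TCP and constructed zone addresses)."""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Public Modbus function codes, grouped by their effect on the process.
READ_FUNCTIONS = {1, 2, 3, 4}        # read coils / discrete inputs / registers
WRITE_FUNCTIONS = {5, 6, 15, 16}     # write single/multiple coils and registers
# Any other function code (e.g. 8 diagnostics, 43 device identification) is
# unexpected on this boundary and is dropped by falling through the allowlist.

# Constructed zone policy: which source may issue which function codes.
POLICY = [
    (ip_network("10.10.20.0/24"), READ_FUNCTIONS),                     # operator HMIs: read-only
    (ip_network("10.10.30.5/32"), READ_FUNCTIONS | WRITE_FUNCTIONS),   # engineering station
]

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus function code; reject malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:                       # 0 is the only defined protocol identifier
        raise ValueError(f"unexpected protocol identifier {proto}")
    # 'length' counts the unit id, function code and data that follow it.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])

def decide(src_ip: str, frame: bytes) -> tuple:
    """Return ('allow' | 'drop', reason) for one request from src_ip."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    src = ip_address(src_ip)
    for net, allowed in POLICY:
        if src in net:
            if req.function_code in allowed:
                return "allow", f"fc {req.function_code} permitted for {net}"
            return "drop", f"fc {req.function_code} not permitted for {net}"
    return "drop", f"source {src_ip} is not in any SCADA zone"

# Constructed sample frames (MBAP header, unit id 1, then PDU).
READ_HOLDING = bytes.fromhex("0001000000060103006B0003")  # fc 3: read 3 regs at 0x6B
WRITE_SINGLE = bytes.fromhex("00020000000601060001000A")  # fc 6: write 10 to register 1
BAD_LENGTH = bytes.fromhex("0003000000FF0103006B0003")    # length field does not match

if __name__ == "__main__":
    cases = [("10.10.20.7", READ_HOLDING), ("10.10.20.7", WRITE_SINGLE),
             ("10.10.30.5", WRITE_SINGLE), ("10.10.20.7", BAD_LENGTH),
             ("192.168.1.9", READ_HOLDING)]
    for src, frame in cases:
        verdict, reason = decide(src, frame)
        print(f"{src:>12}  {verdict:5}  {reason}")
```

Running the block drops the write from the operator subnet and the frame with the inconsistent length field while allowing the same write from the engineering station; the allowlist is deliberately closed, so a function code the policy does not name is never forwarded.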
A correlation and event management tool is essential. It is critical that the network administrator is able to fully understand the security state of the entire network and know, for instance, the state of the various robots, the HMI patch level and its relationship to a specific user or component of the architecture.
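What such correlation looks like in practice is shown by the following added example, which is not code from the original article. It assumes three hypothetical event sources, all constructed inline: an asset inventory carrying each HMI's patch level, HMI logon records, and configuration-write events reported by the protocol inspector at the controller boundary. Each write is enriched with the host's patch state and the user logged on at the console at that moment, and an alert is raised when the host is below the patch baseline, is missing from the inventory, or the user at the keyboard is not an administrator.

```python
"""Correlating asset, logon and protocol events into alerts (added
illustration; all inventory data, users and events are constructed)."""
from datetime import datetime, timedelta

# Constructed asset inventory: 'patched' is the date of the last applied update.
ASSETS = {
    "hmi-01": {"zone": "operators",   "patched": datetime(2024, 3, 1)},
    "hmi-02": {"zone": "operators",   "patched": datetime(2023, 9, 15)},
    "eng-01": {"zone": "engineering", "patched": datetime(2024, 3, 1)},
}
PATCH_BASELINE = datetime(2024, 1, 1)   # hypothetical policy: nothing older than this

# Constructed logon records: who sits at which console, from when.
LOGONS = [
    {"ts": datetime(2024, 3, 10, 7, 55), "host": "hmi-01", "user": "op_alice", "role": "operator"},
    {"ts": datetime(2024, 3, 10, 8, 2),  "host": "eng-01", "user": "eng_bob",  "role": "admin"},
    {"ts": datetime(2024, 3, 10, 8, 30), "host": "hmi-02", "user": "eng_bob",  "role": "admin"},
]

# Constructed events from the protocol inspector: configuration writes to PLC unit 1.
WRITES = [
    {"ts": datetime(2024, 3, 10, 8, 10), "host": "eng-01",    "unit": 1, "register": 40001},
    {"ts": datetime(2024, 3, 10, 8, 15), "host": "hmi-01",    "unit": 1, "register": 40002},
    {"ts": datetime(2024, 3, 10, 8, 40), "host": "hmi-02",    "unit": 1, "register": 40003},
    {"ts": datetime(2024, 3, 10, 8, 45), "host": "unknown-9", "unit": 1, "register": 40004},
]

def session_for(host, ts, max_age=timedelta(hours=12)):
    """Most recent logon on host at or before ts, no older than max_age, else None."""
    candidates = [l for l in LOGONS
                  if l["host"] == host and l["ts"] <= ts and ts - l["ts"] <= max_age]
    return max(candidates, key=lambda l: l["ts"]) if candidates else None

def correlate(writes=WRITES):
    """Attach user and asset context to each write; return the alerts raised."""
    alerts = []
    for w in writes:
        asset = ASSETS.get(w["host"])
        session = session_for(w["host"], w["ts"])
        reasons = []
        if asset is None:
            reasons.append("write from host not in asset inventory")
        elif asset["patched"] < PATCH_BASELINE:
            reasons.append(f"host patch level {asset['patched']:%Y-%m-%d} is below baseline")
        if session is None:
            reasons.append("no logged-on user at time of write")
        elif session["role"] != "admin":
            reasons.append(f"user {session['user']} has role {session['role']}, not admin")
        if reasons:
            alerts.append({"ts": w["ts"], "host": w["host"],
                           "user": session["user"] if session else None,
                           "register": w["register"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in correlate():
        print(f"{a['ts']:%H:%M} {a['host']:<10} user={a['user']} register={a['register']}")
        for r in a["reasons"]:
            print("    -", r)
```

Of the four writes, only the one from the patched engineering station with an administrator logged on passes silently; the others surface the exact relationship the paragraph asks for (which user, on which HMI, at what patch level, changed which register), which is the view an operator needs before deciding whether a change was legitimate.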
With attacks becoming more sophisticated, such as Advanced Persistent Threats (APT), it is critical that industrial organizations realize that integrated security in their SCADA environments is essential if these networks are to continue to function as they were designed to. By building it in, they gain the ability to control the networks, users and applications while proactively avoiding potential risks. They should also equip themselves with tools designed by specialized teams to identify potential issues in real time and be able to respond quickly when a threat is confirmed.