Friday, September 13, 2013

Basic SCADA Security Requirements


Traditional SCADA systems were designed to connect directly to each other, either via serial links or SONET.  Because of their compact design and communications requirements, SCADA protocols were developed to serve the polling needs of these systems.  Common SCADA protocols include Modbus RTU, RP-570, Profibus and Conitel.  As data networks expanded into remote locations, companies operating SCADA systems decided to tie these systems into their corporate networks.  However, this increased and wide exposure to the public Internet has led to the compromise of many SCADA systems through the wide range of vulnerabilities associated with their protocols. 
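To make the protocol point concrete, here is an added example (not code from the original post) that parses Modbus RTU frames, the simplest of the protocols listed above. The frame layout it assumes is the standard one: unit address, function code, data bytes and a trailing CRC-16 with the low byte sent first. What the parser makes visible is that the frame carries an integrity check against line noise but no field that identifies or authenticates the sender, which is why write requests have to be policed by the network around the device rather than by the protocol itself. The sample frames are constructed for illustration.

```python
# Added example: minimal Modbus RTU frame parser with CRC-16 validation.
# Not part of the original post; frame layout follows the public Modbus RTU spec.
from dataclasses import dataclass

# Function codes that change process state; worth flagging in monitoring.
WRITE_FUNCTIONS = {
    5: "write single coil",
    6: "write single register",
    15: "write multiple coils",
    16: "write multiple registers",
}


def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


@dataclass
class RtuFrame:
    unit_id: int
    function: int
    data: bytes
    crc_ok: bool
    is_write: bool


def build_rtu_frame(unit_id: int, function: int, data: bytes) -> bytes:
    """Assemble a frame: [unit id][function][data ...][CRC low][CRC high]."""
    body = bytes([unit_id, function]) + data
    crc = modbus_crc16(body)
    return body + bytes([crc & 0xFF, crc >> 8])


def parse_rtu_frame(frame: bytes) -> RtuFrame:
    """Split a captured frame into its fields and verify the trailing CRC.

    Note that there is no sender identity or authentication field to check:
    the only integrity mechanism in the frame is the CRC.
    """
    if len(frame) < 4:
        raise ValueError("frame too short for unit id, function and CRC")
    body, crc_bytes = frame[:-2], frame[-2:]
    wire_crc = crc_bytes[0] | (crc_bytes[1] << 8)  # low byte is transmitted first
    return RtuFrame(
        unit_id=body[0],
        function=body[1],
        data=bytes(body[2:]),
        crc_ok=modbus_crc16(body) == wire_crc,
        is_write=body[1] in WRITE_FUNCTIONS,
    )


def describe(frame: bytes) -> str:
    """One-line monitoring summary for a captured frame."""
    f = parse_rtu_frame(frame)
    kind = WRITE_FUNCTIONS.get(f.function, "read/other")
    return (f"unit={f.unit_id} fc={f.function} ({kind}) "
            f"data={f.data.hex()} crc={'ok' if f.crc_ok else 'BAD'}")


if __name__ == "__main__":
    # Constructed sample: read 10 holding registers from unit 1 starting at 0.
    read_req = bytes.fromhex("01 03 00 00 00 0a c5 cd")
    print(describe(read_req))
    # Constructed sample: write value 0x00FF to register 1 on unit 1.
    write_req = build_rtu_frame(1, 6, bytes.fromhex("00 01 00 ff"))
    print(describe(write_req))
```

A passive monitor built on this can at least flag write function codes arriving from unexpected sources and reject frames with bad CRCs; it cannot tell a legitimate master from any other device that can put bytes on the link, which is the limitation the rest of the post works around with segmentation.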

Unlike with common desktop computers and servers, simply installing anti-virus software is not the best way to secure SCADA systems.  Their legacy design and components lead them to hang, or worse, when anti-virus programs are introduced.  SCADA software itself lacks even basic security controls because, when it was designed years ago, security was not a concern.  Vendors also do not develop or release patches for SCADA equipment as quickly and efficiently as enterprise and consumer software vendors do.  Some of these patches require a reboot of the system running the software, and in critical infrastructure this can be a huge headache.  Plant shutdowns rarely occur, so vendors and staff need to wait until one of these annual planned outages to perform SCADA patching. 

With new government regulations dictating the security of critical SCADA infrastructure, it is now more important than ever to examine your systems and ensure that no malicious user or code can attack them.  This means segregating PLCs and HMIs behind several firewalls and forcing all traffic to pass back to your headquarters.  Nothing on the SCADA segments should ever communicate directly with your corporate networks; it should communicate only with systems within a secure DMZ.  Traffic should flow only from the high security zone (SCADA) to lower security zones; any other traffic, unless it is absolutely verified as necessary, should be blocked by the firewalls. 
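The zone rules in the paragraph above can be written down as a policy and checked against firewall logs. The following is an added example, not code from the original post: it encodes the three rules (SCADA talks only to the DMZ, flows go from higher to lower security zones, everything else is denied unless it is a verified exception) and audits a few constructed flow-log lines against them. The zone names, the address plan in `ZONE_NETS`, the log line format and the exception list are all assumptions made for the example.

```python
# Added example: zone-policy checker for SCADA / DMZ / corporate segmentation.
# Not part of the original post; zones, address plan and log format are constructed.
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Higher number = higher security zone.  SCADA is the most protected.
ZONE_LEVEL: Dict[str, int] = {"scada": 3, "dmz": 2, "corporate": 1, "internet": 0}

# Constructed address plan; anything outside these ranges is treated as Internet.
ZONE_NETS = {
    "scada": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/16"),
    "corporate": ipaddress.ip_network("10.30.0.0/16"),
}

# Zones a given zone may reach directly.  SCADA reaches only the DMZ, so
# nothing on a SCADA segment ever speaks to the corporate network directly.
DIRECT_PEERS: Dict[str, Set[str]] = {
    "scada": {"dmz"},
    "dmz": {"scada", "corporate"},
    "corporate": {"dmz", "internet"},
    "internet": {"corporate"},
}

# A verified exception is an explicit (src_zone, dst_zone, proto, dst_port)
# tuple that is allowed even though it runs from a lower to a higher zone.
VerifiedException = Tuple[str, str, str, int]


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


def zone_of(ip: str) -> str:
    """Map an address to its zone using the constructed address plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONE_NETS.items():
        if addr in net:
            return name
    return "internet"


def evaluate(flow: Flow, exceptions: Set[VerifiedException]) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one flow under the zone policy."""
    if flow.src_zone not in ZONE_LEVEL or flow.dst_zone not in ZONE_LEVEL:
        return "deny", "unknown zone"
    if flow.src_zone == flow.dst_zone:
        return "allow", "intra-zone"
    if flow.dst_zone not in DIRECT_PEERS[flow.src_zone]:
        return "deny", f"no direct path {flow.src_zone}->{flow.dst_zone}"
    if ZONE_LEVEL[flow.src_zone] > ZONE_LEVEL[flow.dst_zone]:
        return "allow", "high-to-low"
    if (flow.src_zone, flow.dst_zone, flow.proto, flow.dst_port) in exceptions:
        return "allow", "verified exception"
    return "deny", "low-to-high without verified exception"


LOG_RE = re.compile(r"src=([\d.]+) dst=([\d.]+) proto=(\w+) dport=(\d+)")


def parse_log_line(line: str) -> Flow:
    """Turn a constructed-format flow log line into a zone-level Flow."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    return Flow(zone_of(m[1]), zone_of(m[2]), m[3], int(m[4]))


def audit(lines: List[str], exceptions: Set[VerifiedException]) -> List[Tuple[str, str]]:
    """Return (line, reason) for every logged flow the policy would deny."""
    denied = []
    for line in lines:
        verdict, reason = evaluate(parse_log_line(line), exceptions)
        if verdict == "deny":
            denied.append((line, reason))
    return denied


# Constructed sample log: historian push, two policy violations, one polling flow.
SAMPLE_LOG = [
    "src=10.10.1.5 dst=10.20.0.10 proto=tcp dport=1433",
    "src=10.10.1.5 dst=10.30.4.2 proto=tcp dport=445",
    "src=10.30.4.2 dst=10.20.0.10 proto=tcp dport=443",
    "src=10.20.0.10 dst=10.10.1.5 proto=tcp dport=502",
]

# The DMZ poller reaching into SCADA on tcp/502 is the one verified exception.
EXCEPTIONS: Set[VerifiedException] = {("dmz", "scada", "tcp", 502)}

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_LOG, EXCEPTIONS):
        print(f"DENY  {line}  ({reason})")
```

Running the audit against the sample log flags the SCADA-to-corporate flow (no direct path exists) and the corporate-to-DMZ flow (low to high with no exception), while the historian push and the polling exception pass. Keeping the exception list explicit and short is what makes the "absolutely verified as necessary" clause auditable.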

Some considerations for developing and maintaining your critical infrastructure include performing regular vulnerability assessments against your systems, networks and communications.  Stay up to date on new developments in the SCADA virus and malware domain, and make sure any SCADA software runs on a hardened operating system.  Employ multiple layers of defense with a firewall, IPS, and virus scanning on those devices that are capable of running it.  Keep your virus software up to date.  Encryption and VPNs can help when transmitting polled data from a remote site back to centralized SCADA systems.  If an incident occurs, you should be prepared with a thorough and tested Incident Response Plan.  And always ensure your SCADA data, including the software, is backed up regularly and tested for integrity.  
