ICS/SCADA security overview
Introduction
Supervisory Control and Data Acquisition (SCADA), and Industrial Control Systems (ICS) generally, can be described as a synthesis of IT and previously existing industrial and processing systems. Despite ICS/SCADA having the proverbial DNA of IT (and information security) coursing through its veins, its approach to security is significantly different.
This article will provide a high-level overview of the following: an introduction to SCADA security, ICS/SCADA access controls, identification and AAA for ICS/SCADA environments, physical security for ICS/SCADA environments, ICS/SCADA security technologies and tools, security controls for ICS/SCADA environments, ICS/SCADA threats and threat actors, the role of resiliency in automation in ICS/SCADA security, ICS protocols and ICS/SCADA security specialist/technician role.
Introduction to SCADA security
The priorities of SCADA are availability, integrity and confidentiality, unlike IT security, which orders its priorities as confidentiality, integrity and availability.
There are three main approaches to SCADA security. The first is hardening the perimeter, which is normally combined with SCADA system isolation (air-gapping). The second is defense-in-depth, where multiple layers of security are used beyond a hardened perimeter. The third is securing remote connections, which is essential for organizations that use remote access. Successful SCADA security combines the three approaches where appropriate.
ICS/SCADA access controls
The ICS/SCADA environment should be limited to necessary personnel only, and access control is the mechanism for enforcing this. This need may be based upon shift, position, rank or any other classification that is useful to the plant.
There should be two forms of access control for authorizing users: physical and logical. Examples of physical access controls include access cards, PINs, keys and biometrics; an example of a logical access control is using different levels of access for personnel. Access control should be highly reliable and should not interfere with the duties of plant personnel.
Identification and AAA for ICS/SCADA environments
The authority for identification and AAA in ICS/SCADA environments is NIST SP 800-53, which sets out policy and guidance for the identification and authentication of authorized users of ICS/SCADA. Authentication refers to the process of positively identifying ICS/SCADA users, and authorization refers to determining who has access to the ICS/SCADA system.
Controls to manage user identification and authentication include passwords, key cards, certificates, biometrics and so on.
Physical security for ICS/SCADA environments
The best approach to physical security for ICS/SCADA environments is defense-in-depth. A defense-in-depth solution should include a combination of different active and passive physical barriers around facilities, buildings, rooms, control rooms and other physical segmentations of the location.
The first layers of this approach are typically gates, guard shacks, walls and locked doors. A complementary solution is the “six-sided-barrier” approach, which looks at all doors, gates, walls, ceilings and floors to ensure that no holes, gaps or other weaknesses exist that would compromise ICS/SCADA physical security.
Physical security should extend to personnel and asset tracking. This can be accomplished with ID cards for employees and asset tags for ICS/SCADA computers, components, sensors and so on.
ICS/SCADA security technologies and tools
There are a number of security technologies and tools available for ICS/SCADA environments. These types of tools include firewalls, intrusion detection systems (both network-based and host-based), network analyzers, cybersecurity platforms and multi-purpose tools. Some of the major vendors include Barracuda, SamuraiSTFU and Dragos.
Security controls for ICS/SCADA environments
The requirements for ICS/SCADA security controls are:
- Asset management
- Identity and access management
- Vulnerability management
- SCADA network security controls (many are proprietary): The SCADA network must always be protected from other networks, including the facility/plant office network
- Physical security
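One way to check the network separation requirement above is to audit firewall rules for any permit that lets a non-SCADA source reach the SCADA subnet. This is an added example, not part of the original article; the address plan, the approved jump host and the rule set are hypothetical and constructed for illustration.

```python
from ipaddress import ip_network

# Assumed address plan (hypothetical): one SCADA subnet, one approved jump host.
SCADA_NET = ip_network("10.10.0.0/16")
APPROVED_SOURCES = [ip_network("10.20.5.10/32")]  # DMZ jump host

# Constructed rule set: (name, action, source, destination)
RULES = [
    ("hmi-to-plc",       "permit", "10.10.1.0/24",   "10.10.2.0/24"),
    ("jump-host-rdp",    "permit", "10.20.5.10/32",  "10.10.1.5/32"),
    ("office-historian", "permit", "192.168.0.0/16", "10.10.3.20/32"),
    ("legacy-any-any",   "permit", "0.0.0.0/0",      "0.0.0.0/0"),
    ("office-to-web",    "permit", "192.168.0.0/16", "0.0.0.0/0"),
    ("deny-office",      "deny",   "192.168.0.0/16", "10.10.0.0/16"),
]


def crosses_boundary(src: str, dst: str) -> bool:
    """True if a non-SCADA, non-approved source can reach the SCADA subnet."""
    s, d = ip_network(src), ip_network(dst)
    if not d.overlaps(SCADA_NET):
        return False  # destination never touches the SCADA subnet
    if s.subnet_of(SCADA_NET):
        return False  # traffic stays inside the SCADA subnet
    # Broad sources such as 0.0.0.0/0 are never a subset of an approved host.
    return not any(s.subnet_of(a) for a in APPROVED_SOURCES)


def audit(rules):
    """Names of permit rules that open the SCADA network to other networks.

    Rule order (first-match semantics) is deliberately not modelled: every
    permit that could cross the boundary is reported for human review.
    """
    return [name for name, action, src, dst in rules
            if action == "permit" and crosses_boundary(src, dst)]


if __name__ == "__main__":
    for name in audit(RULES):
        print("review:", name)
```

Note that the "office-to-web" rule is flagged even though it never names the SCADA subnet: a destination of "any" includes it.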
ICS/SCADA threats and threat actors
ICS/SCADA environments have always been plagued by threats from different sources. The main ICS/SCADA threats and threat actors are:
- Hackers
- Malware
- Terrorists
- Insider threats
Most of these threats originate with the fact that ICS/SCADA systems are becoming more and more connected, thus opening them up to threats and threat actors.
The role of resiliency in automation in ICS/SCADA security
Resiliency in automation is paramount to solid ICS/SCADA security. ICS/SCADA is normally used in some of the most sensitive and necessary industries, including critical infrastructure, and if (and when) an attack occurs, it could be life-threatening in some cases.
Resilience allows an ICS/SCADA environment to operate while giving the ICS/SCADA operators enough relief to sleep at night. A resilient ICS/SCADA environment can survive an attack or two without going down when security automation is properly configured and deployed. Given the importance of what is being protected, resiliency should be bolstered as much as possible.
ICS protocols
ICS protocols were not created with security in mind. To begin with, many manufacturers of ICS/SCADA systems use proprietary protocols without any kind of standardization. Next, there is an array of different communication protocols that are non-proprietary, including:
- Modbus
- DNP3
- ICCP
- Common industrial Ethernet
- OLE for process control (OPC)
- Foundation Fieldbus H1
- Profibus
There is a degree of inbuilt security when every vendor uses a proprietary protocol. However, once an attacker finds out how to get around a proprietary protocol, they will have their front door to your ICS/SCADA environment.
ICS/SCADA security specialist/technician role
The ICS/SCADA security specialist/technician role is responsible for ICS/SCADA environment operations and maintenance. This role is responsible for running ICS/SCADA security systems, investigating and resolving security events, developing ICS/SCADA security policy and developing operational procedures related to ICS/SCADA security.
This role requires rapid response to diagnose and appropriately respond to incidents, continuous monitoring of the ICS/SCADA environment and a good amount of flexibility, because incidents can happen at any time of the day. The job market for this role is solid, with above-average growth, and the average salary you can expect is $50,000.
Conclusion
ICS/SCADA environments are an essential part of today’s modern industrial, processing and critical infrastructure facilities. Despite the good amount of IT DNA in this technology, ICS/SCADA has security needs distinct from traditional IT, and this must be accounted for when laying out a security plan for this type of environment.
If you are new to ICS/SCADA environments and perhaps have been interested in the ICS/SCADA security specialist/technician role, this article has been for you.