Getting Started on ICS and SCADA Security (Part 2 of 2)

Last week I discussed the first steps to take to get started to improve ICS and SCADA Security in your facility.  Those steps included:

  • Step 1 - Conducting a Security Risk Assessment,
  • Step 2 - Learning Industrial Cyber Security Fundamentals, and
  • Step 3 - Understanding the Unique Requirements of ICS and SCADA Cyber Security.

This week I discuss the remainder of the process.

Step 4 - Vulnerability Analysis

The next step is a Vulnerability Analysis.  Now that we understand the risks, what are the key vulnerabilities in our processes, equipment and software?

For example:

  • Does my company need to worry about the Siemens PLC security flaws that were exposed in early August?
  • If my HMIs or programming stations use Adobe Reader software, are all the copies in the plant patched for all the new vulnerabilities that can turn a PDF into a piece of malware?
  • If a consultant shows up with an infected laptop, is there a process that will detect it before it is connected to a process network?
  • Are there unsecured modems connected to programming stations on the plant for remote support?

This sort of analysis is the most complex portion of a security program. It requires:

  • An understanding of the actual plant network architecture,
  • A detailed inventory of data, equipment and software (assets),
  • A clear grasp of company policy/processes, and
  • A solid knowledge of the current security threats.

Vulnerability analysis tools such as Nessus can help, but they must be used only once their potential risk to the plant floor is assessed and is determined to be negligible.  Such an assessment requires a person or people with solid ICS / SCADA security experience.

Another challenge with scanning tools is that the amount of data collected can be large and difficult to sort in terms of priority.  Modeling tools can help make sense of the information.  Two older papers that can help inform you about modeling tools are provided at the end of this article. As well, look at the Microsoft threat Modeling Tool – while it is designed for software analysis we have used it successfully in the past for system assessment.

Again, a few companies have the internal skills and tools to do this sort of analysis, but most need the help of a specialist team like exida to do a really thorough job.

I need to stress that performing the Vulnerability Assessment before the Risk Assessment is complete is a bad idea. The Risk Assessment is needed for defining priorities and focusing efforts when you find vulnerabilities. If you do the Vulnerability Assessment first, or before the Risk Assessment is complete, you are in danger of misallocating your resources and not properly addressing high risk items.

Steps 5 and 6 – The Security Architecture / Mitigation Strategy

This is where you start getting into the details and technologies.  You will now design your security architectures and select specific security technologies and practices to achieve your security goals.  The ISA-99/IEC-62443 zone and conduit models for architectures are a great place to start for architectures. I have written lots on this before (see links at the end of this article), so I won’t go into more detail here.

As for security technologies, these might include:

This list can get long, but the above covers the main technologies currently used in modern SCADA and ICS systems. Again, prioritize by risk, which is a function of probability and consequence.

For example, if your company uses Safety Integrated Systems (SIS), it is a system with very nasty consequences if things go wrong. The SIS is likely a good place to start your security mitigation strategy, rather than a data historian server. On the other hand, if your vulnerability analysis indicates your plants are filled with unpatched Windows NT computers, perhaps the probability of incident is a driving factor. Only a proper risk analysis can guide this priority setting.

While you are doing all this work, don’t forget to involve your vendors. First, demand secure products from your vendors. Also ask for guidance and best practise documents. Many of the vendors have created useful guidelines on what works from a security point of view and will not impact their systems.

Strategic Assessment and Planning is the Way to Go

While the steps described for “getting started” are not exactly “fast and easy” measures to take, they will lead to better cyber security and will avoid wasting resources on the wrong initiatives or technologies.

If it is not possible for you to drive this process for your organization, then apply these principles within your sphere of responsibility and influence, and be an advocate for a plant or organization level plan.

The bad guys are focusing on ICS and SCADA systems like never before.  Make sure your facility does not lose production or create a safety incident by having a solid cyber security program in place.

Related Content to Download

PDF "Building Intrinsically Secure Control and Safety Systems Using ANSI/ISA99 Security Standards for Improved Security and Reliability"

(overview presentation on the fundamentals of the ANSI/ISA-99 Standards)

Related Links resources re: Modeling Tools:

Other resources:

Practical SCADA Security Articles about using Security Zones:

(includes a section and a diagram on dividing control networks into security zones)


RSS Feed Subscribe to the "Practical SCADA Security" news feed

Add new comment