Autopro Blog

3 Simple Ways to Help Keep Your SCADA System Secure

January 11, 2016

by

Recently it was reported that a malware attack on the SCADA system of a Ukrainian electrical utility resulted in 1.4 million people losing power for several hours.

According to the article, the utility fell prey to a trojan "which typically infects an enterprise through a phishing attack that carries a document with an infected Microsoft Word macro. From there malware would try to be used to find a way onto the utility’s SCADA (supervisory control and data acquisition) network, which controls electrical systems”.

While this particular incident was carried out as a targeted attack, SCADA systems can easily be made vulnerable to unintentional infection, simply due to a lack of awareness. The good news is there are a few simple checks you can implement to help secure your system, remembering that there is no such thing as being completely secure.

Some general areas to consider when thinking about SCADA security are:

  • User access
  • Direct access
  • Data confidentiality

Let’s look at each of these in a bit more detail.

Manage user Access to your SCADA System

Take a good look at user access to your SCADA system and ask some simple questions such as:

  • Who has access?
  • What access has been granted?
  • Why has access been granted?
  • What method is used to obtain access (such VPN or direct login)?

 If these questions cannot be answered completely satisfactorily, the access of the user in question requires further investigation.

As well, it is important to ensure that the access being granted only suits the needs required and nothing more. Too many times, users are granted access that is beyond what the daily job requirements would dictate. For example, a user who only needs to look at yesterday’s totals might be granted full access to read and write to the database including instrument tags and settings, or the user is given access to the DOS command prompt and other tools that could be used to modify settings and data. In that situation, the user could inadvertently modify something without even being aware of it.

It is also important to ensure that any security measures employed do not impede users in accomplishing the job at hand.

Restrict Direct Access to your SCADA System

In addition to outside access, you should also evaluate the ways your SCADA hardware can be accessed directly, by asking such questions as:

  • Are users able to plug their laptops into the equipment to download data?
  • Are users able to plug in any USB devices?

Laptops and USB memory sticks are a huge risk, as users typically do not scan them for malware and viruses on a regular basis to ensure they are not carrying something that could impact a corporate or SCADA infrastructure.

One easy method to lock this access down is the utilization of USB port locks. If a user requires access to the USB port, they must verify that the device has been properly scanned prior to getting the key to unlock that port. Standalone scanning stations can be purchased and installed to provide users with a way to easily scan USB devices for viruses and malware before accessing the USB port.

Maintain Data Confidentiality

Another simple security measure you can take is to ensure that someone involved with the SCADA system is on at least one security mailing list. These are subscription based email lists that publish regular notices and updates about major and minor security vulnerabilities, sometimes including remediation tips and strategies.

There are many sites out there that can be used to obtain this information. Two that you can check out to get you started are Bugtraq and Insecure.

Security is an ever changing world and it is critical to develop, document and maintain plans and processes in order to protect your resources.

Autopro is a vendor-independent engineering services provider which has designed and integrated most major SCADA hosts within a variety of industries. Our experienced SCADA team can help you understand where your system vulnerabilities might be, determine the nature and likelihood of threats, and provide you with recommendations on how to mitigate your risk.