Yesterday I blogged on the scan results, configuration issues and increasing use of Verizon, AT&T and other carriers’ broadband services for SCADA. Today I’ll address the question of whether these networks should be used in SCADA systems. Like most security questions, the answer is not yes or no.
A prerequisite to even considering use is securing the gateway to the control center. As mentioned yesterday, in many cases the carrier has prevented other users on their network from routing to the control center gateway. You shouldn’t rely on that. There needs to be a firewall with a least privilege ruleset. That firewall should be monitored for all unexpected activity, even what is successfully blocked.
The field sites are often unmanned and physically accessible, so an attacker can open the enclosure and connect a laptop to the Ethernet cable. The firewall should limit them to the control system protocol, but I would go a step further and add an IPS that stops any traffic that violates the protocol.
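The monitoring described above, as an added example that is not part of the original post: it reviews firewall log records against a least-privilege allowlist and reports everything outside it, including traffic the firewall already blocked. The addresses (documentation ranges), the key=value log format, the flow direction and DNP3 on TCP/20000 as the single permitted control protocol are all assumptions.

```python
"""Review firewall log records against a least-privilege allowlist."""
from ipaddress import ip_address, ip_network

# Assumptions, not from the post: field sites live in FIELD_NET and may reach
# one control-center front end on one control protocol port (DNP3, TCP/20000).
FIELD_NET = ip_network("198.51.100.0/24")
ALLOWED = {("192.0.2.10", "tcp", 20000)}  # (destination, protocol, dst port)

# Constructed sample records in a made-up key=value format (no vendor's syntax).
SAMPLE_LOG = """\
action=allow src=198.51.100.21 dst=192.0.2.10 proto=tcp dport=20000
action=deny src=198.51.100.21 dst=192.0.2.10 proto=tcp dport=22
action=deny src=203.0.113.77 dst=192.0.2.10 proto=tcp dport=20000
action=allow src=198.51.100.40 dst=192.0.2.15 proto=tcp dport=443
action=deny src=198.51.100.21 dst=192.0.2.10 proto=icmp dport=0
"""


def parse(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def review(log_text):
    """Return (finding, src, dst, proto, dport) for every record that is not
    allowlisted traffic being allowed."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        dport = int(rec["dport"])
        expected = (ip_address(rec["src"]) in FIELD_NET
                    and (rec["dst"], rec["proto"], dport) in ALLOWED)
        if rec["action"] == "allow" and expected:
            continue  # the only traffic that should exist on this link
        if rec["action"] == "allow":
            finding = "RULESET-GAP"          # firewall passed non-allowlisted traffic
        elif expected:
            finding = "DENIED-EXPECTED"      # legitimate polling is being dropped
        else:
            finding = "BLOCKED-UNEXPECTED"   # blocked, but someone still tried
        findings.append((finding, rec["src"], rec["dst"], rec["proto"], dport))
    return findings


if __name__ == "__main__":
    for row in review(SAMPLE_LOG):
        print(*row)
```

A BLOCKED-UNEXPECTED record from a field-site address is what a laptop plugged into the enclosure's Ethernet would produce, which is why blocked traffic is reported rather than discarded.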
So let’s assume an owner/operator is satisfied that the risks to the control center are addressed. There are now some field sites where this network can be a good fit, better than anything available before. For example, there are sensors and instruments in the field that are not accessed from the control center because the comms were too expensive. They are now a lot cheaper. I have heard utilities use the Verizon or AT&T networks for pole top and other nice-to-have, non-critical data that they could not cost-justify before.
Another example would be for billing data where there is an algorithm identifying likely fraud. If these field sites were hacked, the fraud algorithm would identify any significant reductions in the billing. An attacker would need to be satisfied stealing a small amount.
A third example would be field sites where it is difficult or impossible to run wires. And I’m sure there are more. The key here is understanding the risks and accepting them at the right level of management.
I would not rule out use of these networks, but lastly I would stress that you need to verify whatever the carrier is saying about accessibility and security. Yesterday’s blog has led to a flurry of email, with readers saying “Carrier A told me it was unreachable and I could ping” and “Carrier B said it was secure . . .” It is probably not with intent to mislead, but the sales staff and engineers don’t really understand their network. They are just trying to sell a bunch of $50 per month or less services.