SCADA Security

I’m seeing two trends in the anecdotal evidence collected in 2011 while on-site with asset owners, primarily pipeline SCADA and power plant DCS: ambition in the security program and attention to reasonable computer and network equipment lifetimes. While the sample size is not large enough to be statistically significant, caveat related to RISI analysis, when you start to hear the same things in detail from unrelated companies in different industries you take note.

Ambition – We are seeing and hearing plans for significant increases in both administrative and technical security controls from clients. Multiple complex projects are planned and sometimes already funded that will require major changes in the network and processes. More than one have been so ambitious that we have actually said slow down. This has only happened a handful of times in the ten years we have been helping asset owners with SCADA security.

It’s a strange position for a security consultant to tell a client to consider delaying security controls, but the concern is that an organization can only absorb so much change at a time. In the ICS world, our experience is that it takes about three years for an organization to go from start to a reasonably secure ICS – – and this is with commitment and allocation of the right resources. Of course a security program never is over, so time and effort extends beyond the three years and there is much to do in continued improvements in things like security policy audits, monitoring, etc. even after that.

These ambitious plans are a positive sign, but the key is to make sure the plans are prioritized and achieved. If they all are completed as planned, fantastic. Be careful though that the effort on multiple SCADA security projects does dilute the impact and success of the projects. Special concern is warranted when the same people are responsible for implementing and absorbing multiple projects. The concern in implementing is straight forward, while the absorbing is less obvious. Control system engineers, system admins and operators are going to have to work with all those processes and new systems related to security. Make sure you are giving it to them in bites they can swallow.

One of the biggest benefits Digital Bond provides to our asset owner clients is prioritization based on most efficient risk reduction. There are a whole list of security tasks that could or should be done. Focus on prioritizing that list so that you are maximizing risk reduction to reach the acceptable risk level — after all that is the purpose of the security program.

Refresh – Loyal blog readers are familiar with the horror stories of seeing Windows 98 and NT servers running on 10+ old computers that “can never go down” on SCADA and DCS. This also extends to networking equipment, with old hubs or dial-up gateways that crash if broadcast traffic hits them. These are from the days when the computer and networking equipment was assumed to have the same lifetime as the SCADA or DCS application.

Thankfully this is starting to change, and it had to since these systems have to run on a supported operating system with supported applications. If you never touch the software on a system, then the hardware doesn’t need to be changed. This is no longer true. System need to be patched, run anti-virus and likely in the future run some sort of white-listing/HIPS. The most common hardware refresh time we are seeing is 5 years.

This issue has been about setting expectations. If the SCADA manager buying a new system budgets for it to last 15 years then it is hard to go back and refresh hardware in 5 years. People are learning the lesson and setting expectations and budgets to meet the new reality.

There is a tremendous amount of positive momentum and progress in ICS security. Focus on that and you will be optimistic. Focus on how much is left to do and the danger of a sophisticated and motivated attacker and you will be depressed.