Your task this week will vary based on the type of system you operate. Asset owners with SCADA have more work this week.

SCADA Systems

SCADA systems monitoring and controlling geographically dispersed systems, such as pipelines, electric grids, and water delivery, often have tens or hundreds of unmanned field sites with OT cyber assets. Many of these field sites are in remote areas where unauthorized physical access would go unnoticed or take a long time for responders to arrive.

An attacker with physical access at an unmanned field site can physically damage equipment or alter the process at the site more easily than using a cyber attack to achieve the same result. The greater OT cyber risk is an attacker gaining physical access to the unmanned site, connecting to the SCADA network at the site, and using this SCADA network access to attack other field sites and the control centers.

Review the SCADA wide area network (WAN) and determine if field site to field site communication is possible. Remember, the fact that you don’t use it doesn’t mean it’s not possible.

If communication is possible, is it required? 

If it’s not required, your task is to find a technical security control to prevent it and put this on your OT security project plan. Most modern devices that bring communications into a field site have a basic security filtering capability. It is likely as simple as a rule that allows communication with the field site to and from the control centers and nowhere else. Your SCADA WAN provider may also have a service that would restrict access as you specify.

Also investigate if there are technical security controls limiting access from a field site to the control center. Typically, a small number of terminal servers or other collectors will poll or access the field sites using a small number of ICS protocols. There should be a firewall or other security perimeter method that restricts access with a least privilege approach.
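The two filtering points described above, as an added example that is not part of the original post or of any vendor's product: a field-site edge rule that permits traffic only to and from the control centers (removing field-site-to-field-site paths), and a least-privilege control center perimeter that lets only the named collectors poll field sites, only on the ICS ports they use, and never lets a field site open a connection inward. The addressing plan, collector addresses and port list are constructed assumptions; replace them with your own inventory.

```python
"""Evaluate constructed SCADA WAN flows against two perimeter rule sets."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed addressing plan (assumption, not from the page)
CONTROL_CENTERS = [ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24")]  # primary and backup
FIELD_SITES = ip_network("10.100.0.0/16")  # every unmanned field site sits inside this range
COLLECTORS = {ip_address("10.1.0.10"), ip_address("10.2.0.10")}  # the only hosts that poll
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3"}  # the only protocols the collectors use


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def is_control_center(addr: IPv4Address) -> bool:
    return any(addr in net for net in CONTROL_CENTERS)


def field_site_edge(flow: Flow) -> tuple[bool, str]:
    """Filter on the device that brings the WAN into a field site: traffic is
    allowed to and from the control centers and nowhere else, which removes
    field-site-to-field-site communication."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if is_control_center(src) or is_control_center(dst):
        return True, "control center traffic"
    if src in FIELD_SITES and dst in FIELD_SITES:
        return False, "field site to field site"
    return False, "neither endpoint is a control center"


def control_center_perimeter(flow: Flow) -> tuple[bool, str]:
    """Least-privilege firewall in front of the control center: only the
    collectors may open connections to field sites, only on ICS ports, and a
    field site may not open a connection into the control center at all
    (poll replies are assumed to be handled by stateful inspection)."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src in FIELD_SITES and is_control_center(dst):
        return False, "field site initiated connection into control center"
    if src in COLLECTORS and dst in FIELD_SITES and flow.dport in ICS_PORTS:
        return True, f"collector poll ({ICS_PORTS[flow.dport]})"
    if is_control_center(src) and dst in FIELD_SITES:
        return False, "not a collector or not an ICS port"
    return False, "no matching rule"


def evaluate(flow: Flow) -> dict:
    """Run a flow through every perimeter it would traverse. The control
    center perimeter only sees flows with a control center endpoint."""
    edge_ok, edge_why = field_site_edge(flow)
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    crosses_cc = is_control_center(src) or is_control_center(dst)
    cc_ok, cc_why = control_center_perimeter(flow) if crosses_cc else (None, "not traversed")
    return {
        "field_site_edge": edge_ok,
        "control_center": cc_ok,
        "permitted": edge_ok and (cc_ok is None or cc_ok),
        "why": (edge_why, cc_why),
    }


# Constructed sample flows: field-to-field, a legitimate poll, an HMI talking
# straight to a field device, SSH from a collector, and a field-initiated SSH.
SAMPLE_FLOWS = [
    Flow("10.100.1.5", "10.100.2.5", 502),
    Flow("10.1.0.10", "10.100.1.5", 502),
    Flow("10.1.0.50", "10.100.1.5", 502),
    Flow("10.1.0.10", "10.100.1.5", 22),
    Flow("10.100.1.5", "10.1.0.10", 22),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict = evaluate(f)
        print(f"{f.src} -> {f.dst}:{f.dport} permitted={verdict['permitted']} {verdict['why']}")
```

Only the collector poll on an ICS port survives both rule sets. The third and fifth flows show why the control center perimeter matters even when the field-site edge is already in place: the edge rule happily passes anything with a control center endpoint, including a connection a compromised field site opens toward a collector.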

Note: Are your field sites accessible from the Internet? Did you check this back in Week 23? Most carriers are competent today, but in previous years many “private” networks were found to be Internet accessible as sales promises did not meet implementation realities.

DCS, Single Site, and Control Center Systems

Internal segmentation decisions are less straightforward for these single site systems. Some of the segmentation possibilities include:

  • Segment by Purdue level by establishing a security perimeter between layers 2 and 1.
  • Segment by system or subsystem if you have multiple independent processes running inside the site.
  • Segment by role or authority. Your engineering workstations may have more capabilities than your operator stations / HMI. Your historians and OPC servers may belong in their own zone.

As you consider these internal segmentation possibilities, a key consideration is what communication, and potential attack traffic, would be blocked if the segmentation is implemented. There is likely minimal risk reduction if the internal segmentation requires that the unauthenticated ICS control and administrative protocols be allowed through the security perimeter.

Identify the best place for internal segmentation and make the case whether this is or is not worth pursuing from a risk reduction perspective.
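A way to make that case with data rather than intuition, as an added example that is not part of the original post: inventory the assets with their Purdue level, subsystem and role, list the flows between them with whether each is required and whether its protocol authenticates the requester, then for each candidate segmentation count what the new perimeter would actually block and how many unauthenticated control or engineering flows it would be forced to permit. The asset names, flows and protocol attributes below are constructed assumptions standing in for your own inventory.

```python
"""Compare internal segmentation candidates by what the perimeter would block."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    level: int       # Purdue level
    subsystem: str   # independent process the asset belongs to
    role: str        # engineering, operator, historian, controller


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    authenticated: bool  # does the protocol authenticate the requester?
    required: bool       # is the flow needed for operations?


# Constructed inventory (assumption, not from the page)
ASSETS = {a.name: a for a in [
    Asset("eng_ws", 2, "A", "engineering"),
    Asset("hmi_a", 2, "A", "operator"),
    Asset("historian", 2, "A", "historian"),
    Asset("plc_a", 1, "A", "controller"),
    Asset("hmi_b", 2, "B", "operator"),
    Asset("plc_b", 1, "B", "controller"),
]}

# Constructed flows: the first four are needed, the last three are merely possible today
FLOWS = [
    Flow("hmi_a", "plc_a", "Modbus/TCP", False, True),
    Flow("eng_ws", "plc_a", "vendor-engineering", False, True),
    Flow("hmi_b", "plc_b", "EtherNet/IP", False, True),
    Flow("historian", "hmi_a", "OPC UA", True, True),
    Flow("eng_ws", "plc_b", "vendor-engineering", False, False),
    Flow("hmi_a", "plc_b", "Modbus/TCP", False, False),
    Flow("eng_ws", "hmi_a", "RDP", True, False),
]

# Each candidate maps an asset to the zone it would land in
SCHEMES = {
    "purdue_level": lambda a: a.level,
    "subsystem": lambda a: a.subsystem,
    "role": lambda a: a.role,
}


def assess(scheme: str, assets=ASSETS, flows=FLOWS) -> dict:
    """Classify every flow that would cross the candidate perimeter."""
    zone = SCHEMES[scheme]
    result = {"blocked": [], "required_unauthenticated": [], "required_authenticated": []}
    for f in flows:
        if zone(assets[f.src]) == zone(assets[f.dst]):
            continue  # same zone: the new perimeter never sees this flow
        if not f.required:
            result["blocked"].append(f)  # real risk reduction: a path that goes away
        elif f.authenticated:
            result["required_authenticated"].append(f)
        else:
            # The perimeter must pass an unauthenticated control or engineering
            # protocol, so an attacker on the upper side keeps that capability.
            result["required_unauthenticated"].append(f)
    return result


def summarize(assets=ASSETS, flows=FLOWS) -> dict:
    """Counts per scheme, suitable for the rationale column of the worksheet."""
    return {s: {k: len(v) for k, v in assess(s, assets, flows).items()} for s in SCHEMES}


if __name__ == "__main__":
    for scheme, counts in summarize().items():
        print(scheme, counts)
```

With this constructed inventory the Purdue-level and subsystem boundaries block the same two unneeded flows, but the Purdue boundary must pass three unauthenticated protocols to keep the plant running while the subsystem boundary passes none, which is the situation the paragraph above warns about and a concrete reason to favour one location over the other.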

_________

What are the top 3 locations in your OT where internal segmentation would reduce risk?

Location Risk Reduction Rationale