SCADA security is the practice of protecting your industrial systems from relentless cybersecurity threats, an often-overlooked faction for businesses.
Let’s start with a light-hearted story
Returning to my home in New England is something I look forward to every year since I moved south. Upon returning home, I updated my family on my new role at QoS Consulting Solutions. Speaking with my grandmother I mentioned working with SCADA systems, to which she replied, “I didn’t know you were a skatah, are you wearing your helmet and knee pads?”, in her no-so-subtle northern accent. This was a slight misunderstanding, as she thought I said I was a skateboarder, not to mention my grandmother is a little hard of hearing… but little did she know she was making a great point: Protect your SCADA systems.
Time to Drop into Why Your SCADA Systems May Need an Update
Supervisory Control and Data Acquisition (SCADA) is defined by the NIST CSRC Glossary as a “generic name for a computerized system that is capable of gathering and processing data and applying operational controls over long distances. Typical uses include power transmission and distribution and pipeline systems. SCADA was designed for the unique communication challenges (e.g., delays, data integrity) posed by the various media that must be used, such as phone lines, microwave, and satellite”.
If SCADA systems are not new to you, then either you are curious about where the issue lies, as you manage these systems every day. Or you are extremely familiar with these issues as you work incessantly to address them as they may impact critical business operations. The kicker is lacking security controls: SCADA systems are commonly set up without security best practices in mind. And because of that, businesses that rely on their SCADA systems are one of the most frequently attacked organizations. If your SCADA system was built around the time when burning your music onto CDs was cool, then it is likely out of date and not segmented properly. Therein lies the Achillies heal of SCADA systems: Improper network segmentation.
If Your Network is Flat, it’s time to Fix It!
Okay, dig your feet in for this one, and make sure your grip tape is in good shape because it should be a bumpy ride. A flat network allows attackers to exploit a vulnerability found on one system and use it to gain access to other connected networks. In cybersecurity, this is called an attack surface, and we want to make sure it’s as small as possible. To accomplish this, we recommend your SCADA be designed with 3 separate components, each with its own network and firewall:
The Times Are A-Changin’
As we alluded to in the burning music onto CDs analogy above, it is possible that your SCADA system was implemented at a time when security was not a design consideration. Therefore, vulnerabilities in the form of lacking network segmentation are a risk. Bob Dylan had it right in the 1960s when he released his hit song, The Times Are A-Changin’. There are supercomputers in our pockets, the Cubs won the World Series, and the cybersecurity landscape is no different. As threat actors evolve and find new ways to exploit old network structures, you need to apply cutting-edge cybersecurity practices.
For more information speak with a QoS consultant today, firstname.lastname@example.org, or reach out through our contact form on our website, www.qosconsultingsolutions.com.
Michael Joe is a Security Consultant and blog writer at QoS Consulting Solutions, author of several captivating works on our website. Michael graduated from the College of Charleston in South Carolina with a Bachelor of Arts degree in Communication and with Latin Honors: Cum Laude. Michael’s passion for spreading awareness and knowledge of information technologies and cybersecurity is evident in his unique voice and writing style. As you noticed in his work, Michael’s storytelling and humor have a way of grasping the reader in a way few technology-focused blogs have done. Michael’s aim is to educate and entertain to change the way people perceive IT literature: Moving it away from a hyper-focus on so called “geeks”, towards the greater public. Cybersecurity is for EVERYONE, not just the techies in the trenches! Michael was expertly trained in the art of cybersecurity consulting.
See author's posts