What is a SCADA System and Why It May Need Another Look

SCADA security is the practice of protecting your industrial systems from relentless cybersecurity threats, an often-overlooked faction for businesses.

Image by Rainer Maiores from Pixabay  

Let’s start with a light-hearted story

Returning to my home in New England is something I look forward to every year since I moved south.  Upon returning home, I updated my family on my new role at QoS Consulting Solutions. Speaking with my grandmother I mentioned working with SCADA systems, to which she replied, “I didn’t know you were a skatah, are you wearing your helmet and knee pads?”, in her no-so-subtle northern accent. This was a slight misunderstanding, as she thought I said I was a skateboarder, not to mention my grandmother is a little hard of hearing… but little did she know she was making a great point: Protect your SCADA systems.

Time to Drop into Why Your SCADA Systems May Need an Update

Supervisory Control and Data Acquisition (SCADA) is defined by the NIST CSRC Glossary as a “generic name for a computerized system that is capable of gathering and processing data and applying operational controls over long distances. Typical uses include power transmission and distribution and pipeline systems. SCADA was designed for the unique communication challenges (e.g., delays, data integrity) posed by the various media that must be used, such as phone lines, microwave, and satellite”.

If SCADA systems are not new to you, then either you are curious about where the issue lies, as you manage these systems every day. Or you are extremely familiar with these issues as you work incessantly to address them as they may impact critical business operations. The kicker is lacking security controls: SCADA systems are commonly set up without security best practices in mind. And because of that, businesses that rely on their SCADA systems are one of the most frequently attacked organizations. If your SCADA system was built around the time when burning your music onto CDs was cool, then it is likely out of date and not segmented properly. Therein lies the Achillies heal of SCADA systems: Improper network segmentation.

If Your Network is Flat, it’s time to Fix It!

Okay, dig your feet in for this one, and make sure your grip tape is in good shape because it should be a bumpy ride. A flat network allows attackers to exploit a vulnerability found on one system and use it to gain access to other connected networks. In cybersecurity, this is called an attack surface, and we want to make sure it’s as small as possible. To accomplish this, we recommend your SCADA be designed with 3 separate components, each with its own network and firewall:

  • The Human Machine Interface (HMI): Hardware or software for the operators to control and monitor industrial systems.
  • Programmable Logic Controllers (PLCs): A control system used for storing instructions for the systems to perform their business functions like timing, logic, communication, arithmetic, and data processing.
  • Sensors and Field Devices: Hardware on the industrial system that is necessary for the machines to operate like temperature, pressure, and other types of sensors. These devices use the logic created by PLCs to carry out system-defined actions.

The Times Are A-Changin’

As we alluded to in the burning music onto CDs analogy above, it is possible that your SCADA system was implemented at a time when security was not a design consideration. Therefore, vulnerabilities in the form of lacking network segmentation are a risk. Bob Dylan had it right in the 1960s when he released his hit song, The Times Are A-Changin’. There are supercomputers in our pockets, the Cubs won the World Series, and the cybersecurity landscape is no different. As threat actors evolve and find new ways to exploit old network structures, you need to apply cutting-edge cybersecurity practices.

For more information speak with a QoS consultant today, sales@qosconsultingsolutions.com, or reach out through our contact form on our website, www.qosconsultingsolutions.com.