SCADA Security Checklist: What to Audit for ICS

Supervisory control and data acquisition (SCADA) systems are the foundation of a rapidly growing ICS industry that oversees essential functions in power, chemical, and various manufacturing fields, and a SCADA security checklist is an important tool for critical infrastructure. SCADA systems provide necessary oversight, producing vital, real-time data to help operators maintain their ICS.

But SCADA systems may be open to potential cybersecurity vulnerabilities.

Threat actors, malware, or improperly-trained employees each provide potential threats to SCADA systems and the ICS they oversee. For that reason, it’s essential that operators and asset owners perform this (or a similar) 10-step SCADA security checklist as part of their regular audits.

1. Keep SCADA on its Own Secure Network

Your SCADA system should be kept separate from your organization’s general network for day-to-day operations. Doing so greatly limits the number of vulnerabilities your SCADA is exposed to. It also ensures that errors or failures in the general network aren’t likely to affect essential SCADA functions.

That said, it is often a multi-step and continuous process to ensure the SCADA’s network is (and remains) completely separate. For each audit, operators should map any current systems, identifying connections and all potential points of entry or exit.

All hardware and software, including firmware and applications, should be identified, and unnecessary connections or access to SCADA should be removed.

2. No SCADA Connections to the Internet

Connections to the enterprise provide a significant vulnerability to a SCADA system but may be required for business purposes. That said, direct internet connection should be avoided at all costs. While there may be instances of SCADA on the internet, it’s not always catastrophic, with most systems consisting of read-only status screens.

Let’s keep it that way! 👍

3. Secure Password Policies and MFA

While the necessity of complex passwords has been somewhat overstated, a good password policy has long been a best practice. After all, stolen, leaked, or guessed credentials remain the primary form of infiltration of critical infrastructure networks.

A strong password policy goes beyond using numbers, symbols, and capital letters. Recognizing that not all SCADA systems can support complex password policies, these systems should at least be changed from the factory default. Employees should change passwords on a regular cadence, and inactive accounts should be deleted quickly.

Whenever possible, multifactor authentication should be implemented, especially for remote access and jumphost systems, to verify operators.

4. Mobile Device Policy

Laptops and mobile devices are becoming more common within ICS but can create a significant vulnerability to SCADA systems, as each device can be a potential vector of network infection. Solutions can be tricky, but a clear and effective policy is necessary.

Unnecessary external devices should be forbidden from the ICS site, with authorized devices managed and scanned for issues regularly.

But there are other options available, too. Understanding your inventory of assets, including mobile or transient devices, is critical to continued safe operations. Equipping your operators with sensor-based tools like EmberOT can help identify potential rogue assets and unwelcome connections.

5. Removable Media Devices

Removable devices like flash drives, external hard drives, and CD-ROMs can be potential sources of infiltration or exfiltration. Strict policies should be enacted and enforced regarding any removable media.

6. Defense in Depth

Ensure that the multiple layers of your SCADA’s defense are kept intact. While this process looks different for every SCADA system, here are some common practices:

• Separate administrator accounts and privileges from general user accounts
• Minimize all potential connections with other networks
• Delete unused user accounts
• Arrange that all superfluous functions are shut off
• Where possible and supported by your OEM, use antivirus software, firewalls, or specialized ICS cybersecurity to monitor any unauthorized connections or changes

7. Integrity Assurances

Create a process where any SCADA changes or reconfigurations are controlled and documented. Where possible, go beyond manual work order systems and digitally track changes to the system.

Documentation and communication are key in tracking down changes made to SCADA and verifying what is authorized or malicious.

8. Software Patch Management

Software patches, tools, and firmware upgrades can be essential tools for bolstering your SCADA’s efficacy and security, but they can also be a gateway for potential exploitation. The quality of third-party companies’ software patches can vary, meaning your organization needs a patch-management policy.

Not all patches are created equal, so all patches should be reviewed thoroughly and efficiently by your organization, best utilizing the resources at hand and ensuring existing vulnerabilities aren’t left lingering.

9. Appropriate Physical Security

Cybersecurity works hand in hand with physical security. Access to your ICS and SCADA systems should be properly enforced.

Large, geographically dispersed ICS systems can be more difficult to protect, but the weakest point in any system is the one that matters most.

10. Equip Operators with the Tools to Detect Attacks

Equip your operators with monitoring and detection capabilities in order to identify and address attacks. No one knows your ICS better than your operators, but they need the appropriate tech. That way, they can evaluate whether your SCADA system and ICS are working in alignment without external interference.

SCADA Security Checklist + EmberOT data = Empowered Operators

SCADA security requires 24/7/365 attention. Protections and firewalls need regular security checks, and processes need to be rigorously enforced. It’s a steep task, but one that EmberOT is committed to making easier.

With EmberOT’s out-of-the-box, fully-integratable system, our ICS cyber defense technology equips your operators with the tools to overcome all the cyber defense issues to come. Reach out to us or request a demo today.