Emily NewtonSeptember 17, 2021

7 Ways to Optimize SCADA Cybersecurity


As the name implies, Supervisory Control and Data Acquisition (SCADA) networks house critical systems — including computers and applications — that control, facilitate, or handle essential services. They’re used to manage many critical infrastructure services such as electricity, gasoline, water, and beyond.

It’s rather obvious why protecting them with reliable cybersecurity practices is a huge concern. Here are some ways to do that.

Table Of Contents
  1. Disconnect Unnecessary Systems
  2. Identify and Limit Existing Connections to SCADA Networks
  3. Conduct Technical Audits to Reveal Security Concerns
  4. Establish Intrusion Detection and Sustained Incident Monitoring
  5. Create an Incident Response and Disaster Recovery Plan
  6. Train and Educate People on the Front Lines
  7. Define, Authorize, and Manage Cybersecurity Roles
  8. Protecting Core Infrastructure

1. Disconnect Unnecessary Systems

Not everything needs to be connected. SCADA systems should be isolated, especially mission-critical processes and operations. Data warehousing and network segmentation are excellent security solutions for protecting critical infrastructure.

General Electric describes network segmentation as a “core building block of a mature cybersecurity profile.” When it’s used in industrial control environments it can mean the difference between a major breach and something much less impactful. It will become even more prominent as cellular networks are used to support SCADA systems, with wireless connectivity, IoT devices, and mobile tech all synced up. Think of it as moving a core network away from a more open and public-facing one.

2. Identify and Limit Existing Connections to SCADA Networks

Understanding threats, potential attack vectors, and how bad actors might use them is imperative for truly protecting any network. Moreover, there must be a concerted effort to discover and assess all open connections, ports, and channels. Where is the network most vulnerable? How could a potential hacker access or seize control of a system?

In the U.S. Department of Energy’s “21 Steps to Improve Cyber Security of SCADA Networks” report, step one is to identify all connections and utilize DMZs, or “demilitarized zones,” to protect equipment.

Physical security is just as vital. USB keys, portable devices, and even laptops plugged into control systems can pose a significant threat. All USB ports and connections should be monitored, controlled, and protected, namely by an anti-malware scanning tool.

Use of these devices should be restricted to exceptional circumstances, such as taking secure backups. No one should be connecting their personal devices to core networks, including smartphones.

This security should also extend to partners, vendors, and beyond — such as visitors coming to a site and accessing the local network. The connections must be monitored and managed appropriately, with tools to revoke access and lock down a system if and when a breach or unauthorized access is detected.

3. Conduct Technical Audits to Reveal Security Concerns

One way to assess the playing field is to conduct regular and comprehensive audits. They can help identify vulnerabilities, take stock of security and how well it works, and develop an understanding of how users are accessing a network.

For example, maybe a user has elevated privileges and is accessing a restricted portal. The audit would reveal this information and provide ample time to take action, revoke access, and ensure no damage or data theft has occurred.

What’s more, systems should always be retested after corrective action has been taken. Establishing a proper protocol for audits, and what that entails, is task number one. Whether that involves creating an in-house task force or enlisting outside help, there should be a dedicated team for handling the administrative side of security audits.


4. Establish Intrusion Detection and Sustained Incident Monitoring

In addition to the security audit team, there should be a crew that supports intrusion detection and incident monitoring systems. Chances are good many of the monitoring tools will be automated, with appropriate systems in place to take action immediately.

But there still needs to be personnel behind those platforms, not just to react accordingly, but also to assess the environment and share details with the necessary parties — namely executives and leadership.

That crew should also spend time regularly assessing incident response plans, updating them to cover new systems and tools, and shoring up potential concerns, such as a lapse in security coverage.
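The "identify and limit existing connections" step and the intrusion monitoring step above both come down to the same check: does each observed connection cross a zone boundary on a path the DMZ design actually permits? The script below is an added example, not code from the article or from any SCADA vendor; the corporate/DMZ/control address ranges, the log record format, the HTTPS port for the DMZ historian, and Modbus/TCP on port 502 for polling are all assumptions made for the example.

```python
"""Constructed example: audit observed connections against a zone-based allowlist."""
import ipaddress

# Assumed zone layout: corporate network, DMZ between it and the control network.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("10.30.0.0/24"),
}

# Permitted zone-to-zone flows and the only ports each may use (assumed design).
# Corporate may reach the DMZ historian over HTTPS; the DMZ may poll control
# hosts over Modbus/TCP; every other cross-zone path is a finding.
ALLOWED_FLOWS = {
    ("corporate", "dmz"): {443},
    ("dmz", "control"): {502},
}

def zone_of(ip):
    """Map an address to its zone; anything outside the known ranges is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def check_connection(src, dst, port):
    """Return None if the flow is permitted, otherwise a short reason string."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return None  # intra-zone traffic is out of scope for this boundary check
    allowed_ports = ALLOWED_FLOWS.get((sz, dz))
    if allowed_ports is None:
        return f"no path permitted from {sz} to {dz}"
    if port not in allowed_ports:
        return f"port {port} not permitted from {sz} to {dz}"
    return None

def audit(log_lines):
    """Parse 'src dst port' records (constructed format) and return the violations."""
    findings = []
    for line in log_lines:
        src, dst, port = line.split()
        reason = check_connection(src, dst, int(port))
        if reason:
            findings.append((src, dst, int(port), reason))
    return findings

SAMPLE_LOG = [  # constructed sample records
    "10.10.5.23 10.20.0.10 443",   # corporate -> DMZ historian: allowed
    "10.20.0.10 10.30.0.7 502",    # DMZ poller -> control host: allowed
    "10.10.5.23 10.30.0.7 502",    # corporate host straight into control: flagged
    "203.0.113.9 10.20.0.10 22",   # external address into the DMZ: flagged
    "10.20.0.10 10.30.0.7 3389",   # DMZ -> control on an unexpected port: flagged
]
```

Feeding the same check a firewall or NetFlow export instead of `SAMPLE_LOG` turns the one-off connection inventory into the sustained monitoring the article calls for.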

5. Create an Incident Response and Disaster Recovery Plan

An incident response plan is a must-have. What’s the playbook before, during, and after a cyberattack or data breach? How can access be recovered and the damage mitigated? What users should be locked out? Should the network be shut down completely? Are there critical systems that must remain online?

There should also be a backup solution in place to protect all data, and also to provide a recent recovery point whenever applicable. Ransomware is a particularly nasty form of cyberattack that can compromise or corrupt critical data. It’s never something you want to encounter, but with recent and regular backups, that problem can be remedied much faster than without.

6. Train and Educate People on the Front Lines

Breaches can and do happen because of negligence, so thwarting those kinds of events should also be a consideration. In many cases, the answer is relatively simple: standard personnel must be educated and trained on their cybersecurity responsibilities. That includes using strong passwords, never sharing access or information, following proper security guidelines, and avoiding the use of external devices like smartphones or personal computers.

Consequences must be established for those who do not follow through, and a system of checks and balances should be put in place to monitor what’s happening. The act should be preventive, and able to stop poor security practices and habits before they create a major security event.


7. Define, Authorize, and Manage Cybersecurity Roles

Like standard personnel, security professionals must understand their roles, responsibilities, and the tools they have available. It may even be necessary to train them consistently, to keep policies and tactics at the forefront of their minds.

There are some essential practices for ensuring the security team is properly equipped. For starters, key personnel must have sufficient authority to act and protect the network, with little to no oversight. There should never be a lengthy process for taking action, especially when there’s a need to lock down the network and secure systems. With open system architecture and a distributed management system, it should always be clear who exactly is given remote access.

What’s more, there should be feedback channels where security personnel can share concerns and suggestions with leaders and executives. What if a software tool is not working as expected or there are better alternatives? What if the security team requires additional resources or people?

Protecting Core Infrastructure

In summary, optimizing SCADA cybersecurity should look something like the following:

  • Identify all open connections, devices, and vulnerabilities.
  • Disconnect systems that don’t need to be online, and use both network segmentation and data warehousing to separate mission-critical systems.
  • Conduct regular and thorough technical audits to understand security capabilities and limitations.
  • Establish real-time intrusion detection and monitoring systems and then support them with a dedicated team.
  • Create an incident response plan that details action items before, during, and after a security event.
  • Train and educate standard personnel on their cybersecurity roles.
  • Define, authorize, manage, and assess cybersecurity roles, and revoke access whenever necessary.

It’s important to remember that these systems are nothing like standard network and data channels; they provide access to core infrastructure, with sweeping implications for cybersecurity events and data breaches.

As a recent example, the Colonial Pipeline event was eventually remedied. However, the outcome could have been disastrous. What’s more concerning is that the entire situation could have been avoided by merely following the plan outlined above.

A major security breach could wreak havoc on the local populace, leading to a poisoned water supply, a disrupted power grid, or any number of other harmful outcomes.

Emily Newton
Emily Newton is the Editor-in-Chief of Revolutionized, a tech magazine that explores how different technologies are changing our world