SCADA Security -- Closing Pandora's Box

While open networking standards and Windows-based PCs have made plant floor systems more intuitive and interoperable, they've also increased the manufacturing enterprise's vulnerability to a host of cyber threats. Here's a checklist of issues to consider when evaluating the safety of your SCADA systems.


Posted on Sep 28, 2005

Manufacturers' belated embrace of Web-driven applications accessed via Windows-based systems on the factory floor is a good news/bad news scenario relative to mission-critical supervisory control and data acquisition, or SCADA, systems.

The good news: Open networks can be more easily and inexpensively deployed to enable more intuitive data sharing and communications across the enterprise (and remotely) by Web browsers that sit on Windows-based PCs that use the Internet's communications protocol (TCP/IP), as well as HTML and HTTP -- the Web's page description language and transport protocol.

The bad news: While facilitating cross-functional communication and information sharing, the approach opens Pandora's box when it comes to securing SCADA systems, which are used to gather and analyze real-time plant operations data throughout the process manufacturing sector and the electrical and water utilities industries. Microsoft Windows operating systems and Internet Explorer, as we've all learned the hard way, are virtual magnets for cyberphreaks and hackers who seek infamy by using the Internet to launch global worms, denial of service attacks and other mischievous deeds through otherwise impenetrable firewalls -- or carelessly left-open ports therein. And the advent of wireless hotspots spanning the manufacturing enterprise that provide pervasive connectivity into the corporate network will only exacerbate what is already a perilous situation.

What's a manufacturer to do? You can start by looking over the following checklist and by checking out our resource box for ideas on how to continuously improve the security of mission-critical data contained in your SCADA systems.

  • Dedicate resources to SCADA security. Hey, if it's mission critical shouldn't it receive the utmost protection? A sad fact is that most manufacturers really don't know how vulnerable they are until they are exposed. The problem: Tough times in recent years meant plant floor personnel reductions that often consolidated numerous responsibilities among fewer staffers. In a perfect world, plant operations personnel need to focus on just that -- running the plant. If operational efficiency is your enterprise's mantra, these employees can't be distracted by security concerns -- even though they'll always be mindful of them. That's why experts say organizations should budget for a security consulting resource to develop SCADA security policies and a separate resource for spec'ing and deploying a security solution -- either establishing full-time positions or hiring third parties (see below). Remember: Just because your company has a firewall that is designed to safeguard corporate data, that doesn't mean your organization is impervious to viruses and other forms of malware, such as Trojan Horses. Security experts can help leverage necessary investments in intrusion protection and detection software by creating workable policies and procedures that cover most known -- and still percolating -- threats. In addition to utilizing a SCADA security expert, you should also deploy a security solution specifically designed for the SCADA environment. Most security solutions designed for the enterprise should not be deployed in the sensitive real-time control environment. SCADA-specific security solutions should have the following features: an integrated user interface designed for real-time systems operators, threat-adaptive lock-down levels synchronized with specific threat levels, security and performance monitoring agents for your specific SCADA or DCS system, resource throttling to ensure system reliability and availability, and network and host monitoring functionality. Verano Inc.'s Industrial Defender, introduced in 2003, is one such solution.
  • Don't forget about the perimeter. The more security software you deploy, the more data points that need to be attended to. Thousands of events logged by security software need to be analyzed and responded to (this information should include how a threat was discovered and addressed). Adding security software to existing applications servers is bound to crunch performance. (Have you ever seen a standard desktop computer grind to a halt when running a virus scan program in the background?) That's why security experts suggest installing dedicated servers that incorporate firewall and intrusion protection / prevention in one application that runs in front of the SCADA network segment. Not only can this approach help to protect mission-critical data, it will also help maintain a high level of systems availability. "In securing SCADA, what's most important is systems availability," notes Gary Sevounts, director of utility security solutions at Symantec Corp. (Cupertino, CA). "If the SCADA network goes down, it may lead to a blackout, loss of life or catastrophic consequences." "Access control to mission-critical real-time systems doesn't have to be costly or labor intensive. The control network perimeter appliance should have preset access control rules, adaptable to changing threat levels. When the threat increases, access to control systems automatically decreases," says Lori Dustin, vice president of marketing and services at Verano Inc. (Mansfield, MA).
  • Don't forget the threats from within. Open networks have enabled the accounting department to see what's happening on the factory floor when assembling and assessing key performance indicators (KPIs) -- if the applications in question can exchange data or interoperate with one another via exposed Web services. While firewalls are often thought of as devices for keeping outsiders off your network, companies might want to consider cordoning off certain network segments -- like SCADA -- to prevent internal prying eyes from knowingly or unwittingly wreaking havoc. "Manufacturing groups need to think harder about how to isolate networks," notes Alison Smith, a senior research analyst at AMR Research Inc. (Boston). "If they've adopted a Web-based architecture, they don't think about the implications of what an employee who needs access to financial data could do to [process] controls." Smith also suggests limiting internal access to external Web sites and keeping e-mail internally directed -- unless companies invest in customized e-mail-blocking servers or hosted services that weed out spam and various forms of malware. "Companies have built stuff into [Windows] interfaces that reflect an ongoing romance with dashboards that include not only work performed on a daily basis but 'My Favorites' within a Web browser or links to MSN [or AOL]," she says. "Do employees really need weather and stock quotes on the shop floor?" Many manufacturers have created so-called Intranets that include internal e-mail and enable the creation of access controls, similar to those found in the physical world, that challenge users twice before allowing them entry to a variety of sensitive applications or data stores. Lacking the proper privileges and password, they are denied access. "Let's face it, the Internet is a dangerous place," Smith remarks. "There's an allure to openness, but companies need to use basic common sense to make sure [non-authorized] employees aren't accessing the operations environment."
  • Know industry-specific standards. SCADA uses different communications protocols than most IT departments are accustomed to -- which vary by industry. For instance, ICCP enables electric utilities to exchange data and to do things such as buying and selling energy. The oil and gas industry uses MBBUS. Off-the-shelf security packages are not designed or validated for these environments, Symantec's Sevounts says. "It's dangerous to take untested, [not] validated intrusion protection and prevention software into a SCADA environment. It can cause more problems than benefits delivered," he observes. For instance, anti-virus software that is not SCADA optimized could degrade real-time systems performance. "If that happens ... you have a major problem," he says. Symantec has a partnership with Systems Integration Specialist Co. Inc (i.e., SISCO of Sterling Heights, MI), which developed the ICCP protocol, to provide software that works with its security appliances (dedicated servers) to safeguard ICCP. The company has a similar plan for MBBUS, Sevounts adds.
  • Consider managed services. Resource-constrained organizations should look into this option. Why? It can be mind-numbing to monitor, log and respond to the millions of data points generated by security software that could prevent a SCADA security breach -- or to assess and recover from an ongoing attack. These services provide access to security expertise that most companies usually can't afford on their own, providing access to trained personnel who can not only detect mischievous activities before the enterprise is impacted, but can recommend remedial measures to take before the event takes on a life of its own. "Operations people focus on systems performance and reliability -- security is a component of this -- but operations staffs are not security experts," notes Dustin. Third parties, she says, have rigid processes for monitoring security and containing breaches, something companies can't easily replicate. Symantec, for example, has a number of secure operations centers scattered across the globe that provide 24/7 monitoring of all events. What's critical is that these experts have access to data on the health of the global Internet, which comes in handy when diagnosing the significance of any particular event, its origin and consequences for the organization. These services act as an extension to your operations group, proactively alerting operations to ongoing attacks or increased vulnerability to attack, Symantec's Sevounts says. AMR's Smith, however, says smaller companies should think twice about hiring outsiders to manage security for the obvious reasons -- prohibitive expense, loss of operational control and uncertain knowledge transfer. As with any technology investment, there are trade-offs between mitigating risk and incurring unnecessary expenses, she says. "Companies ... that run pipelines need to take [additional precautions]; specialty chemical mom and pop shops do not normally have to worry."
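
The "preset access control rules, adaptable to changing threat levels" described in the perimeter item can be sketched as a default-deny allowlist per threat level, with a check that no higher level ever permits more than the level below it. This is an added example, not code from the article or from any vendor it names; the zone names, ports and level names are assumptions constructed for illustration.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src_zone: str  # network segment where the connection originates
    dst_zone: str  # network segment where it terminates
    port: int      # destination TCP port

# Threat levels ordered from least to most restrictive (constructed names).
LEVELS = ["normal", "elevated", "severe"]

# Constructed sample policy. Nothing reaches the control segment from the
# corporate LAN at any level; corporate users only read a replica in the DMZ.
KPI_READ = Flow("corporate", "scada_dmz", 443)       # KPI dashboards
VENDOR_PORTAL = Flow("vendor_vpn", "scada_dmz", 443)  # remote vendor support
ENG_MAINT = Flow("engineering", "control", 22)       # engineering workstation
DATA_PUSH = Flow("control", "scada_dmz", 8443)       # outbound data replication

POLICY = {
    "normal": {KPI_READ, VENDOR_PORTAL, ENG_MAINT, DATA_PUSH},
    "elevated": {KPI_READ, ENG_MAINT, DATA_PUSH},
    "severe": {DATA_PUSH},  # plant keeps reporting, all inbound access is cut
}

def validate_monotonic(policy, levels):
    """Return (level, flow) pairs where a level allows a flow that the
    less restrictive level below it denies. An empty list means access
    only ever shrinks as the threat level rises."""
    violations = []
    for lower, higher in zip(levels, levels[1:]):
        for flow in sorted(policy[higher] - policy[lower]):
            violations.append((higher, flow))
    return violations

def is_allowed(flow, level, policy=POLICY):
    """Default deny: a flow passes only if the active level lists it."""
    return flow in policy[level]

def revoked_on_escalation(old, new, policy=POLICY):
    """Flows whose existing sessions must be dropped when moving old -> new."""
    return sorted(policy[old] - policy[new])

if __name__ == "__main__":
    assert validate_monotonic(POLICY, LEVELS) == []
    for level in LEVELS:
        print(level, "KPI dashboard allowed:", is_allowed(KPI_READ, level))
    print("dropped at severe:", revoked_on_escalation("normal", "severe"))
```

Running the monotonicity check whenever the rule set changes catches the case where an exception added to a high threat level quietly widens access instead of narrowing it.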
