When organizations talk about implementing security measures for their SCADA system, “most folks want everything fully secured,” says Kevin McClusky, co-director of sales engineering at Inductive Automation. But deciding what “fully secured” looks like for an organization will depend on specific needs and resources, from available budget and existing software and hardware to actual security risk.
While organizational circumstances may be different, these best practices can guide any organization looking to step up their security. Each step builds on the ones before it, so consider implementing in sequential order.
1. Diagram all network traffic
Creating a diagram that shows all network traffic between Programmable Logic Controllers (PLCs), devices, external software systems, and your chosen HMI/SCADA/MES/IIoT platform is the foundation for intelligent decision making, says McClusky. “Think of this as the item that allows you to have a picture of how your security is looking at the moment. It lets you know where the weak points are and where potential attack factors could be from bad actors trying to get to the system overall,” he says.
While some security tools can automate this diagram, McClusky still recommends creating the diagram manually. “There’s nothing like getting your hands dirty to understand your connections and how everything works inside the system overall,” McClusky said.
2. Encrypt any unencrypted connection
If any connections aren’t encrypted, make sure access to that network is secured. Database connections may be easy to encrypt, while a PLC connection could be difficult. Examine the firewalls that are in place and decide which connections should be encrypted.
To ensure data transferred is kept secure, Inductive Automation’s Ignition platform supports SSL/TLS security as a best practice. The “s” in a URL that begins with “HTTPS” signifies the website is secured by an SSL/TLS certificate. SSL/TLS keeps internet connections secure by safeguarding any sensitive data that is shared between two or more parties over an insecure network. Cryptographic algorithms scramble data in transit, thus preventing bad actors from reading or modifying any information being transferred.
3. Invest in an Intrusion Detection System (IDS)
Having an IDS for a controls network allows easy detection of unauthorized access into the network. If An IDS is even more valuable when there is unencrypted traffic over a network, as it could be a key part of security. Do keep in mind that an IDS won’t detect something like a network tap that can read unencrypted data.
4. Consider a data diode
For extremely sensitive networks that don’t need outside data, consider using a data diode, which only allows data to flow out of a network, but not flow into it, thus cutting off one major vector of attack. While this may not pertain to everyone, a data diode can guarantee there is no communication from the outside to a specific piece of equipment.
5. Determine your risk profile
Organizations can spend overly large amounts of time and money implementing security procedures, layering security effort over security effort, and some of it may be unnecessary. To help decide what’s “secure enough” for each organization, McClusky offers an analogy: think of security procedures for a SCADA system like security measures added to a house. They should align with the actual risk to your organization.
“If you’re in your home, are you going to have one-foot thick concrete walls around your house? No. Do you want your house to be secure? Yes,” McClusky says. “You can keep layering on layers of security and be the Fort Knox of security, but is it worth the investment?”
6. Understand the options and the limits of software and hardware
While there are some exceptions, many modern PLCs do not have security tools built inside of them, McClusky says. If your hardware or software won’t do encryption out-of-the-box, you’ll need to retrofit them to put encryption in place.
“If you don’t know the options when you purchase hardware, there’s no way to do a good job with your security,” says McClusky. To prevent retrofitting software and hardware, look out for the growing number of devices, PLCs and products, such as Inductive Automation’s Ignition, that are being designed with security directly built in.
7. Employ two-factor or multi-factor authorization (MFA/2FA) and single sign-on (SSO)
With the ability to have remote access to your SCADA system through software like the Ignition Perspective Module, organizations can allow more access to system data than ever before, from anywhere and on any device. However, wider access can lead to greater security risk in the event someone’s login credentials become compromised.
Using a single sign-on (SSO) allows users to use one set of credentials to access more than one application. This can streamline the login process for users as well as make it easier to monitor user activity. Two-factor or multi-factor authentication (MFA/2FA) requires users to enter multiple identifying factors to gain access to the system.
For more information about implementing security measures for a SCADA system, check out the Ignition Security Hardening Guide from Inductive Automation.