Securing SCADA Networks

from Cyber Attacks

-A Vendor Perspective
Presented by Shawn A. Sabo, National Sales Manager, QEI Inc.
2005, QEI Inc. all characteristics subject to change.
For clarity purposes, some displays may be simulated.
Any trademarks mentioned remain the exclusive
property of their original owner.

The Need
Loss of service
Cost of countermeasures
Customer confidence factor

Vendors have many of the Same

Security Concerns as Utilities
1. Networks
2. Information
3. Personnel
4. Access and tools.

The Changing Nature of SCADA Systems

- Incorporation of SCADA into the Enterprise
Network
- Implementation of Open Systems
- Remote access to monitoring and control
- Control your SCADA system from your cell phone

- Put SCADA data on every applicable

desktop
- Extending the network to the substation and
beyond

Extended Enterprise Network

Twenty One Steps to Improve Cyber Security of SCADA Networks

1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.

Identify all connections to SCADA networks.

Disconnect unnecessary connections to the SCADA network.
Evaluate and strengthen the security of any remaining connections to the SCADA network.
Harden SCADA networks by removing or disabling unnecessary services.
Do not rely on proprietary protocols to protect your system.
Implement the security features provided by device and system vendors.
Establish strong controls over any medium that is used as a backdoor into the SCADA network.
Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring.
Perform technical audits of SCADA devices and networks, and any other connected networks, to identify
security concerns.
Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate
their security.
Establish SCADA Red Teams to identify and evaluate possible attack scenarios.
Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and
users.
Document network architecture and identify systems that serve critical functions or contain sensitive
information that require additional levels of protection.
Establish a rigorous, ongoing risk management process.
Establish a network protection strategy based on the principle of defense-in-depth.
Clearly identify cyber security requirements.
Establish effective configuration management processes.
Conduct routine self-assessments.
Establish system backups and disaster recovery plans.
Senior organizational leadership should establish expectations for cyber security performance and hold
individuals accountable for their performance.
Establish policies and conduct training to minimize the likelihood that organizational personnel will
inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls.

SOURCE: Office of Energy Assurance, U.S. Department of Energy.

Twenty One Steps fall into

Four Categories
1. Control access
2. Get rid of the unnecessary and
harden whats left
3. Know and use the tools you have
available
4. Take a fresh look

Control Access
Look to designs with security in mind.
Deal with vendors who protect their
product and documentation.
Restrict vendor access for maintenance
purposes.
Dont keep compromises a secret from a
vendor (if applicable) and expect the
same.

Get Rid of the Unnecessary

(and Harden whats Left)
Have your Vendor deliver systems with
unnecessary server services and ports
disabled. (DCOM, UPnP, Automatic update,
Messenger,etc.)
Have vendor incorporate security aspects into
your training.
Expect a vigorous patch policy from vendors
to include testing.
Receive vendor guidance on third party
protective software (antivirus, spyware, etc.).

Get Rid of the Unnecessary

(and Harden whats Left)
Make sure your vendor has the ability to partner
with your IT departments security scheme.
Take active control of your security (Password
control, SCADA system defaults, etc.).
Sort out your problems with speed and expect
the same from your vendor.

Know and Use the Tools

You Have (or Should Have) Available
Use Vendor resources for your own testing. (Red team
concept)
Request your vendor offer system manager courses
which include auditing and monitoring tools.
Monitor intrusion detection tools.
Work with your vendors users group for pooling of risk.
(stockpiles spares, CPUs, etc.).
Encourage user group addressing of security concerns.

Take a Fresh Look

Monitor the industry concerning items beyond your
particular SCADA applications package. (hardware
platform, operating system, etc.)
Become familiar with the industry security resources
(DOD-CERT, ESISAC, etc.)
Examine the various failure modes and plan
accordingly. Enlist your vendor in formulating bypass,
manual operation and backup contingencies.
Test all contingency plans before they have to work
(Vendor 24/7 support, offsite backup, recovery plans,
etc.)

Deal with Vendors who take

Security as Seriously as you
Put your Security Requirements
into your System Specifications

Now that we are all Sufficiently Concerned..

All industries seem to think they are

behind others when it comes to
Cyber-Security.

Four Categories
1. Control access
2. Get rid of the unnecessary and harden
whats left
3. Know and use the tools you have
available
4. Take a fresh look

Questions ?