Monitoring SCADA network security

We can agree that SCADA security means protecting the control networks that operate critical utilities (energy, oil, gas, transport, etc.), networks that are geographically and technically dispersed. Last week I participated in the NiSSF09 Forum, a specialized Critical Infrastructure (CI) protection forum hosted by NISA, the Israeli national agency in charge of CI protection. There was a closed session for delegates of the national agencies, dealing with strategies for protecting CI against cyberattacks, as well as an open session for the industry that develops technology for this purpose.

The topic was SCADA security, and the first thing every presenter addressed was the definition of what we call SCADA security (we will not discuss what is called a Critical Infrastructure). First I would like to set out some basic considerations. What we call SCADA security is sometimes controversial, because we are used to saying "SCADA security" when we mean "SCADA network security", and many SCADA equipment vendors claim "our SCADA is very secure"... yes, OK (or maybe not so OK), but we are talking about the whole picture: the SCADA network is the sum of legacy SCADA elements (normally not replaced for 15 years) together with standard ICT elements (replaced every 3-5 years).

The open session was divided into three sub-themes: security in the HMI (Human Machine Interface, the utility's operating application), SCADA network security, and security in the remote units (RTUs). In the network security session I heard a very interesting point: a set of recommendations given by the national agencies to their utility companies, which included:
1) the use of unidirectional links (so-called data diodes) for the connection between the corporate network and the control network,
2) a thorough design of the separation of critical networks and the use of SCADA firewalls, and
3) monitoring what is really happening with regard to cybersecurity, as well as technical audits of the networks.

We presented the need for security network monitoring in Critical Infrastructure control networks and the difference between security monitoring in ICT networks and in SCADA networks, from both the assessment and the monitoring tool perspective, topics on which we are currently working. Our main considerations were: assessment tools must be non-intrusive, and monitoring tools must cope with the lack of events from much SCADA equipment and with the shift in security requirements when talking about availability and resilience.
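One way to put the agencies' three recommendations and the monitoring considerations above into practice, as an added example that is not part of the original post and not S21sec's tooling: a small passive monitor over flow records that checks the one-way boundary policy (data diode and network separation), learns a baseline of who talks to whom inside the control network, and flags devices that go silent, all without needing a single event from the RTUs or PLCs. The address plan (10.0.0.0/24 corporate, 10.1.0.0/24 control), the historian address 10.0.0.50 as the only permitted receiver of exports, the export port 5000 and the flow records themselves are assumptions constructed for the example; port 502 is Modbus/TCP.

```python
"""Passive security monitoring of a SCADA control network from flow records.

Added example, not code from the original post or from S21sec. The address
plan, the historian address, the export port and the flow records are all
hypothetical; the records stand in for NetFlow- or pcap-derived data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

CORPORATE = ipaddress.ip_network("10.0.0.0/24")  # assumed corporate (ICT) network
CONTROL = ipaddress.ip_network("10.1.0.0/24")    # assumed control (SCADA) network
HISTORIAN = ipaddress.ip_address("10.0.0.50")    # assumed sole receiver behind the diode


@dataclass(frozen=True)
class Flow:
    """One observed conversation: who talked to whom on which destination port."""
    src: str
    dst: str
    dport: int


def zone(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr in CONTROL:
        return "control"
    if addr in CORPORATE:
        return "corporate"
    return "other"


def check_direction(flow: Flow) -> str | None:
    """Return a finding if the flow contradicts the one-way (data diode) policy.

    Only control -> historian may cross the boundary. Anything entering the
    control network from outside, or leaving it for any other host, means the
    separation is not what the design says it is.
    """
    s, d = zone(flow.src), zone(flow.dst)
    if s != "control" and d == "control":
        return f"inbound to control network: {flow.src} -> {flow.dst}:{flow.dport}"
    if s == "control" and d != "control" and ipaddress.ip_address(flow.dst) != HISTORIAN:
        return f"control export to unexpected host: {flow.src} -> {flow.dst}:{flow.dport}"
    return None


def learn_baseline(flows: list[Flow]) -> set[tuple[str, str, int]]:
    """Record every (src, dst, dport) seen during a learning window."""
    return {(f.src, f.dst, f.dport) for f in flows}


def new_talkers(baseline: set[tuple[str, str, int]], flows: list[Flow]) -> list[Flow]:
    """Conversations towards control devices not seen in the baseline.

    Uses only passively observed traffic, so it works even though the
    RTUs/PLCs themselves produce no security events.
    """
    return [f for f in flows
            if zone(f.dst) == "control" and (f.src, f.dst, f.dport) not in baseline]


def silent_hosts(baseline: set[tuple[str, str, int]], flows: list[Flow]) -> list[str]:
    """Control hosts that talked in the baseline but not in this window.

    In an availability-first network a device going quiet is itself a finding.
    """
    before = {src for src, _, _ in baseline if zone(src) == "control"}
    now = {f.src for f in flows if zone(f.src) == "control"}
    return sorted(before - now)


def analyze(learning: list[Flow], live: list[Flow]) -> dict:
    baseline = learn_baseline(learning)
    return {
        "direction": [m for m in (check_direction(f) for f in live) if m],
        "new_talkers": new_talkers(baseline, live),
        "silent": silent_hosts(baseline, live),
    }


# Constructed learning window (not real captures): an HMI polling two PLCs
# over Modbus/TCP and both PLCs exporting to the historian through the diode.
LEARNING_FLOWS = [
    Flow("10.1.0.10", "10.1.0.20", 502),
    Flow("10.1.0.10", "10.1.0.21", 502),
    Flow("10.1.0.20", "10.0.0.50", 5000),
    Flow("10.1.0.21", "10.0.0.50", 5000),
]

# Constructed live window: a corporate workstation reaching a PLC, an unknown
# control-side host polling PLC .21, PLC .20 exporting to the wrong host,
# and PLC .21 no longer talking at all.
LIVE_FLOWS = [
    Flow("10.1.0.10", "10.1.0.20", 502),
    Flow("10.0.0.77", "10.1.0.20", 502),
    Flow("10.1.0.99", "10.1.0.21", 502),
    Flow("10.1.0.20", "10.0.0.50", 5000),
    Flow("10.1.0.20", "10.0.0.88", 5000),
]

if __name__ == "__main__":
    for kind, findings in analyze(LEARNING_FLOWS, LIVE_FLOWS).items():
        for item in findings:
            print(f"[{kind}] {item}")
```

Run on the constructed windows it reports two boundary violations, two new talkers towards PLCs (one of them the same corporate workstation) and one silent PLC. The same logic would run on real flow exports from a span port or tap, which is what makes it non-intrusive: nothing is sent towards the control devices.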

And lastly, one thing to consider, according to the US DHS (Department of Homeland Security) representative: 40% of new industrial equipment sold in the US in 2009 is wireless. The reduction in installation costs is boosting the use of wireless technology; security should be a must in that technology... but that is another topic, which we will deal with another day.

Daniel Chavarri
S21sec labs
