Introduction
Some questions that you might ask your CIO regarding the security of your SCADA system
- What processes are in place to identify security risks from cyber incidents in our SCADA system?
Considering the potential for security risks associated with SCADA systems, it is important that there is a framework in place to identify possible risks for existing and new SCADA systems. As SCADA systems are becoming increasingly interconnected with the Internet and corporate networks they are also becoming more exposed to Internet security threats and network vulnerabilities.
- What strategies have been put in place to manage these risks?
It is crucial for SCADA managers to put in place appropriate risk management strategies. Such strategies might include regular vulnerability assessments of SCADA systems, processes for patch management and configuration management, communication between engineering and IT departments, staff training, appropriate network architecture etc.
- How regularly are vulnerability assessments undertaken of our SCADA system?
While the identification of risks is important, equally important is the need for regular assessments of the vulnerabilities in your SCADA system. Many organisations fail to do this. In addition to assessing operational systems, assessments should also be undertaken of corporate networks, web servers, and customer management systems to reveal unintended gaps in security, including unknown links between public and private networks, and firewall configuration problems.
- How well do the IT and the Engineering departments communicate?
SCADA systems are traditionally engineering systems which are now deploying new technologies. It has been found that vulnerabilities can arise from a lack of communication between the IT and engineering departments. In many organisations the engineering and IT departments do not communicate on SCADA security matters. Is this the case in your organisation? These two areas need to work closely together to ensure that SCADA systems have appropriate security arrangements.
- What assessments are undertaken of the training needs of our IT personnel involved with SCADA security?
New security threats mean new security responses. These may require skills usually not found in process control personnel. Considering that SCADA systems are integral to your business processes, have you budgeted for appropriate education and training? Is time allocated for this? This applies at both the executive level as well as at the information systems and network management levels, since it is likely that IT employees' earlier education and training did not include many of the security issues that are now faced by SCADA systems.
- What measures have been put in place to ensure that our network design takes account of SCADA security?
While firewalls, Intrusion Detection Systems, and Virtual Private Networks can all help protect networks from malicious attacks, improper configuration and/or product selection can seriously weaken an otherwise sound security posture. Your network design should provide segmentation between the Internet, the company's corporate network and your SCADA network, so that a compromise of the corporate network or an Internet-facing system cannot be used as a stepping stone into the SCADA system. Network architecture should be robust and sufficiently adaptable to counter existing and new threats.
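One concrete way to check the segmentation described above is to audit the firewall ruleset against a written zone policy rather than reading rules by eye. The script below is an added example, not part of the original page and not a tool from any particular vendor. It assumes a simple zone model (corporate, DMZ, SCADA; anything outside those prefixes is treated as Internet), a constructed ruleset, and a policy under which the SCADA zone may only talk to the DMZ in either direction; the addresses, ports and the policy itself are illustrative assumptions and would be replaced by your own.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed zone map (assumption for this example; real addressing differs).
# Any prefix that is not wholly inside one of these zones is treated as
# touching the "internet" zone, which keeps the audit conservative.
ZONES = {
    "corporate": [ipaddress.ip_network("10.10.0.0/16")],
    "dmz": [ipaddress.ip_network("10.20.0.0/24")],
    "scada": [ipaddress.ip_network("10.30.0.0/24")],
}

# Policy (assumption): the SCADA zone may exchange traffic with the DMZ only,
# e.g. via a jump host or historian placed there. Everything else is a finding.
ALLOWED_SCADA_FLOWS = {("dmz", "scada"), ("scada", "dmz")}


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # CIDR prefix; "0.0.0.0/0" means any
    dst: str      # CIDR prefix
    proto: str    # "tcp", "udp" or "any"
    dport: str    # port number or "any"


def zones_touched(prefix: str) -> set[str]:
    """Return every zone a prefix overlaps, plus "internet" if it extends
    beyond all defined zones (e.g. 0.0.0.0/0 or 10.0.0.0/8)."""
    net = ipaddress.ip_network(prefix, strict=False)
    touched = {
        name for name, prefixes in ZONES.items()
        if any(net.overlaps(p) for p in prefixes)
    }
    inside_one_zone = any(
        net.subnet_of(p) for prefixes in ZONES.values() for p in prefixes
    )
    if not inside_one_zone:
        touched.add("internet")
    return touched


def audit(rules: list[Rule]) -> list[tuple[int, list[tuple[str, str]]]]:
    """Flag every allow rule that permits a SCADA flow outside the policy.

    Each finding is (rule index, sorted list of offending (src, dst) zone
    pairs). Rules are judged independently of ordering, so a permissive rule
    shadowed by an earlier deny is still reported; that is deliberate, since
    such rules tend to become live after the next reordering."""
    findings = []
    for idx, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        bad = set()
        for s in zones_touched(rule.src):
            for d in zones_touched(rule.dst):
                if s == d or "scada" not in (s, d):
                    continue  # intra-zone or non-SCADA traffic is out of scope
                if (s, d) not in ALLOWED_SCADA_FLOWS:
                    bad.add((s, d))
        if bad:
            findings.append((idx, sorted(bad)))
    return findings


# Constructed ruleset (assumption): two compliant rules, three violations,
# and a final catch-all deny.
RULES = [
    Rule("allow", "10.20.0.5/32", "10.30.0.0/24", "tcp", "22"),    # jump host -> SCADA
    Rule("allow", "10.30.0.0/24", "10.20.0.10/32", "tcp", "502"),  # SCADA -> DMZ historian
    Rule("allow", "10.10.0.0/16", "10.30.0.0/24", "tcp", "3389"),  # corporate LAN -> SCADA RDP
    Rule("allow", "0.0.0.0/0", "10.30.0.7/32", "tcp", "80"),       # Internet -> HMI web page
    Rule("allow", "10.30.0.0/24", "0.0.0.0/0", "udp", "53"),       # SCADA -> anywhere DNS
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", "any"),
]

if __name__ == "__main__":
    for idx, pairs in audit(RULES):
        r = RULES[idx]
        flows = ", ".join(f"{s}->{d}" for s, d in pairs)
        print(f"rule {idx}: {r.src} -> {r.dst} {r.proto}/{r.dport} permits {flows}")
```

Run on the constructed ruleset, the audit flags the corporate-to-SCADA RDP rule, the Internet-to-HMI rule and the SCADA-to-anywhere DNS rule, while the two DMZ flows pass. The same approach extends to rules exported from a real firewall: only the zone map, the allowed-flow set and the rule loader change.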