Quite often when we look at the control systems for our SCADA devices, we think of questions like: How well will they perform over their expected service life; Can they handle the environment in which they will reside; and do they have the capacity to control the unit (pump, valve, drive unit, etc.) they were designed for? And perhaps, in some cases, we’d like to know if they can be upgraded without having to go off-line or, if so, with minimal downtime.

New Times, New Problems
It wasn’t until very recently that federal, state and local governments, including municipalities, and businesses operating facilities and infrastructure such as pipelines, power plants, and oil refineries collectively became fully aware of, and thus concerned about, the real and increasing threat of someone from “the outside” attempting to hack into the control system network. Awareness is now on a steep upswing, and there are most certainly very real threats that could take a key piece of equipment off-line or, worse, have the controller give the operator the false impression that it is doing one thing when, in fact, it is doing something else altogether. It does not take much imagination to picture the disastrous results if such a thing were to happen, and there are already myriad examples of this happening with costly and dangerous (not to mention disruptive) effects.

For instance, Jacksonville Energy Authority (JEA) in Jacksonville, Fla., a power utility, was hit with a denial of service attack in late February this year. The attack shut down its website, including its payer interface, and JEA couldn’t collect fees from its customers for about six days. JEA is now protected by Prolexic, a tier-one denial of service (DoS) mitigation and protection provider. In the May 23, 2013 edition of The Wall Street Journal, an article titled “Iran Hacks Energy Firms, U.S. Says,” states that “Based on a survey of 150 power companies, the report found that ‘more than a dozen utilities reported ‘daily,’ ‘constant’ or ‘frequent’ attempted cyberattacks,’ and one said it was the target of about 10,000 attempted cyberattacks each month.”

5 Cybersecurity Questions for CEOs

FBI Director Robert Mueller states “There are only two types of companies—those that have been hacked, and those that will be.” Given the threat and magnitude of risks involved, CEOs need to be personally engaged when it comes to cybersecurity. Here are five Cybersecurity Questions for CEOs from the U.S. Department of Homeland Security.

  • How is our Executive Leadership informed about the current level and business impact of Cyber Risks to our Company?
  • What is the current level and business impact of Cyber Risks to our Company? What is our plan to address identified risks?
  • How does our Cybersecurity Program apply Industry Standards and Best Practices?
  • How many and what types of Cyber Incidents do we detect in a normal week? What is the threshold for notifying our Executive Leadership?
  • How comprehensive is our Cyber Incident Response Plan? How often is it tested?

This is why cybersecurity providers suggest that, when a company is considering either an upgrade to an existing SCADA control network or the installation of an entirely new one, owners, managers, and system operators alike put serious thought and planning into the integral security of the network, and also consider how a new or upgraded system will interface with user controls outside the protected zones of the business.

From the outset, it is always easier, more efficient, and more complete when the security components of any data processing or control network are “baked into” the mix from the beginning. It helps the organization avoid the continuous “patch and Band-Aid” syndrome that affects so many industrial operations that have to contend with legacy systems. If the security features can’t be built into the system from the start, it can at least become a key component of that system once an upgrade or renovation is completed.


Is the IT Department the Answer?
Another important consideration is how the SCADA system security is tied into the enterprise security; the IT staff isn’t always the default answer to all security issues throughout the business. Cybersecurity, particularly SCADA security, requires special training and understanding of SCADA system security equipment and data protocols. Security tools applicable to email, accounting, scheduling, billing, and human resources often have nothing at all in common with the design or implementation of security protocols within the SCADA environment.

Furthermore, enterprise and business-end IT staff have different objectives from the outset than SCADA system operators. Enterprise managers demand security and controlled access; SCADA operators require robust control features and continuous and often open access. This key difference makes it very difficult for the typical enterprise IT staff to meet the security objectives of the SCADA environment in the same way they would the business-side IT operations. The primary objectives of the two systems are in fundamental conflict with one another.

New Technologies Bring New Challenges
The next item to consider in this ever-changing security environment is to ask how the business will handle the “bring your own device” (BYOD) movement that so many companies are now beginning to face. Has your business developed a plan to fully integrate the security of those devices not only into the enterprise side of your IT network, but also with the ability to look into the demilitarized zone (DMZ)—i.e., the middle ground between an organization’s trusted internal network and an untrusted, external network such as the Internet—and the protected side of your SCADA control network? How will those dashboards connect to the SCADA system? Is the organization prepared to integrate the security needs of putting SCADA controls or readouts on a TCP/IP server, or wide area network (WAN), and thus deal effectively with all of the inherent risks that come along with that migration and blending of technologies? Will mobile device data be shunted off-site to be screened, filtered and tested against proprietary security protocols before coming back into your business environment? Or does the security objective of your business require that all sensitive data, even that for mobile devices, stay on site and go through your own enterprise IT system before being sent to that mobile device? The answer to that question will determine which type of company to choose to help manage mobile device security, since there are service providers who fit either one format or the other, but not both.

Measures to Mitigate Cyber Attacks

How do you know you’ve been hacked? What measures can be implemented to prevent or mitigate attacks? Because cyber attacks present multi-dimensional threats, no one solution, one product, or one tactic will ever provide sufficient protection. To fight this integrated battle, companies need a layered defense-in-depth capability incorporating the following elements:

  • Distributed Denial of Service (DDoS) Mitigation and Protection—to protect organizations from brute-force attempts to shut down websites, customer payer interfaces on websites, and other Web apps;
  • Intrusion Detection/Intrusion Prevention—to prevent hackers from gaining network access to steal intellectual property or customer records, sabotage equipment, and carry out other malicious activities;
  • Firewall Management—to ensure network firewalls are up to date with current security patches against the latest threats;
  • Threat Intelligence—eavesdropping on hacker forums to get advance warning of directed attacks and the newest attack techniques;
  • Vendor Access—security protocols to ensure outsourcing partners don’t inadvertently initiate attacks by introducing viruses, worms, and other malware that could take down whole systems;
  • Employee Access—security protocols incorporating least privilege (what is not explicitly permitted is denied) for user authorization and access to data and areas on the networks;
  • System Hardening—measures taken to protect networks, such as removing unnecessary software on computers/servers, closing open network ports, and eliminating other potential attack vectors;
  • Incident Response—immediate actions and planned responses to cyber attacks, including the assistance of a cybersecurity integrator’s action teams, triage support, and turn-key resolution.

Looking into the larger internal security picture, there are questions regarding who is monitoring firewall logs, how threat assessments are being conducted, and whether there is an effective response plan in place to deal with a threat once it has been detected. We are often told, “Our IT department has that all under control. We don’t have any intrusion issues.” Then a very simple follow-up question ensues: “How do you know? Do you have the data and up-to-date reports to prove that?” Sadly, that simple question is often followed by an uncomfortable silence. Having a state-of-the-art firewall system, with a VPN or modem-based filter, is of little use in the long run if the system’s data logs are not actively analyzed, compared daily to new and known threat profiles, and processed for action based upon their potential to penetrate IT and/or SCADA systems and do harm. If the frequency and type of threat profile is not clearly understood, then it is impossible to expect the security appliances and protocols of the IT and SCADA networks to perform as intended.
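As an added illustration (not code from the article or its authors) of the kind of firewall-log review the paragraph above calls for, the script below applies a default-deny allowlist for traffic entering the SCADA zone and tallies denied attempts by source zone as input to a threat profile. The zone addressing, the single allowed DMZ-to-SCADA Modbus/TCP flow, the log format, and the sample lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical zone layout (assumption, not from the article).
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "scada": ipaddress.ip_network("10.3.0.0/24"),
}
# Default-deny allowlist into the SCADA zone: (source zone, destination port).
# Here only the DMZ historian may poll Modbus/TCP (502) on the control network.
ALLOWED_INTO_SCADA = {("dmz", 502)}

# Generic key=value firewall log format (constructed for this example).
LOG_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)

def zone_of(ip):
    """Map an address to its zone name; anything outside the known nets is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def review(log_lines):
    """Return (permitted flows that violate SCADA policy, denied attempts per source zone)."""
    violations, denied = [], Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not connection records
        src_zone, dst_zone = zone_of(m["src"]), zone_of(m["dst"])
        dport = int(m["dport"])
        if m["action"] == "deny":
            denied[src_zone] += 1  # frequency by origin feeds the threat profile
        elif dst_zone == "scada" and (src_zone, dport) not in ALLOWED_INTO_SCADA:
            violations.append(line.strip())  # permitted, but policy says it should not be
    return violations, denied

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
action=permit src=10.2.0.5 dst=10.3.0.10 dport=502
action=permit src=10.1.4.22 dst=10.3.0.10 dport=502
action=permit src=10.2.0.5 dst=10.3.0.10 dport=22
action=deny src=203.0.113.7 dst=10.2.0.5 dport=443
action=deny src=203.0.113.7 dst=10.3.0.10 dport=502
action=deny src=10.1.9.9 dst=10.3.0.11 dport=502
""".splitlines()
```

Running `review(SAMPLE_LOG)` reports the two permitted flows that bypass the allowlist (an enterprise host reaching Modbus directly, and SSH from the DMZ), which is exactly the evidence an operator needs to answer “How do you know?”.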

Approaches & Solutions
To best address these types of questions in effective and meaningful detail, businesses should consider partnering with a certified SCADA security architect to review their system’s security integrity. This will help identify gaps and develop a remediation plan to fortify the system’s security posture, not only for the present, but also to keep the system updated against numerous threat vectors in the future.

Another key factor to fending off would-be attackers is to employ a “defense in depth” (DID) strategy. Understand that there is no one magic bullet for system security, no one best supplier of defense appliances or software, but rather that a combination of defense strategies is the key to greater defensive success. The simple fact is that any single appliance or security program can be hacked, given enough time and effort. A successful strategy employed by many companies is to combine different brands of firewalls, each with different configurations, and different security software packages, for the very simple purpose of making it harder for hackers to penetrate the network than it is for them to attack someone else’s. Remember, the intruder is always looking for the easy target. Security doesn’t necessarily need to be flawless; it just needs to be robust enough to make the potential intruder look elsewhere for lower hanging fruit. Having a DID strategy is one relatively simple method of making that happen.

Specialized Assistance
Another successful method of addressing these security concerns and meeting improved security goals is to employ a managed security threat service and threat intelligence provider. There are a number of such specialty service organizations currently available to choose from. The service can be brought in as a capital expense (CapEx) or as an ongoing operating expense (OpEx). This is an important distinction, as there are security monitoring companies out there that fit one category and those that fit the other. Does your organization wish to own its own security appliances, or does it simply wish to have them deployed by the service provider as part of the monthly service? The size of your business, the size of the on-site IT staff, and the willingness to take a hands-on or hands-off approach to this security solution will help drive the decision as to which type of service provider is best suited to your particular business needs.

And Yet an Even Bigger Threat
Finally, and perhaps most unfortunately, there is the existence of state-sponsored cyber warfare programs. This is particularly worrisome, as it brings the collective cyber threat concerns to a whole new level. With nearly unlimited financial and material resources, state-sponsored cyber attacks are surely going to become yet another high-profile threat to contend with in any business, enterprise, or industrial concern that handles sensitive financial data, national security information, classified or patented industrial process information, intellectual property, and even direct control over key infrastructure systems, such as power generation, water supply and wastewater processing, and natural resource exploration and extraction.

With this recent awareness of large-scale, state-funded cyber intrusion attack and theft programs—a Chinese military unit allegedly hacked The Wall Street Journal and The New York Times, purportedly because the newspapers were critical of former Chinese Premier Wen Jiabao (“Barbarians at the Gate,” The Wall Street Journal, Feb. 4, 2013)—it is only a matter of time before additional requirements are promulgated and implemented by the federal government. The power generation community, the oil and gas industries, healthcare, and others all currently have federally mandated cybersecurity protocols.

Ultimate Solution: Complete Integration
In the end, the question for the owner, manager, and operator becomes this: How are all these different security disciplines going to come together as they should, to work in a seamless and fully integrated manner to meet IT and SCADA security needs? The problem with this new evolution in complexity is that there are many solutions for the individual components of the security system and its needs, but there is a noticeable lack of system integrators helping industrial organizations bring all these needed security elements together. For that, it is strongly recommended that companies seek the assistance of an organization that specializes in understanding each of these industrial security players, one that can help find the best fit for each security need. By employing best-of-breed technologies from each of those service and appliance providers, the security integrator will help define specific security needs, propose relevant solutions, and then implement the needed upgrades and installations to fully support efforts in meeting ongoing SCADA and IT security needs.

Len Robbins is a certified SCADA security architect and co-founder of Guardian Flow Systems. He can be reached at 520 230-8125 or L.Robbins@GuardianFlow.com. Jeffery Mayger is co-founder of Guardian Flow Systems. He can be reached at 520 230-8125 or J.Mayger@GuardianFlow.com.