Best Practices for Securing Your IoT/SCADA Systems
Published: Jul 19, 2023
By: Joseph Nguyen and Ayobami Adebiyi
IoT and SCADA Versus IT Security Requirements
Although they may seem similar, it is important to realize that the security risks of the Internet of Things (IoT), Supervisory Control and Data Acquisition (SCADA, the system we introduced in our previous article SCADA in 2023), and IT differ, and that a comprehensive security plan needs to be in place to protect each of these systems. In general technology risk frameworks, most of the attention goes to operational technology. An area that does not receive enough attention is IoT, and more specifically SCADA and industrial control systems (ICS). When managing a SCADA system, it is important to identify and classify “SCADA assets” such as:
- Password management;
- Authentication and authorization;
- Account administration; and
- Vulnerability management.
These assets can be critical to an IoT system, especially when third-party supplied SCADA devices are deployed [1]. Thus, physically and logically securing all IoT -- including SCADA or ICS assets -- is instrumental to overall security.
Best Practices for Securing SCADA
The increasing complexity and interconnectedness of SCADA systems create new risks and vulnerabilities that need to be addressed. In this section, we examine some of the leading practices for securing and managing SCADA systems. It is also important to note the existence of grey areas in SCADA systems, which we return to later in this article.
1. Keep Software and Firmware Up-to-Date
To begin, one of the most important security practices for SCADA systems is to keep all software and firmware up-to-date. This includes operating systems and platforms, applications, and the firmware of all connected devices and interfaces with external systems. Outdated software and firmware can carry known vulnerabilities that attackers exploit to gain unauthorized access to the system. As an example, consider the cyber-attack at a water treatment plant in Florida in 2021, in which hackers gained remote access to the plant’s computer systems through a weakly protected software application. The plant had stopped using the application for a period before the incident but had failed to uninstall it. This tool was used as a gateway into the plant systems, and the attacker was able to reach a control panel and maliciously increase the level of sodium hydroxide in the distributed water supply. Luckily, a plant operator monitoring the systems noticed the change and reversed it before any lasting damage could be done. Even though the attack was stopped in good time, it is evident that the failure to update system software, which in this case was the vulnerability, was exploited by the attacker [2].
2. Use Strong Authentication and Access Control
SCADA systems should use strong authentication and access control mechanisms to keep unauthorized users out of the system. This includes the use of strong passwords, two-factor authentication, and role-based access control (RBAC). RBAC is a widely used approach in which an employee's role determines what permissions the system grants that user. Access to the system should also be restricted to only those who need it to perform their job functions.
The 2021 Colonial Pipeline hack is a related and recent example. It is the largest publicly disclosed cyber-attack against critical infrastructure in the U.S. The Colonial Pipeline is one of the largest and most vital oil pipelines in the world, and it was shut down for several days after a hacker group known as Darkside accessed the Colonial Pipeline network. The attack resulted in over 100 gigabytes of data being stolen in a window of less than two hours. Following this, the attackers infected the Colonial Pipeline IT network with ransomware that affected many computer systems. Colonial Pipeline shut down its IT systems to prevent the ransomware from spreading, and the only option it had to regain access to its systems was to pay the Darkside hackers for the decryption key [4].
3. Implement Network Segmentation
SCADA systems should be segmented from other networks to limit the potential impact of a security breach. Network segmentation can help prevent attackers from moving laterally from one system to another and limit the potential damage caused by a successful attack.
4. Monitor System Activity
Continuous monitoring of SCADA systems is critical to detecting and responding to security incidents. Monitoring should include review of activity logs and network traffic analysis, using a tool such as SolarWinds NetFlow Traffic Analyzer, as well as deployment of intrusion detection systems such as Snort and CrowdSec. Together these help identify unusual activity and potential security incidents, allowing security teams to respond quickly and mitigate the impact of any breach.
5. Conduct Regular Security Assessments
Regular security assessments are necessary in order to identify vulnerabilities and improve the security of SCADA systems. Assessments should include vulnerability scanning, penetration testing, and risk assessments. Tools such as Nessus (vulnerability scanning) and Wireshark (packet capture and analysis) can be deployed on SCADA networks to assess the systems and analyze packets in real time; active scanning should be scheduled and scoped carefully, since some controllers respond poorly to unexpected traffic. Results from these assessments should be used to prioritize security improvements and determine whether the system is secure against known threats.
6. Develop an Incident Response Plan
SCADA systems should have a comprehensive incident response plan that outlines the steps to be taken in the event of a security breach. This plan should include procedures for identifying and containing the breach, notifying relevant stakeholders and restoring the system to a secure state. Regular testing and training on incident response procedures can improve the efficacy of the plan and prepare all stakeholders to respond to a security incident.
This process entails documenting procedures for identifying and classifying breaches, and maintaining a list of stakeholders to be notified as soon as a breach or incident is identified. The plan should be reviewed and updated at least annually to keep the contact list up-to-date.
Quickly responding to security incidents effectively and efficiently helps minimize damage, improve recovery time, restore business operations and avoid high costs.
The Grey Areas
As noted above, many companies are under the misconception that, if the supervising system is secured, so are the subsystems (sensors, actuators, communication devices and infrastructure). The flaw in that assumption is that a grey area exists between IoT/SCADA and the overall OT/IT controls. When probing networks as part of an attack, attackers look for vulnerabilities precisely in this grey area. Thus, it is important for companies to understand what exists there in order to prevent and neutralize attacks. Systems that can be the origin of vulnerabilities include the following:
1. Protocol: Attackers can intrude into unsecured communication systems and modify data sent from a remote terminal unit (RTU) or programmable logic controller (PLC). In the diagram referenced below, note the programmable logic controllers. Because they are connected to the physical systems and processes, these PLCs relay data back to the control room building. This is a gap in that a cybercriminal who breaches the PLCs can manipulate the data being relayed or, in this scenario, even adjust pump speeds.
Source: One Flaw too Many: Vulnerabilities in SCADA Systems - Security News (trendmicro.com)
2. Mobile Applications: Offsite engineers and technicians using mobile applications to monitor and modify processes in an industrial plant are another vulnerability, because a compromised application can feed users tampered data and lead them to make wrong decisions.
3. Human-Machine Interface: Because the HMI gives access to critical and sensitive information and to control functions, it is an ideal target for an attacker. HMI systems are vulnerable both to theft of essential information and to tampering with control processes [5].
4. Related Components: Nowadays, most SCADA systems are highly reliable; the issue lies within the other technologies and components that surround them. These components can become a risk to SCADA systems if they are affected. Examples include firewalls, infusion pumps, and even printers.
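As an added example, not from the original article, the following Python detector illustrates both the network-traffic monitoring practice described in section 4 and the unsecured-protocol gap listed above: it parses Modbus/TCP request frames and flags any write command to a PLC from a host that is not on an assumed engineering allowlist. The IP addresses, the allowlist and the sample frames are all constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Modbus function codes that change PLC state; codes 1-4 are reads and are ignored.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# Assumed allowlist: only the engineering workstation may write to PLCs.
AUTHORIZED_WRITERS = {"10.10.1.5"}

@dataclass
class ModbusRequest:
    unit_id: int
    function: int
    address: int  # starting coil/register address carried by the request

def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Parse the 7-byte MBAP header, the function code and the start address.
    Returns None for frames that are not well-formed Modbus/TCP."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit, func = struct.unpack(">HHHBB", payload[:8])
    # Protocol id is always 0; length counts the unit id plus the PDU bytes.
    if proto != 0 or length != len(payload) - 6:
        return None
    address = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else 0
    return ModbusRequest(unit, func, address)

def detect_unauthorized_writes(records: Iterable[Tuple[str, str, bytes]]) -> List[str]:
    """records are (src_ip, dst_ip, tcp_payload). Any write request from a host
    outside the allowlist is reported, which is how a stray host changing a
    setpoint such as a pump speed or a chemical dose would surface."""
    alerts = []
    for src, dst, payload in records:
        req = parse_modbus_tcp(payload)
        if req is None or req.function not in WRITE_FUNCTIONS:
            continue
        if src not in AUTHORIZED_WRITERS:
            alerts.append(f"{src} -> {dst} unit {req.unit_id}: "
                          f"{WRITE_FUNCTIONS[req.function]} at address {req.address}")
    return alerts

# Constructed sample traffic (not real captures): an HMI read, an authorized write, then two writes from a host that should never write to the PLC.
SAMPLE_RECORDS = [
    ("10.10.1.20", "10.10.2.10", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    ("10.10.1.5",  "10.10.2.10", bytes.fromhex("0002 0000 0006 01 06 0010 0064")),
    ("10.10.1.77", "10.10.2.10", bytes.fromhex("0003 0000 0006 01 06 0010 02bc")),
    ("10.10.1.77", "10.10.2.10", bytes.fromhex("0004 0000 0008 01 0f 0000 0008 01 ff")),
]
```

Calling `detect_unauthorized_writes(SAMPLE_RECORDS)` returns two alerts, both for the host 10.10.1.77; the HMI read and the engineering workstation's write pass silently.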
Conclusion
The distinction between operational technology and IoT/SCADA systems is crucial, as companies tend to overlook gaps in this grey area. Establishing and maintaining these best practices for SCADA systems will keep organizations ahead of the ever-evolving threats and challenges that emanate from the emerging technologies associated with SCADA and the overall Internet of Things. Specific controls and control areas to protect your systems will be discussed later in this series -- stay tuned.
Contact EisnerAmper