Time for Less Talk, More Action On SCADA

In June of last year, I wrote about SCADA and the need to be vigilant about protecting these systems. If you haven’t acted to protect your SCADA networks yet, now is the time. According to a recent report by the U.S. Department of Homeland Security, Industrial Control Systems (ICS) attacks on critical infrastructure have continued to increase, and Project Basecamp, individual researchers and security startups have all identified vulnerabilities in products from a range of SCADA vendors.

In my latest Security Week article, I discuss how next-generation firewalls can help. Here’s an excerpt:

“Network segmentation is an effective method to reduce the scope of [SCADA] attacks and reduce risks, but only if it is deployed with the right security appliance. Just as traditional enterprise networks have recognized the benefits of effective segmentation by applications, users and content using next-generation firewalls, the same advantages can extend to SCADA networks.

Here are the ways to leverage a next-generation firewall to protect a SCADA network:

  • Networks can be built with a “SCADA” security zone that is isolated and segmented from the rest of the network with a next-generation firewall.
  • Access into the SCADA zone can be authenticated by user, not IP address. The ability to tie security policies to user identity provides not only appropriate access to the zone but also a reporting, auditing and logging trail. Non-authorized users are denied. Complementary always-on SSL VPN connectivity can be deployed for users to securely access the SCADA zone.
  • Access to specific SCADA applications such as Modbus, DNP3 and ICCP can be safely enabled based on the actual application, not by ports. This eliminates the risks of having to manage multiple open ports that threats may traverse. Management or backdoor applications like RDP and Telnet can be strictly controlled and allowed only for specific users.
  • A complete vulnerability protection framework can be deployed to inspect all of the traffic traversing the SCADA zone for exploits, malware, botnets and targeted threats. In particular, protection for SCADA-specific vulnerabilities can be enabled. The ability of next-generation firewalls to understand all traffic across all ports all the time means that evasive, port-hopping or encrypted threats can still be identified.

Additional security best practices that should be implemented to complement next-generation firewall deployments in SCADA networks include organizational processes, such as the establishment of ongoing risk-management procedures, routine self-assessments, and periodic security audits and reviews.”
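To make the difference between port-based and application-based segmentation concrete, here is a small policy engine written as an added example for this post; it is not code from the article or from any firewall vendor. The application signatures (Modbus/TCP MBAP header, DNP3 start bytes, Telnet option negotiation) are deliberately simplified, the rule syntax and zone/user names are assumptions, and the sample packets are constructed inline. It evaluates the same SCADA-zone rules against a Modbus request on its standard port and on a non-standard port, a Telnet session hiding on port 502, and an unauthenticated user, and contrasts the result with a plain port-based rule.

```python
"""Toy SCADA-zone policy engine: rules match on zone, authenticated user and
identified application rather than on destination port (example code)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Modbus function codes that write to the device (coils/registers). Used only
# to raise an alert on otherwise-allowed traffic; assumption for the example.
MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}


def identify_app(payload: bytes) -> str:
    """Classify a TCP payload as 'modbus', 'dnp3', 'telnet' or 'unknown'.
    The port is never consulted, so a protocol is recognised wherever it runs."""
    # Modbus/TCP: MBAP header = txn id(2), protocol id(2) == 0, length(2) =
    # bytes that follow the length field, unit id(1); then the PDU starts with
    # a function code in 1..127.
    if len(payload) >= 8:
        proto_id = int.from_bytes(payload[2:4], "big")
        length = int.from_bytes(payload[4:6], "big")
        if proto_id == 0 and length == len(payload) - 6 and 1 <= payload[7] <= 127:
            return "modbus"
    # DNP3 link-layer frames always begin with the start bytes 0x05 0x64.
    if payload[:2] == b"\x05\x64":
        return "dnp3"
    # Telnet option negotiation: IAC (0xFF) followed by WILL/WONT/DO/DONT.
    if len(payload) >= 2 and payload[0] == 0xFF and 0xFB <= payload[1] <= 0xFE:
        return "telnet"
    return "unknown"


def modbus_function_code(payload: bytes) -> int:
    """Function code is the first PDU byte, right after the 7-byte MBAP header."""
    return payload[7]


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    user: Optional[str]        # from the user-to-IP mapping; None = not authenticated
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str                    # "any" matches every zone
    to_zone: str
    users: Optional[FrozenSet[str]]   # None = any user
    apps: FrozenSet[str]              # {"any"} matches every application
    action: str                       # "allow" or "deny"


ANY = frozenset({"any"})
# Ordered, first match wins, implicit deny at the end. Zone and user names are
# assumptions for the example.
SCADA_POLICY = [
    Rule("ops-modbus-dnp3", "corp", "scada", frozenset({"alice", "bob"}),
         frozenset({"modbus", "dnp3"}), "allow"),
    Rule("admin-rdp", "corp", "scada", frozenset({"admin1"}), frozenset({"rdp"}), "allow"),
    Rule("deny-all-to-scada", "any", "scada", None, ANY, "deny"),
]


def evaluate(flow: Flow, policy=SCADA_POLICY) -> Tuple[str, str, str, List[str]]:
    """Return (action, rule name, identified app, alerts): the fields an audit
    log entry for this flow would carry."""
    app = identify_app(flow.payload)
    alerts: List[str] = []
    if app == "modbus" and modbus_function_code(flow.payload) in MODBUS_WRITE_FCS:
        alerts.append("modbus-write")
    for r in policy:
        if r.from_zone not in ("any", flow.src_zone):
            continue
        if r.to_zone not in ("any", flow.dst_zone):
            continue
        if r.users is not None and flow.user not in r.users:
            continue
        if "any" not in r.apps and app not in r.apps:
            continue
        return r.action, r.name, app, alerts
    return "deny", "implicit-deny", app, alerts


def port_based_verdict(flow: Flow) -> str:
    """What a traditional port-only rule would do: open 502 (Modbus) and 20000 (DNP3)."""
    return "allow" if flow.dst_port in (502, 20000) else "deny"


# Constructed sample payloads (not captured traffic).
MODBUS_READ = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"   # fc 3, read 10 regs
MODBUS_WRITE = b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x01\x00\x2a"  # fc 6, write reg 1
DNP3_FRAME = b"\x05\x64\x05\xc0\x01\x00\x00\x04\xe9\x21"            # start bytes + header
TELNET_NEG = b"\xff\xfb\x01"                                         # IAC WILL ECHO

if __name__ == "__main__":
    for f in (Flow("corp", "scada", "alice", 502, MODBUS_READ),
              Flow("corp", "scada", "alice", 5020, MODBUS_READ),
              Flow("corp", "scada", None, 502, TELNET_NEG),
              Flow("corp", "scada", "mallory", 502, MODBUS_READ),
              Flow("corp", "scada", "alice", 502, MODBUS_WRITE)):
        print(f.user, f.dst_port, "app-based:", evaluate(f), "port-based:", port_based_verdict(f))
```

Two cases show why the distinction matters: Telnet sent to port 502 passes a port-based rule but is denied by the application-based policy, while a Modbus request to a non-standard port is still recognised and allowed for an authorised user. The alert on Modbus write function codes illustrates content inspection inside an allowed application; in a real deployment that is where SCADA-specific threat signatures would run.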