How to Protect Against SCADA Attacks

Although you can’t know about and detect every vulnerability before deployment, you can be proactive in reducing the likelihood and impact of a SCADA security breach by taking the following defense-in-depth measures into consideration:
• Develop a security policy.

• Implement ACLs (access control lists).

• Use MAC address filtering.

• Use VLAN segmentation.

• Physically secure SCADA devices, including alarm and tamper management.

• Disallow the use of third-party USB and related memory sticks.

• Adhere to publications, guides, and standards, such as NERC Critical Infrastructure Protection (CIP) standards; NIST Special Publications 800 Series; IASE guidance; Security Technical Implementation Guides (STIGs); Advanced Metering Infrastructure Security (AMI-SEC) documents; and NISTIR 7628, Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Security Strategy, Architecture, and High-Level Requirements.

• Implement an IDS/IPS that supports SCADA protocol protection mechanisms.

• If a dial-up modem is utilized, implement enhanced security that supports activity logging, encryption, and username and password authentication.

• Utilize protective protocols such as SSH, DNPsec, TLS, DTLS, SSL, PKI, and IPsec, if possible.

• Implement strong encryption capabilities.

• Implement a Security Information and Event Management (SIEM) system for log aggregation, log review, and audit analysis.

• Implement a scalable edge network strategy for all applicable firewalls, switches, routers, and IPS and IDS devices.

• Confirm and ensure policies are in place for two- and three-factor authentication.

• Ensure scheduled internal security assessments are routinely performed.
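Three of the measures above (access control lists, an IDS/IPS that understands SCADA protocols, and feeding the resulting events to a SIEM) can be illustrated together with a small protocol-aware allowlist check. The following Python example is added here and is not part of the original text or of any product it mentions; it parses Modbus/TCP request frames, applies a hypothetical policy that says which master station may issue which function codes, and emits alert lines of the kind a SIEM would ingest. The IP addresses, the per-host allowlist and the sample frames are all constructed for the example.

```python
import struct
from dataclasses import dataclass

# Standard public Modbus function codes, grouped by what they do to the device.
READ_CODES = {1, 2, 3, 4}          # read coils / discrete inputs / holding / input registers
WRITE_CODES = {5, 6, 15, 16}       # write single/multiple coils or registers
DIAGNOSTIC_CODES = {8, 43}         # diagnostics, encapsulated interface (device identification)


@dataclass(frozen=True)
class ModbusTcpFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusTcpFrame:
    """Parse the 7-byte MBAP header plus the PDU; raise ValueError on a malformed frame."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack("!HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    # The length field counts the unit id byte plus the PDU that follows it.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(frame) - 6}")
    return ModbusTcpFrame(tid, pid, length, unit, frame[7], frame[8:])


def build_modbus_tcp(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a well-formed request frame (used here only to construct sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Hypothetical allowlist: which master may send which function codes.
# Source addresses are constructed RFC 1918 examples, not real hosts.
POLICY = {
    "10.0.10.5": READ_CODES,                 # HMI: read-only
    "10.0.10.9": READ_CODES | WRITE_CODES,   # engineering workstation: may write
}


def inspect(src_ip: str, frame: bytes, policy=POLICY) -> list[str]:
    """Return alert strings (empty list means the request is allowed) for one Modbus/TCP request."""
    alerts = []
    try:
        f = parse_modbus_tcp(frame)
    except ValueError as exc:
        return [f"MALFORMED src={src_ip} reason={exc}"]
    allowed = policy.get(src_ip)
    if allowed is None:
        alerts.append(f"UNKNOWN_MASTER src={src_ip} fc={f.function_code} unit={f.unit_id}")
    elif f.function_code not in allowed:
        kind = "WRITE" if f.function_code in WRITE_CODES else "FUNCTION"
        alerts.append(f"DENIED_{kind} src={src_ip} fc={f.function_code} unit={f.unit_id}")
    # Diagnostic traffic is logged even when permitted; it is rare on a production bus.
    if f.function_code in DIAGNOSTIC_CODES:
        alerts.append(f"DIAGNOSTIC src={src_ip} fc={f.function_code} unit={f.unit_id}")
    return alerts


def run_samples() -> list[str]:
    """Run constructed requests through the policy and collect the alert lines."""
    samples = [
        ("10.0.10.5", build_modbus_tcp(1, 1, 3, b"\x00\x00\x00\x0a")),   # HMI reads 10 holding registers
        ("10.0.10.5", build_modbus_tcp(2, 1, 6, b"\x00\x10\x00\x01")),   # HMI tries to write: denied
        ("10.0.10.9", build_modbus_tcp(3, 1, 16, b"\x00\x10\x00\x01\x02\x00\x01")),  # eng. station write: ok
        ("10.0.99.7", build_modbus_tcp(4, 1, 3, b"\x00\x00\x00\x01")),   # host not on the allowlist
        ("10.0.10.9", build_modbus_tcp(5, 1, 8, b"\x00\x00\x00\x00")),   # diagnostics: denied and logged
        ("10.0.10.5", b"\x00\x06\x00\x00\x00\x99\x01\x03"),              # length field does not match
    ]
    alerts = []
    for src, frame in samples:
        alerts.extend(inspect(src, frame))
    return alerts


if __name__ == "__main__":
    for line in run_samples():
        print(line)
```

The design choice worth noting is that the check is an allowlist keyed on both source address and function code, so a read-only HMI that suddenly issues a write, or any host outside the list, produces an event regardless of whether the frame itself is well formed. Malformed frames are reported separately because a length field that disagrees with the frame size is often the first visible sign of a misbehaving or unexpected client.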