How to Protect Against SCADA Attacks
Although you can’t know about and detect every vulnerability before deployment, you can be proactive in reducing the likelihood and impact of a SCADA security breach by layering the following defense-in-depth measures:
• Develop a security policy.
• Implement ACLs (access control lists).
• Use MAC address filtering.
• Use VLAN segmentation.
• Physically secure SCADA devices, including alarm and tamper management.
• Disallow the use of third-party USB and related memory sticks.
• Adhere to publications, guides, and standards, such as NERC Critical Infrastructure Protection (CIP) standards; NIST Special Publications 800 Series; IASE guidance; Security Technical Implementation Guides (STIGs); Advanced Metering Infrastructure Security (AMI-SEC) documents; and NISTIR 7628, Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Security Strategy, Architecture, and High-Level Requirements.
• Implement an IDS/IPS that supports SCADA protocol protection mechanisms.
• If a dial-up modem is utilized, implement enhanced security that supports activity logging, encryption, and username and password authentication.
• Utilize protective protocols such as SSH, DNPsec, TLS, DTLS, SSL, PKI, and IPsec, if possible.
• Implement strong encryption capabilities.
• Implement a Security Information and Event Management (SIEM) system for log aggregation, log review, and audit analysis.
• Implement a scalable edge network strategy for all applicable firewalls, switches, routers, and IPS and IDS devices.
• Confirm and ensure policies are in place for two- and three-factor authentication.
• Ensure scheduled internal security assessments are routinely performed.
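Several of the items above (ACLs, an IDS/IPS that understands SCADA protocols, and feeding the results into a SIEM) come together in one small mechanism: a monitor that decodes the control protocol and checks each state-changing command against an allowlist of hosts permitted to issue it. The following is an added example written for this page, not code from the original article or any vendor product. It decodes the Modbus/TCP MBAP header, flags write function codes (5, 6, 15, 16) from hosts not on a per-unit allowlist, and flags malformed frames; the IP addresses, the allowlist, and the sample frames are all constructed assumptions.

```python
"""Added example: ACL-style policy check over Modbus/TCP frames.

Illustrative code written for this page, not taken from the original article
or any product. The frames, hosts, and allowlist below are constructed.
"""
import struct
from typing import Optional

# Modbus function codes that change device state (coils / holding registers).
WRITE_FUNCTION_CODES = {5, 6, 15, 16}

# Assumed ACL: which source hosts may write to which Modbus unit IDs.
WRITE_ALLOWLIST = {
    "10.0.1.10": {1, 2},   # engineering workstation (assumed address)
}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the 7-byte MBAP header plus the function code of a Modbus/TCP frame."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id is not Modbus (expected 0)")
    # MBAP length counts every byte after the length field (unit id onward).
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def check_frame(src_ip: str, frame: bytes) -> Optional[dict]:
    """Return an alert record (suitable for a SIEM) if the frame violates policy, else None."""
    try:
        msg = parse_modbus_tcp(frame)
    except ValueError as exc:
        return {"src": src_ip, "reason": f"malformed: {exc}"}
    fc = msg["function"]
    if fc in WRITE_FUNCTION_CODES and msg["unit"] not in WRITE_ALLOWLIST.get(src_ip, set()):
        return {"src": src_ip, "unit": msg["unit"], "function": fc,
                "reason": "write from unauthorized source"}
    return None


def build_frame(tid: int, unit: int, function: int, data: bytes = b"") -> bytes:
    """Construct a well-formed Modbus/TCP frame (used only to make sample traffic)."""
    body = bytes([unit, function]) + data
    return struct.pack(">HHH", tid, 0, len(body)) + body


# Constructed sample traffic as (source IP, frame) pairs.
SAMPLE_TRAFFIC = [
    ("10.0.1.10", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),        # read holding regs: fine
    ("10.0.1.10", build_frame(2, 1, 6, struct.pack(">HH", 0, 1))),         # write by allowed host
    ("10.0.1.55", build_frame(3, 1, 6, struct.pack(">HH", 0, 1))),         # write by host not on ACL
    ("10.0.1.10", build_frame(4, 7, 16, b"\x00\x00\x00\x01\x02\x00\x01")),  # write to unit not on ACL
    ("10.0.1.55", b"\x00\x05\x00\x00\x00\x01\x01"),                         # truncated frame
]


def audit(traffic) -> list:
    """Run every frame through the policy check and collect the alerts."""
    return [a for a in (check_frame(ip, f) for ip, f in traffic) if a is not None]


if __name__ == "__main__":
    for alert in audit(SAMPLE_TRAFFIC):
        print(alert)
```

The allowlist is keyed by source address only because that is what the page's ACL and MAC-filtering items describe; in practice the same check would sit behind VLAN segmentation so that the address actually means something, and the alert records would be shipped to the SIEM rather than printed.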