Thursday, December 23, 2010

Industrial Security - a reminder from Stuxnet

I've refrained from blogging about Stuxnet for the simple reason that I'm no expert on it. You can learn more than I know about Stuxnet from Wikipedia. However, it should reinforce the need for basic security good practices. I hear too many integrators and industrial professionals write off a system as not needing any security applied because the system is on an isolated network. Consider the vector Stuxnet used to attack isolated networks - USB drives to infect the system then peer to peer Windows RPC calls. Even if you're not the target of a large attack, you need to protect yourself from the much more common "insider threat", a disgruntled or malicious employee. Let's consider some easy steps that can make a huge difference in protecting your SCADA system and industrial network. 
1. First, get the best "bang for your buck" - take care of your low hanging fruit. Embarrasingly, in industrial systems this means: get rid of shared accounts and no passwords, don't connect the control network to the Internet or harden your business necessary connection point, ensure that you have a working backup, check your backdoors (old modems, etc).

2. The strength of your system lies in a Defense in Depth approach, meaning taking advantage of strengths of overlapping security mechanisms. While adhering to point #1, knock out the really easy and obvious ones. There's no reason to get fancy until you have your basics covered.

3. Architect your system with security in mind. For example, if you decide to start with Windows XP SP 1, you're just asking for trouble. I get it that patching often has negative side effects with industrial/SCADA software, but you need to (minimally) begin with a baseline that isn't hugely vulnerable. Design around industry standard technologies and protocols such as OPC-UA. Don't try to roll your own security solutions!

4. Develop a security policy and train your users. It's important that management understands and accepts the level of risk that the system takes on. It's important that users know what's allowed and that consequences are serious. Require that they sign an Acceptable Use Policy (AUP). A successful security program is as much about users, policy, and procedure than equipment, applications, and configuration.

5. Establish individual accountability (auditing). Ensure that users have individual accounts and that their activity on the system is logged and periodically reviewed. I know this often doesn't happen in manufacturing, but it should.

You have far too much value in your HMI, SCADA, industrial system. Ask yourself, how much does downtime cost? How can you afford to not secure your control system?


meterdata said...

Small companies have problems securing data.

Keith M said...

I have a friend who works for a company who wishes to develop value add software for HMI/SCADA, but one of the real problems is that the value add software needs internet connectivity, but as you say here, SCADA systems are usually locked down and I presume avoid internet access. Any thoughts on how to get around that?