7 days ago finished the eight version of the SANS SCADA Summit at Orlando. Conferences were really great and it was a great opportunity to see that I am not the only CISO that is having trouble developing and implementing an information security program to the ICS world of the company. The most important conclusions obtained back there are:
Operators and professionals from the industrial world does only care about the process: they want it efficient, reliable, available all the time and simple. When we, the security people, try to implement some control measures to avoid risks from being materialized, we need to preservate all those attributes to the process. Lets keep in mind that if we cannot improve the ICS process with our controls, the business wont let us do anything and they prefer to suffer the risk materializing than let us try to avoid them.
Compliance is a consequence of implementing a good security program. Choose a good framework to implement and begin working. Examples of such frameworks are:
ISA (Industrial Automation and Control Systems Security) 99 IEC 62443
20 Critical security controls
NIST GUIDE to SCADA and Control Security
CFATS (Chemical Facility anti terrorism standards)
As you definitely need to avoid increasing the complexity on the SCADA System operation, you cannot allow irregular acess to your operators to resources outside the Industrial Control System (ICS) network. That means not allowing to read e-mail and not accessing the Internet from the same computer where a Human to Machine Interface (HMI) is installed. They can always use other computers that have access to the IT world.
As I stated, the ICS guys only cares about their process and tent to disregard anything that might cause problems or make them feel they are doing their work in a slow way. Therefore, a strong awareness campain is needed pointing to strong motivations like cyberterrorism and materialized risks to the SCADA and ICS systems.
Firewalls are good but not enough to protect risks from SCADA and ICS systems. You need to add other controls like SCADA application whitelisting, Host Intrusion Prevention Systems, Network Intrusion Prevention Systems and patch management.
Patch unpatched vulnerabilities of your SCADA and ICS systems. If fore some reason the product cannot be patched, take any other approach to lower the risk to the minimum possible value.
Include the ICS environment to your information security risk matrix. You need to start including it inside your controls. Otherwise, information security risks will become unmanageable to your SCADA/ICS.
SCADA/ICS systems manages critical infrastructure and could be a target addressed by any irregular and ilegal group. For all us who work to companies where SCADA/ICS systems are vital to business, it will become the most important information asset to protect, as it could be used to destroy all the assets used to ensure companys future money.
Manuel Humberto Santander Pelez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.