05/12/2005
By Jay Abshier, CBCP CISSP
WHILE MOST UTILITIES acknowledge that the cyber security of their control, diagnostic, and SCADA systems is important, there are many questions regarding what should actually be done to secure them. Several efforts are under way to define cyber security standards and industry ("best") practices for control and SCADA systems (from here on, references to control systems include SCADA). While these need to be adhered to, there is no "silver bullet" tool that, once implemented, will secure any system.
Control system security is a process of applying due diligence to a set of security principles. The purpose of this paper is to summarize the ten most important design and process principles that, while not guaranteed to secure a system, will ensure that due diligence has been followed to make it as secure as practical. These are:
Following these principles will provide a due diligence approach that should meet the intent of the NERC Cyber Security Standards (1200 and 1300).
Governance
The purpose of a structured, formal governance policy is to ensure that input and/or concurrence from the appropriate stakeholders is obtained before decisions are made. The appropriate stakeholders will differ from company to company, but an educated guess can be made as to the typical roles and levels of responsibility involved.
Of course, at the very top of any governance hierarchy is the executive management team made up of the CEO, CFO and business unit executives. Typically, for the IT function (not the IT Department, but systems throughout the company that rely upon IT) there is a governing council composed of the CIO, the Chief IT Architect and business unit leaders responsible for IT in their business units. Quite often the business unit does not actually have IT staff, and this role is filled by the business unit leader responsible for the business systems that rely upon computers and the IT infrastructure. Typical names for this team are IT Council or IT Executive Team. Very large companies sometimes have CIOs for major business units, and this team is sometimes called the Council of CIOs. This paper will refer to this group as the IT Council.
Technical teams for functions such as architecture, telecoms, application development and information security typically report to the IT Council; where possible, these teams also include technical representatives from the business units. Each team develops its own procedures for considering, vetting and approving new initiatives before they are submitted to higher level teams for approval, and the upper level teams approve those procedures.
Additionally, business units should have governance teams for their significant business functions. For the case of control systems, Operations might have a governance team structure similar to IT, with a team responsible for the control systems. For the sake of reference, this team will be called the Control System Governance Team.
Ultimately, the business unit whose critical business functions rely upon IT systems should be in charge of the changes made to those IT systems and of how they are managed. But it is critical that the Control System Governance Team solicit input from the appropriate IT technical governance teams before important changes to equipment, software or procedures are made. A formal governance structure helps ensure that the appropriate individuals and roles provide that input, and allows the executives who must approve new projects to document that appropriate vetting occurred before those projects are funded.
Security Awareness and Training
The vast majority of people, whether employees, contractors or vendors, are diligent about doing what is necessary to meet their business objectives while making quality a priority. Many times, though, it simply does not occur to them that security issues are something to which they should also pay attention.
In a previous position I held as Director of Information Security at a large oil and gas company, the person in charge of IT at a very large global business unit was not paying attention to information security. In a private conversation I mentioned this to a senior executive of the company, who replied "he has quite a few fires burning him, and yours isn't very hot." If you are faced with this problem, one option is to wait until the information security fire gets so hot that the business unit leaders notice, but getting attention this way usually involves nasty consequences such as hacks or infestations of viruses and worms. A better alternative is Security Awareness Training.
An effective security awareness training program not only tells the audience what is expected of them; it also tells them why. In fact, at least half of the education should focus on the why. I have found that if the actions required of employees do not make sense to them, or they do not understand why those actions are important, they are much more likely to ignore the rules. A wise security guru once asked me "What is the best security program?" When I said I didn't know, his reply was "The one people use." The purpose of a security awareness program isn't so much to tell people what they should do as to convince them that they should want to follow the rules.
ControlGlobal.com is exclusively dedicated to the global process automation market. We report on developing industry trends, illustrate successful industry applications, and update the basic skills and knowledge base that provide the profession's foundation.