
Ten steps to secure control systems

This "special to the web" article summarizes the 10 most important design and process principles that, while not guaranteed to secure a system, ensure your control systems are as secure as practical.

05/12/2005


While vulnerability scans and penetration tests are commonly used in the corporate environment, it is often not prudent to use them in the control systems environment, at least not on production devices. There are many documented cases where port and vulnerability scans of control devices have caused those devices to malfunction, reboot or shut down entirely. Because of the deterministic and highly critical nature of control systems devices and software, penetration tests are also likely to interfere with control functions. In the absence of test systems that can be used for vulnerability scans and penetration tests, technical reviews are the most recommended method to identify vulnerabilities in the control system environment.

Typical vulnerabilities that are found in SCADA architectures include:

Remote Access
The remote access methods usually introduce security vulnerabilities ranging anywhere from unauthorized access to introduction of malicious code from infected clients. In general, remote access into a SCADA environment should be tightly controlled and secured.

IP Connections
Most IP connections, while necessary, are usually constructed for ease of use and not for security. 

Modems
Often dial-in modems are installed to provide vendors with maintenance capability.

Applications and Data Exchange
Quite often applications are written with file shares that bridge between the corporate and the SCADA environment, and with permissions that allow too much access to the SCADA environment. Data flowing into or out of the SCADA environment must be validated, and the mechanisms for exchanging data must not expose the environment to hackers or malicious code.

Change Management
Change Management must be robust and strictly enforced in order to protect the SCADA environment.

Incident Response
Incident Response plans should be in place and tested in the event a cyber security incident occurs.

User Accounts
User accounts must be administered and constructed in such a way as to discourage unauthorized use.

Monitoring
Even if no known vulnerabilities exist, the environment must be monitored both for unauthorized activity and for the presence of malicious code.

Risk assessments identify the probability that a vulnerability can be exploited by first determining the probability that a threat (hacker, error, etc.) will attempt to exploit the vulnerability and then determining the probability that the attempt will be successful. For each mitigating control in place, the probability of success is reduced. In addition to the probability of occurrence, an estimate of impact – sometimes financial – is also made. The resulting overall probability and impact can then be used to rank the vulnerabilities by priority.

In situations where the probabilities are well defined from statistical evidence, they can be used to compute a ballpark number for the financial value of implementing the mitigating controls by multiplying the probability by the financial impact. Unfortunately, exact probabilities for security incidents are difficult to establish, and no documented sample of incidents involving control systems exists.

However, relative probabilities can be determined – the probability of an external hacker trying to gain access is lower than that of a malicious insider, which in turn is lower than that of accidental incidents. Using relative probabilities, it is possible to prioritize the risks.
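As an added illustration, not part of the article, the ranking described in the three preceding paragraphs in Python: ordinal attempt weights follow the article's relative ordering, each mitigating control reduces the probability of success, and the attempt weight, success probability and impact are multiplied to order the findings. The weights, success probabilities, impacts and the three findings are constructed sample values.

```python
from dataclasses import dataclass, field

# Ordinal attempt likelihoods, following the article's relative ordering:
# external hacker < malicious insider < accidental incident.
# These are constructed rank weights for prioritisation, not measured probabilities.
ATTEMPT_LIKELIHOOD = {"external_hacker": 1, "malicious_insider": 2, "accident": 3}


@dataclass
class Vulnerability:
    name: str
    threat: str                 # key into ATTEMPT_LIKELIHOOD
    base_success: float         # chance an attempt succeeds with no controls in place
    impact: float               # estimated impact of a successful exploit (e.g. dollars)
    controls: list = field(default_factory=list)  # (control name, fraction of success removed)

    def success_probability(self) -> float:
        """Each mitigating control in place reduces the probability of success."""
        p = self.base_success
        for _name, reduction in self.controls:
            p *= 1.0 - reduction
        return p

    def risk_score(self) -> float:
        """Likelihood of attempt x likelihood of success x impact, used for ranking."""
        return ATTEMPT_LIKELIHOOD[self.threat] * self.success_probability() * self.impact


def rank_by_risk(vulns):
    """Highest risk first: the priority order the assessment workshop would act on."""
    return sorted(vulns, key=lambda v: v.risk_score(), reverse=True)


def loss_reduction(v: Vulnerability) -> float:
    """Risk removed by the listed controls. Only a true dollar figure when the
    probabilities are statistical; with ordinal weights it is a relative number."""
    uncontrolled = Vulnerability(v.name, v.threat, v.base_success, v.impact)
    return uncontrolled.risk_score() - v.risk_score()


# Constructed sample assessment of three findings drawn from the article's list.
SAMPLE = [
    Vulnerability("vendor dial-in modem", "external_hacker", 0.9, 500_000, [("dial-back", 0.5)]),
    Vulnerability("corporate/SCADA file share, write access", "malicious_insider", 0.8, 200_000),
    Vulnerability("operator mistypes setpoint", "accident", 0.3, 50_000, [("range check", 0.6)]),
]


def sample_priority():
    """Names of the sample findings, highest risk first."""
    return [v.name for v in rank_by_risk(SAMPLE)]
```

With these constructed numbers the unprotected file share outranks the modem even though an insider is weighted only twice as likely to act as an outsider, because the dial-back control halves the modem's chance of success.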

An additional benefit of risk assessments is buy-in from the stakeholders of the subject systems. By participating in the risk assessment workshops, they gain a better understanding of the vulnerabilities and threats, and assignment of the probabilities and impact is a group process usually resulting in group ownership of the results.

Penetration tests attempt to exploit discovered vulnerabilities to establish unauthorized access to the SCADA environment and to accomplish unauthorized manipulation of the environment. Penetration tests are much like invasive vulnerability assessments in that they can cause unintended disruption to the SCADA environment. For this reason, if they are pursued, they should be performed by persons knowledgeable about SCADA systems or supervised by someone who is.

Typically, the passive Vulnerability Assessment is the first step in the process. From that point, the client can stop there or choose any combination of the other options: invasive vulnerability assessment, risk assessment and/or penetration test. "The Cyber Security Assessment Methodology" illustrates the methodology that KEMA uses for a passive vulnerability assessment, followed by a risk assessment. 


Jay Abshier, CBCP CISSP, is semi-retired from ChevronTexaco and can be reached at jay@abshier.net.

ControlGlobal.com is exclusively dedicated to the global process automation market. We report on developing industry trends, illustrate successful industry applications, and update the basic skills and knowledge base that provide the profession's foundation.