Five SCADA security considerations

July 18, 2019
Allan Evora, president and executive manager at system integrator Affinity Energy, provides insights.

Because insecure remote access programs and applications can let intrusions leapfrog firewall configurations and other perimeter protections, they're among the most popular avenues for probes, hacks, malware downloads and other attacks. To lock out unauthorized and potentially destructive access, Allan Evora, president and executive manager at system integrator Affinity Energy, reported on "Five SCADA security considerations" in a Feb. 6, 2018, blog post on his firm's website. Located in Charlotte, N.C., Affinity is a member of the Control System Integrators Association. These five steps are:

  • Restrict in-house and remote system access to only authorized users, and assign role-based access levels based on the data, applications and network areas that employees, contractors and vendors need to do their jobs. Also, don't allow guest/default accounts: many applications and computers have pre-installed guest accounts, and these are often accessible via default password lists that hackers can capture with algorithms.
  • Update SCADA and other application passwords every 60-90 days, and use longer passwords with 10-15 characters that are more difficult to crack.
  • Require unique credentials for each user, and don't let them share usernames or passwords because it prevents administrators from having visibility of each user's actions. Again, don't use default usernames or passwords because they're easily Googled and used by potential intruders. Also, secure login screens by limiting login attempts. 
  • Use two-factor authentication that requires more than a username and password to protect remote applications from brute force password attacks. Two-factor authentication requires two of three items: something the user knows like a password, something the user has access to like a code or phone number sent to a smart phone, or something the user is like a biometric fingerprint.
  • Properly configure firewalls by establishing access control lists that give the firewalls rules on who is trusted for access and what data is allowed to leave. This is basically whitelisting and blacklisting IP addresses to restrict network traffic as much as possible. Also, set up virtual private networks (VPN) for users requiring remote access.
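
As an added example (not from Affinity Energy's post or this article), the account-related items in the list above can be checked against an exported account inventory. The record layout, the `DEFAULT_NAMES` set and the sample accounts are assumptions constructed for illustration; the 90-day and 10-character thresholds come from the list.

```python
from collections import namedtuple
from datetime import date

# Thresholds come from the list above; the inventory layout is an assumption.
MAX_PASSWORD_AGE_DAYS = 90
MIN_PASSWORD_LENGTH = 10
DEFAULT_NAMES = {"guest", "admin", "administrator", "default"}  # constructed

Account = namedtuple("Account", "username assigned_to role password_set "
                                "min_length remote two_factor max_attempts")

# Constructed sample inventory (not real accounts).
SAMPLE = [
    Account("jsmith", ["J. Smith"], "operator", date(2019, 6, 1), 12, True, True, 5),
    Account("guest", [], "", date(2017, 1, 1), 6, False, False, None),
    Account("vendor1", ["Tech A", "Tech B"], "maintenance",
            date(2019, 3, 1), 12, True, False, 5),
]

def audit_accounts(accounts, today):
    """Return {username: [findings]} for accounts that break the checklist."""
    report = {}
    for a in accounts:
        issues = []
        if a.username.lower() in DEFAULT_NAMES:
            issues.append("guest/default account")
        if len(a.assigned_to) != 1:  # shared or ownerless credentials
            issues.append("not assigned to exactly one user")
        if not a.role:
            issues.append("no role-based access level")
        if (today - a.password_set).days > MAX_PASSWORD_AGE_DAYS:
            issues.append("password older than 90 days")
        if a.min_length < MIN_PASSWORD_LENGTH:
            issues.append("password policy shorter than 10 characters")
        if a.remote and not a.two_factor:
            issues.append("remote access without two-factor authentication")
        if a.max_attempts is None:
            issues.append("login attempts not limited")
        if issues:
            report[a.username] = issues
    return report

if __name__ == "__main__":
    for user, issues in audit_accounts(SAMPLE, date(2019, 7, 18)).items():
        print(user, "->", "; ".join(issues))
```
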
About the author: Jim Montague

Jim Montague | Executive Editor

Jim Montague is executive editor of Control.