Steps to Improve Cyber Security of SCADA Networks by U.S. Department of Energy
For further information, please contact:
The President’s Critical Infrastructure Protection Board
Office of Energy Assurance
U.S. Department of Energy
202/287-1808
Office of Independent Oversight and Performance Assurance
U.S. Department of Energy
301/903-3777
Introduction
Supervisory control and data acquisition (SCADA) networks contain computers and applications that perform key functions in providing essential services and commodities (e.g., electricity, natural gas, gasoline, water, waste treatment, transportation) to all Americans. As such, they are part of the nation’s critical infrastructure and require protection from a variety of threats that exist in cyber space today. By allowing the collection and analysis of data and control of equipment such as pumps and valves from remote locations, SCADA networks provide great efficiency and are widely used. However, they also present a security risk. SCADA networks were initially designed to maximize functionality, with little attention paid to security. As a result, performance, reliability, flexibility and safety of distributed control/SCADA systems are robust, while the security of these systems is often weak. This makes some SCADA networks potentially vulnerable to disruption of service, process redirection, or manipulation of operational data that could result in public safety concerns and/or serious disruptions to the nation’s critical infrastructure. Action is required by all organizations, government or commercial, to secure their SCADA networks as part of the effort to adequately protect the nation’s critical infrastructure.
The President’s Critical Infrastructure Protection Board and the Department of Energy have developed the steps outlined here to help any organization improve the security of its SCADA networks. These steps are not meant to be prescriptive or all-inclusive. However, they do address essential actions to be taken to improve the protection of SCADA networks. The steps are divided into two categories: specific actions to improve implementation, and actions to establish essential underlying management processes and policies.
Background
President Bush created the President’s Critical Infrastructure Protection Board in October 2001 through Executive Order 13231 to coordinate all Federal activities related to the protection of information systems and networks supporting critical infrastructures, including:
✶ Federal departments and agencies
✶ Private Sector companies that operate critical infrastructures
✶ State and local government’s critical infrastructures
✶ Related national security programs.
The Department of Energy plays a key role in protecting the critical energy infrastructure of the nation as specified in the National Strategy for Homeland Security. In fulfilling this responsibility, the Secretary of Energy’s Office of Independent Oversight and Performance Assurance has conducted a number of assessments of organizations with SCADA networks to develop an in-depth understanding of SCADA networks and steps necessary to secure these networks. The Office of Energy Assurance also fulfills Energy Department responsibilities through their work with Federal, State, and private partners to protect the National Energy Infrastructure, improve energy reliability, and assist in energy emergency response efforts.
21 Steps to Improve Cyber Security of SCADA Networks
The following steps focus on specific actions to be taken to increase the security of SCADA networks:
1. Identify all connections to SCADA networks.
Conduct a thorough risk analysis to assess the risk and necessity of each connection to the SCADA network. Develop a comprehensive understanding of all connections to the SCADA network, and how well these connections are protected. Identify and evaluate the following types of connections:
• Internal local area and wide area networks, including business networks
• The Internet
• Wireless network devices, including satellite uplinks
• Modem or dial-up connections
• Connections to business partners, vendors or regulatory agencies
2. Disconnect unnecessary connections to the SCADA network.
To ensure the highest degree of security of SCADA systems, isolate the SCADA network from other network connections to as great a degree as possible. Any connection to another network introduces security risks, particularly if the connection creates a pathway from or to the Internet. Although direct connections with other networks may allow important information to be passed efficiently and conveniently, insecure connections are simply not worth the risk; isolation of the SCADA network must be a primary goal to provide needed protection. Strategies such as utilization of “demilitarized zones” (DMZs) and data warehousing can facilitate the secure transfer of data from the SCADA network to business networks. However, they must be designed and implemented properly to avoid introduction of additional risk through improper configuration.
3. Evaluate and strengthen the security of any remaining connections to the SCADA network.
Conduct penetration testing or vulnerability analysis of any remaining connections to the SCADA network to evaluate the protection posture associated with these pathways. Use this information in conjunction with risk management processes to develop a robust protection strategy for any pathways to the SCADA network. Since the SCADA network is only as secure as its weakest connecting point, it is essential to implement firewalls, intrusion detection systems (IDSs), and other appropriate security measures at each point of entry. Configure firewall rules to prohibit access from and to the SCADA network, and be as specific as possible when permitting approved connections. For example, an Independent System Operator (ISO) should not be granted “blanket” network access simply because there is a need for a connection to certain components of the SCADA system. Strategically place IDSs at each entry point to alert security personnel of potential breaches of network security. Organization management must understand and accept responsibility for risks associated with any connection to the SCADA network.
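The DMZ separation in step 2 and the "be as specific as possible" rule in step 3 can both be checked mechanically against a firewall rule set. The following is an added example, not code from the DOE document: the zone map, addresses, ports and rules are all constructed for illustration (the 192.0.2.0/24 "partner" range stands in for an ISO or vendor link). It reads a first-match-wins rule list and reports every permit that gives business or Internet hosts a direct path into the control network, every permit touching SCADA that uses `any` for address, protocol or port, every inbound permit that covers a whole range instead of the specific component, and a policy that does not end in an explicit deny-all.

```python
"""Audit a zoned firewall policy protecting a SCADA network.

Added example, not from the DOE document. The zones, addresses and rules are
constructed for illustration. Two properties from steps 2 and 3 are checked:
  * business and Internet hosts get no direct path into or out of SCADA
    (data crosses through the DMZ / data warehouse instead), and
  * every permit that touches SCADA names a specific source, destination,
    protocol and port, and the policy ends with an explicit deny-all.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone map: the address ranges are hypothetical.
ZONES = {
    "scada": ipaddress.ip_network("10.10.0.0/16"),      # control network
    "dmz": ipaddress.ip_network("10.20.0.0/24"),        # historian / data warehouse
    "business": ipaddress.ip_network("10.30.0.0/16"),   # corporate LAN
    "partner": ipaddress.ip_network("192.0.2.0/24"),    # e.g. an ISO or vendor link
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    dport: str    # destination port or "any"


def zone_of(cidr):
    """Most specific zone containing the CIDR; a bare 'any' counts as Internet."""
    if cidr == "any":
        return "internet"
    net = ipaddress.ip_network(cidr)
    best = None
    for name, zone in ZONES.items():
        if net.subnet_of(zone) and (best is None or zone.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def audit_policy(rules):
    """Return (rule_index, message) findings for a first-match-wins rule list."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "permit":
            continue
        s, d = zone_of(r.src), zone_of(r.dst)
        if "scada" not in (s, d):
            continue  # rule never touches the control network
        other = d if s == "scada" else s
        if other in ("business", "internet"):
            findings.append((i, f"direct {s}->{d} path; pass this data through the DMZ instead"))
        if r.src == "any" or r.dst == "any":
            findings.append((i, "address 'any' on a rule touching SCADA"))
        if r.proto == "any" or r.dport == "any":
            findings.append((i, "protocol/port 'any' on a rule touching SCADA"))
        if d == "scada" and ipaddress.ip_network(r.dst).num_addresses > 1:
            findings.append((i, f"inbound permit to {r.dst} covers the whole range; name the component"))
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or (last.src, last.dst) != ("any", "any"):
        findings.append((len(rules), "policy does not end with an explicit deny any any"))
    return findings


# Constructed sample policy. Rule 3 is the "blanket" partner access the text
# warns against; rule 4 expresses the same need as one host, port and protocol.
SAMPLE_POLICY = [
    Rule("permit", "10.10.0.0/16", "10.20.0.10/32", "tcp", "1433"),  # 0: SCADA pushes to DMZ historian
    Rule("permit", "10.30.0.0/16", "10.20.0.10/32", "tcp", "443"),   # 1: business reads the DMZ replica
    Rule("permit", "10.30.0.0/16", "10.10.0.0/16", "any", "any"),    # 2: business straight into SCADA
    Rule("permit", "192.0.2.0/24", "10.10.0.0/16", "any", "any"),    # 3: blanket partner access
    Rule("permit", "192.0.2.10/32", "10.10.1.20/32", "tcp", "502"),  # 4: specific partner access
    Rule("deny", "any", "any", "any", "any"),                        # 5: default deny
]

if __name__ == "__main__":
    for idx, msg in audit_policy(SAMPLE_POLICY):
        print(f"rule {idx}: {msg}")
```

Run against the sample, rules 2 and 3 are the only ones reported; rule 4, which grants the partner exactly the one Modbus/TCP port on the one component it needs, passes cleanly. A real policy exported from a firewall would need a small adapter into `Rule`, and the zone map should come from the connection inventory built in step 1.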
4. Harden SCADA networks by removing or disabling unnecessary services.
SCADA control servers built on commercial or open-source operating systems can be exposed to attack through default network services. To the greatest degree possible, remove or disable unused services and network daemons to reduce the risk of direct attack. This is particularly important when SCADA networks are interconnected with other networks. Do not permit a service or feature on a SCADA network unless a thorough risk assessment of the consequences of allowing the service/feature shows that the benefits of the service/feature far outweigh the potential for vulnerability exploitation. Examples of services to remove from SCADA networks include automated meter reading/remote billing systems, email services, and Internet access. An example of a feature to disable is remote maintenance. Numerous secure configuration guidelines for both commercial and open source operating systems are in the public domain, such as the National Security Agency’s series of security guides. Additionally, work closely with SCADA vendors to identify secure configurations and coordinate any and all changes to operational systems to ensure that removing or disabling services does not cause downtime, interruption of service, or loss of support.
5. Do not rely on proprietary protocols to protect your system.
Some SCADA systems use unique, proprietary protocols for communications between field devices and servers. Often the security of SCADA systems is based solely on the secrecy of these protocols. Unfortunately, obscure protocols provide very little “real” security. Do not rely on proprietary protocols or factory default configuration settings to protect your system. Additionally, demand that vendors disclose any backdoors or vendor interfaces to your SCADA systems, and expect them to provide systems that are capable of being secured.
6. Implement the security features provided by device and system vendors.
Most older SCADA systems (most systems in use) have no security features whatsoever. SCADA system owners must insist that their system vendor implement security features in the form of product patches or upgrades. Some newer SCADA devices are shipped with basic security features, but these are usually disabled to ensure ease of installation.
Analyze each SCADA device to determine whether security features are present. Additionally, factory default security settings (such as in computer network firewalls) are often set to provide maximum usability, but minimal security. Set all security features to provide the maximum level of security. Allow settings below maximum security only after a thorough risk assessment of the consequences of reducing the security level.
7. Establish strong controls over any medium that is used as a backdoor into the SCADA network.
Where backdoors or vendor connections do exist in SCADA systems, strong authentication must be implemented to ensure secure communications. Modems, wireless, and wired networks used for communications and maintenance represent a significant vulnerability to the SCADA network and remote sites. Successful “war dialing” or “war driving” attacks could allow an attacker to bypass all other controls and have direct access to the SCADA network or resources. To minimize the risk of such attacks, disable inbound access and replace it with some type of callback system.
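Step 4 is easiest to keep honest with an allowlist: the control server should listen only on the ports the process actually needs, and everything else is either removed or carries a documented risk-assessment exception. The following is an added example, not code from the DOE document or any vendor. It parses constructed `ss -tulnp` output from a hypothetical Modbus/DNP3 control server (the daemon names `modbusd` and `dnp3d` and the allowlist are assumptions) and reports every listener the allowlist does not justify, distinguishing loopback-only listeners from network-reachable ones and flagging an approved port that has been taken over by an unexpected process.

```python
"""Compare a control server's listening services against an allowlist.

Added example, not from the DOE document. The `ss -tulnp` output below is
constructed; the allowlist is a hypothetical view of what a Modbus/DNP3
control server needs. Everything else is reported for removal or for a
documented risk-assessment exception, as step 4 directs.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port process")

# Constructed `ss -tulnp` output from a hypothetical control server.
SAMPLE_SS = """\
Netid  State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
tcp    LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
tcp    LISTEN  0       128     0.0.0.0:502          0.0.0.0:*          users:(("modbusd",pid=950,fd=5))
tcp    LISTEN  0       100     0.0.0.0:25           0.0.0.0:*          users:(("master",pid=1001,fd=13))
tcp    LISTEN  0       128     [::]:80              [::]:*             users:(("apache2",pid=1100,fd=4))
udp    UNCONN  0       0       0.0.0.0:161          0.0.0.0:*          users:(("snmpd",pid=700,fd=6))
tcp    LISTEN  0       5       127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=640,fd=7))
tcp    LISTEN  0       128     0.0.0.0:20000        0.0.0.0:*          users:(("dnp3d",pid=960,fd=5))
"""

# Hypothetical allowlist: (protocol, port) -> process expected to own it.
APPROVED = {
    ("tcp", 502): "modbusd",    # Modbus/TCP to field devices
    ("tcp", 20000): "dnp3d",    # DNP3 over TCP
    ("tcp", 22): "sshd",        # management access (restricted at the firewall)
}


def parse_ss(output):
    """Parse `ss -tulnp` lines into Listener records, skipping the header."""
    listeners = []
    for line in output.strip().splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        proto, local = parts[0], parts[4]
        addr, port = local.rsplit(":", 1)
        match = re.search(r'\(\("([^"]+)"', line)
        listeners.append(Listener(proto, addr, int(port), match.group(1) if match else "?"))
    return listeners


def find_unneeded(listeners, approved=APPROVED):
    """Return (port, process, reason) for every listener the allowlist does not justify."""
    findings = []
    for lst in listeners:
        expected = approved.get((lst.proto, lst.port))
        if expected is None:
            reach = "loopback only" if lst.addr in ("127.0.0.1", "[::1]") else "network-reachable"
            findings.append((lst.port, lst.process,
                             f"not in allowlist ({reach}); disable or justify by risk assessment"))
        elif expected != lst.process:
            findings.append((lst.port, lst.process,
                             f"approved port owned by unexpected process (expected {expected})"))
    return sorted(findings)


if __name__ == "__main__":
    for port, proc, reason in find_unneeded(parse_ss(SAMPLE_SS)):
        print(f"{port:>6} {proc:<10} {reason}")
```

On the sample the SMTP, HTTP, SNMP and CUPS listeners are reported and the three control/management ports pass. Feeding it live output (`ss -tulnp | python3 this_script.py`, with `SAMPLE_SS` replaced by `sys.stdin.read()`) and running it from a scheduled job gives a simple drift check that any later-enabled service trips.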
8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring.
To be able to effectively respond to cyber attacks, establish an intrusion detection strategy that includes alerting network administrators of malicious network activity originating from internal or external sources. Intrusion detection system monitoring is essential 24 hours a day; this capability can be easily set up through a pager. Additionally, incident response procedures must be in place to allow an effective response to any attack. To complement network monitoring, enable logging on all systems and audit system logs daily to detect suspicious activity as soon as possible.
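The daily log audit called for in this step, as an added example that is not part of the DOE document: a small script that parses a day's worth of constructed log lines and flags two kinds of suspicious activity, repeated failed logins for one user from one source and connections into a SCADA host from outside the control network. The log format, host names, the 10.10.0.0/16 control-network range and the failure threshold are all assumptions for illustration.

```python
"""Daily log audit over constructed sample log lines.

Added example, not code from the DOE document. The log format, host names,
address ranges and thresholds are assumptions for illustration.
Format: '<ISO timestamp> <host> <event> key=value ...'
Events used: 'login' (user, src, result=ok|fail) and 'connect' (src, dst, port).
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not real captured data).
SAMPLE_LOGS = """\
2002-09-09T02:10:01 hmi01 login user=operator src=10.10.1.5 result=ok
2002-09-09T02:11:44 hmi01 login user=admin src=10.10.1.20 result=fail
2002-09-09T02:11:49 hmi01 login user=admin src=10.10.1.20 result=fail
2002-09-09T02:11:53 hmi01 login user=admin src=10.10.1.20 result=fail
2002-09-09T02:11:58 hmi01 login user=admin src=10.10.1.20 result=fail
2002-09-09T02:12:03 hmi01 login user=admin src=10.10.1.20 result=fail
2002-09-09T03:00:12 rtu07 connect src=192.0.2.44 dst=10.10.2.7 port=502
2002-09-09T03:05:30 hist01 connect src=10.10.1.5 dst=10.10.3.2 port=1433
2002-09-09T03:20:00 hmi02 login user=engineer src=10.10.1.6 result=ok
"""

SCADA_ZONE = ip_network("10.10.0.0/16")   # assumed control-network address range
FAILED_LOGIN_THRESHOLD = 5                 # assumed: 5 failures for one user/source

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<event>\S+) (?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict of fields, or None if the line does not fit the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "event": m.group("event")}
    for kv in m.group("rest").split():
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        rec[key] = value
    return rec


def audit(log_text):
    """Scan a day's logs and return a list of findings, oldest first."""
    failures = Counter()
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            # Lines that do not parse deserve a look too: tampered or truncated logs
            findings.append({"kind": "unparseable", "line": line})
            continue
        if rec["event"] == "login" and rec.get("result") == "fail":
            key = (rec["host"], rec.get("user"), rec.get("src"))
            failures[key] += 1
            if failures[key] == FAILED_LOGIN_THRESHOLD:  # report once per key
                findings.append({"kind": "repeated_failed_login", "host": rec["host"],
                                 "user": rec.get("user"), "src": rec.get("src"),
                                 "count": failures[key], "ts": rec["ts"]})
        elif rec["event"] == "connect":
            src = rec.get("src")
            try:
                inside = src is not None and ip_address(src) in SCADA_ZONE
            except ValueError:          # malformed address: treat as not trusted
                inside = False
            if not inside:
                findings.append({"kind": "external_source", "host": rec["host"],
                                 "src": src, "dst": rec.get("dst"),
                                 "port": rec.get("port"), "ts": rec["ts"]})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOGS):
        print(finding)
```

Run against the constructed sample it reports the five failed admin logins on hmi01 and the connection to rtu07 from 192.0.2.44. In practice the same two checks are run over the real log sources named in the step (every system, every day), with the threshold and zone ranges taken from the site's own baseline.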
9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns.
Technical audits of SCADA devices and networks are critical to ongoing security effectiveness. Many commercial and open-source security tools are available that allow system administrators to conduct audits of their systems/networks to identify active services, patch level, and common vulnerabilities. The use of these tools will not solve systemic problems, but will eliminate the “paths of least resistance” that an attacker could exploit. Analyze identified vulnerabilities to determine their significance, and take corrective actions as appropriate. Track corrective actions and analyze this information to identify trends. Additionally, retest systems after corrective actions have been taken to ensure that vulnerabilities were actually eliminated. Scan non-production environments actively to identify and address potential problems.
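The audit, corrective action and retest cycle described in this step, as an added example that is not part of the DOE document: scanner output (constructed inline, no host is contacted) is compared against an authorized-service baseline, each unexpected listening service becomes a tracked finding with a recorded corrective action, and a second scan decides whether the finding is really closed. Host names, ports and the baseline are assumptions for illustration.

```python
"""Audit triage: compare scanner output with the authorized-service baseline,
record corrective actions and confirm closure on retest.

Added example, not code from the DOE document. Hosts, ports and scan results
are constructed inline; nothing on the network is contacted.
"""
from collections import Counter
from dataclasses import dataclass

# Authorized listening TCP ports per host (assumed baseline).
BASELINE = {
    "hmi01": {22, 443},
    "hist01": {22, 1433},
    "rtu07": {502},
}

# Constructed output of a port scan before corrective action: host -> open ports.
SCAN_BEFORE = {
    "hmi01": {22, 443, 23},      # telnet listening, not in baseline
    "hist01": {22, 1433, 135},   # RPC endpoint mapper, not in baseline
    "rtu07": {502},
    "eng05": {22, 80},           # host not in the baseline at all
}

# Constructed rescan after corrective actions: eng05 gone, hmi01 telnet closed,
# hist01 still has 135 open.
SCAN_AFTER = {
    "hmi01": {22, 443},
    "hist01": {22, 1433, 135},
    "rtu07": {502},
}


@dataclass
class Finding:
    host: str
    port: int
    reason: str
    status: str = "open"      # open -> fixed | still_open after retest
    action: str = ""          # corrective action recorded by the administrator


def compare(baseline, scan):
    """Return a finding for every open port the baseline does not authorize."""
    findings = []
    for host in sorted(scan):
        allowed = baseline.get(host)
        if allowed is None:
            for port in sorted(scan[host]):
                findings.append(Finding(host, port, "host not in baseline"))
            continue
        for port in sorted(scan[host] - allowed):
            findings.append(Finding(host, port, "service not in baseline"))
    return findings


def record_action(findings, host, port, action):
    """Attach the corrective action taken to the matching finding."""
    for f in findings:
        if f.host == host and f.port == port:
            f.action = action


def retest(findings, scan_after):
    """Mark each finding from a fresh scan; the ticket alone is not evidence of closure."""
    for f in findings:
        f.status = "still_open" if f.port in scan_after.get(f.host, set()) else "fixed"
    return findings


def summarize(findings):
    """Counts by status: the figure to track across audit cycles to see trends."""
    return dict(Counter(f.status for f in findings))


if __name__ == "__main__":
    found = compare(BASELINE, SCAN_BEFORE)
    record_action(found, "hmi01", 23, "disabled telnet service")
    record_action(found, "eng05", 22, "host decommissioned")
    record_action(found, "eng05", 80, "host decommissioned")
    record_action(found, "hist01", 135, "vendor patch requested")
    for f in retest(found, SCAN_AFTER):
        print(f)
    print(summarize(found))
```

The retest deliberately ignores the recorded action and looks only at the new scan, which is the point the step makes: a corrective action is closed when the rescan no longer shows the service, not when someone says it was done.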
10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security.
Any location that has a connection to the SCADA network is a target, especially unmanned or unguarded remote sites. Conduct a physical security survey and inventory access points at each facility that has a connection to the SCADA system. Identify and assess any source of information including remote telephone/computer network/fiber optic cables that could be tapped; radio and microwave links that are exploitable; computer terminals that could be accessed; and wireless local area network access points. Identify and eliminate single points of failure. The security of the site must be adequate to detect or prevent unauthorized access. Do not allow “live” network access points at remote, unguarded sites simply for convenience.
11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios.
Establish a “Red Team” to identify potential attack scenarios and evaluate potential system vulnerabilities. Use a variety of people who can provide insight into weaknesses of the overall network, SCADA systems, physical systems, and security controls. People who work on the system every day have great insight into the vulnerabilities of your SCADA network and should be consulted when identifying potential attack scenarios and possible consequences. Also, ensure that the risk from a malicious insider is fully evaluated, given that this represents one of the greatest threats to an organization. Feed information resulting from the “Red Team” evaluation into risk management processes to assess the information and establish appropriate protection strategies.
The following steps focus on management actions to establish an effective cyber security program:
12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users.
Organization personnel need to understand the specific expectations associated with protecting information technology resources through the definition of clear and logical roles and responsibilities. In addition, key personnel need to be given sufficient authority to carry out their assigned responsibilities. Too often, good cyber security is left up to the initiative of the individual, which usually leads to inconsistent implementations and ineffective security. Establish a cyber security organizational structure that defines roles and responsibilities and clearly identifies how cyber security issues are escalated and who is notified in an emergency.
13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection.
Develop and document a robust information security architecture as part of a process to establish an effective protection strategy. It is essential that organizations design their networks with security in mind and continue to have a strong understanding of their network architecture throughout its lifecycle. Of particular importance, an in-depth understanding of the functions that the systems perform and the sensitivity of the stored information is required. Without this understanding, risk cannot be properly assessed and protection strategies may not be sufficient. Documenting the information security architecture and its components is critical to understanding the overall protection strategy, and identifying single points of failure.
14. Establish a rigorous, ongoing risk management process.
A thorough understanding of the risks to network computing resources from denial-of-service attacks and the vulnerability of sensitive information to compromise is essential to an effective cyber security program. Risk assessments form the technical basis of this understanding and are critical to formulating effective strategies to mitigate vulnerabilities and preserve the integrity of computing resources. Initially, perform a baseline risk analysis based on a current threat assessment to use for developing a network protection strategy. Due to rapidly changing technology and the emergence of new threats on a daily basis, an ongoing risk assessment process is also needed so that routine changes can be made to the protection strategy to ensure it remains effective. Fundamental to risk management is identification of residual risk with a network protection strategy in place and acceptance of that risk by management.
15. Establish a network protection strategy based on the principle of defense-in-depth.
A fundamental principle that must be part of any network protection strategy is defense-in-depth. Defense-in-depth must be considered early in the design phase of the development process, and must be an integral consideration in all technical decision-making associated with the network. Utilize technical and administrative controls to mitigate threats from identified risks to as great a degree as possible at all levels of the network. Single points of failure must be avoided, and cyber security defense must be layered to limit and contain the impact of any security incidents. Additionally, each layer must be protected against other systems at the same layer. For example, to protect against the insider threat, restrict users to access only those resources necessary to perform their job functions.
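The layered, least-privilege access model this step describes, as an added example that is not part of the DOE document: an operation on a SCADA resource is permitted only when three independent layers each allow it (the source network zone, the user's role, and the per-resource assignment that keeps users of one device away from another device at the same layer), and anything not explicitly listed is denied. The zone ranges, role names, resource names and operations are assumptions for illustration.

```python
"""Layered (defense-in-depth) authorization check with default deny.

Added example, not code from the DOE document. Zones, roles, resources and
operations are assumptions chosen for illustration.
"""
from ipaddress import ip_address, ip_network

# Layer 1: network zones (assumed address ranges) and what each zone may reach.
ZONES = {
    "control": ip_network("10.10.0.0/16"),
    "corporate": ip_network("10.20.0.0/16"),
}
ZONE_ACCESS = {
    "control": {"plc_read", "plc_write", "historian_read"},
    "corporate": {"historian_read"},      # corporate users never write to a PLC
}

# Layer 2: role -> permitted operations (least privilege per job function).
ROLE_ACCESS = {
    "operator": {"plc_read", "plc_write"},
    "engineer": {"plc_read", "plc_write", "historian_read"},
    "analyst": {"historian_read"},
}

# Layer 3: which roles are assigned to each individual resource, so that a role
# entitled to "plc_write" in general still cannot reach every PLC at that layer.
RESOURCE_CLASS = {"plc-substation-3": "plc", "historian": "historian"}
RESOURCE_ASSIGNMENT = {
    "plc-substation-3": {"operator", "engineer"},
    "historian": {"analyst", "engineer"},
}


def zone_of(src_ip):
    """Name of the zone containing src_ip, or None if it is in no known zone."""
    try:
        ip = ip_address(src_ip)
    except ValueError:
        return None
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def authorize(role, src_ip, resource, operation):
    """Return (allowed, reason). Every layer is consulted independently and the
    first layer that does not explicitly permit the request denies it."""
    resource_class = RESOURCE_CLASS.get(resource)
    if resource_class is None:
        return False, f"unknown resource {resource}"
    op = f"{resource_class}_{operation}"

    zone = zone_of(src_ip)
    if zone is None:
        return False, f"source {src_ip} is outside all known zones"
    if op not in ZONE_ACCESS.get(zone, set()):
        return False, f"zone {zone} may not {op}"
    if op not in ROLE_ACCESS.get(role, set()):
        return False, f"role {role} may not {op}"
    if role not in RESOURCE_ASSIGNMENT.get(resource, set()):
        return False, f"role {role} is not assigned to {resource}"
    return True, "all layers permit"


if __name__ == "__main__":
    requests = [
        ("operator", "10.10.1.5", "plc-substation-3", "write"),
        ("engineer", "10.20.3.4", "plc-substation-3", "write"),   # blocked at zone layer
        ("analyst", "10.10.1.5", "plc-substation-3", "read"),     # blocked at role layer
        ("engineer", "192.0.2.1", "historian", "read"),           # no known zone
    ]
    for req in requests:
        print(req, "->", authorize(*req))
```

The value of keeping the layers separate is visible in the second request: an engineer who is entitled to write to that PLC is still refused when the request arrives from the corporate zone, so a compromised corporate workstation or a misused engineering account does not by itself reach the process.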
16. Clearly identify cyber security requirements.
Organizations and companies need structured security programs with mandated requirements to establish expectations and allow personnel to be held accountable. Formalized policies and procedures are typically used to establish and institutionalize a cyber security program. A formal program is essential for establishing a consistent, standards-based approach to cyber security throughout an organization and eliminates sole dependence on individual initiative. Policies and procedures also inform employees of their specific cyber security responsibilities and the consequences of failing to meet those responsibilities. They also provide guidance regarding actions to be taken during a cyber security incident and promote efficient and effective actions during a time of crisis. As part of identifying cyber security requirements, include user agreements and notification and warning banners. Establish requirements to minimize the threat from malicious insiders, including the need for conducting background checks and limiting network privileges to those absolutely necessary.
17. Establish effective configuration management processes.
A fundamental management process needed to maintain a secure network is configuration management. Configuration management needs to cover both hardware configurations and software configurations. Changes to hardware or software can easily introduce vulnerabilities that undermine network security. Processes are required to evaluate and control any change to ensure that the network remains secure. Configuration management begins with well-tested and documented security baselines for your various systems.
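The baseline-driven change control this step asks for, as an added example that is not part of the DOE document: each system's documented security baseline is hashed in canonical form, a current configuration snapshot is compared against it, and every difference is reported as either an approved change (it matches a recorded change request) or unauthorized drift. The host names, configuration keys, settings and change-request ids are constructed for illustration.

```python
"""Configuration baseline drift check for change control.

Added example, not code from the DOE document. Hosts, configuration keys,
values and change-request ids are constructed for illustration.
"""
import hashlib
import json


def config_hash(config):
    """SHA-256 of the configuration in canonical JSON, so key order does not matter."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


# Documented, tested security baseline per system (assumed).
BASELINE = {
    "hmi01": {"telnet": "disabled", "ssh": "enabled",
              "ntp_server": "10.10.0.1", "warning_banner": "enabled"},
    "fw-scada": {"default_policy": "deny",
                 "allow_in": ["10.10.1.0/24:443"], "logging": "all"},
}

# Change requests that went through evaluation and approval (constructed).
APPROVED_CHANGES = [
    {"id": "CR-0001", "host": "fw-scada", "key": "allow_in",
     "new": ["10.10.1.0/24:443", "10.10.1.0/24:22"]},
]

# Current configuration snapshot pulled from the systems (constructed): the
# firewall change matches CR-0001, but telnet on hmi01 was re-enabled by hand.
CURRENT = {
    "hmi01": {"telnet": "enabled", "ssh": "enabled",
              "ntp_server": "10.10.0.1", "warning_banner": "enabled"},
    "fw-scada": {"default_policy": "deny",
                 "allow_in": ["10.10.1.0/24:443", "10.10.1.0/24:22"], "logging": "all"},
}


def diff_config(baseline, current):
    """List (key, baseline_value, current_value) for every key that differs."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        if baseline.get(key) != current.get(key):
            changes.append((key, baseline.get(key), current.get(key)))
    return changes


def check_drift(baseline_all, current_all, approved):
    """Report every difference from baseline as approved or unauthorized."""
    approved_index = {(c["host"], c["key"]): c for c in approved}
    report = []
    for host in sorted(set(baseline_all) | set(current_all)):
        base = baseline_all.get(host, {})
        cur = current_all.get(host, {})
        if config_hash(base) == config_hash(cur):
            continue                      # unchanged: nothing to review
        for key, old, new in diff_config(base, cur):
            cr = approved_index.get((host, key))
            if cr is not None and cr["new"] == new:
                report.append({"host": host, "key": key,
                               "status": "approved", "change": cr["id"]})
            else:
                report.append({"host": host, "key": key,
                               "status": "unauthorized", "old": old, "new": new})
    return report


if __name__ == "__main__":
    for entry in check_drift(BASELINE, CURRENT, APPROVED_CHANGES):
        print(entry)
```

Once an approved change is verified in place, the baseline itself is updated (and re-hashed) so that the next comparison starts from the new documented state; anything still reported as unauthorized is either reverted or sent through the evaluation process the step describes.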
18. Conduct routine self-assessments.
Robust performance evaluation processes are needed to provide organizations with feedback on the effectiveness of cyber security policy and technical implementation. A sign of a mature organization is one that is able to self-identify issues, conduct root cause analyses, and implement effective corrective actions that address individual and systemic problems. Self-assessment processes that are normally part of an effective cyber security program include routine scanning for vulnerabilities, automated auditing of the network, and self-assessments of organizational and individual performance.
19. Establish system backups and disaster recovery plans.
Establish a disaster recovery plan that allows for rapid recovery from any emergency (including a cyber attack). System backups are an essential part of any plan and allow rapid reconstruction of the network. Routinely exercise disaster recovery plans to ensure that they work and that personnel are familiar with them. Make appropriate changes to disaster recovery plans based on lessons learned from exercises.
20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance.
Effective cyber security performance requires commitment and leadership from senior managers in the organization. It is essential that senior management establish an expectation for strong cyber security and communicate this to their subordinate managers throughout the organization. It is also essential that senior organizational leadership establish a structure for implementation of a cyber security program. This structure will promote consistent implementation and the ability to sustain a strong cyber security program. It is then important for individuals to be held accountable for their performance as it relates to cyber security. This includes managers, system administrators, technicians, and users/operators.
21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls.
Release data related to the SCADA network only on a strict, need-to-know basis, and only to persons explicitly authorized to receive such information. “Social engineering,” the gathering of information about a computer or computer network via questions to naive users, is often the first step in a malicious attack on computer networks. The more information revealed about a computer or computer network, the more vulnerable the computer/network is. Never divulge data related to a SCADA network, including the names and contact information about the system operators/administrators, computer operating systems, and/or physical and logical locations of computers and network systems over telephones or to personnel unless they are explicitly authorized to receive such information. Any requests for information by unknown persons need to be sent to a central network security location for verification and fulfillment. People can be a weak link in an otherwise secure network. Conduct training and information awareness campaigns to ensure that personnel remain diligent in guarding sensitive network information, particularly their passwords.
For further information, please contact:
The President’s Critical Infrastructure Protection Board
Office of Energy Assurance
U.S. Department of Energy
202/287-1808
Office of Independent Oversight and Performance Assurance
U.S. Department of Energy
301/903-3777