Securing a SCADA network from attack

Palo Alto Networks
By Gavin Coulthard, Palo Alto Networks’ Manager of Systems Engineering for Australia/New Zealand
Tuesday, 27 May, 2014

Organisations such as utilities companies must take extra steps to secure their SCADA and industrial control systems from cyberattack.

To avoid severe infrastructure attacks, manufacturing and utility organisations must deploy extra cybersecurity measures to reduce the risk of attacks on critical supervisory control and data acquisitions systems (SCADA) and industrial control systems (ICS).

SCADA and ICS are commonly used in the electrical, water, oil and gas industries.

“These systems have a much higher chance of being attacked by cybercriminals because of the pervasiveness of enterprise data centre environments,” says Gavin Coulthard, Palo Alto Networks’ Manager of Systems Engineering for Australia/New Zealand. “Attackers are attracted to the various monitoring tasks, from temperature and humidity to air flow and uninterruptible power supply losses.”

The most well-known SCADA attack was probably Stuxnet, a malware that launched a sophisticated attack on an Iranian nuclear facility back in 2010. Since then, SCADA and ICS systems have become more and more vulnerable.

There is also a new threat prevailing where an attack can occur from internal networks, not necessarily from the internet directly. Because of this, SCADA attacks now yield even more financial incentives to attackers aiming to access valuable data sources.

“In addition, many SCADA control systems are managed from ageing Windows servers and desktops, such as Windows XP, that cannot be upgraded as the control software doesn’t run on newer versions of Windows or the upgrade cost is prohibitive,” says Coulthard. “This leaves organisations in a precarious position.”

Coulthard says there are five ways to protect SCADA and ICS networks.

The first is to use advanced cyber protection. Measures such as next-generation firewalls work by building a SCADA security zone, which isolates processes from the rest of the network and creates a safety hub.

The second way is to secure access to the SCADA zone. Processes should be put in place to tie security policies with user identities to ensure non-authorised users are denied access. Systems such as a Secure Sockets Layer (SSL) Virtual Private Network (VPN) can achieve this.

The third step is to eliminate the risk of having to manage multiple ports. Management or backdoor applications like RDP and Telnet can help ensure each port is protected.

The fourth way is to deploy a complete vulnerability protection framework. An entire framework will inspect all traffic traversing the SCADA zone for exploits, malware, botnet and targeted threats.

And the fifth step is to ensure protection from unsupported operating systems. Using a next-generation firewall effectively detects and defends against Windows XP and SCADA application-specific attacks across the network so organisations using SCADA environments have ongoing protection despite the withdrawal of support for Windows XP.

“Today’s cyberattacks on SCADA and ICS systems are incredibly targeted, sophisticated and persistent, which means businesses must implement the right measures to guarantee complete protection of critical infrastructure,” says Coulthard.