SCADA and Secure Infrastructure
Recently Chuck McAuley wrote about how his father taught him to “think sideways,” or maintain a fresh perspective. I would go so far as to suggest that in an environment like infosec, where the technology is in a constant state of rapid flux, the biggest and most important takeaways are not any particular infosec trick, fact or nugget, but rather general heuristics and guidelines: the ability to take concepts like SQL injection and overflow exploits and look for new variants and twists on a theme.
In a way it reminds me of a scene from one of my favorite movies, Serenity, where a teacher explains to her class, “….we're not telling people what to think. We're just trying to show them how.”
So one of the first things to work on is getting industrial infrastructure folks to think more like security folks, which is the first step on the necessary road to “baking security in” rather than “bolting it on.” It can be hard to grasp how large the difference in mindset is until you reflect on the fact that SCADA systems may include machines and equipment with lifespans measured in decades, where the expectation is more “set and forget” than “patch often.”
Once you bridge the Great Divide and get away from magical thinking like “nobody knows this system is here, so how will they hack it?” or “nobody outside this industry understands SCADA or other industrial control protocols” (for what it's worth, one of our all-time most popular blog posts is “SCADA Distributed Network Protocol (DNP3)”), there are other things you can do to enhance the security of the systems in question, whether at a petrochemical plant or a water treatment facility.
Segment that network – or better yet, air gap it. As Stuxnet so capably illustrated, sufficiently careless users (and the removable media they carry) can bridge an air gap for the bad guys, but outside edge cases like that, an air gap is hard to cross. Regardless, don’t allow connections to the internet.
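One way to turn “segment it and don’t let it reach the internet” into something you can actually check is to write the zone policy down as an allow-list and run your flow logs against it. The following is an added example, not code from the original post: the zone ranges, host addresses, flow-log format and allow-list are constructed assumptions for a simplified Purdue-style layout, and the only real-world values are the registered ports for Modbus/TCP (502) and DNP3 (20000).

```python
"""Segmentation audit for a SCADA/ICS network.

Added example, not code from the original post. Zone ranges, host addresses
and the allow-list below are constructed assumptions standing in for a
simplified Purdue-style layout:

    control     10.10.0.0/24   PLCs, RTUs, HMIs (no path to the internet)
    dmz         10.20.0.0/24   historian / patch-staging hosts
    enterprise  10.30.0.0/16   office network

Any address outside these ranges, including every public address, is treated
as "external". Flow records are evaluated against an allow-list; anything not
explicitly permitted is a finding (default deny).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ZONES: Dict[str, ipaddress.IPv4Network] = {
    "control": ipaddress.ip_network("10.10.0.0/24"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "enterprise": ipaddress.ip_network("10.30.0.0/16"),
}

# (src_zone, dst_zone) -> set of permitted (protocol, destination port).
# Modbus/TCP (502) and DNP3 (20000) stay inside the control zone, except for
# the DMZ historian polling outstations. Enterprise users only reach the DMZ
# over HTTPS. No pair involving "external" appears here, so the control zone
# can never legitimately talk to, or be reached from, the internet.
POLICY: Dict[Tuple[str, str], Set[Tuple[str, int]]] = {
    ("control", "control"): {("tcp", 502), ("tcp", 20000)},
    ("dmz", "control"): {("tcp", 502), ("tcp", 20000)},
    ("enterprise", "dmz"): {("tcp", 443)},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Finding:
    severity: str
    flow: Flow
    reason: str


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or "external" if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line: str) -> Flow:
    """Parse one flow-log line in the constructed format 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def audit(log_text: str) -> List[Finding]:
    """Return one Finding per flow that the segmentation policy does not permit."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
        if (flow.proto, flow.dport) in POLICY.get((src_zone, dst_zone), set()):
            continue  # explicitly allowed
        if src_zone == "control" and dst_zone == "external":
            findings.append(Finding("CRITICAL", flow,
                "control host reached a public address: the air gap is not an air gap"))
        elif src_zone == "external" and dst_zone == "control":
            findings.append(Finding("CRITICAL", flow,
                "public address reached a control host directly"))
        else:
            findings.append(Finding("HIGH", flow,
                f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} is not in the allow-list"))
    return findings


# Constructed sample flow log (not captured traffic). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges used here to stand for the internet.
SAMPLE_FLOWS = """\
# src           dst             proto dport
10.20.0.5       10.10.0.21      tcp   20000
10.10.0.21      10.10.0.22      tcp   502
10.30.4.17      10.20.0.5       tcp   443
10.10.0.40      203.0.113.10    tcp   443
10.30.4.17      10.10.0.21      tcp   3389
10.10.0.21      10.10.0.22      udp   161
198.51.100.7    10.10.0.21      tcp   22
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f.severity:8} {f.flow.src} -> {f.flow.dst} "
              f"{f.flow.proto}/{f.flow.dport}: {f.reason}")
```

Run against the constructed log, this flags four of the seven flows: a control host talking HTTPS to a public address and a public address reaching an outstation on SSH (both CRITICAL), plus an enterprise workstation trying RDP into the control zone and SNMP between controllers that the allow-list never permitted (both HIGH). The point of keeping the policy as data rather than buried in firewall syntax is that the same allow-list can drive the rules you deploy and the audit that confirms they held.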
Defense in depth – your SCADA systems are like the castle at the center of a series of concentric walls and moats. No wall is unscalable, no moat uncrossable, no NGFW unbreachable, but when they are deployed in depth it becomes very hard to get to the chewy middle.
Updates – even though it will be harder than you would like once you have isolated your SCADA systems from the internet, there will still be opportunities to patch and update, and where it makes sense you should seize them and keep those systems as up to date as you can. You should not open holes in the firewall so that machines can update themselves, nor would you want to expose yourself to the risk of an autoupdate clobbering a system, when you can instead do manual, scheduled and planned updates rather than letting a failed automatic update turn into an inadvertent denial of service against your own SCADA systems.
Security by obscurity is dead, and the sooner this is understood the better. While no defense is perfect, one of the best things you can do to start down the path to more secure SCADA is to get infrastructure teams into a security mindset. Once that is done, much of the rest comes down to details.