Blog post by Kevin Garman, Project Engineer at SCADAware
Security breaches are becoming an almost daily occurrence. No useful computer system is truly safe from attack, but just a few basic precautions can go a long way. Complete security cannot be guaranteed, and to claim otherwise would be ridiculous. The good news is that a computer system’s security can be greatly increased by following some simple best practices.
Here are four ways to quickly improve the security of your SCADA (or other) system:
- Run with the lowest privilege possible.
If a user needs to access an application, give that one user access to that one application…not the entire machine. Many times a user or process is given many more permissions than are really needed simply because it’s easier than figuring out what level of security is actually appropriate. Blanket removal of security restrictions may be a useful troubleshooting tool, but should not be used as the final solution. Many a support call to SCADA software vendors has ended with the suggestion to just give “Everyone” permission…DCOM comes to mind. Naturally, these same SCADA vendors tout the security of their products!
- Multiple strong passwords
Long, complex passwords can be virtually uncrackable. The goal is to make brute force password cracking impractical. Using a random mixture of uppercase, lowercase, numbers, and symbols, and using a lot of them (at least 10), means that any attempt to crack the password will take too long to be useful to the attacker. Additionally, don’t use one password for everything. If one portion of your system is compromised, you don’t want to simply give away the rest of your system.
- Keep your system up-to-date
This flies in the face of the conventional wisdom of “don’t fix what ain’t broke”. No one wants to risk downtime due to applying a bad Windows update, but an unpatched server can quickly become a sieve of security holes. One way to greatly reduce the risk of an update gone wrong is to use virtualization and snapshots.
- Use application whitelisting
Tell the OS (operating system) what applications are allowed to run. Take the stance of whitelisting a few, rather than blacklisting many. It’s much easier (and more effective) to give one app permission to run than it is to ban hundreds or thousands of apps from running.
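A small model of the whitelisting point above, as an added example that is not part of the original post: it compares a name-based blacklist with a default-deny whitelist keyed on SHA-256 file hashes. The file names, file contents and function names are constructed for illustration; a real deployment would use the operating system's own application control feature rather than a script.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash the file contents, so renaming a file does not change its identity."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def blacklist_permits(path, banned_names):
    """Blacklist model: anything whose file name is not banned may run."""
    return os.path.basename(path).lower() not in banned_names

def whitelist_permits(path, approved_hashes):
    """Whitelist model: default deny, only approved content may run."""
    return sha256_of(path) in approved_hashes

def demo():
    """Evaluate four constructed files under both models.

    Returns {label: (blacklist_permits, whitelist_permits)}.
    """
    results = {}
    with tempfile.TemporaryDirectory() as d:
        def write(name, data):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            return p
        # Constructed stand-ins for executables (not real binaries).
        hmi = write("hmi_client.exe", b"constructed approved HMI binary")
        tool = write("badtool.exe", b"constructed unwanted tool")
        renamed = write("update_helper.exe", b"constructed unwanted tool")
        modified = write("hmi_client_v2.exe", b"constructed HMI binary, changed")

        banned = {"badtool.exe"}      # blacklist: one known-bad name
        approved = {sha256_of(hmi)}   # whitelist: one approved application
        cases = [("hmi", hmi), ("tool", tool),
                 ("renamed", renamed), ("modified", modified)]
        for label, p in cases:
            results[label] = (blacklist_permits(p, banned),
                              whitelist_permits(p, approved))
    return results

if __name__ == "__main__":
    for label, (bl, wl) in demo().items():
        print(f"{label:9} blacklist permits={bl!s:5} whitelist permits={wl}")
```

The "modified" case shows the operational cost of hash rules: any change to an approved binary, including a legitimate update, is blocked until the new hash is approved, so the whitelist has to be maintained alongside patching.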
The struggle is finding a balance between security and usability. A completely secure system would be useless, and an infinitely flexible, easy-to-use system would have no security. The steps outlined here are very basic and should have a low impact on the usability of a SCADA system while at the same time greatly enhancing its security. For more ideas on how to secure your SCADA/computer systems, take a look at this list of security practices published by the Australian Signals Directorate. [Strategies to Mitigate Targeted Cyber Intrusions]
Any SCADA system is only as secure as the operating system it runs under. Perversely, the more popular choice is also the least secure, and I would suggest that the security holes in Windows are an outcome of the OS being targeted at the average person. Linux, which is just an operating system in the traditional sense, is more secure, and there are other current operating systems that are almost totally secure, like VMS. We have had users with 8 years of up-time on VMS. While it is likely more expensive, what is the cost of disruptions and a successful attack? I have known of a steel plant (size measured in square miles!) being down for 2 days because of a virus in the crane system. Anyway, that is my self-serving pitch.
Excellent point! It’s unfortunate that all the big names in control/SCADA are so deeply tied to Windows. Being a Linux guy myself, I think it’s great to see products like Inductive Automation’s Ignition SCADA beginning to treat Linux as a first-class citizen.