Slashdot Mirror


Evaluating Or Testing Utility SCADA Security?

EncryptedBit writes "I am a local elected official involved in bringing new water and waste water treatment plants online in a small town. The new plants will incorporate SCADA, which can be used to change operational aspects at the plants, up to forcing a shutdown or changing operational parameters. Can any Slashdotters recommend ways to make sure it is secure? Any testing recommendations? The operational engineers are oblivious to security and SCADA is a new factor, so this concerns me. Any pointers would be appreciated."

8 of 227 comments

  1. Re:From what I understand by Da_Biz · · Score: 3, Informative

    The systems I work on feed data to our SCADA systems. The entire network is completely walled off from the Internet, and even connectivity to our internal (non-operations) network is mediated by extremely secure bastion hosts.

    I can understand that there may be a need for some access (e.g., system pages an operator to send a warning or emergency message), especially as this is a small town. Keep these sorts of connections absolutely to a minimum, and wrap several layers of security around it.

  2. Do NOT connect to the Internet! by RedLeg · · Score: 2, Informative

    It's simple......

    Do NOT, under any circumstances, connect the SCADA systems, including workstations which can control or monitor them, to anything which touches or has access to the Internet. Make SURE that your control and monitor workstations have current AV in place. Do NOT connect them to the net to update the AV, figure out how to do it with sneakernet.

    Further, make SURE you use RFC 1918 addressing for the SCADA systems so that they are not readily routable to the 'net.

    Map the interfaces, and have a AAA (Authentication, Authorization and Accountability) strategy for each. Log EVERYTHING.

    If you use a carrier to link remote sites into a WAN, make them prove to you that their pipes are clean and secure.

    Have Fun......

    Red...
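An added example, not part of RedLeg's comment: one way to check a mapped interface inventory against the addressing advice above. The hostnames, the SCADA subnet and the inventory rows are constructed, and treating a default gateway or a second off-segment interface as a finding is an assumption about what "not readily routable" should mean in practice.

```python
import ipaddress

# The three private blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory: (host, interface, address/prefix, default gateway or None).
# Hostnames and the SCADA subnet are hypothetical.
SCADA_NET = ipaddress.ip_network("10.20.0.0/24")
INVENTORY = [
    ("hmi-01", "eth0", "10.20.0.10/24", None),
    ("plc-gw", "eth0", "10.20.0.20/24", None),
    ("plc-gw", "eth1", "203.0.113.7/29", "203.0.113.1"),   # second, public-side NIC
    ("historian", "eth0", "10.20.0.30/24", "10.20.0.1"),   # has a route off-segment
    ("rtu-07", "eth0", "172.32.4.9/24", None),             # looks private, is not
]

def is_rfc1918(addr):
    """True only for the RFC 1918 blocks (narrower than ipaddress.is_private)."""
    return any(addr in net for net in RFC1918)

def audit(inventory, scada_net):
    """Return (host, interface, problem) tuples for each addressing finding."""
    findings = []
    hosts = {}
    for host, ifname, cidr, gw in inventory:
        iface = ipaddress.ip_interface(cidr)
        hosts.setdefault(host, []).append(iface.ip)
        if not is_rfc1918(iface.ip):
            findings.append((host, ifname, "address outside RFC 1918"))
        if gw is not None and iface.ip in scada_net:
            findings.append((host, ifname, "default gateway on SCADA segment"))
    # A host with one foot on the SCADA segment and one elsewhere bridges the wall.
    for host, addrs in hosts.items():
        inside = [a for a in addrs if a in scada_net]
        outside = [a for a in addrs if a not in scada_net]
        if inside and outside:
            findings.append((host, "*", "dual-homed across SCADA boundary"))
    return findings

if __name__ == "__main__":
    for host, ifname, problem in audit(INVENTORY, SCADA_NET):
        print(f"{host:10} {ifname:5} {problem}")
```
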

  3. At least you are aware of the risks. by Anonymous Coward · · Score: 1, Informative

    I personally witnessed Samba root level shares on SCADA boxes at an oil refinery in Brisbane. As far as I could tell the SCADA boxes were on an independent network but were fully reliant on no internal security.

    Posting anon for obvious reasons.

    Seriously scary.

    1. Re:At least you are aware of the risks. by j35ter · · Score: 2, Informative

      Same thing in steel mills (construction material), seamless pipe manufacturing plants and petrochemical plants in the Middle East...oh, and they were just on a different *logical* network than the corporate machines. My former employer's (industrial automation) SOP is to hook up WEP (yes!!!) encrypted APs on the net so that their specialists had access to the network from everywhere within the plant...

      --
      Delta-Mike November Bravo Tango
  4. VPN by AmericanInKiev · · Score: 2, Informative

    I'm working with an international firm on SCADA - we use a VPN to provide a secure private network.

  5. Re:Don't put it on the Internet! by crossmr · · Score: 4, Informative

    The short answer is, every SCADA system in the Americas is Internet connected, and no one has the balls to tell them to stop

    That's incorrect.
    I used to build SCADA systems and we often included a separate "work terminal" that was connected to the corporate network for workers to access anything outside they needed. It was not connected to SCADA and the SCADA system was not connected to the main corporate network or the internet.

  6. Re:Don't put it on the Internet! by denobug · · Score: 5, Informative

    Wonderware InTouch happens to be one of the most popular flavors of local supervisory system platform. There are very few supervisory systems NOT implemented on the Windows platform. Even DCS nowadays runs on them as well.

  7. Re:Don't put it on the Internet! by Anonymous Coward · · Score: 1, Informative

    I agree with most of what you wrote and I design SCADA systems for nuclear sites... Remote access is a necessity: when there's a (software) problem, I need to access the system and I'm not going to hop on a plane just to see that an operator has pushed the window off the side of the screen or stupid shit like that. Security in one current instance is done through 2 ssh hops with different username/passwords with a previous temp access request on the firewall with yet a different set of credentials. Oh, and also not permitting Windows anywhere near our systems, obviously. Sure, if some idiot publishes all those credentials on the web, we're owned...

    Posted anonymously for obvious reasons as well.