The three most important structures you must get right when setting up SCADA networking for cybersecurity are:
- Network segmentation
- Firewalls
- User privilege management
While there are many other improvements that can be made as a part of an overall defense-in-depth strategy, these three structures will set the base of a strong, cyber-secure SCADA system.
What is Network Segmentation?
Network segmentation means not having just one open network where everything can talk to everything else. Instead, you break up the network into logical segments based on function. That way, if a device were compromised in one segment, you limit the potential spread of malicious behavior. Typically, our segments are divided like this:
- Management network for host servers and switches
- SCADA network for all virtual servers
- Client network for operator workstations and printers
- PLC network for controllers and devices
- I/O network for I/O racks and panel connections
In this situation, if a Windows server were compromised, a malicious actor would not be able to directly compromise a PLC, or vice versa. Only the necessary devices are allowed on each segment, and, with a firewall, only the necessary information is shared between segments.
Why Use Firewalls and Where?
Firewalls go hand in hand with network segmentation. While the segmentation is the structure, the firewall is the enforcer. It enforces your security policy on what information is allowed to be exchanged between network segments. The best practice for the most secure system is to whitelist (allow) what is necessary and deny by default anything that is not specifically allowed. Typically, a home network firewall only blocks traffic in one direction. That is, you are able to send whatever you want out to the internet, but the firewall is only picky about what is allowed in. For SCADA systems, we block everything in both directions by default. This is the most secure scheme, and it works because the applications within a SCADA system are fairly static (unlike your home network, where your family is constantly downloading new apps or connecting new things), so you know where you need data to flow. Because the data flow is defined, we are able to lock things down completely, making it more secure.
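The following is an added example, not part of the original article: a small Python model of the default-deny, both-directions policy described above, run over a handful of connection attempts. The subnets, ports, allowed flows and sample connections are constructed assumptions, not values from the article.

```python
import ipaddress

# Constructed addressing plan for the five segments the article lists.
SEGMENTS = {
    "management": ipaddress.ip_network("10.10.1.0/24"),
    "scada": ipaddress.ip_network("10.10.2.0/24"),
    "client": ipaddress.ip_network("10.10.3.0/24"),
    "plc": ipaddress.ip_network("10.10.4.0/24"),
    "io": ipaddress.ip_network("10.10.5.0/24"),
}

# Hypothetical allowlist, keyed on who INITIATES the connection:
# (source segment, destination segment, protocol, destination port).
ALLOW = {
    ("client", "scada", "tcp", 443),  # operator sessions to SCADA servers
    ("scada", "plc", "tcp", 502),     # Modbus/TCP polling
    ("plc", "io", "udp", 2222),       # EtherNet/IP implicit I/O
}

def segment_of(addr):
    """Map an IP address to its segment name, or None if it is outside the plan."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in SEGMENTS.items() if ip in net), None)

def decide(src, dst, proto, port):
    """Verdict for a new connection: 'local', 'allow' or 'deny'."""
    s, d = segment_of(src), segment_of(dst)
    if s is not None and s == d:
        return "local"  # same segment: never crosses the firewall
    # Default deny in both directions: only an exact allowlist match passes.
    return "allow" if (s, d, proto, port) in ALLOW else "deny"

# Constructed connection attempts (source, destination, protocol, port).
FLOWS = [
    ("10.10.3.15", "10.10.2.10", "tcp", 443),   # client -> SCADA server
    ("10.10.2.10", "10.10.4.20", "tcp", 502),   # SCADA server -> PLC
    ("10.10.4.20", "10.10.2.10", "tcp", 502),   # PLC initiating back to SCADA
    ("10.10.3.15", "10.10.4.20", "tcp", 502),   # workstation straight to PLC
    ("10.10.2.10", "8.8.8.8", "udp", 53),       # server out to the internet
    ("10.10.2.10", "10.10.2.11", "tcp", 1433),  # server to server, same segment
]

def denied(flows):
    """Return the flows the policy rejects, for review or alerting."""
    return [f for f in flows if decide(*f) == "deny"]

if __name__ == "__main__":
    for flow in FLOWS:
        print(decide(*flow), flow)
```

The model covers connection initiation only; reply packets for an allowed connection are assumed to be handled by the firewall's state tracking.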
How Should We Set Up User Privileges?
Once the system is structured and secured, it is important to appropriately manage user privileges. This is most often accomplished using Active Directory, a software component included in Windows Server. Active Directory provides a central database for user management and authentication. It is critical to thoughtfully assign privileges; not all users should be administrators with the ability to install software or configure the operating system. Instead, work from the principle of “least privilege.” Only give users access to what they need and nothing beyond that. Yes, it can be annoying to have to ask an IT administrator to take care of an occasional task that you have the knowledge to complete. However, keep in mind that the principle of “least privilege” is not the principle of “least trust.” Locking down user access is not, primarily, meant to protect against an employee’s malicious intent. Instead, it limits the number of access points that a hacker or malicious software could exploit. If you’ve set up a strong network and firewalls, you don’t want to weaken that defense by allowing access – intentional or unintentional – to destroy it.
Stay Safe, SCADA
Making sure that a SCADA system is secure from outside threats, the internet, or from within the business itself requires a defense-in-depth strategy where cybersecurity best practices are applied at many different levels. The combination of segmentation, firewalls, and user privilege management presented here is a good first step towards building a secure SCADA system that achieves that strategy.