Most security operations people I’ve spoken with at electrical utilities have a good handle on the security vulnerabilities within their own SCADA environments. Their problem is convincing their management to sufficiently fund remediation.
So here are just a few SCADA security related problems we’ve uncovered over the years, which may be of interest to those in control of the purse strings. I’ll mention them in order of NERC CIP compliance standards.
CIP 002-1 Critical Cyber Asset Identification
No central list of critical SCADA related software; no updated SCADA network diagram or configuration lists for SCADA servers.
CIP 003-1 Security Management Controls and CIP 007-1 Systems Security Management
Slim to none clearly written policies for: SCADA IT operations, for corporate IT operations, or for end user acceptable use. No structured regular process of communications between SCADA IT and an executive committee. I’ve never seen a good IT Security Governance process in place. No access privilege lifecycle process for network access for: previous employees, consultants, contractors, vendors, visitors.
CIP 004-1 Personnel and Training
No budget for IT security training for either SCADA operations or for end users. No security awareness program or budgeting for one. No reward system for employees who report suspicious or anomalous activity which might negatively affect security.
CIP 005-1 Electronic Security Perimeter(s)
Direct, unrestricted Internet access from network node points within junction boxes situated in the field. No ongoing regular self initiated internal or external vulnerability assessments. No logical and physical network diagram of key elements or segments of the network. No structured process for implementing patches / revisions including; testing the updates prior to implementation, testing to ensure all intended updates were implemented successfully, insufficient logs of updates or processes for rolling back to a previous stable state. No correlation of vulnerability assessments with current patch / revision levels. No recent evaluation of firewall rules to check for inconsistencies. SCADA network segment relying upon the corporate firewall for SCADA security. No IDS or improperly tuned IDS. No ongoing review of event logs; no correlation of event logs with firewall rules / IDS rules / vulnerability assessments / anti-virus or anti-spam filters.
CIP 006-1 Physical Security of Critical Cyber
Assets Unsecured junction boxes in the field; no physical security alarms on junction boxes or remote stations (attended and unattended) in the field; unsecured doors in at the SCADA operations perimeter. No visitor accompaniment or challenge policy.
CIP 008-1 Incident Reporting and Response Planning and CIP 009-1 Recovery Plans for Critical Cyber Assets
No incident reporting plan, documentation of any sort, or training; no definition of what an incident looks like. Untested or outdated DRP; no BCP. Ad-hoc recovery plan based upon knowledge stored in the heads of IT; difficult to have a recovery plan for critical assets when there is no list of critical assets. No updated, centrally stored list of emergency contacts for: employees, vendors, contractors, emergency services; no emergency escalation plan.
So Who’s to Blame?
In my opinion we certainly can NOT blame the IT folks. They know about the security problems. We especially cannot blame SCADA IT security groups at LDCs as NERC CIP does not mandate LDC compliance. So the blame and responsibility must rest with the senior executives who have governance responsibility for security and who need to create the appropriate IT security budgets to allow their SCADA IT security staff to do their jobs.
Have a secure week. Ron Lepofsky CISSP, CISM www.ere-security.ca