Supervisory control and data acquisition (SCADA) is a control system architecture comprising computers, networked data communications and graphical user interfaces (GUI) for high-level process supervisory management, while also comprising other peripheral devices like programmable logic controllers (PLC) and discrete proportional-integral-derivative (PID) controllers to interface with process plant or machinery. SCADA systems are commonly utilized in industries such as energy, oil and gas, water, power, manufacturing, and many more.
Both the scale and frequency of cyberattacks on SCADA systems has been growing recently. This past February, hackers broke into a water treatment facility in Florida, gained access to an internal ICS platform and changed chemical levels, attempting to making the water unsafe to consume. Luckily, a plant operator immediately noticed and corrected the chemical levels. This type of attack highlights the extreme consequences that attacks on our nation’s SCADA systems can have. To assist SCADA organizations in enhancing their cybersecurity posture, Compass IT Compliance has developed the following checklist of recommendations and best practices:
The Non-Patched Question
A significant number of SCADA systems have not had their operating system (OS) patched for a long time
Improve Authentication
SCADA software has a very basic authentication and authorization, a malicious attacker can very easily crack it and penetrate a SCADA environment
The Data-Communication Threat
Many SCADA protocols were created before the internet era and are not adapted to the web environment
Assess Remote Sites Connected to the SCADA Network
Involve Top Management
Management should establish clear directions regarding its expectations in terms of cybersecurity performance on SCADA environments and interconnecting systems
Steps to Securing SCADA
Following the best practices listed above is only the first step. All organizations should be conducting some form of security assessment with a trusted third-party assessor at least annually, to have an unbiased set of eyes confirm that all risks are being mitigated as much as possible. Compass IT Compliance has spent the past decade serving as that trusted, highly certified third-party IT security assessor for numerous SCADA organizations across the United States. Contact us today to speak with one of our security experts and discuss your unique situation!