One of the most thorough lists about how to achieve network security is "Seven Steps to ICS and SCADA Security" by Eric Byres, PE, CTO and engineering vice president of Tofino Security, a subsidiary of Belden, and John Cusimano, security director at exida Consulting.
SEE ALSO: Caring for Network Caregivers
The steps are:
• Assess Existing Systems. Perform a high-level risk assessment to quantify and rank dangerous risks. This will show users how to prioritize their security funding and projects.
• Document Policies and Procedures. Develop industrial control system (ICS)-specific documents that describe your company policy, standards and procedures for control system security. They should refer back to corporate IT security documents. Separate ICS security documents will help those responsible for ICS security to understand their security-related expectations and responsibilities. Also, become familiar with security regulations and standards for your industry.
• Train Personnel and Contractors. After documenting policies and procedures, make sure senior management supports them, and that staff is aware, trained and follows them.
• Segment the Control System Network. Network segmentation into zones connected by firewalled conduits is the most important tactical step you can take to improve the security of your industrial automation system.
• Control Access to the System. Once your network is partitioned, the next step is to control access to the assets in those zones with physical and logical controls. Physical access controls include locked cabinets, locked doors, fences, etc. Likewise, logical access should include multiple levels of control and authentication.
• Harden the Components. This means locking down functions of the components in your system to prevent unauthorized access or changes, remove unnecessary functions or features, patch any known vulnerabilities, and set configurable options to their most secure settings. This is especially important in modern control systems which use lots of commercial off-the-shelf technology.
• Monitor and Maintain System Security. Maintain vigilance by monitoring and maintaining security throughout the lifecycle of your system. This involves updating antivirus signatures and installing security patches on Windows servers. It also involves monitoring your system for suspicious activity.
Finally, periodically test and assess your system. Assessments involve audits to verify the system is still configured for optimal security as well as updating security controls to the latest standards and best practices. It's vital to remember that effective ICS and SCADA security isn't a one-time project. It's an ongoing, iterative process, so you'll need to repeat the seven steps and update materials and measures as systems, people, business objectives and threats change.
This article is a sidebar item in the 2013 Industrial Networking Q3 cover story "Identify the Network Threat."