Most organizations do not have the ability to detect cyber security incidents within their SCADA System
Our team travels all around the world to conduct onsite SCADA Security assessments of industrial facilities where these plants, factories, and control centers are located. We also travel to conduct SCADA Security training onsite for technicians, operators, and IT personnel. Our field assessments and training events have taken us to almost all of the major industrial areas around the world including: Asia, Australia, Europe, the Middle East, South America, and many locations here in North America.
One thing that we have learned through the years is that most organizations do not have the ability to detect when their SCADA and Industrial Control Systems have been impacted with a cyber security incident. Most industrial organizations agree with the need to secure the perimeter of their control systems with firewalls and tight access control lists, but most facilities have stopped at this point.
The unfortunate truth is that implementing active defense controls is only half of the solution, and most organizations are exposed right now because they do not have the detective controls in place to even know if their SCADA or industrial control systems have been compromised. The fact that recent SCADA and APT attacks like Stuxnet and Night Dragon worked for over 18 months before being identified and detected is reflective of this situation.
Only implementing active defensive cyber security controls is like locking your house door, but forgetting to set the home alarm system. Anyone who picks the door lock, breaks a window, or pushes hard on the door to burst through the door lock can still rob your house, and if you are on vacation, you will not know this until you return to a shell of a house with all of your valuables gone.
A comprehensive defense-in-depth cyber security program must utilize intelligent detection capabilities to complement the active defense systems. IDS / IPS systems, centralized log aggregation from all critical servers and desktops, as well as implementing a centralized SIEM (Security Incident Event Management) console with event correlation can provide vital situational awareness. You cannot control what you do not measure, and if your organization is not measuring the effectiveness of the security controls in place to secure your SCADA and Industrial Control Systems, there is no method for you to know if you are truly secure or not.
If you are responsible for securing your organization's SCADA and Industrial Control Systems, ask yourself this one question: "How do you know if you have been compromised, and how do you know that you are truly in control of your control systems?" Often this will lead you down a path of discussions with system administrators that can hopefully point to security logs, IDS / IPS systems, or other key metrics that can indicate if your system has been compromised.
If you cannot answer this question, now is the time to implement the next wave of security solutions that can provide you with the second half of a sound cyber security program. We recently provided a 4-hour workshop on Incident Management for SCADA and Industrial Control Systems for UTC and NERC, and we have uploaded the PDF for this workshop to our website under the "Presentations" link. Once you register with our site, you can access it here. Don't worry, we never send out any emails to our registered users, and we protect the privacy of our users. We hope this is a helpful briefing, and contact us if you would like more information about assessing the security of your SCADA and Industrial Control Systems.