SCADA is a critical infrastructure used in all kind of large process industries such as electrical power generation, transmission and distribution, oil & gas transport, and water supplies.
SCADA is useful to deliver a complete overview of the process industry. But, one of the most common problems seen in modern SCADA environments is the lack of a SCADA-specific security policy.except for one problem SCADA systems are vulnerable.
Vulnerabilities Listed:
- HMI controller: Can falsify what the operator sees
- sensor-HMI link: Can spy on what the operator sees
- actuator-controller link: Can see what actuators are told to do
- sensor threshold values and settings: Can modify settings
- actuator settings: Can modify settings
Security for SCADA:
SCADA systems require a separate, SCADA-specific security management structure to ensure adequate coverage of all the SCADA system’s advanced features, requirements, and implementation.
The security policy for SCADA administration translates the desired safety and reliability control objectives for the overall business into enforceable di-rection and behaviour for the staff to ensure safe design, implementation and operation of SCADA.
SCADA security framework:
The SCADA policy framework was created to promote the development of a security policy for SCADA.
Using a structure helps writers to use a systematic approach that ensures that all-important issues are adequately addressed by policy.
The model presented here is the result of multiple reviews of SCADA systems and our research to promote the implementation of unique SCADA policies. Over several years, it has been through a lot of development and is still regularly re-evaluated and refined. Any organization can tailor the framework itself.
The framework’s hierarchical nature allows the policy document to adapt to each organization that uses it.
The following sections provide details of what should be included in each part of the policy framework.
SCADA Security Program:
The policy framework’s first box acts as an introduction to the target system and provides context for the remainder of the policy. The information in this class will rarely be policy statements, but it will provide the specifics and concepts required for the rest of the policy.
Organization and Relationships:
It is important to determine the organizational structure and relationships with external entities when deciding that mandatory and optional policy requirement must be implemented by other entities.
An organization’s internal structure is also important for a well-developed security program. It is necessary to define the duties and general obligations of individuals. It allows responsibility to be delegated in subsequent policy chapters.
Information Architecture:
The architecture of SCADA information will provide a common reference point for all policy readers. This section defines system boundaries and equipment, identifies common terminology and any relevant standards of engineering/performance.
Data Categorization and Ownership:
You have to evaluate the process. Some systems can identify data classes so that different data types can be easily identified and different security and processing specifications for each classification can be identified.
Risk Management:
All administration of system security revolves around a program of risk management. Risk management is the reason for the initial creation of policy. It is also the driving factor behind the implementation and security technology.
The objective of all risk management programs is to create an acceptable level of risk by identifying, analyzing and reducing / transfer.
Data Security Policy:
The data security policy defines how the categories of information identified in the Security Program are handled. Different categories of information may have different security criteria that should be defined in this policy.
All software forms (e.g. paper, digital, video, etc.) must be protected by their system criticality. Software labelling and controls that need to be identified are important considerations.
Data Backup Policy:
The rule would specify all the specifics of what information will need to be backed up, how often, and where backups will be kept. It will also define the maintenance schedule for the backups. If there are groups of devices that are excluded from the criteria for backup, they need to be listed.
Platform Security Policy:
Security of the network must recognize defaults in the safe configuration provided by the SCADA framework. Account formation and termination procedures are defined. Clients, Servers, and SCADA systems (RTU / PLC / IED) will each have a different set of rules defining what will entail a stable setup.
Important concepts need to be addressed such as virus checking, intrusion detection, access control, and encryption. Due to the different capabilities of machines, the process for acquiring exceptions to this policy is necessary.
Communication Security Policy:
Communication security defines the routes that data can take through a network, details safety mechanisms for different network segments, establishes security zones, and specifies permissions for external connections.
Personnel Security Policy:
Compared to others on the traditional IT network, staff on the automation network will have different functions and security needs. The plan should represent the SCADA staff’s job requirements and recruitment policies. Such requirements may include requirements for citizenship and employment, background investigations, and clearance requirements.
Configuration Management Policy:
The architecture for configuration management ensures the implementation of a suspendable configuration management program. The plan should list the information and specifications essential for a functional security system.
Internal/External Audit:
The policy of configuration management ensures the implementation of a sustainable process of configuration management. The policy will list the documentation and requirements necessary for a sustainable security system.
Application Policy:
The configuration policy ensures that programs are designed and used in a way that matches the automation system’s security needs. The policy will cover specifics of the criteria for program-level access control, software preparation, and testing and development.
SCADA Applications:
SCADA’s basic software will sometimes have administrator control specifications. These applications can also enable separation of data, separate user logins, and password protection. This section will only concentrate on applications written to communicate with SCADA equipment and apps.
SCADA Asset Protection:
The specifications for SCADA systems would vary from the standard office equipment used in the process. Different aspects of this equipment require a separate safety guidance document.