Remote Monitoring Learning Center logo
Phone headset
Expert Helpline
1-800-693-0351
4396

Top 6 ICS Security Weaknesses And How To Avoid Them

Morgana Siggins
Morgana Siggins
Monitoring Specialist

ICS (Industrial Control Systems) security aims to safeguard industrial processes and control networks.

Every network element has to have data protection to keep people out of where they shouldn't be. With increased automation of your systems, the impacts of these attacks on your elements could impact core system operations.

People and technology must work together to develop processes that can fight intentional - or accidental - security threats. So, let's take a look at some facts about ICS network security, its top six weaknesses, and what you can do to avoid them at your company.

 

ICS Security and SCADA Security

SCADA (Supervisory Control and Data Acquisition) is one of the most common types of ICS. SCADA networks are responsible for providing automated control and remote human management of essential services, such as water, natural gas, electricity, and transportation to millions of people.


SCADA is one of the types of ICS. In order to protect your SCADA implementation, it's important for you to adopt strong ICS security measures.

SCADA security involves the protection used for SCADA networks. SCADA systems need to be protected because, just like any other network, they are under threat from cyber-attacks that could bring them down quickly.

 

Quick Stats about ICS Security

In 2016, the US Cybersecurity and Infrastructure Security Agency (CISA), conduct 130 assessments in FY 2016. The following image shows us their results.


You can read all of the details in the full CISA PDF report

 

The 6 Common ICS Security Issues

Let's dive into the six most commons security breaches in the ICS environment and how you can handle them in order to protect your system.

 

1. Boundary Protection

Network experts are growing concerned that fundamental network equipment might be vulnerable to Internet-based attacks. New best-practice standards recommend that network equipment should be secured from open Internet access.

NERC (North American Electric Reliability Council) is developing a new reliability standard called Cyber Security Standard CIP-002-1. This new standard recommends a number of security procedures for computer-controlled systems, including restriction of unnecessary network services, securing dial-up modem connections, anti-virus software, and formal policies for managing user access and passwords.

 

2. More Capability than Necessary

SCADA systems are capable of providing you with a wide variety of functions. Some of these functions, normally provided by default, may not be necessary for your monitoring needs. Extraneous features, such as 3rd-party modules or "bells & whistles" potentially compromise your network without any added value.

When you have unused or unnecessary features, it increases the danger of unauthorized connection on your devices, unauthorized transfer of information, and unauthorized tunneling.

Review the functions and features provided by your SCADA system to determine which capabilities are candidates for removal.

 

3. Identification and Authentication

Securing your SCADA & ICS systems from unauthorized users can be difficult.

So, you need an RTU platform that includes SNMPv3 (remember that SNMP is a communications protocol) encryption as a standard feature.


Individual remote devices like the NetGuardian 832A G5 are used to convert data to encrypted SNMPv3 at each individual site.

Here are the 2 types of security available in SNMPv3:

  1. Authentication

    Authentication is used to ensure that traps are read by only the intended recipient.

  2. Privacy

    Privacy encrypts the payload of the SNMP message to ensure that it can't be read by unauthorized users. Any intercepted traps will be filled with garbled characters and will be unreadable.

4. Physical Access Control

Security of critical infrastructure is an especially important consideration. Regulating and controlling personnel access is vital to protecting and maintaining expensive gear. Increased site security acts as an obstacle to vandalism and theft due to your ability to monitor facility access.

This added security can give you peace of mind that only authorized personnel access your facilities.


To get the best security of remote entries, you need keyless access control, such as the Building Access System (BAS).

You need a comprehensive building management system that integrates into an existing alarm management platform. With this system in place, a log of all site access, including the time of day and location that access was granted, is maintained.

 

5. Audit Review, Analysis, and Reporting

Sometimes it's impossible to find security breaches without gluing yourself to your screen 24x7. Unless, of course, your RTU box supports analog trending and graphing.

Trending is a massive help for multiple reasons - it ultimately makes the invisible become painfully obvious.


The NetGuardian 480 G4 web interface features analog graphing.

Some monitoring devices have analog trending capabilities built into their web interface. If you have this feature, then you're ahead of the game. The next step is utilizing it to understand your analogs and overall network health.

Looking at raw analog trend data is a good first step, but it's still easy to miss something.

Using graphs to visually represent analog data can make trends and potential problems stand out like a sore thumb.

 

6. Authenticator Management

Without the ability for a technician to access the database of alarms and activities, or for the administrator to edit permissions and usage restrictions, you may as well be attempting to fly blind. While allowing wide open access from across the network is out of question, many people have tried to implement various security measures to verify the user attempting to gain access.


Having an RTU with RADIUS provides an easy way to control and monitor extensive access to your critical network equipment.

RADIUS - Remote Authentication Dial-In User Service - is a way to manage logins to many different types of equipment in one central location. Using the client/server format, RADIUS passes user information to designated servers and acts on the response that is returned.

Every time a device receives a login attempt (usually a username and password), it requests authentication from the central RADIUS server. If the username and password combination is found in the server's database, an affirmative "access granted" reply is sent back to the device, allowing the user to connect.

 

It's Time to Review Your ICS Security Practices

It's vital that you take some time to review your general security practices surrounding the remote monitoring of your automation and control system.

If you're looking for a secure RTU, consider the NetGuardian 832A with SNMPv3 support to send encrypted traps to your master so unintended recipients can't simply look at the messages.

If you're looking for a secure master station, our T/Mon also has the option to support HTTPs web viewing, and - like the NetGuardian line - it has passwords that control the level of access individual users have to the system.

Give us a call - we can help you start enhancing your ICS security today.


Get a Custom Application Diagram of Your Perfect-Fit Monitoring System

There is no other network on the planet that is exactly like yours. For that reason, you need to build a monitoring system that's the right fit for you.

"Buying more than you need" and "buying less than you need" are real risks. You also have to think about training, tech support, and upgrade availability.

Send me a quick online message about what you're trying to accomplish. I'll work with you to build custom PDF application diagram that a perfect fit for your network.


Don't make a bad decision

Your network isn't off-the-shelf.

Your monitoring system shouldn't be, either.

Customized monitoring application drawing

We'll walk you through this with a customized monitoring diagram.

Just tell us what you're trying to accomplish with remote monitoring.

Get Your Custom Diagram Now
Return to DPS Telecom

DPS logo