Alphabet Soup: Navigating SCADA and Industrial Control Systems, and the Increasing Importance of VPNs in All of These Technologies


All the terminology is daunting. Whether it is Operational Technology (OT), Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) or the Internet of Things (IoT), it is important for the C-suite to understand the differences and to find a way to maintain the accessibility of these technologies while complying with local regulations.

The greatest common denominator behind all of these technologies is the important and increasing role that Virtual Private Networks (VPNs) play in each of them. But before we go there, let's spend a little more time discussing the differences between the technologies.

In many ways, the pressure is on the shoulders of the owners of these technologies. Hackers and cyber-attackers can afford to be wrong a million times a day, while an industrial or manufacturing organization that is wrong only once stands to lose revenue, compromise lives and damage the environment.

Without proper cybersecurity controls in place, organizations running these technologies are vulnerable both to attack and to compliance failures under strict regulatory requirements. In sectors like oil and gas, which employ mostly Operational Technology (OT), as well as chemicals, pharmaceuticals and manufacturing, organizations build SCADA systems that rely predominantly on the accessibility and integrity of their data. The reading from a pressure valve, for example, has to be easy for engineers to get to, and the number it displays must be accurate. Failure on either count can at best cost a company a lot of money and at worst cause people to get hurt or harm the environment.

The problem is that Information Technology is developed with different goals in mind than SCADA. With IT, confidentiality of the data is the center of focus: the data must be protected first, and only then made easily available. This seemingly innocuous difference in priorities between SCADA and IT can open a gap that hackers can leverage to gain access to the network.

IT systems are updated and upgraded frequently in a rapidly evolving environment. SCADA operates in a more static environment where accessibility and system integrity are paramount, and changes such as updates pose a risk to the integrity of the operational technology. As a result, SCADA, ICS and Operational Technology are often made up of electro-mechanical devices that were never intended to be networked with digital equipment.

Exacerbating the issue is that few IT security and management tools are designed to work with SCADA. Companies often resort to trying to make IT solutions fit into SCADA networks, but these approaches are usually unsuccessful: the two technologies are just too different.

By trying to rig up an off-the-shelf technology, such as a PC running Microsoft Windows with a run-of-the-mill antivirus solution, to monitor a piece of operational technology, organizations may inadvertently void the license of the operational technology they are trying to protect.

Finally, these fixes often do little or nothing to address regulations, which typically require all networked SCADA assets to be identified and tracked. Companies are often not even aware of how many SCADA assets they have. This places a huge time constraint and resource burden on SCADA-dependent companies.

Top 3 Tips to Protect SCADA and Corporate Networks

1. Separate the SCADA world from the corporate world:

Too often I see organizations maintaining SCADA and their corporate networks behind the same firewall, living off shared network resources. By splitting these two functions into separate networks that have limited and highly monitored access to each other, organizations can go a long way towards better protecting and mapping each environment.

Performing this separation also usually requires a good grasp of managing privileged account information, extending to vendors as well, so that the organization understands who, what, where, when and how data was accessed in both networks.

2. Map the SCADA systems and understand what must be protected:

After separating the networks, organizations need to take time to inventory and assess each environment. Performing this exercise on the SCADA side adds greater integrity to the data being evaluated by the plant technicians and often helps satisfy regulatory requirements.

What to look for in mapping your SCADA:

Operating Documents

  • Operating conditions
  • Plant drawings
  • Process models
  • Network drawings
  • Failure History

Operating Procedures

  • Standard Operating Procedures
  • Standard Jobs Procedures
  • Maintenance Procedures

Current State Data

  • Instrumentation ranges and settings
  • Control logic
  • Firewall configuration rules
  • Distributed control system data
  • Internet Protocol addresses

3. Remove the noise by disabling unnecessary services and devices.
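As an added illustration of the three tips above (this is example code written for this page, not code from the original post or from Hypersocket), the following Python script audits a constructed firewall rule set and a constructed SCADA asset inventory: it flags allow-rules that let corporate addresses into the SCADA zone other than to one approved jump host, and flags listening services that the inventory does not record as needed. The zone ranges, addresses, service names and the single-jump-host convention are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone ranges (assumption: illustrative RFC 1918 subnets).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "scada": ipaddress.ip_network("10.20.0.0/16"),
}
# Constructed SCADA asset inventory (tip 2): address -> services the plant
# actually needs. Anything else listening on these hosts is noise (tip 3).
INVENTORY = {
    "10.20.1.5": {"modbus/502"},
    "10.20.1.6": {"opcua/4840"},
    "10.20.0.10": {"ssh/22"},  # assumed jump host: the only approved entry point
}
JUMP_HOST = ipaddress.ip_network("10.20.0.10/32")

@dataclass(frozen=True)
class Rule:
    src: str     # source CIDR or single address
    dst: str     # destination CIDR or single address
    port: str    # e.g. "tcp/22", or "any"
    action: str  # "allow" or "deny"

def zone_of(cidr):
    # Name the zone a CIDR falls inside, or "unknown" if it is in neither.
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "unknown"

def audit_rules(rules):
    """Tip 1: flag allow-rules letting corporate traffic into SCADA other
    than a specific port on the approved jump host."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if zone_of(r.src) == "corporate" and zone_of(r.dst) == "scada":
            if ipaddress.ip_network(r.dst) != JUMP_HOST or r.port == "any":
                findings.append(f"corporate->scada: {r.src} -> {r.dst} {r.port}")
    return findings

def audit_services(observed):
    """Tips 2 and 3: compare services seen listening ({ip: set}) with the inventory."""
    findings = []
    for ip, seen in observed.items():
        needed = INVENTORY.get(ip)
        if needed is None:
            findings.append(f"{ip}: not in inventory")
            continue
        findings.extend(f"{ip}: unneeded service {svc}" for svc in sorted(seen - needed))
    return findings
```

Feed `audit_rules` an export of the real firewall policy and `audit_services` the output of a scan of the SCADA segment, and every finding is either a segmentation gap to close or an asset record to correct.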

Hypersocket VPN: The Greatest Common Denominator

Regardless of the technology, within these sectors secure accessibility is pivotal to increasing an organization's revenue and decreasing its risks and costs. Virtual Private Networks, like Hypersocket's VPN, provide secure remote access to mission-critical applications and data, with granular, least-privilege, role-based policies ensuring that remote employees, partners and contractors access only the resources they need.

Hypersocket VPN provides a unique hybrid solution that gives the remote workforce security, including least-privilege access to a company's resources from anywhere in the world. It also supports simultaneous access to multiple on-premises servers and cloud networks through our multihomed client.

The result is greater productivity and more flexibility through a virtual network that adapts to your business needs without compromising your SCADA, ICS or OT security.

This blog was brought to you by Hypersocket and its CEO, Lee David Painter. With over 20 years of industry experience as a pioneer in IT security, Lee developed the world's first open-source browser-based SSL VPN (SSL-Explorer). Today Lee runs Hypersocket, a leader in virtual private network technology.