Protecting SCADA (supervisory control and data acquisition) systems has become an important topic within the context of security over the years. If you’re planning on taking the Security+ exam, it’s an important topic to understand.
As an example, can you answer this sample Security+ practice test question?
Q. Lisa oversees and monitors processes at a water treatment plant using SCADA systems. Administrators recently discovered malware on her system that was connecting to the SCADA systems. Although they removed the malware, management is still concerned. Lisa needs to continue using her system and it’s not possible to update the SCADA systems. What can mitigate this risk?
A. Install HIPS on the SCADA systems.
B. Install a firewall on the border of the SCADA network.
C. Install a NIPS on the border of the SCADA network.
D. Install a honeypot on the SCADA network.
Also, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
SCADA Systems as Static Environments
Static computing environments are relatively constant, especially when compared with typical computers connected to a network. Historically, administrators didn’t see a need to provide much protection to these environments, but as with just about anything security related, things change. The need to protect them has become clearer in recent years.
As an example, SCADA systems are typically industrial control systems within large facilities such as power plants or water treatment facilities. These systems are normally contained within isolated networks that do not have access to the Internet.
However, when they’re placed within the same network that has access to the Internet, their risk increases greatly. Even when they are isolated, they are still at risk.
As an example, Stuxnet infected nuclear enrichment facilities and caused centrifuges to spin fast enough to tear themselves apart. It reportedly gained a foothold by someone plugging in an infected USB drive into a computer in the isolated network.
One of the architects of Stuxnet reportedly said “…there is always an idiot around who doesn’t think much about the thumb drive in their hand.” Indeed, USB sticks have been the source of many infections and they continue to be so today.
Protecting SCADA Systems
There are several methods recommended to mitigate risks and protect SCADA environments. They include:
- Redundancy and diversity controls. Redundancy controls ensure a system continues to operate even when it suffers a failure. For example, a redundant array of inexpensive disks (RAID) includes one or more extra or redundant disks that take over if another disk fails. SCADA systems often include redundant controls to take over if one fails. Diversity refers to protecting systems with diverse security controls. This is often done by using security controls from different vendors. For example, it’s common to create a demilitarized zone (DMZ) with two firewalls, but use firewalls from different vendors, providing a diverse defense.
- Network segmentation. Placing systems in separate networks protects them from potentially malicious traffic in a primary network. An extreme form of network segmentation is removing the systems from any access to the primary network. For example, SCADA systems can be connected to each other, but not to any other network. Virtual local area networks (VLANs) provide another method of network segmentation.
- Security layers. Defense-in-depth methods ensure that systems have multiple layers of security. For example, installing firewalls to block unauthorized traffic into a SCADA network provides one layer of security. Installing a network intrusion prevention system (NIPS) provides an additional layer of security for a SCADA network. The NIPS can inspect data streams for malicious traffic and block it. Layered security helps protect a system even if an attacker is able to breach one layer of security.
- Application firewalls. Application firewalls can inspect traffic and identify specific commands within a protocol. Although they are sometimes difficult to implement in a full network supporting multiple protocols, they can be quite effective at protecting static environments that only support a minimum number of protocols.
- Manual updates. One challenge with automatic updates is that they require frequent access to the Internet. Manual updates allow administrators to download the updates in a separate environment and verify they are valid before applying them to systems in static environments.
- Firmware version control. Most static systems have embedded firmware installed on them. When vendors discover bugs or security flaws, they write and release firmware updates to correct the issue. Firmware version control is a management control that ensures systems are periodically examined to verify the firmware is up to date with the most current version.
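The manual-update and firmware version control items above can be turned into a small, repeatable check. The following is an added example, not code from the original post: it compares a downloaded update against the SHA-256 value the vendor publishes on a separate channel before the file is carried into the isolated network, and it reports devices whose firmware is behind the newest known release for their model. The device names, model names, version numbers and the update bytes are all constructed for the example; in practice the expected digest comes from the vendor's release notes, not from the file itself.

```python
"""Added example (not from the original post): checks supporting two of the
controls above, manual updates and firmware version control. Device names,
models, version numbers and the update image are constructed."""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_update(update_image: bytes, vendor_sha256: str) -> bool:
    """Manual updates: the file downloaded on the connected network is compared
    with the digest the vendor publishes separately before it is staged into
    the static environment. compare_digest is the idiomatic digest comparison."""
    return hmac.compare_digest(sha256_hex(update_image), vendor_sha256.lower())


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.10.0' -> (2, 10, 0). Comparing tuples of ints gets 2.10 > 2.9 right,
    which a plain string comparison would not."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def outdated_devices(inventory: List[Dict[str, str]], latest: Dict[str, str]) -> List[str]:
    """Firmware version control: list devices whose firmware is behind the
    latest release recorded for their model. A model with no recorded latest
    version is reported too, because nobody is tracking it."""
    behind = []
    for device in inventory:
        current = latest.get(device["model"])
        if current is None or parse_version(device["firmware"]) < parse_version(current):
            behind.append(device["name"])
    return behind


# Constructed inventory and vendor data.
INVENTORY = [
    {"name": "plc-intake-1", "model": "PLC-A", "firmware": "2.9.0"},
    {"name": "plc-intake-2", "model": "PLC-A", "firmware": "2.10.0"},
    {"name": "rtu-clarifier", "model": "RTU-B", "firmware": "1.4.2"},
    {"name": "hmi-control-room", "model": "HMI-C", "firmware": "5.1"},
]
LATEST_FIRMWARE = {"PLC-A": "2.10.0", "RTU-B": "1.5.0"}

# Constructed update image. The expected digest would normally come from the
# vendor's signed release notes; it is computed here only so the example runs.
SAMPLE_UPDATE = b"constructed PLC-A firmware image v2.10.0"
VENDOR_SHA256 = sha256_hex(SAMPLE_UPDATE)

if __name__ == "__main__":
    print("update verified:", verify_update(SAMPLE_UPDATE, VENDOR_SHA256))
    print("tampered copy verified:", verify_update(SAMPLE_UPDATE + b"\x00", VENDOR_SHA256))
    print("devices behind latest firmware:", outdated_devices(INVENTORY, LATEST_FIRMWARE))
```

Run as a script it reports the tampered copy as failing verification and lists plc-intake-1, rtu-clarifier and hmi-control-room as needing attention; the last one is flagged only because its model has no latest version on record, which is itself a version-control gap worth closing.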
Remember this
Incorporating control redundancy and diversity into security designs is a key method of protecting static environments such as supervisory control and data acquisition (SCADA) systems. Methods of protecting SCADA systems within a network include using virtual local area networks (VLANs) to segment traffic and network-based intrusion prevention systems (NIPS) to block unwanted traffic.
Q. Lisa oversees and monitors processes at a water treatment plant using SCADA systems. Administrators recently discovered malware on her system that was connecting to the SCADA systems. Although they removed the malware, management is still concerned. Lisa needs to continue using her system and it’s not possible to update the SCADA systems. What can mitigate this risk?
A. Install HIPS on the SCADA systems.
B. Install a firewall on the border of the SCADA network.
C. Install a NIPS on the border of the SCADA network.
D. Install a honeypot on the SCADA network.
The correct answer is C.
A network intrusion prevention system (NIPS) installed on the supervisory control and data acquisition (SCADA) network can intercept malicious traffic coming into the network and is the best choice of those given.
The scenario states you cannot update the SCADA systems, so you cannot install a host-based IPS (HIPS) on any of them.
A firewall provides a level of protection. However, it wouldn’t be able to differentiate between valid traffic sent by Lisa and malicious traffic sent by malware from Lisa’s system.
A honeypot might be useful to observe malicious traffic, but wouldn’t prevent it.
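The "application firewalls" and "security layers" items in the list above, and the point in this explanation that a border firewall cannot tell Lisa's legitimate traffic from malware traffic leaving the same host, both come down to whether the control inspects packet contents. The following added example (not code from the original post) places a source-address-only rule next to a minimal Modbus/TCP allow-list filter that parses the request and decides on the function code; the host addresses, the policy table and the sample frames are constructed for the example.

```python
"""Added example (not from the original post): a content-aware Modbus/TCP
filter contrasted with a source-address-only firewall rule. Host addresses,
the policy table and the sample frames are constructed."""
import struct
from typing import Dict, Set, Tuple

# Function codes from the Modbus application protocol specification.
READ_HOLDING_REGISTERS = 3
READ_INPUT_REGISTERS = 4
WRITE_SINGLE_REGISTER = 6
WRITE_MULTIPLE_REGISTERS = 16

# Assumed policy: which hosts may talk Modbus into the SCADA network at all,
# and which function codes each of them may use.
HOST_POLICY: Dict[str, Set[int]] = {
    # operator HMI (Lisa's system): read-only
    "10.10.1.20": {READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS},
    # engineering workstation: may also write registers
    "10.10.1.30": {READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS,
                   WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS},
}


def border_firewall_allows(src_ip: str) -> bool:
    """A plain packet filter decides on addresses only: anything from an
    allowed host passes, including traffic generated by malware on that host."""
    return src_ip in HOST_POLICY


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and the function code of the PDU.
    Raises ValueError for anything that is not a well-formed Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    # 'length' counts the unit id plus the PDU, so a valid frame is 6 + length bytes.
    if len(frame) != 6 + length:
        raise ValueError("MBAP length field does not match frame size")
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": frame[7],
        "data": frame[8:],
    }


def app_filter_verdict(src_ip: str, frame: bytes) -> Tuple[str, str]:
    """Application-layer decision: the same source host gets a different answer
    depending on what the request asks the controller to do."""
    if not border_firewall_allows(src_ip):
        return "deny", f"{src_ip} is not an authorised Modbus client"
    try:
        request = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "deny", f"malformed Modbus/TCP frame: {exc}"
    fc = request["function_code"]
    if fc not in HOST_POLICY[src_ip]:
        return "deny", f"function code {fc} not permitted for {src_ip}"
    return "allow", f"function code {fc} permitted for {src_ip}"


# Constructed sample frames: MBAP header (transaction id, protocol 0, length 6,
# unit id 1) followed by a 5-byte PDU.
READ_FRAME = bytes.fromhex("0001 0000 0006 01 03 0000 000a")   # read 10 holding registers from 0
WRITE_FRAME = bytes.fromhex("0002 0000 0006 01 06 0010 00ff")  # write 0x00FF to register 0x0010

if __name__ == "__main__":
    for src, frame in [("10.10.1.20", READ_FRAME), ("10.10.1.20", WRITE_FRAME),
                       ("10.10.1.30", WRITE_FRAME), ("10.10.1.99", READ_FRAME)]:
        fw = "pass" if border_firewall_allows(src) else "drop"
        verdict, reason = app_filter_verdict(src, frame)
        print(f"{src}: firewall={fw} app-filter={verdict} ({reason})")
```

The second line of output is the point of the question: a write request from the HMI address passes the address-only rule exactly as the read request does, while the content-aware filter denies it. That is the behaviour an inline NIPS or application firewall on the border of the SCADA network adds over a plain firewall, and it keeps working when the SCADA systems themselves cannot be patched or given a host-based agent.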