Protecting SCADA Systems


Protecting SCADA (supervisory control and data acquisition) systems has become an important topic within the context of security over the years. If you’re planning on taking the Security+ exam, it’s an important topic to understand.

As an example, can you answer this sample Security+ practice test question?

Q. Lisa oversees and monitors processes at a water treatment plant using SCADA systems. Administrators recently discovered malware on her system that was connecting to the SCADA systems. Although they removed the malware, management is still concerned. Lisa needs to continue using her system and it’s not possible to update the SCADA systems. What can mitigate this risk?

A. Install HIPS on the SCADA systems.

B. Install a firewall on the border of the SCADA network.

C. Install a NIPS on the border of the SCADA network.

D. Install a honeypot on the SCADA network.

Moreover, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.

SCADA Systems as Static Environments

Static computing environments are relatively constant, especially when compared with typical computers connected to a network. Historically, administrators didn’t see a need to provide much protection to these environments, but as with just about anything security related, things change. The need to protect them has become clearer in recent years.

As an example, SCADA systems are typically industrial control systems within large facilities such as power plants or water treatment facilities. These systems are normally contained within isolated networks that do not have access to the Internet.

However, when they’re placed within the same network that has access to the Internet, their risk increases greatly. Even when they are isolated, they are still at risk.

As an example, Stuxnet infected nuclear enrichment facilities and caused centrifuges to spin fast enough to tear themselves apart. It reportedly gained a foothold when someone plugged an infected USB drive into a computer in the isolated network.

One of the architects of Stuxnet reportedly said “…there is always an idiot around who doesn’t think much about the thumb drive in their hand.” Indeed, USB sticks have been the source of many infections and they continue to be so today.

CompTIA Security+ Study Guide (SY0-401)

The 401 Version of the Study Guide is Now Available

The CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide is an update to the top-selling SY0-201 and SY0-301 study guides, which have helped thousands of readers pass the exam the first time they took it.

After a comprehensive review by ProCert Labs, the SY0-401 version has been certified as CompTIA Approved Quality Content (CAQC) and covers every aspect of the SY0-401 exam.

It includes the same elements readers raved about in the previous two versions.

Each of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action.

You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details. Additionally, each chapter includes a comprehensive review section to help you focus on what’s important.

Over 400 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. The book includes:

  • A 100 question pre-test
  • A 100 question post-test
  • Practice test questions at the end of every chapter.

Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question. You’ll be ready to take and pass the exam the first time you take it.

If you plan to pursue any of the advanced security certifications, this guide will also help you lay a solid foundation of security knowledge. Learn this material, and you’ll be a step ahead for other exams. This SY0-401 study guide is for any IT or security professional interested in advancing in their field, and a must read for anyone striving to master the basics of IT security.

Kindle edition also available.

Protecting SCADA Systems

There are several methods recommended to mitigate risks and protect SCADA environments. They include:

  • Redundancy and diversity controls. Redundancy controls ensure a system continues to operate even when it suffers a failure. For example, a redundant array of inexpensive disks (RAID) includes one or more extra or redundant disks that take over if another disk fails. SCADA systems often include redundant controls to take over if one fails. Diversity refers to protecting systems with diverse security controls. This is often done by using security controls from different vendors. For example, it’s common to create a demilitarized zone (DMZ) with two firewalls, but use firewalls from different vendors, providing a diverse defense.
  • Network segmentation. Placing systems in separate networks protects them from potentially malicious traffic in a primary network. An extreme form of network segmentation is removing the systems from any access to the primary network. For example, SCADA systems can be connected to each other, but not to any other network. Virtual local area networks (VLANs) provide another method of network segmentation.
  • Security layers. Defense-in-depth methods ensure that systems have multiple layers of security. For example, installing firewalls to block unauthorized traffic into a SCADA network provides one layer of security. Installing a network intrusion prevention system (NIPS) provides an additional layer of security for a SCADA network. The NIPS can inspect data streams for malicious traffic and block it. Layered security helps protect a system even if an attacker is able to breach one layer of security.
  • Application firewalls. Application firewalls can inspect traffic and identify specific commands within a protocol. Although they are sometimes difficult to implement in a full network supporting multiple protocols, they can be quite effective at protecting static environments that only support a minimum number of protocols.
  • Manual updates. One challenge with automatic updates is that they require frequent access to the Internet. By using manual updates, it allows administrators to download the updates on a separate environment, and verify they are valid before applying the updates to systems in static environments.
  • Firmware version control. Most static systems have embedded firmware installed on them. When vendors discover bugs or security flaws, they write and release firmware updates to correct the issue. Firmware version control is a management control that ensures systems are periodically examined to verify the firmware is up to date with the most current version.
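The manual-update and firmware-version-control items above describe a procedure: download on a separate machine, verify the update is valid, then find out which devices still run older firmware. The following is an added example of that check, not code from this post or the study guide. It assumes the vendor publishes a manifest with the update’s version and SHA-256 digest (a signature would be stronger where the vendor offers one), and that firmware version control keeps an inventory of what each device runs; the image, manifest and inventory are constructed for illustration.

```python
"""Offline check of a manually downloaded update before it enters a static environment.

Added example, not code from the post or the study guide. It assumes the
vendor publishes a manifest carrying the update's version and SHA-256
digest, and that firmware version control records what each device runs.
The image, manifest and inventory below are constructed for illustration.
"""
import hashlib
import hmac

# Constructed update image and the manifest the vendor is assumed to publish for it.
UPDATE_IMAGE = b"constructed-firmware-image-2.4.1"
VENDOR_MANIFEST = {"version": (2, 4, 1), "sha256": hashlib.sha256(UPDATE_IMAGE).hexdigest()}

# Constructed firmware inventory from version control: device -> installed version.
FIRMWARE_INVENTORY = {"rtu-01": (2, 3, 0), "rtu-02": (2, 4, 1), "plc-07": (2, 1, 5)}


def verify_update(image, manifest):
    """Refuse the file unless its digest matches the vendor's manifest."""
    digest = hashlib.sha256(image).hexdigest()
    # compare_digest avoids a timing side channel; cheap to do right even offline.
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "digest mismatch: update altered or corrupted, do not stage"
    return True, "digest verified: stage for manual installation"


def devices_needing_update(inventory, manifest):
    """Firmware version control: devices running something older than the manifest version."""
    target = tuple(manifest["version"])
    return sorted(dev for dev, ver in inventory.items() if tuple(ver) < target)


if __name__ == "__main__":
    ok, msg = verify_update(UPDATE_IMAGE, VENDOR_MANIFEST)
    print(msg)
    if ok:
        print("devices to update:", devices_needing_update(FIRMWARE_INVENTORY, VENDOR_MANIFEST))
```

The digest is checked on the staging host, not on the device, so a file that was corrupted or altered on the way from the Internet-connected download machine is rejected before it ever reaches the isolated network.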

Remember this

Incorporating control redundancy and diversity into security designs is a key method of protecting static environments such as supervisory control and data acquisition (SCADA) systems. Methods of protecting SCADA systems within a network include using virtual local area networks (VLANs) to segment traffic and network-based intrusion prevention systems (NIPS) to block unwanted traffic.

Q. Lisa oversees and monitors processes at a water treatment plant using SCADA systems. Administrators recently discovered malware on her system that was connecting to the SCADA systems. Although they removed the malware, management is still concerned. Lisa needs to continue using her system and it’s not possible to update the SCADA systems. What can mitigate this risk?

A. Install HIPS on the SCADA systems.

B. Install a firewall on the border of the SCADA network.

C. Install a NIPS on the border of the SCADA network.

D. Install a honeypot on the SCADA network.

The correct answer is C.

A network intrusion prevention system (NIPS) installed on the supervisory control and data acquisition (SCADA) network can intercept malicious traffic coming into the network and is the best choice of those given.

The scenario states you cannot update the SCADA systems, so you cannot install a host-based IPS (HIPS) on any of them.

A firewall provides a level of protection. However, it wouldn’t be able to differentiate between valid traffic sent by Lisa and malicious traffic sent by malware from Lisa’s system.

A honeypot might be useful to observe malicious traffic, but wouldn’t prevent it.
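To make the difference between a border firewall and a NIPS concrete (the same distinction the application firewall item draws about identifying specific commands within a protocol), here is an added example that is not from this post or the study guide. It assumes the SCADA devices speak Modbus/TCP, a common industrial protocol the post does not name, and that Lisa’s workstation only ever needs to read values; the addresses, frames and traffic are constructed for illustration. The firewall rule, keyed on address and port, passes everything from Lisa’s host, while the protocol-level check rejects a write command even though it arrives from the permitted host.

```python
"""Protocol-aware inspection at a SCADA network border.

Added example, not code from the post or the study guide. It assumes the
SCADA devices speak Modbus/TCP on port 502 and that the operator
workstation (Lisa's host, 10.0.1.20 here) only needs to read values.
Addresses, frames and traffic are constructed for illustration.
"""
import struct

MODBUS_PORT = 502
HMI_HOST = "10.0.1.20"          # constructed: the operator workstation

# Modbus function codes from the public Modbus specification.
READ_CODES = {1, 2, 3, 4}       # read coils / discrete inputs / registers
WRITE_CODES = {5, 6, 15, 16}    # write single/multiple coils or registers


def build_frame(tid, unit, fc, *fields):
    """Build a Modbus/TCP frame: MBAP header + PDU (function code + 16-bit fields)."""
    pdu = struct.pack(">B" + "H" * len(fields), fc, *fields)
    # MBAP: transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus(payload):
    """Return (unit_id, function_code), or None if the frame is malformed."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def firewall_allows(src_ip, dst_port):
    """A plain border firewall: decides on source address and port only."""
    return src_ip == HMI_HOST and dst_port == MODBUS_PORT


def nips_verdict(src_ip, dst_port, payload):
    """Layered decision: the firewall rule first, then the protocol content."""
    if not firewall_allows(src_ip, dst_port):
        return "drop: not permitted by firewall rule"
    parsed = parse_modbus(payload)
    if parsed is None:
        return "drop: malformed Modbus frame"
    _unit, fc = parsed
    if fc in READ_CODES:
        return "allow: read request"
    if fc in WRITE_CODES:
        return "drop: write command not permitted from operator workstation"
    return "drop: unexpected function code %d" % fc


# Constructed traffic: Lisa's normal read, then what malware on the same
# host might send (a write to a holding register), then an outsider's read.
READ_FRAME = build_frame(1, 1, 3, 0, 10)            # read 10 holding registers
WRITE_FRAME = build_frame(2, 1, 6, 0x0010, 0xFFFF)  # write register 0x10
SAMPLE_TRAFFIC = [
    ("operator read", HMI_HOST, MODBUS_PORT, READ_FRAME),
    ("malware write from operator host", HMI_HOST, MODBUS_PORT, WRITE_FRAME),
    ("read from unknown host", "10.0.1.99", MODBUS_PORT, READ_FRAME),
]


def inspect_all(packets=SAMPLE_TRAFFIC):
    """Return [(label, firewall_only_verdict, nips_verdict)] for each packet."""
    return [(label, firewall_allows(src, port), nips_verdict(src, port, data))
            for label, src, port, data in packets]


if __name__ == "__main__":
    for label, fw_ok, verdict in inspect_all():
        print("%-34s firewall=%-4s nips=%s" % (label, "pass" if fw_ok else "drop", verdict))
```

Running the module prints a verdict for each constructed packet; the second line is the scenario from the question, where the firewall passes the malware’s write because it comes from Lisa’s permitted host and only the content check stops it. In a real deployment the permitted function codes per source would come from a baseline of normal operator traffic rather than a hard-coded set.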

See Chapters 4 and 5 of the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide for more information on SCADA Systems.

Full Security+ Course

Full Security+ Course Now Available

Helping you Pass the First Time

Online access includes all of the content from the

CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide

  • Introduction
  • About the exam (including types of questions and strategies for performance-based questions)
  • 100 question pre-assessment exam
  • Mastering Security Basics (full content from Chapter 1 of the study guide including the exam topic review and 20 practice test questions)
  • Exploring Control Types and Methods (full content from Chapter 2 of the study guide including the exam topic review and 20 practice test questions)
  • Understanding Basic Network Security (full content from Chapter 3 of the study guide including the exam topic review and 20 practice test questions)
  • Securing Your Network (full content from Chapter 4 of the study guide including the exam topic review and 20 practice test questions)
  • Securing Hosts and Data (full content from Chapter 5 of the study guide including the exam topic review and 20 practice test questions)
  • Understanding Malware and Social Engineering (full content from Chapter 6 of the study guide including the exam topic review and 20 practice test questions)
  • Identifying Advanced Attacks (full content from Chapter 7 of the study guide including the exam topic review and 20 practice test questions)
  • Managing Risk (full content from Chapter 8 of the study guide including the exam topic review and 20 practice test questions)
  • Preparing for Business Continuity (full content from Chapter 9 of the study guide including the exam topic review and 20 practice test questions)
  • Understanding Cryptography (full content from Chapter 10 of the study guide including the exam topic review and 20 practice test questions)
  • Exploring Operational Security (full content from Chapter 11 of the study guide including the exam topic review and 20 practice test questions)
  • 100 question post-assessment exam
  • Security+ Acronyms

Get the Full Security+ Course Here

Test your readiness with these quality materials

Random 100-question tests

Random practice tests from all of the practice test questions in the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide. All questions include explanations so you'll know why the correct answers are correct, and why the incorrect answers are incorrect.

34 Simulated Performance-based Questions

Eight sets of performance-based questions with multiple questions in each set. These questions help you understand and prepare for performance based questions.

22 Realistic Performance-based Questions

Two new sets of performance-based questions with a total of 22 questions. These new questions use a new testing engine that includes realistic drag and drop, matching, sorting, and fill in the blank questions.

Flashcard Set

  • 273 Security+ Flashcards to reinforce key testable concepts
  • 280 Security+ acronyms flashcards to help you master the required acronyms
  • 204 Security+ Remember This slides

Audio - SY0-401 Security+ Remember This Audio Files

Learn by Listening. Over one hour and 15 minutes of audio (MP3 downloads).

Audio - SY0-401 Security+ Question and Answer Audio Files

Learn by Listening. Over three hours and 15 minutes of audio (MP3 downloads).

Bonus #1

Audio from the end of chapter reviews from each of the chapters in the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide. Over one hour and 15 minutes of additional audio.

Bonus #2

Subnetting mini-tutorial that will help you answer two key question types:
  • Identify how many hosts a subnet supports
  • Identify valid IP addresses within a subnet

Bonus #3 

Access the study materials for a total of 60 days because sometimes life happens.

Get the Full Security+ Course Here


Copyright © 2015 Get Certified Get Ahead. All Rights Reserved.