SCADA systems contain computers and applications that are key to providing essential services like electricity, water, wastewater treatment and transportation. Such systems are critical for organizations and need to be vigilantly protected.
SCADA owners do not perform regular cyber assessments as they only consider cybersecurity modifications and enhancements when a capital project is in design. Even then, security considerations are often given only to new equipment and the existing system is not evaluated. This is particularly worrisome because, though the system element may not change, its security level might. Without a cybersecurity assessment, operators will not know about vulnerabilities until they are exploited.
What is the Cybersecurity Risk Management Lifecycle?
The cybersecurity risk management lifecycle is broken into three phases: assess, design and implement, and maintain. For this article, we will discuss the assess phase, what is included in it, and what the product should be.
The goal of the assess phase is to evaluate an industrial control system’s topology and configuration to identify weaknesses, evaluate risks, and document information for future action. Completing the assessment will lay the groundwork for security measures on all future improvements.
What are the Three Steps to Assessing a SCADA system?
Step One – Establish the scope of the system network.
- Evaluate and document the network, including collecting existing system documentation, architecture drawings, network diagrams, and asset inventory.
- Verify documents with a combination of visual inspection and automated network scanning tools to ensure no undocumented devices are on the network.
- Collect vital information about the devices on the network to make sure there is an understanding of what is installed and what components are critical to operations.
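The verification in Step One amounts to reconciling the documented asset inventory against what is observed on the network. The sketch below is an added example, not part of the original article; the inventory columns, device names, addresses and the `reconcile` helper are all constructed assumptions, and the observed list stands in for the export of whatever passive or active scanning tool is used.

```python
import csv
import io

# Constructed sample: documented asset inventory (Step One documentation).
INVENTORY_CSV = """name,ip,mac,critical
PLC-PUMP-1,10.10.1.11,00:1D:9C:AA:00:01,yes
HMI-CTRL-1,10.10.1.20,00:0C:29:BB:00:02,yes
HISTORIAN,10.10.1.30,00:50:56:CC:00:03,no
RTU-LIFT-4,10.10.1.44,00:80:F4:DD:00:04,yes
"""

# Constructed sample: (ip, mac) pairs seen by a passive listener or scan export.
OBSERVED = [
    ("10.10.1.11", "00:1d:9c:aa:00:01"),
    ("10.10.1.20", "00:0C:29:BB:00:99"),   # same IP, different hardware
    ("10.10.1.30", "00:50:56:CC:00:03"),
    ("10.10.1.77", "B8:27:EB:12:34:56"),   # not in the inventory
]

def norm_mac(mac):
    """Normalise MAC notation so 00-1d-9c... and 00:1D:9C... compare equal."""
    return mac.strip().upper().replace("-", ":")

def reconcile(inventory_csv, observed):
    """Compare documented assets with observed devices, keyed by IP address."""
    documented = {row["ip"]: row for row in csv.DictReader(io.StringIO(inventory_csv))}
    seen = {ip: norm_mac(mac) for ip, mac in observed}
    findings = {"undocumented": [], "mac_mismatch": [], "not_seen": []}
    for ip, mac in sorted(seen.items()):
        asset = documented.get(ip)
        if asset is None:
            # Device on the wire that no drawing or inventory accounts for.
            findings["undocumented"].append((ip, mac))
        elif norm_mac(asset["mac"]) != mac:
            # Documented address answered by different hardware than recorded.
            findings["mac_mismatch"].append((asset["name"], ip, norm_mac(asset["mac"]), mac))
    for ip, asset in sorted(documented.items()):
        if ip not in seen:
            # Documented but silent; the flag marks assets critical to operations.
            findings["not_seen"].append((asset["name"], ip, asset["critical"] == "yes"))
    return findings

if __name__ == "__main__":
    for kind, items in reconcile(INVENTORY_CSV, OBSERVED).items():
        for item in items:
            print(kind, *item)
```

Each finding still needs the visual inspection the step calls for: a device that was not seen may simply be powered down, and a MAC mismatch may be a replaced module that was never recorded.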
Step Two – Evaluate the system to assess vulnerabilities and gaps.
- Perform gap assessments to review operational and technical cybersecurity procedures and compare them to industry best practices.
- Determine staff’s understanding of procedures and implementation, including password policies, processes for updating software and installing patches, how intrusions are detected and handled, and processes for evaluating system expansion.
- Collect network information by using passive tools to listen to network traffic, using active tools that attempt to connect to assets, or even using penetration testing to find weaknesses.
Step Three – Perform a risk assessment using gathered information.
- Consider risk as the combined result of the threat, vulnerability, and consequence identified in the risk assessment.
- Address risks using one of the four typical methods:
  - Tolerate: Accepting the risk.
  - Transfer: Moving the consequence to others, e.g., buying insurance to cover the cost of an attack.
  - Terminate: Eliminating the risk by removing the item causing the risk.
  - Treat: Implementing a device or tool to eliminate or reduce the risk.
- Assemble a team and conduct a workshop to review the collected information. The team should consist of a cross-section of the organization with all critical stakeholders represented.
Once the risk assessment is complete, the information is assembled and formalized into a report that can be used to guide the next phase: implementation. Performing a risk assessment is a crucial element in a cybersecurity program. If the assessment is well thought out and critical stakeholders are included, the results can be used as a roadmap to guide future projects and investments.
From cybersecurity certification of SCADA cyber solutions, our team equips municipalities with the tools they need to stay protected. Consult with our Electrical experts to learn more about our services and to find out how we can help keep your community protected.