SCADA: CPNI has recently updated their guidelines on SCADA protection. I find these are among the best guidelines I have ever read on the subject, as they mainly focus on the Strategy, Processes, Organization and People.
Here is the list of the 8 available guidelines (the Title is also the link to the Guideline):
Process control and SCADA security - General Guidance
An overarching summary of the following guidance documents.
Process control and SCADA security guide 1 - Understand the Business Risk
The first step in improving the security of process control systems is to gain a thorough understanding of the business risk in the context of electronic security. Business risk is a function of threats, impacts and vulnerabilities. Only with a good knowledge of the business risk can an organisation make informed decisions on what should be the appropriate levels of security protection.
Process control and SCADA security guide 2 - Implement Secure Architecture
Designing a secure architecture for a control system can be a difficult exercise, as there are so many different types of systems in existence and so many possible solutions, some of which might not be appropriate for the process control environment. Given limited resources, it is important that the selection process ensures that the level of protection is commensurate with the business risk and does not rely on one single security measure for its defence.
Firewall deployment for SCADA and process control networks
This guide, produced by the former NISCC, documents the pros and cons of architectures used to separate the SCADA and process control network from the Enterprise network. These range from hosts with dual network interface cards to multi-tiered combinations using firewalls, switches and routers.
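One concrete way to check that a deployed rule set actually honours the tiered separation the firewall guide describes is to audit it for paths that bypass the DMZ tier. The following is an added example, not code from CPNI or the former NISCC; the zone names, the rule format and the sample rules (including the Modbus/TCP and RDP ports) are constructed for illustration.

```python
# Added example: audit a zone-based firewall rule set against a tiered
# "enterprise / DMZ / control" separation. Zone names, rule fields and
# SAMPLE_RULES are constructed for illustration, not taken from any product.
from dataclasses import dataclass
from typing import List

ENTERPRISE, DMZ, CONTROL = "enterprise", "dmz", "control"
ANY = "any"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str   # "tcp", "udp" or "any"
    dport: str   # destination port as a string, or "any"
    action: str  # "allow" or "deny"


def audit_rules(rules: List[Rule]) -> List[str]:
    """Return human-readable findings for rules that break the tiered model.

    An empty list means the rule set passed every check.
    """
    findings: List[str] = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        # Any direct enterprise<->control permit skips the DMZ tier entirely,
        # which is the main thing a multi-tiered design exists to prevent.
        if {r.src_zone, r.dst_zone} == {ENTERPRISE, CONTROL}:
            findings.append(
                f"rule {i}: direct {r.src_zone}->{r.dst_zone} path bypasses the DMZ")
        # Zone wildcards in an allow rule make the tiering meaningless.
        if ANY in (r.src_zone, r.dst_zone):
            findings.append(f"rule {i}: zone wildcard ('any') in an allow rule")
        # Protocol/port wildcards into the control zone expose every service.
        if r.dst_zone == CONTROL and r.proto == ANY and r.dport == ANY:
            findings.append(
                f"rule {i}: unrestricted service access into the control zone")
    # The set should end with an explicit default deny so that anything not
    # listed above is blocked rather than falling through to a device default.
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny"
                            and last.src_zone == ANY and last.dst_zone == ANY):
        findings.append("rule set lacks a final default-deny rule")
    return findings


# Constructed sample: a historian in the DMZ fronts the control network for
# enterprise users, but someone has also added a direct RDP permit.
SAMPLE_RULES = [
    Rule(ENTERPRISE, DMZ, "tcp", "443", "allow"),       # enterprise -> DMZ web front-end
    Rule(DMZ, CONTROL, "tcp", "502", "allow"),          # DMZ historian polls PLCs over Modbus/TCP
    Rule(ENTERPRISE, CONTROL, "tcp", "3389", "allow"),  # direct RDP into control: should be flagged
    Rule(ANY, ANY, ANY, ANY, "deny"),                   # explicit default deny
]


def clean_rules() -> List[Rule]:
    """The same design with the offending direct permit removed."""
    return [r for r in SAMPLE_RULES if not (r.src_zone == ENTERPRISE and r.dst_zone == CONTROL)]


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES) or ["no findings"]:
        print(finding)
```

Run against the sample rule set, the audit reports the single direct enterprise-to-control permit; the same set with that rule removed passes cleanly. Real rule sets would be exported from the firewall and parsed into the same `Rule` shape before being fed to `audit_rules`.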
Process control and SCADA security guide 3 - Establish Response Capabilities
The capability to respond to both alerts and incidents is an important part of a process control security framework. Obtaining management support, determining responsibilities, establishing communication channels, drafting policies and procedures, identifying pre-defined actions, providing suitable training and exercising the whole process prior to incidents enables a quick, effective and appropriate response which can minimise the business impacts and their cost, possibly avoiding such incidents taking place in the future.
Process control and SCADA security guide 4 - Improve Awareness and Skills
Raising awareness is potentially the single most valuable action in the ongoing task of process control security. Raising awareness endeavours to ensure all relevant personnel have sufficient knowledge of process control system security and the potential business impact of lapses in security. Personnel need to know what to do to prevent attacks and what to do in the event of an incident.
Process control and SCADA security guide 5 - Manage Third Party Risk
The security of an organisation's process control systems can be put at significant risk by third parties, e.g. vendors, support organisations and other links in the supply chain, and therefore warrants considerable attention. Technologies that allow greater interconnectivity, such as dial-up access or the internet, bring new threats from outside of the organisation. Third parties must therefore be engaged as part of the process control security programme and steps should be taken to reduce the associated risk.
Process control and SCADA security guide 6 - Engage Projects
Process control systems are usually installed with an expectation of a long service life and minimal changes to these systems during their lifetime. However, saying this for all control systems in use is probably an over-generalisation. In many organisations there are often a number of process control system related projects underway at any point in time, any of which could have security implications.
Process control and SCADA security guide 7 - Establish Ongoing Governance
Formal governance for the management of process control systems security will ensure that a consistent and appropriate approach is followed throughout the organisation. Without such governance the protection of process control systems can be ad hoc or insufficient, and expose the organisation to additional risk.