Blog post by Kevin Garman, Project Engineer at SCADAware
Security breaches are becoming an almost daily occurrence. No useful computer system is truly safe from attack, but just a few basic precautions can go a long way. Complete security cannot be guaranteed, and to make such a claim would be ridiculous. The good news is that a computer system’s security can be exponentially increased by following some simple best practices.
Here are four ways to quickly improve the security of your SCADA (or other) system:
- Run with the lowest privilege possible.
If a user needs to access an application, give that one user access to that one application…not the entire machine. Many times a user or process is given many more permissions than are really needed simply because it’s easier than figuring out what level of security is actually appropriate. Blanket removal of security restrictions may be a useful troubleshooting tool, but should not be used as the final solution. Many a support call to SCADA software vendors has ended with the suggestion to just give “Everyone” permission…DCOM comes to mind. Naturally, these same SCADA vendors tout the security of their products!
- Multiple strong passwords
Long, complex passwords can be virtually uncrackable. The goal is to make brute force password cracking impractical. Using a random mixture of uppercase, lowercase, numbers, and symbols, and using a lot of them (at least 10), means that any attempt to crack the password will take too long to be useful to the attacker. Additionally, don’t use one password for everything. If one portion of your system is compromised, you don’t want to simply give away the rest of your system.
- Keep your system up-to-date
This flies in the face of the conventional wisdom of “don’t fix what ain’t broke”. No one wants to risk downtime due to applying a bad Windows update, but an unpatched server can quickly become a sieve of security holes. One way to greatly reduce the risk of an update gone wrong is to use virtualization and snapshots.
- Use application whitelisting
Tell the OS (operating system) what applications are allowed to run. Take the stance of whitelisting a few, rather than blacklisting many. It’s much easier (and more effective) to give one app permission to run than it is to ban hundreds or thousands of apps from running.
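The password advice in the second item above, as an added example that is not from the original post: it issues a separate random password per system from the four character classes the post names, rejects lengths under 10, and estimates how long an exhaustive search would take. The system names, the default length of 16 and the attacker rate of 10 billion guesses per second are assumptions made for illustration.

```python
import secrets
import string

# Character classes named in the post: uppercase, lowercase, numbers, symbols.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)
MIN_LENGTH = 10  # the post's "at least 10"


def generate_password(length=16):
    """Return a random password that contains every character class."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        # secrets draws from the OS CSPRNG; the random module is predictable.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling keeps the choice uniform over valid passwords.
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def passwords_for(systems, length=16):
    """One independent password per system, so one leak exposes one system."""
    issued = {}
    for name in systems:
        pw = generate_password(length)
        while pw in issued.values():  # collision is very unlikely; enforce it
            pw = generate_password(length)
        issued[name] = pw
    return issued


def worst_case_years(length, guesses_per_second):
    """Years needed to try every password of this length over ALPHABET."""
    seconds = len(ALPHABET) ** length / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed system names; 1e10 guesses/s is an assumed attacker rate.
    for name, pw in passwords_for(["hmi", "historian", "opc-server"]).items():
        print(f"{name}: {pw}")
    for n in (6, 10, 16):
        print(f"{n} chars: {worst_case_years(n, 1e10):.3g} years")
```

At the assumed rate, a 6-character password falls in about a minute, while 10 characters already takes on the order of 170 years to exhaust.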
The struggle is finding a balance between security and usability. A completely secure system would be useless, and an infinitely flexible and easy-to-use system would have no security. The steps outlined here are very basic and should have low impact on usability of a SCADA system while at the same time greatly enhancing the security of the system. For more ideas on how to secure your SCADA/computer systems, take a look at this list of security practices published by the Australian Signals Directorate. [Strategies to Mitigate Targeted Cyber Intrusions]