7 SCADA Security ‘Do’s’ & 4 SCADA Training ‘Don’ts’
At Inductive Automation, we’ve always tried to assist integrators and end users by sharing valuable information. As with all things in life and automation, that means spreading awareness about what you should do as well as what you shouldn’t. In that spirit, we’ve collated two recent articles from Water & Wastes Digest that examine best practices to help keep your system safe along with training misconceptions to avoid so that nothing holds your organization back.
7 SCADA Security Best Practices to Consider Right Now
When organizations implement security measures for their SCADA system, “most folks want everything fully secured,” says Kevin McClusky, Co-Director of Sales Engineering at Inductive Automation. But deciding what “fully secured” looks like will depend on specific needs and resources, from available budget and existing software and hardware to actual security risk.
While circumstances may differ, these best practices can guide any organization looking to step up their security. Each step builds on the ones before it, so consider sequential implementation.
1: Diagram all network traffic.
Creating a diagram that shows all network traffic between PLCs, devices, external software systems, and your chosen HMI/SCADA/MES/IIoT platform is the foundation for intelligent decision making, says McClusky. “Think of this as the item that allows you to have a picture of how your security is looking at the moment. It lets you know where the weak points are and where potential attack factors could be from bad actors trying to get to the system overall,” he says.
While some security tools can automate this diagram, McClusky still recommends creating the diagram manually. “There’s nothing like getting your hands dirty to understand your connections and how everything works inside the system,” McClusky said.
2: Encrypt any unencrypted connection.
If any connections aren’t encrypted, make sure access to that network is secured. Database connections may be easy to encrypt, while a PLC connection could be difficult. Examine the firewalls that are in place and decide which connections should be encrypted.
To ensure that data transferred is kept secure, the Ignition platform supports SSL/TLS security as a best practice. The “s” in a URL that begins with “HTTPS” signifies the website is secured by an SSL/TLS certificate. Cryptographic algorithms scramble data in transit, thus preventing bad actors from reading or modifying any information being transferred.
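As an added illustration of steps 1 and 2 (not code from the article or from Inductive Automation), this Python script turns a connection inventory into a Graphviz diagram and lists the cleartext links to deal with first; the host names, zones, ports and inventory are constructed assumptions.

```python
# Added example: inventory the traffic between gateway, PLCs, database and
# clients (step 1), then flag the links that carry no transport encryption
# (step 2). Every host, zone and port below is a constructed assumption.
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    src: str        # hypothetical source host
    src_zone: str   # network zone the source sits in
    dst: str        # hypothetical destination host
    dst_zone: str   # network zone the destination sits in
    protocol: str
    port: int
    encrypted: bool  # True when the link runs over TLS (from your own records)


INVENTORY = [  # constructed sample inventory
    Link("ign-gateway", "scada", "plc-01", "control", "Modbus/TCP", 502, False),
    Link("ign-gateway", "scada", "plc-02", "control", "OPC UA", 4840, True),
    Link("ign-gateway", "scada", "db-01", "scada", "PostgreSQL", 5432, False),
    Link("hmi-client", "office", "ign-gateway", "scada", "HTTPS", 8043, True),
    Link("erp-app", "office", "ign-gateway", "scada", "HTTP", 8088, False),
]


def unencrypted_links(inv):
    """Cleartext links, most urgent first: a cleartext link that crosses a
    zone boundary exposes its data to every host on both networks."""
    plain = [l for l in inv if not l.encrypted]
    return sorted(plain, key=lambda l: (l.src_zone == l.dst_zone, l.src, l.dst))


def zones_needing_isolation(inv):
    """Zones that carry cleartext traffic and so must have access secured."""
    zones = set()
    for l in unencrypted_links(inv):
        zones.update({l.src_zone, l.dst_zone})
    return sorted(zones)


def to_dot(inv):
    """Graphviz DOT diagram: encrypted links solid, cleartext links red/dashed."""
    lines = ["digraph scada {"]
    for l in inv:
        style = "solid" if l.encrypted else "dashed, color=red"
        lines.append(f'  "{l.src}" -> "{l.dst}" '
                     f'[label="{l.protocol}:{l.port}", style={style}];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(INVENTORY))
    for l in unencrypted_links(INVENTORY):
        print(f"cleartext: {l.src} -> {l.dst} ({l.protocol}:{l.port})")
```

Pipe the DOT output into `dot -Tpng` to get the picture McClusky describes, with the links to encrypt or wall off drawn in red.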
3: Invest in an Intrusion Detection System (IDS).
Having an IDS for a controls network allows easy detection of unauthorized access. An IDS is even more valuable when there is unencrypted traffic over a network, though keep in mind that an IDS won’t detect something like a network tap that can read unencrypted data.
4: Consider a data diode.
For extremely sensitive networks that don’t need outside data, consider using a data diode, which only allows data to flow out of a network, but not flow into it, thus cutting off one major vector of attack.
5: Determine your risk profile.
Organizations can spend large amounts of time and money implementing security procedures, layering security effort over security effort, and some of it may be unnecessary. To help decide what’s “secure enough” for each organization, McClusky offers an analogy: think of security procedures for a SCADA system like security measures added to a house.
“If you’re in your home, are you going to have one-foot thick concrete walls around your house? No. Do you want your house to be secure? Yes,” McClusky says. “You can keep layering on layers of security, but is it worth the investment?”
6: Understand the options and the limits of software and hardware.
While there are some exceptions, many modern PLCs do not have security tools built inside of them, McClusky says.
“If you don’t know the options when you purchase hardware, there’s no way to do a good job with your security,” says McClusky. To prevent retrofitting software and hardware, look out for the growing number of devices, PLCs and products that have security directly built in.
7: Employ two-factor or multi-factor authentication (MFA/2FA) and single sign-on (SSO).
With remote access to your SCADA system through software like the Ignition Perspective Module, organizations can allow more access to system data than ever before. However, wider access can lead to greater security risk in the event of compromised login credentials.
Using a single sign-on (SSO) allows users to use one set of credentials to access more than one application. This can streamline the login process as well as make it easier to monitor user activity. Two-factor or multi-factor authentication (MFA/2FA) requires users to enter multiple identifying factors to gain access to the system.
4 SCADA Training Misconceptions That Hold Organizations Back
The learning curve for implementing new SCADA software can be steep, and as a team prepares to learn new software, avoiding these four training misconceptions will help set them up for success.
Misconception 1: Training is too expensive and time-intensive.
Effective training requires dedicated staff time and resources. As a result, some organizations forgo training and ask staff to figure things out on their own. According to Kent Melville, Sales Engineering Manager at Inductive Automation, this strategy is flawed.
“The greatest cost associated with a well-trained team is the opportunity cost,” Melville says. When companies skip training, he says, they risk making mistakes, producing lower-quality work and weakening their ability to prevent issues in the future.
When organizations invest in training, however, “the solutions put into place tend to be higher quality because they are not thrown together,” Melville says. “They’ve had some time to think about what a good system looks like, and so they’re able to put it in right the first time.”
While traditional training solutions often required traveling to expensive off-site classes, online options are now more readily available.
Misconception 2: The best way to learn new software is by attending a one-time intensive class.
To help limit costs, teams will often send one team member to an in-person training class, who, upon return, must then train the rest of the team. Since intensive training classes do not allow people to learn in their own environment, this practice may not be as effective or long-lasting.
“People find that when they go, they have this positive experience because it’s a very carefully cultivated environment for them to learn,” Melville says. “When they come back to the real world, they find that everything isn’t exactly like they saw in the class.”
If a team member struggles to translate training to their work environment, it can make it more difficult for them to train others. Providing all staff with direct access to training resources will ensure everyone receives the most accurate information from a first-hand source and empowers them to drive their own learning.
Dedicating time to train staff is necessary to conquering the software learning curve, but it pays dividends, Melville says. When onboarding teams to Ignition, Melville recommends staff devote a week to learn the platform piece by piece.
Misconception 3: Everyone learns best by sitting through a presentation.
While some team members prefer written documentation and online user manuals, others prefer watching demonstrations, or even performing the task themselves. Effective training must be designed for all types of learners.
To help first-time Ignition users learn by doing, Inductive Automation created the Quick Start feature, which launches Ignition with built-in templates and configurations so that “out of the gate, Ignition is in a useful state,” Melville says.
Misconception 4: One training session is all you need to learn new software.
Software is constantly updating. Regular training on the latest functionality is necessary to keep skills current and prevent a team from implementing outdated processes.
“It’s one thing to train new staff, but it’s the next level to constantly train all of your staff,” Melville says. “When your staff is better trained, then they’re able to make sure your product or system stays relevant and you’re following best practices. They’re going to set up the business to succeed long-term rather than just being focused on maintaining the status quo.”
Keep Your System Protected & Your Team Well-Trained
Knowing what to do — and what not to do — is only part of establishing a secure SCADA system and an effective, knowledgeable team. Having a robust platform like Ignition, built on trusted security technologies and with hours of free tutorial videos available on-demand, will help you focus on what you can do, not what you can’t.