Security Best Practices for ICS/SCADA implementations
Original Issue Date: June 23, 2017
Attacks on SCADA systems are on the rise, and it is possible that many infiltrated systems have gone undetected. Cyber criminals often
infect systems and silently monitor traffic, observe the activities and wait for months or even years before taking any action. This allows
them to strike when they can cause the maximum damage.
Threats like Stuxnet, Havex, BlackEnergy and CrashOverride give a clear idea of how much damage a determined
adversary can inflict, not only on the business or operation concerned, but also on the general public.
Vulnerabilities in HMI
A Human Machine Interface (HMI) displays data from machines to a human operator and passes commands from the operator back to the machines. A
modern HMI provides a highly advanced and customizable visualization of the current state of a system. If you control the HMI, you
typically control the entire SCADA system.
Researchers have pointed out that attackers may target the HMI of a SCADA system for several reasons. Since the HMI is a critical component
in the management of industrial systems, including critical infrastructure, it can provide access to information that may be highly
valuable in a sophisticated attack. Attackers can also cause physical damage to SCADA equipment once they have compromised the HMI.
Furthermore, malicious actors could leverage the HMI to disable the alarms and notifications designed to alert operators to dangerous
configurations or values.
Attackers infiltrate SCADA systems through various means, one of which is the exploitation of software vulnerabilities prevalent
in HMIs. According to researchers, the most common types of flaws in HMIs uncovered in the past two years are the following:
Issues in Patch management
Not every organization is able to install all critical updates immediately on its various industrial system components. In
fact, updating SCADA software is a complicated procedure that is potentially risky for the stability of the systems involved and for the
entire industrial process of the enterprise.
This state of affairs inevitably results in a large number of unclosed vulnerabilities, including critical ones, not only in software
components of industrial automation systems, but also in those parts that are traditionally regarded as the classical IT components of
ICS, including the OS, back office automation software and other programs used in the industrial infrastructure. Despite all the difficulties
in installing critical updates, owners of industrial automation systems need to have an objective view of their systems' security status.
Implementing a set of best practices can minimize the chances of critical vulnerability exploitation in SCADA systems. These practices are:
- Perform an audit of ICS component access control; try to achieve maximum access granularity - whenever possible, overlapping of
authentication credentials for different ICS components should be avoided. Restrict user privileges to only those that are required to
perform each person's job. File access should be restricted to those who require access. If network access to a file is necessary,
restrict access as much as possible.
- Develop a password management plan to enforce strong passwords with minimum length, mixed character sets, expiration, no
password reuse, etc. and change all default passwords. Unless required by the control systems software, default passwords should always be
changed to robust, unpublished passwords.
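The two points above can be checked mechanically against an exported account inventory. The following audit script is an added example and is not part of the CERT-In advisory; it reports credentials that overlap between different ICS components and accounts whose passwords are vendor defaults or fail a stated policy (minimum length, mixed character sets). The inventory, the default-password list and the policy thresholds are constructed sample values, not data from any real device.

```python
"""Audit an ICS account inventory for credential overlap and weak or default passwords.

Added example for illustration; the sample inventory below is constructed and the
policy thresholds (12 characters, 3 character classes) are assumptions.
"""
import string
from collections import defaultdict

# Constructed sample inventory: (component, account, password).
# A real audit would work from each device's exported credential store; plaintext
# is used here only so the example runs stand-alone.
INVENTORY = [
    ("HMI-01", "operator", "Operator2017!x"),
    ("PLC-03", "admin", "Operator2017!x"),      # same credential as HMI-01 -> overlap
    ("Historian", "svc_hist", "admin"),         # vendor default left in place
    ("RTU-07", "maint", "summer"),              # too short, one character class
    ("EWS-02", "engineer", "Kq7#vL2pXm9@r"),    # compliant
]

# Constructed list of well-known vendor defaults to compare against (assumption).
DEFAULT_PASSWORDS = {"admin", "password", "1234", "default"}

MIN_LENGTH = 12
MIN_CLASSES = 3


def char_classes(password):
    """Count how many of lower, upper, digit and punctuation classes are present."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def check_policy(password, min_length=MIN_LENGTH, min_classes=MIN_CLASSES):
    """Return the list of policy violations for one password (empty means compliant)."""
    problems = []
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("default password")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length}")
    if char_classes(password) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    return problems


def find_shared_credentials(inventory):
    """Return sorted lists of components that share one credential (overlap to eliminate)."""
    by_secret = defaultdict(set)
    for component, _account, password in inventory:
        by_secret[password].add(component)
    groups = (sorted(components) for components in by_secret.values())
    return sorted(g for g in groups if len(g) > 1)


def audit(inventory):
    """Combine both checks into a list of (component, account, finding) tuples."""
    findings = []
    for component, account, password in inventory:
        for problem in check_policy(password):
            findings.append((component, account, problem))
    for components in find_shared_credentials(inventory):
        findings.append(("+".join(components), "*", "credential shared across components"))
    return findings


if __name__ == "__main__":
    for component, account, finding in audit(INVENTORY):
        print(f"{component:20} {account:10} {finding}")
```

Run on the sample inventory, the script flags the Historian and RTU-07 accounts for policy failures and reports that HMI-01 and PLC-03 use the same credential; the compliant HMI and engineering workstation accounts produce no findings.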
- Carry out an audit of network activity inside the enterprise's industrial network and on its boundaries. Eliminate any network
connections found with other adjoining information networks that are not required by the industrial process.
- Check that remote access to the industrial network is provided securely; place special emphasis on ensuring that multiple DMZs are set
up in accordance with IT security requirements. Network administrators need to understand security concepts such as layering, security and
functionality zones and specific access rules that restrict all communication to only what is necessary for system functionality. Try to
minimize or completely avoid using remote administration tools (such as RDP or TeamViewer).
- Make an inventory of installed software. Refrain from using any software that is not an absolutely essential part of the ICS, without
which the system or the system's users cannot work. Always use genuine, supported systems and software.
- Implement application whitelisting: application whitelisting is a security approach designed to protect against unauthorised
or malicious code executing on a system. It aims to ensure that only approved software applications are permitted to be present and active
on the system. Testing should be undertaken on a regular basis to check for misconfigurations of file system permissions and other ways of
bypassing application whitelisting rules or gaining execution of unauthorised content on a system.
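The most common file system misconfiguration behind a whitelisting failure is a directory that sits under an allowed path but is writable by an unprivileged account: anything placed there inherits the allow rule. The check below is an added example, not code from the advisory; it takes path-prefix allow rules and a directory permission inventory (both constructed here; a real run would read them from the whitelisting policy export and the file system ACLs) and lists every allowed directory that non-administrative principals can write to. The set of principals treated as privileged is an assumption.

```python
"""Find directories covered by path-based whitelisting rules that unprivileged users can write to.

Added example; rules, directory ACLs and the privileged-principal set are constructed
assumptions, not values from any real system.
"""
from pathlib import PureWindowsPath

# Constructed path-prefix allow rules, as used by path-based whitelisting policies.
ALLOW_RULES = [r"C:\Program Files", r"C:\Windows", r"C:\ICS\HMI"]

# Constructed directory inventory: directory -> principals holding write access.
DIRECTORY_ACL = {
    r"C:\Program Files\Vendor HMI": {"Administrators", "SYSTEM"},
    r"C:\Program Files\Vendor HMI\Recipes": {"Administrators", "SYSTEM", "Operators"},
    r"C:\ICS\HMI\Logs": {"Administrators", "Operators"},
    r"C:\ICS\HMI\Updates": {"Administrators", "SYSTEM"},
    r"C:\Users\operator\Downloads": {"operator"},  # writable, but not under any allow rule
}

# Assumed set of principals whose write access does not undermine the whitelist.
PRIVILEGED = {"Administrators", "SYSTEM", "TrustedInstaller"}


def is_under(path, prefix):
    """True if path equals prefix or lies below it (case-insensitive, like Windows)."""
    p = PureWindowsPath(path)
    q = PureWindowsPath(prefix)
    return p == q or q in p.parents


def find_whitelist_bypass_paths(rules, acl, privileged=PRIVILEGED):
    """Return (directory, matching rule, unprivileged writers) for each risky directory."""
    findings = []
    for path, writers in sorted(acl.items()):
        matching = [rule for rule in rules if is_under(path, rule)]
        if not matching:
            continue  # not whitelisted, so a dropped file would not execute
        unprivileged = sorted(writers - privileged)
        if unprivileged:
            findings.append((path, matching[0], unprivileged))
    return findings


if __name__ == "__main__":
    for path, rule, writers in find_whitelist_bypass_paths(ALLOW_RULES, DIRECTORY_ACL):
        print(f"{path} is allowed by rule {rule} but writable by {', '.join(writers)}")
```

On the constructed inventory the two directories writable by the Operators group under allowed prefixes are reported, while the operator's Downloads folder is ignored because no rule covers it. Each finding is fixed either by removing write access from the unprivileged principal or by narrowing the rule (for example to signed or hashed binaries) so that the writable directory is no longer implicitly trusted.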
- Carry out audits of policies and practices related to using removable media and portable devices. Block mobile phones, tablets
and untrusted removable media from connecting to the industrial network's hosts. Wherever possible, disable the relevant ports or control
access to these ports using properly configured dedicated tools.
- Expeditiously deploy security patches after testing all patches under field conditions on a test system before installation on
the production environment. The patching process should be carried out in close cooperation with vendor support to ensure SCADA application integrity is
maintained. Any patch process test should be performed on a backup or development system first, to isolate the primary system from any
potential damage. Keep signature databases, heuristics, and decision algorithms of security software on endpoints up-to-date.
- Conduct continuous product cyber security improvement through internal and external audits. Analyze identified vulnerabilities
to determine their significance and take appropriate corrective actions. Retest systems after corrective actions have been taken to ensure
that vulnerabilities were actually eliminated.
- Implement network traffic monitoring and cyber attack detection tools on industrial networks. Control system traffic should be
monitored and rules should be developed that allow only necessary access. Any exceptions created in the firewall rule set should be as
specific as possible, including host, protocol and port information.
- Monitor security policy compliance by suppliers, vendors of ICS systems and components, and contractor organizations that
perform work on the enterprise's industrial control system and that have access to the industrial network's components.
- Provide staff with training in the relevance of security threats for SCADA systems. Establish a process for regular briefings
and periodical training of employees. Place particular emphasis on the most popular infection and attack methods, including social
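The network monitoring point above and the earlier point on zones and specific access rules can be turned into a repeatable check. The script below is an added example and not part of the advisory: it first audits a constructed firewall exception list for rules that leave host, protocol or port as "any", and then evaluates constructed flow log lines against only the specific rules, so that any traffic which is permitted solely by an over-broad exception (or by nothing at all, such as a remote administration session reaching the control network) is surfaced for review. Addresses, ports, rule names and the log format are all constructed sample values.

```python
"""Audit firewall exceptions for specificity and flag flows not covered by specific rules.

Added example; the rule set, addresses and log lines are constructed and the
five-field log layout (timestamp src dst proto dport) is an assumption.
"""
import ipaddress

# Constructed firewall exceptions for the industrial network (10.10.2.0/24 is the
# assumed control network, 10.10.1.0/24 the assumed supervisory network).
RULES = [
    {"name": "hmi-to-plc-modbus", "src": "10.10.1.10/32", "dst": "10.10.2.0/24", "proto": "tcp", "dport": 502},
    {"name": "historian-poll", "src": "10.10.1.20/32", "dst": "10.10.2.0/24", "proto": "tcp", "dport": 44818},
    {"name": "vendor-remote", "src": "any", "dst": "10.10.2.0/24", "proto": "any", "dport": "any"},  # too broad
]

# Constructed flow records: timestamp, source, destination, protocol, destination port.
LOG_LINES = [
    "2017-06-23T10:00:01 10.10.1.10 10.10.2.15 tcp 502",
    "2017-06-23T10:00:05 10.10.1.20 10.10.2.15 tcp 44818",
    "2017-06-23T10:01:12 192.168.50.7 10.10.2.15 tcp 3389",
    "2017-06-23T10:02:40 10.10.1.10 10.10.2.15 tcp 80",
]

FIELDS = ("src", "dst", "proto", "dport")


def broad_fields(rule):
    """Names of the fields a rule leaves as 'any' (host, protocol or port not pinned down)."""
    return [field for field in FIELDS if rule[field] == "any"]


def audit_rule_specificity(rules):
    """Return (rule name, broad fields) for every exception that is not fully specific."""
    return [(rule["name"], broad_fields(rule)) for rule in rules if broad_fields(rule)]


def rule_matches(rule, src, dst, proto, dport):
    """True if the flow falls inside the rule's host ranges, protocol and port."""
    if rule["src"] != "any" and ipaddress.ip_address(src) not in ipaddress.ip_network(rule["src"]):
        return False
    if rule["dst"] != "any" and ipaddress.ip_address(dst) not in ipaddress.ip_network(rule["dst"]):
        return False
    if rule["proto"] != "any" and rule["proto"] != proto:
        return False
    if rule["dport"] != "any" and rule["dport"] != dport:
        return False
    return True


def parse_flow(line):
    """Split one constructed log line into (src, dst, proto, dport)."""
    _timestamp, src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)


def flows_outside_policy(log_lines, rules):
    """Flows not matched by any fully specific rule; broad rules are deliberately ignored."""
    specific = [rule for rule in rules if not broad_fields(rule)]
    flagged = []
    for line in log_lines:
        flow = parse_flow(line)
        if not any(rule_matches(rule, *flow) for rule in specific):
            flagged.append(flow)
    return flagged


if __name__ == "__main__":
    for name, fields in audit_rule_specificity(RULES):
        print(f"rule {name} is not specific in: {', '.join(fields)}")
    for src, dst, proto, dport in flows_outside_policy(LOG_LINES, RULES):
        print(f"review: {src} -> {dst} {proto}/{dport} not covered by a specific rule")
```

With the sample data the vendor-remote exception is reported as unspecific in source, protocol and port, and two flows are flagged for review: a remote desktop session from an address outside both ICS networks and an HTTP connection from the HMI that no specific rule permits. Both would have been silently accepted had the detector honoured the broad exception.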
Trend Micro: The State of SCADA HMI Vulnerabilities
Kaspersky: Threat Landscape for Industrial Automation Systems in Q2 of 2016
ICS CERT: Understanding Control System Cyber Vulnerabilities
The information provided herein is on "as is" basis, without warranty of any kind.
Email: firstname.lastname@example.org Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003