Necessity, the mother of invention
Data security should provide protection against threats from all sources, friends and foes alike. Typically, we think of the classic foe: the “hacker”. These attackers can be smart, adaptive, determined, and even well-funded. They think like you think and know what you are likely to do.
However, a commonly overlooked threat comes from your own employees. In the end, people are people – we all get lazy and make mistakes. Sally can delete a database she meant to copy. Jimmy can leave a door unlocked. Furthermore, what stops a disgruntled employee from intentionally interrupting operations, or an opportunistic custodian from swiping a thumb drive to sell to the highest bidder? Security requires constant attention to detail and a documented plan to recover when disaster inevitably strikes.
SCADA users expect their data to be secure, and rightly so! Certain measures should always be taken so that SCADA data is highly available, kept private, and protected from deletion, corruption, and unauthorized alteration.
Daily, each of us is affected by security measures or “controls”. The door locks on your house and car. The alarm at your workplace. The PIN or fingerprint required to unlock your smartphone. When those controls work as expected, security is a minor inconvenience which we all willingly suffer. However, when those controls fail, the fallout can be a nightmare for everyone affected. A SCADA host should make every effort to secure your critical data from all kinds of threats and protect your entity from suffering such losses.
The critical question is this: Do you know your SCADA data is secure and how that security is achieved?
Security professionals and technically trained I.T. personnel are certainly important and must work constantly to defend against the latest threats. However, truly effective security requires every employee to play their individual defensive role to the best of their ability. These days, the front line is everywhere, so every employee must be on guard. Every phone call and email message, every visitor allowed through the door, and every person asking for the guest Wi-Fi password – any employee can encounter these potential threats, and a chain is only as strong as its weakest link. Secure SCADA hosting should be built upon a foundation of controls and processes which make security considerations second nature.
Thankfully, you don’t have to trust unsupported claims. A reputable third-party audit can level the playing field by providing objective testing and review of a SCADA host’s claimed security controls against an established standard. One such standard, developed by the Association of International Certified Professional Accountants (AICPA), is SOC 2, which is specifically designed for service providers storing customer data in the cloud. A SOC 2 Type II report on the description of a SCADA host’s system and the suitability of the design and operating effectiveness of their controls gives you and your stakeholders the power to make an informed decision.