Data Security for SCADA Users
©2020, zdSCADA, LP. All rights reserved.
As data security becomes more critical every day, smart businesses have some level of defense in place. One of the most widely used sets of standards for data security is promulgated by the American Institute of Certified Public Accountants (AICPA). Guidance for businesses in general is contained in “System and Organization Controls (SOC) for Cybersecurity”. The more rigorous criteria intended for service organizations, such as hosting providers, are applied in a SOC 2® examination.
Operators that self-host SCADA data should implement SOC or similar controls, and any operator that chooses a SaaS (Software as a Service) web-hosted solution should require a SOC 2® audit report from its provider. SCADA users face unique security issues, but zdSCADA®, operator of one of the largest SaaS SCADA solutions in the industry, has the experience to help.
The Scams
“Phishing” is one of the most effective cybercrime schemes. The ruse uses seemingly legitimate communication to trick a user into revealing sensitive information. In 2019, a midstream operator with self-hosted SCADA fell victim to a phisher who obtained a valid login and password. With that access the attacker encrypted their data and demanded a large ransom. The ransom was not paid, but the operator spent weeks getting its systems back up, and a huge amount of data was lost forever.
This episode highlights both sides of the security coin: the human and the technical. On the human side, employee training could have prevented the credentials from being divulged. On the technical side, high-quality backup procedures like zdSCADA®’s would have drastically reduced the cost, time, and resources consumed in responding to this attack.
The Human Issue
The more challenging aspects of data security concern the unpredictable human element. Regardless of the system, users make mistakes, and these mistakes can have big implications for company data. Where possible, risky actions are constrained by technical policy rather than left to judgment: mandatory password strength, restrictions on software installation, and multifactor authentication, which makes a stolen password far less useful on its own.
Other human elements are addressed with regular, in-depth training programs. Strong companies create a culture of security awareness where best practices become second nature. Preventing attacks like the phishing described above requires critical thinking on the part of the user. Users must be trained to be cautious. Does an e-mail look sketchy? Does the URL seem odd? Why do they need my password?
Implementing thoughtful procedures can drastically reduce the risks posed by human error. For example, require a phone call to a known, trusted number (not one supplied in the request itself) to confirm instructions for sensitive activities, like changing admin permissions. Changes to code should require review and testing by someone other than the author, plus management approval, before publishing.
Cybercrime schemes are ever evolving, requiring constant attention to training and procedures. The bottom line is that management should equip employees to serve as an effective defense.
The Technical Tools
To tweak a common adage: “a byte of prevention is worth a gigabyte of cure”. There is a wide array of technical tools to support security. Encryption is used to protect sensitive communications, a common example being Transport Layer Security or “TLS”. (If your browser displays “https” instead of “http”, the connection is secured by TLS; the certificate behind it still has to be valid and checked.) Other tools are used to prevent “injection attacks”, in which attacker-supplied input, for instance from a web form or an uploaded XML file, is mistakenly executed as SQL or interpreted as markup, allowing data to be read, altered or destroyed, or the system crashed. The defense is to keep data and code separate: pass user input to the database as bound parameters rather than pasting it into the query text, disable external entity processing in XML parsers, and validate all input against what the application actually expects. These and other techniques close off many attack vectors.
Vigilant monitoring is the next link in the chain. System administrators cannot respond to an attack or system failure unless they know it has occurred. Building custom detection in-house is burdensome: it must be layered and redundant so that the monitoring itself does not become a single point of failure, and it is technically demanding to keep tuned. Third-party monitoring can be effective but must be thoroughly vetted.
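The SQL injection point above, as an added example that is not part of the original page and not zdSCADA®’s code. It uses Python’s built-in sqlite3 module with a constructed, invented user table; the username pattern is an assumed allow-list for this example. The vulnerable lookup pastes input into the query text, so the classic payload returns every row; the parameterized lookup sends the same input as data and returns nothing.

```python
import re
import sqlite3

# Constructed sample table of SCADA users (invented accounts; the "hashes" are placeholders).
SAMPLE_USERS = [
    ("alice", "hash-1", "operator"),
    ("bob", "hash-2", "admin"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn, name):
    # VULNERABLE: the user-supplied name is pasted into the SQL text, so quotes
    # and keywords in the input become part of the query the database runs.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, name):
    # HARDENED: the name travels as a bound parameter; the database treats it
    # purely as data, whatever characters it contains.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

# Assumed allow-list for usernames in this example: a second layer that rejects
# input which is not even shaped like a username before it reaches the database.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def valid_username(name):
    return USERNAME_RE.match(name) is not None

INJECTION = "x' OR '1'='1"   # classic payload: makes the WHERE clause always true

if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, INJECTION))      # every row comes back
    print(lookup_parameterized(conn, INJECTION))   # []
    print(valid_username(INJECTION))               # False
```

The bound parameter alone defeats the payload; the allow-list is defense in depth, and also keeps oversized or oddly shaped input out of logs and error messages.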
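What monitoring for credential abuse can look like in practice, as an added example that is not part of the original page and not zdSCADA®’s tooling. The log lines, their syslog-like format, the addresses (documentation ranges) and the baseline of known login sources are all constructed for this example; a real deployment would learn the baseline from history and read live logs. It raises three kinds of alert: a burst of failed logins, a success right after such a burst, and a valid login from a source the account has never used, which is the pattern a phished password produces.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (syslog-like, invented for this example;
# the addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
2020-03-01T08:00:01Z auth FAIL user=alice src=203.0.113.7
2020-03-01T08:00:03Z auth FAIL user=alice src=203.0.113.7
2020-03-01T08:00:04Z auth FAIL user=alice src=203.0.113.7
2020-03-01T08:00:05Z auth FAIL user=alice src=203.0.113.7
2020-03-01T08:00:06Z auth FAIL user=alice src=203.0.113.7
2020-03-01T08:00:09Z auth OK user=alice src=203.0.113.7
2020-03-01T08:15:00Z auth FAIL user=bob src=198.51.100.4
2020-03-01T09:00:00Z auth OK user=bob src=198.51.100.4
"""

# Constructed baseline of where each account normally logs in from (assumption:
# in practice this is learned from weeks of history, not hard-coded).
KNOWN_SOURCES = {"alice": {"10.0.0.5"}, "bob": {"198.51.100.4"}}

FAIL_THRESHOLD = 5              # failures within WINDOW that count as a burst
WINDOW = timedelta(minutes=2)

def parse_line(line):
    ts, _, result, user, src = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            result, user.split("=", 1)[1], src.split("=", 1)[1])

def detect_credential_attacks(log_text, known_sources=KNOWN_SOURCES):
    """Return a list of (kind, user, src, timestamp) alerts, in log order."""
    failures = defaultdict(deque)                 # (user, src) -> recent failure times
    seen = {u: set(s) for u, s in known_sources.items()}   # copy; do not mutate baseline
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = parse_line(line)
        window = failures[(user, src)]
        while window and ts - window[0] > WINDOW:  # drop failures outside the window
            window.popleft()
        if result == "FAIL":
            window.append(ts)
            if len(window) == FAIL_THRESHOLD:      # alert once per burst
                alerts.append(("burst_failures", user, src, ts))
        elif result == "OK":
            if len(window) >= FAIL_THRESHOLD:      # guessing that finally worked
                alerts.append(("success_after_burst", user, src, ts))
            if src not in seen.setdefault(user, set()):   # valid creds, unfamiliar origin
                alerts.append(("new_source_login", user, src, ts))
                seen[user].add(src)
            window.clear()
    return alerts

if __name__ == "__main__":
    for kind, user, src, ts in detect_credential_attacks(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:20} user={user} src={src}")
```

Bob’s single failure followed much later by a login from his usual address raises nothing; Alice’s sequence raises all three alerts. The thresholds are tuning knobs, and the point about redundancy in the text applies here too: the detector is only useful if the logs actually reach it and someone is paged when it fires.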
Once an attack is identified, the response team must be ready to act. Planning a response while the battle is raging wastes precious time. Technicians should be prepared to deal with the stress of recovering services while the clock is ticking. Recovery guidance should be documented, current, and straightforward. Rapid response limits the impact of an incident, reducing resources required to restore functionality.
Finally, the most important technical tool is comprehensive data backups with full off-site redundancy. The integrity of those backups should be routinely tested by actually restoring from them, not merely by checking that the backup job ran; a silently corrupted backup is otherwise discovered only on the day it is needed. Backups should also be stored where the credentials used on the production system cannot modify or delete them; otherwise an attacker holding those credentials, as in the phishing case above, can destroy the backups along with the data. Many companies also maintain a hot standby, a duplicate system which is warmed up and ready to go. This level of readiness allows for confidence in the face of whatever threats may come.
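One concrete form of the routine integrity test above, as an added example that is not part of the original page and not zdSCADA®’s procedure. It builds a SHA-256 manifest of a backup tree and later verifies the tree against it, reporting files that are corrupt, missing or unexpectedly present. The backup files themselves are constructed in a temporary directory for the demo; the assumption is that the manifest is kept separately from the backup, under different credentials, so that whoever can damage the backup cannot also rewrite its checksums.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    # Stream the file so large historian archives do not have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(backup_dir):
    """Map every file under backup_dir (relative POSIX path) to its SHA-256."""
    root = Path(backup_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(backup_dir, manifest):
    """Return sorted (problem, path) pairs; an empty list means the backup matches."""
    root = Path(backup_dir)
    problems = []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            problems.append(("missing", rel))
        elif sha256_file(p) != expected:
            problems.append(("corrupt", rel))
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel in sorted(present - manifest.keys()):
        problems.append(("unexpected", rel))     # e.g. a ransom note dropped into the tree
    return sorted(problems)

def demo():
    """Constructed backup tree: build a manifest, then damage the tree and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "hist").mkdir()
        (root / "hist" / "tags_2020-03-01.csv").write_text("ts,tag,value\n1,FLOW_01,12.5\n")
        (root / "config.db").write_bytes(b"invented configuration bytes")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)              # expected: []
        # Simulate bit rot or tampering, a deleted archive, and an attacker-dropped file.
        (root / "config.db").write_bytes(b"garbage")
        (root / "hist" / "tags_2020-03-01.csv").unlink()
        (root / "ransom_note.txt").write_text("pay up")
        damaged = verify_backup(root, manifest)
        return clean, damaged

if __name__ == "__main__":
    clean, damaged = demo()
    print("clean:", clean)
    print("damaged:", damaged)
```

A checksum pass is the cheap, frequent check; it does not replace the periodic full restore into a scratch environment, which is the only way to prove the data can actually be brought back into a running system.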
Are You Prepared?
These are just a handful of the fundamental security items relevant to SCADA hosting for oil and gas companies. Those with self-hosted systems should follow SOC guidelines to ensure effective defense of their data. A trustworthy and experienced SaaS SCADA hosting company, like zdSCADA®, will have robust procedures in place, confirmed by a SOC 2® audit.