The Need
- Loss of service
- Cost of countermeasures
- Customer confidence factor
Vendors have many of the Same Security Concerns as Utilities
1. Networks
2. Information
3. Personnel
4. Access and tools
The Changing Nature of SCADA Systems
- Extending the network to the substation and beyond
- Incorporation of SCADA into the Enterprise Network
- Implementation of “Open Systems”
- Remote access to monitoring and control
- Put SCADA data on every applicable desktop
- “Control your SCADA system from your cell phone”
Twenty One Steps to Improve Cyber Security of SCADA Networks
SOURCE: Office of Energy Assurance, U.S. Department of Energy.
1. Identify all connections to SCADA networks.
2. Disconnect unnecessary connections to the SCADA network.
3. Evaluate and strengthen the security of any remaining connections to the SCADA network.
4. Harden SCADA networks by removing or disabling unnecessary services.
5. Do not rely on proprietary protocols to protect your system.
6. Implement the security features provided by device and system vendors.
7. Establish strong controls over any medium that is used as a backdoor into the SCADA network.
8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring.
9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns.
10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security.
11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios.
12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users.
13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection.
14. Establish a rigorous, ongoing risk management process.
15. Establish a network protection strategy based on the principle of defense-in-depth.
16. Clearly identify cyber security requirements.
17. Establish effective configuration management processes.
18. Conduct routine self-assessments.
19. Establish system backups and disaster recovery plans.
20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance.
21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls.
Twenty One Steps fall into Four Categories
1. Control access
2. Get rid of the unnecessary and harden what’s left
3. Know and use the tools you have available
4. Take a fresh look
Control Access
- Look to designs with security in mind.
- Deal with vendors who protect their product and documentation.
- Restrict vendor access for maintenance purposes.
- Don’t keep compromises a secret from a vendor (if applicable) and expect the same.
Get Rid of the Unnecessary (and Harden what’s Left)
- Have your vendor deliver systems with unnecessary server services and ports disabled (DCOM, UPnP, Automatic update, Messenger, etc.).
- Have the vendor incorporate security aspects into your training.
- Expect a vigorous patch policy from vendors, to include testing.
- Receive vendor guidance on third-party protective software (antivirus, spyware, etc.).
Get Rid of the Unnecessary (and Harden what’s Left)
- Make sure your vendor has the ability to partner with your IT department’s security scheme.
- Take active control of your security (password control, SCADA system defaults, etc.).
- Sort out your problems with speed and expect the same from your vendor.
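One way to act on step 4 and the “unnecessary server services and ports” bullet above, as an added Python example that is not part of the presentation: it parses Windows `netstat -ano` output and flags every listener that is not on a required-services allowlist, labelling the DCOM, UPnP and Messenger-related ports the slide names. The allowlist (Modbus/TCP 502, DNP3 20000) and the netstat sample are constructed assumptions; the real allowlist comes from your system specification.

```python
import re

# Constructed allowlist (assumption): listeners this SCADA server must expose; all else is a candidate to disable.
REQUIRED_LISTENERS = {
    ("TCP", 502): "Modbus/TCP to field devices",
    ("TCP", 20000): "DNP3 to RTUs",
}

# Well-known ports of services the slide names; used only to label findings.
KNOWN_UNNECESSARY = {
    ("TCP", 135): "DCOM / RPC endpoint mapper",
    ("UDP", 1900): "UPnP (SSDP discovery)",
    ("UDP", 138): "NetBIOS datagram (one transport of the Messenger service)",
}

# One `netstat -ano` row: proto, local addr:port, foreign addr, optional TCP state, PID.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_listeners(netstat_text):
    """Return (proto, port, pid) for each listening socket; UDP rows carry no state column."""
    listeners = []
    for line in netstat_text.splitlines():
        m = ROW_RE.match(line)
        if m is None:
            continue  # banner, header or blank line
        proto, _local, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/wait sockets are client traffic, not exposed services
        listeners.append((proto, int(port), int(pid)))
    return listeners

def audit(listeners):
    """Return every listener not on the allowlist, labelled when the slide names its service."""
    findings = []
    for proto, port, pid in listeners:
        if (proto, port) in REQUIRED_LISTENERS:
            continue
        note = KNOWN_UNNECESSARY.get((proto, port), "unknown service: justify or disable")
        findings.append({"proto": proto, "port": port, "pid": pid, "note": note})
    return findings

# Constructed sample of `netstat -ano` output from a SCADA server (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:502            0.0.0.0:0              LISTENING       2044
  TCP    0.0.0.0:20000          0.0.0.0:0              LISTENING       2044
  TCP    192.168.10.5:49672     192.168.10.20:502      ESTABLISHED     2044
  UDP    0.0.0.0:138            *:*                                    4
  UDP    0.0.0.0:1900           *:*                                    1304
"""
```

Run `audit(parse_listeners(SAMPLE_NETSTAT))` on the sample and the DCOM, NetBIOS datagram and UPnP listeners come back as findings while the Modbus and DNP3 ports pass.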
Know and Use the Tools You Have (or Should Have) Available
- Use vendor resources for your own testing (Red team concept).
- Request your vendor offer system manager courses which include auditing and monitoring tools.
- Monitor intrusion detection tools.
- Work with your vendor’s users group for pooling of risk (stockpiles of spares, CPUs, etc.).
- Encourage user group addressing of security concerns.
Take a Fresh Look
- Monitor the industry concerning items beyond your particular SCADA applications package (hardware platform, operating system, etc.).
- Become familiar with the industry security resources (DOD-CERT, ESISAC, etc.).
- Examine the various failure modes and plan accordingly.
- Enlist your vendor in formulating bypass, manual operation and backup contingencies.
- Test all contingency plans before they have to work (vendor 24/7 support, offsite backup, recovery plans, etc.).
Put your Security Requirements into your System Specifications
Deal with Vendors who take Security as Seriously as you
Now that we are all Sufficiently Concerned...
All industries seem to think they are behind others when it comes to Cyber-Security.
Four Categories
1. Control access
2. Get rid of the unnecessary and harden what’s left
3. Know and use the tools you have available
4. Take a fresh look