Fri Apr 8 06:49:41 PDT 2016
Zones: SCADA placement and controls: What protection mechanisms should be used between a SCADA system and a network?
Option A: No special protection is used for the SCADA.
Option B: Use a restricted access network zone for the SCADA.
Option C: Use encrypted communications for the SCADA.
Option D: Use a custom FSM wrapper for the SCADA input.
Option E: Do not connect the SCADA to the network.
Option F: Use a digital diode to exfiltrate SCADA data.
SCADA connected to networks should be protected as follows:
Protection between SCADA systems and networks
| Consequence || Approach
| High ||
IF no communication is required to the SCADA,
THEN Do not connect the SCADA to the network.
IF data from the SCADA is required,
THEN Use a digital diode to exfiltrate SCADA data.
IF external control of the SCADA is required,
THEN Use a custom FSM wrapper for the SCADA input.
ALSO Use all applicable methods from Medium.
| Medium ||
IF the SCADA interaction rate allows for encryption AND encryption does not interfere with an FSM wrapper,
THEN Use encrypted communications for the SCADA.
IF a restricted network zone for SCADA operations is in place in the enterprise,
THEN Use a restricted access network zone for the SCADA.
| Low || No special protection is used for the SCADA.|
Connection to external control systems:
Regardless of the technology approach, the basic options for connectivity to external systems are:
Complete independence: This is the "Do
not connect" approach. In this approach, the ICS network is segregated
from the rest of the world, typically by physical isolation for high
surety and logical separation for medium surety.
Information only: In this approach,
information from the ICS is sent to anything else with no external
influences intended back on the ICS. For high surety, this is done
with a digital diode, and for medium surety with a firewall or similar
separation mechanism properly configured.
Shared flows with islanding and
reconnection coordination: In this approach, ICS components share
flows, such as Internet-based communications or other shared
infrastructure, but are able to operate without the external
connection, albeit perhaps with less efficiency. External command and
control, changing set points, and ordering the ICS to do anything it
is physically capable of are all feasible, and thus more negative
consequences are attainable from external influences. In this scheme,
the external networks are disconnected and the system islanded when
the desired level of surety cannot be otherwise attained, and
reconnect over time as surety of connectivity increases to adequate
Continuous interconnect: In this
approach, the ICS environment is always connected to other networks,
making for higher dependency and more efficient coordination when the
network is working. However, when the network fails, is taken over, or
misoperates for whatever reason, the ICS cannot be disconnected, and
consequences over the entire operating and failure range are often
attainable from remote actions.
Encryption: Encryption takes substantial
time. For a SCADA that has to interact in real-time with feedback
times on the order of milliseconds, encryption isn't fast enough in
most cases to allow both the necessary SCADA computations and the
encryption to take place in time to meet the demands of the SCADA
Restricted access network zone: Such a zone
reduces the sources that can be used to directly influence and observe
SCADA inputs and outputs. When such a zone is available, it should be
used unless there is a reason not to use it.
Use a custom FSM wrapper for the SCADA input: A
custom FSM for the input of a SCADA provides a means by which all inputs
can be checked for validity in the context of the expected machine
state. This provides a high degree of certainty that unauthorized and
unanticipated input sequences cannot appear at the SCADA input.
Use a digital diode to exfiltrate SCADA data: A
digital diode can be used to prevent output channels from being used
for input to a high degree of certainty. This will normally require
protocol alterations, such as TCP to UDP and UDP to TCP proxies on
sending and receiving sides of the diode in order to interface with
technologies that depend on 2-way transport.
Do not connect the SCADA to the network: When
the situation has consequences too high to risk connection, it should
be run in an isolated manner.
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved