Mon Nov 24 05:37:58 PST 2014

Zones: SCADA placement and controls: What protection mechanisms should be used between a SCADA system and a network?


Options:

Option A: No special protection is used for the SCADA.
Option B: Use a restricted access network zone for the SCADA.
Option C: Use encrypted communications for the SCADA.
Option D: Use a custom FSM wrapper for the SCADA input.
Option E: Do not connect the SCADA to the network.
Option F: Use a digital diode to exfiltrate SCADA data.

Decision:

SCADA connected to networks should be protected as follows:

Consequence | Approach
------------+------------------------------------------------------------
High        | IF no communication is required to the SCADA,
            |   THEN Do not connect the SCADA to the network.
            | OTHERWISE:
            |   IF data from the SCADA is required,
            |     THEN Use a digital diode to exfiltrate SCADA data.
            |   IF external control of the SCADA is required,
            |     THEN Use a custom FSM wrapper for the SCADA input.
            |   ALSO Use all applicable methods from Medium.
Medium      | IF the SCADA interaction rate allows for encryption
            |   AND encryption does not interfere with an FSM wrapper,
            |   THEN Use encrypted communications for the SCADA.
            | IF a restricted network zone for SCADA operations is in
            |   place in the enterprise,
            |   THEN Use a restricted access network zone for the SCADA.
Low         | No special protection is used for the SCADA.

Table: Protection between SCADA systems and networks

Basis:

Connection to external control systems:
Regardless of the technology approach, the basic options for connectivity to external systems are:

Encryption: Encryption adds processing delay. For a SCADA system that must interact in real time, with feedback loops on the order of milliseconds, encryption is in most cases too slow for both the necessary SCADA computations and the cryptographic operations to complete within the signal timing budget. Where it is used, it must also not interfere with an FSM wrapper, which has to see the input in the clear in order to check it.

Restricted access network zone: Such a zone reduces the set of sources that can directly influence or observe SCADA inputs and outputs. When such a zone is available, it should be used unless there is a specific reason not to.

Use a custom FSM wrapper for the SCADA input: A custom finite state machine (FSM) placed in front of the SCADA input provides a means by which every input can be checked for validity in the context of the expected machine state, and rejected before it reaches the SCADA if it is not valid there. This provides a high degree of certainty that unauthorized and unanticipated input sequences cannot appear at the SCADA input.
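The following Python program is an added example of such a wrapper; it is not code from the original page. It models a hypothetical valve actuator (the state names, command names, feedback events and the 1..100 rate limit are all assumptions) and forwards a network command to the SCADA only when the command appears in the legal-transition table for the current state and its arguments parse and fall within range. Everything else is logged as rejected and never reaches the device.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Legal (state, command) pairs for commands arriving from the network, and
# the state each leads to.  Anything not listed here is rejected, so an
# unanticipated sequence such as OPEN while already OPENING never reaches
# the actuator.  (Assumed model of a valve; not from the original page.)
COMMAND_TABLE: Dict[Tuple[str, str], str] = {
    ("CLOSED", "OPEN"): "OPENING",
    ("HELD", "OPEN"): "OPENING",
    ("OPEN", "CLOSE"): "CLOSING",
    ("HELD", "CLOSE"): "CLOSING",
    ("OPENING", "STOP"): "HELD",
    ("CLOSING", "STOP"): "HELD",
    ("CLOSED", "SET_RATE"): "CLOSED",   # rate may only change while stationary
    ("OPEN", "SET_RATE"): "OPEN",
    ("HELD", "SET_RATE"): "HELD",
    ("FAULT", "RESET"): "CLOSED",
}

# Feedback events from the device side (local, trusted) and their effect.
EVENT_TABLE: Dict[Tuple[str, str], str] = {
    ("OPENING", "LIMIT_OPEN"): "OPEN",
    ("CLOSING", "LIMIT_CLOSED"): "CLOSED",
}

# Argument count and (assumed) allowed integer range per command.
ARG_SPEC: Dict[str, Tuple[int, Optional[Tuple[int, int]]]] = {
    "OPEN": (0, None), "CLOSE": (0, None), "STOP": (0, None),
    "RESET": (0, None), "SET_RATE": (1, (1, 100)),
}


@dataclass
class FsmWrapper:
    state: str = "CLOSED"
    rate: int = 10
    forwarded: List[str] = field(default_factory=list)        # reached the SCADA
    rejected: List[Tuple[str, str]] = field(default_factory=list)  # (input, reason)

    def submit(self, line: str) -> Optional[str]:
        """Validate one network command against the current state.
        Returns the canonical command forwarded to the SCADA, or None."""
        tokens = line.strip().split()
        if not tokens or tokens[0] not in ARG_SPEC:
            return self._reject(line, "unknown command")
        cmd, args = tokens[0], tokens[1:]
        nargs, bounds = ARG_SPEC[cmd]
        if len(args) != nargs:
            return self._reject(line, "wrong argument count")
        values: List[int] = []
        for a in args:
            if not a.isdigit():          # unsigned decimal only: no signs, floats or text
                return self._reject(line, "non-numeric argument")
            lo, hi = bounds
            if not lo <= int(a) <= hi:
                return self._reject(line, "argument out of range")
            values.append(int(a))
        nxt = COMMAND_TABLE.get((self.state, cmd))
        if nxt is None:
            return self._reject(line, f"{cmd} not valid in state {self.state}")
        if cmd == "SET_RATE":
            self.rate = values[0]
        self.state = nxt
        canonical = " ".join([cmd] + [str(v) for v in values])
        self.forwarded.append(canonical)
        return canonical

    def observe(self, event: str) -> None:
        """Apply a feedback event from the device side; FAULT is accepted in any state."""
        if event == "FAULT":
            self.state = "FAULT"
        else:
            self.state = EVENT_TABLE.get((self.state, event), self.state)

    def _reject(self, line: str, why: str) -> None:
        self.rejected.append((line, why))
        return None


def run_demo() -> FsmWrapper:
    """Feed a constructed command stream (with one device event marked <...>)
    through the wrapper and return it for inspection."""
    w = FsmWrapper()
    stream = [
        "OPEN",                 # CLOSED -> OPENING, forwarded
        "OPEN",                 # already opening: rejected
        "SET_RATE 50",          # valve moving: rejected
        "<LIMIT_OPEN>",         # device feedback, delivered via observe()
        "SET_RATE 50",          # stationary now: forwarded
        "SET_RATE 500",         # out of range: rejected
        "SET_RATE 50; CLOSE",   # extra tokens smuggled in: rejected
        "CLOSE",                # OPEN -> CLOSING, forwarded
        "STOP",                 # CLOSING -> HELD, forwarded
        "RESET",                # no fault to reset: rejected
    ]
    for item in stream:
        if item.startswith("<"):
            w.observe(item.strip("<>"))
        else:
            w.submit(item)
    return w
```

The wrapper keeps its own copy of the expected machine state and only moves it on commands it has forwarded or on events from the device side, so a network peer cannot talk it into a state the device is not actually in.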

Use a digital diode to exfiltrate SCADA data: A digital diode (data diode) physically permits traffic in one direction only, so it prevents an output channel from being turned into an input channel with a high degree of certainty. This will normally require protocol alterations, such as a TCP-to-UDP proxy on the sending side and a UDP-to-TCP proxy on the receiving side of the diode, in order to interface with technologies that depend on two-way transport. Because no acknowledgement can cross the diode, the sending side cannot learn of lost datagrams; sequence numbers, checksums and repetition on the sending side, and gap detection on the receiving side, have to take the place of TCP's retransmission.
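The following Python program is an added example, not code from the original page, of the framing and reassembly the two proxies around a diode need. The header layout, the 1400-byte payload limit and the choice to send the whole stream twice are assumptions; the one_way_channel function stands in for the diode itself and deliberately has no reverse direction, so the receiver can only detect and report loss, never ask for a resend.

```python
import struct
import zlib
from typing import Dict, Iterable, List, Optional, Tuple

HEADER = struct.Struct("!IBI")  # seq (u32), flags (u8, bit 0 = last frame), crc32 of payload (u32)
FLAG_LAST = 0x01
MAX_PAYLOAD = 1400              # assumed: keep datagrams under a typical Ethernet MTU
REPEATS = 2                     # assumed: send the stream twice, as nothing can request a resend


def frame_stream(data: bytes, max_payload: int = MAX_PAYLOAD, repeats: int = REPEATS) -> List[bytes]:
    """Sending-side (TCP-to-UDP) proxy: turn the byte stream received over TCP
    into self-describing datagrams, returned in send order.  The whole pass is
    repeated so a single lost datagram is recovered from the next pass."""
    chunks = [data[i:i + max_payload] for i in range(0, len(data), max_payload)] or [b""]
    frames = []
    for seq, payload in enumerate(chunks, start=1):
        flags = FLAG_LAST if seq == len(chunks) else 0
        frames.append(HEADER.pack(seq, flags, zlib.crc32(payload) & 0xFFFFFFFF) + payload)
    return frames * repeats


def one_way_channel(datagrams: List[bytes], drop: Iterable[int] = (),
                    corrupt: Iterable[int] = ()) -> List[bytes]:
    """Stand-in for the diode.  Datagrams at the 'drop' indices are lost and
    those at the 'corrupt' indices have their last byte flipped.  There is no
    reverse direction: nothing the receiver does can reach the sender."""
    dropped, damaged = set(drop), set(corrupt)
    out = []
    for i, d in enumerate(datagrams):
        if i in dropped:
            continue
        if i in damaged:
            d = d[:-1] + bytes([d[-1] ^ 0xFF])
        out.append(d)
    return out


class Reassembler:
    """Receiving-side (UDP-to-TCP) proxy: validates, de-duplicates and orders
    datagrams, then hands the contiguous prefix to the TCP consumer."""

    def __init__(self) -> None:
        self.frames: Dict[int, bytes] = {}
        self.last_seq: Optional[int] = None
        self.corrupt = 0

    def receive(self, datagram: bytes) -> None:
        if len(datagram) < HEADER.size:
            self.corrupt += 1
            return
        seq, flags, crc = HEADER.unpack_from(datagram)
        payload = datagram[HEADER.size:]
        if zlib.crc32(payload) & 0xFFFFFFFF != crc:
            self.corrupt += 1          # damaged in transit; the repeat pass may still supply it
            return
        if seq in self.frames:
            return                     # duplicate from the repeat pass
        self.frames[seq] = payload
        if flags & FLAG_LAST:
            self.last_seq = seq

    def result(self) -> Tuple[bytes, List[int], bool]:
        """Return (bytes deliverable in order, missing sequence numbers, whether
        the end of the stream was seen).  Since no NAK can cross the diode, a
        gap is reported to the operator rather than repaired."""
        if not self.frames:
            return b"", [], False
        highest = self.last_seq if self.last_seq is not None else max(self.frames)
        missing = [s for s in range(1, highest + 1) if s not in self.frames]
        end = missing[0] - 1 if missing else highest
        data = b"".join(self.frames[s] for s in range(1, end + 1))
        return data, missing, self.last_seq is not None


def transfer(data: bytes, drop: Iterable[int] = (), corrupt: Iterable[int] = (),
             max_payload: int = MAX_PAYLOAD) -> Reassembler:
    """Push one stream through sender proxy, diode and receiver proxy."""
    rx = Reassembler()
    for d in one_way_channel(frame_stream(data, max_payload), drop, corrupt):
        rx.receive(d)
    return rx


# Constructed sample telemetry, as the sending-side proxy might receive it over TCP.
SAMPLE = b"TAG=FT101,VALUE=12.5\n" * 100
```

With a 64-byte payload the sample becomes 33 frames sent twice; losing one copy of a frame is invisible to the consumer, losing both copies shows up as a reported gap, and losing the final frame leaves the stream marked incomplete rather than silently truncated.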

Do not connect the SCADA to the network: When the consequences of compromise are too high to risk any connection, the SCADA should be run in isolation.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved