SCADA security concerns and our training solution

SCADA security concerns and our training solution

Henry Dalziel | Latest InfoSec News, SCADA News and Training | May 6, 2013

Before we start this piece, here are a couple of related blog posts on SCADA and ICS security that you might find interesting: Here’s the problem with SCADA and The SCADA Security Troika.

Several months ago, President Obama passed an Executive Order: Improving Critical Infrastructure Cyber Security which is clearly aimed at, amongst other categories: SCADA and ICS (Industrial Control Systems) systems. Right from the start of the bill, section 1, the order states, quote:

Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity.

That first sentence says it all…

Section 1 of the bill continues:

The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats. It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.”

Pretty grim reading but Concise Courses is ready to pick up the mantle and do ‘our bit’ to combat SCADA weaknesses through training, courses and education!

However, before we get into our education piece, here’s the rub, there is no simple ‘magic bullet’ in securing our, or any other nation’s critical infrastructure. Firming up SCADA and ICS security, particularly Internet facing ageing systems will take a lot of time and considerable effort – not to mention investment and sourcing the necessary training and human resources.

Why does SCADA get such a bad rep with security?
SCADA systems facilitate the safe daily function of vital utilities and facilities such as power, oil, and gas pipelines, waste and water distribution. These systems were designed back in the 80’s with reliability taken as the priority, rather than security. There are many threat vectors to a modern SCADA/ ICS system – the main being unauthorized physical or remote access to the control software. The obvious example here would be Stuxnet back in 2010 but there are other serious threats such as packet access to the network segments hosting SCADA devices. We here at Concise Courses feel that social engineering is definitely a serious issue for SCADA systems. Stuxnet was introduced via a USB drive – and to further demonstrate this we have a SCADA security expert Marcelo Branquinho May 21st (at 1200 EST) showing us how this attack is actually achieved in the real world.

What’s the solution and the Concise Courses training approach
The daily increase in SCADA interest from both the government and people with bad intent is having a net effect of spawning a lot of research into detecting and patching SCADA vulnerabilities – now!

The Concise Courses SCADA training program is specifically aimed at Automation Security Managers, Industrial Managers and Industrial Directors who work within the following sectors: Water Management, Utilities, Oil & Energy, Public Health, Transportation, Public Security Services, Military, Telecommunication, Food & Beverages and with Chemicals.

You will have an opportunity to meet our SCADA Security expert and instructor May 21st (at 12 EST) and watch him explain how SCADA operators can implement controls that will prevent your SCADA network from attack (including disabling Autorun and deploying GPOs to control access to USB ports). Furthermore, Marcelo, our instructor, will also explain how hackers are using Social Engineering to attack your critical infrastructure. There will also be a section that explains how to develop an effective Security Policy that counters the belief that SCADA networks are secure because they are disconnected from the Internet.

About The Presenter for our May 21st event
Marcelo Branquinho is a SCADA security expert. With over 15-year experience in SCADA Systems and Critical Infrastructure Protection (CIP), Marcelo’s achievements include the creation of TI Safe´s Security Automation Training Program, and the curriculum for the Certified Automation Security Engineer (CASE). Marcelo is a senior member of ISA International, and a member of the WG5 TG2 Gap Analysis Task Group that is revising the ANSI/ISA-99 standard.

Marcelo has trained executives from leading private and public sector companies, including Siemens, ThyssenKrupp and Eletrobras CHESF, and holds numerous indutry certificates (CSSA – Certified SCADA Security Architect; Modulo Certified Risk Manager and Tofino Certified System Integrator).

Have you had an SCADA training and attended a course? We’d be fascinated to learn more – did you enjoy it, did it help you? Please leave a comment below.

Leave a comment or reply below...thanks!