Framework for SCADA Security Policy Dominique Kilman Jason Stamp [email protected] [email protected] Sandia National Laboratories Albuquerque, NM 87185-0785

Framework for SCADA Security Policy Dominique Kilman Jason Stamp Dkilman@Sandia.Gov Jestamp@Sandia.Gov Sandia National Laboratories Albuquerque, NM 87185-0785

1 Framework for SCADA Security Policy Dominique Kilman Jason Stamp [email protected] [email protected] Sandia National Laboratories Albuquerque, NM 87185-0785 Abstract – Modern automation systems used in infrastruc- 1.1. SCADA-Specific Security Administration ture (including Supervisory Control and Data Acquisition, or SCADA systems need a separate, SCADA specific secu- SCADA) have myriad security vulnerabilities. Many of these relate directly to inadequate security administration, which rity administration structure to ensure that all the special- precludes truly effective and sustainable security. Adequate ized features, needs, and implementation idiosyncrasies of security management mandates a clear administrative struc- the SCADA system are adequately covered. [2] contains a ture and enforcement hierarchy. The security policy is the table which lists the key differences in IT and SCADA sys- root document, with sections covering purpose, scope, posi- tem designs which can affect security and policy decisions. tions, responsibilities, references, revision history, enforce- Acceptable use of SCADA should be narrower than IT ment, and exceptions for various subjects relevant for system systems due to its different mission, sensitivity of data, and security. It covers topics including the overall security risk heightened criticality. SCADA systems are oftentimes used management program, data security, platforms, communica- to control time-critical functions. When time is an impor- tions, personnel, configuration management, audit- tant factor, some standard IT security practices may not be ing/assessment, computer applications, physical security, and manual operations. This article introduces an effective frame- appropriate for SCADA. For example, since anti-virus work for SCADA security policy. scanning can sometimes slow down a system, these may not be acceptable for some SCADA platforms. Therefore, Index Terms – SCADA systems, policy, administrative con- the blanket recommendation in IT policy to include anti- trol, security administration. virus scanning on every machine would not be appropriate for SCADA. 1. SCADA MANAGEMENT CONTROLS The mission in these automation systems may have SCADA systems support our critical infrastructures such safety-critical tasks which would preclude any significant as electrical power generation, transmission and distribu- downtime. While an IT system can at times allow down- tion, oil & gas transport, and water supplies. The primary time of hours, an electrical power plant cannot tolerate im- purpose of SCADA systems is to monitor and control infra- portant safety functionality being lost for any period of time structure equipment. The Sandia interpretation of the terms during operation. Also, since automation systems have PCS and SCADA include the overall collection of control more immediate physical consequences, interconnections systems that measure, report, and change the process. Es- between SCADA systems and external networks must be sentially, any subsystem that electronically measures state, better controlled, and access must be more strictly enforced alters process control parameters, pre- and monitored sents/stores/communicates data, or the management thereof Immediate adoption of security patches that are essential is subsumed in our definition of SCADA. in IT may be impractical in SCADA. At times, vendor con- One of the most common problems seen in modern tracts preclude SCADA systems from installing patches that SCADA environments is the lack of a SCADA-specific have not been approved and vetted by the vendor. Also, security policy. Other vulnerabilities include poor account the possibility of a patch disrupting critical functionality is maintenance, insecure network connections, and a lack of not tolerated in a SCADA system. maintenance and monitoring of equipment. See [1] for an Finally, the data produced by a SCADA system may in-depth discussion of observed vulnerabilities. have different sensitivity than the data generated in the business side of the operation. SCADA data also has a Copyright © 2005, Sandia Corporation. different lifetime, so some SCADA data may only need The submitted manuscript has been authored by a contractor of the U.S. Government protection for several minutes as opposed to under contract No. DE-AC04-94AL85000. Accordingly, the U.S. Government retains a nonexclusive, royalty-free license to publish or reproduce the published days/months/years for personnel data residing on a business form of this contribution, or allow others to do so, for U.S. Government purposes. network. Unlimited release – approved for public release. Administration and enforcement is simpler with a sepa- Sandia National Laboratories report SAND2005-1002C. rate policy. Trying to tailor a traditional IT policy to in- Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear clude SCADA may seem like a time saving effort, but in Security Administration under contract DE-AC04-94AL85000. reality it is probably not. Trying to capture all the caveats needed for SCADA could be counterproductive and may produce a document which is not easily understandable. The resulting policy will often be so convoluted, watered 2 down, inaccurate and vague that it is difficult to know what ogy. If the policy is not updated, the policies themselves is and is not allowed. Since SCADA systems also have a become obsolete, which is not an acceptable situation. small audience (including SCADA engineers, technicians, Security policies do not include configuration rules, sys- operators, and administrative personnel), the detail of the tem setup guidelines, or specific security settings. These policy sections can be more precisely targeted. Finally, elements are important in any sustainable security program, legislative requirements on automation systems are differ- but policy is not the proper place for this type of informa- ent than other IT systems. tion. Security plans and implementation guidance is where these should go. 1.2. Enforcement Hierarchy Policy is the cornerstone of any sustainable security sys- 1.4. Important Policy Sections tem. Systems without security policy and administration do A well written policy document must follow an easy-to- not possess measurable, self-perpetuating security, and ex- read and easily understandable format. Each policy will perience has shown that every ungoverned information include: network will eventually sprout vulnerabilities. Purpose: The purpose section explains why this policy sec- Business objectives are also a driving factor of policy. tion exists. As a business, environments that use SCADA need to iden- Scope: The scope specifies what is covered by the policy tify confidentiality, availability, and integrity requirements (for example, machines, people, and/or facilities). for the SCADA network and the data available from the Policy: These are the actual statements of the organiza- SCADA system. These requirements will drive policy tion’s rules on the topic – what can and cannot be done by statements. people, equipment, etc. Risk assessment drives policy by identifying where the Responsibilities: Who must do what in regards to this pol- system is vulnerable to attack. The risk assessment process icy is specified here. involves evaluation, reduction, transference, and mitigation. References/Authorities: Here, the policy is tied back to Security policy addresses the reduction, transference, and other policies that must be followed due to the organiza- acceptance steps. Policy also details when, who, and how tional structure. Also, external references to the policy are evaluations will be performed. cited (for example, legal requirements). A defined policy is the first step in creating a security Revision History: This is a record of what changes were program which is self-sustaining and enforceable. Once a made, by whom, and when they were done. policy has been created, other specific security documents Enforcement: This specifies the consequences of not fol- (including system security plans and implementation guid- lowing the policy. This may be general and apply to all ance) can be created to define the particular practices to be policies (i.e. subject to disciplinary action up to and includ- used within the SCADA environment. ing termination) or they may be specific (immediate dis- missal for knowingly and flagrantly disregarding a specific 2. SECURITY POLICY CONCEPTS policy). Enforcement may also describe if legal action may be pursued. SCADA security policy can be defined as follows: Exceptions: Exceptions might not be needed, but if they “Security policy for SCADA administration trans- exist, each must be documented in the policy. This in- lates the desired security and reliability control ob- cludes how to get an exception, who can approve it, and jectives for the overall business into enforceable di- were the documentation will be stored. Also, the details rection and behavior for the staff to ensure secure about how often the exception must be re-approved are SCADA design, implementation, and operation.” [3] described. 1.3. Policy Introduction and Background Some of the preceding sections must be included for A security policy is a formal statement of what will and every part of the security policy that is written, such as pol- will not be done by persons and systems within an organi- icy and scope. Others can be stated once and that statement zation.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    6 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us