Securing SCADA Networks in the Digital Age

Most supervisory control and data acquisition (SCADA) systems were never meant to connect to the outside world. But, as business leaders in the energy and utilities sectors have started to demand more visibility into their organizations’ operations in recent years, these operational technology assets have become increasingly linked to IT networks. This has made them more vulnerable to ransomware, malware and attackers who seek to cause chaos by crippling important infrastructure.

Oil, gas and utility companies cannot afford to ignore these threats. This checklist of best practices will help organizations better understand their cybersecurity environments, detect potential threats and respond effectively when they are breached.

According to Fortinet, 17 percent of operational technology (OT) security professionals rate security analysis, monitoring and assessment tools as the single most important solution for cybersecurity. In addition to discovery tools, organizations must conduct a thorough inventory of all assets connected to their networks.

When I work with organizations to secure their SCADA networks, IT leaders usually tell me that they can already provide a full accounting of their networked equipment. However, when we inventory their environment, we inevitably find connected legacy equipment that no one knew about.

The only way to be sure that a cybersecurity environment will stand up to attack is to attack it. Through penetration testing, red team exercises and other exercises that simulate real-world attacks, IT and OT leaders can identify previously hidden gaps in their defenses.

Effective, real-time monitoring is a cornerstone component of any comprehensive cybersecurity strategy. Fortinet notes that “top-tier” organizations — meaning those that reported zero network intrusions over the previous 12 months — are 32 percent more likely than bottom-tier organizations to monitor and track OT security through their security operations centers. Many organizations lack the internal IT staff necessary to constantly monitor logs from all of their different systems, so they outsource monitoring to SOC as a Service providers that alert them to anomalous or suspicious network activity.

It may be a well-worn cliché by now, but that’s because it’s true: When it comes to a network breach, the question is not if it will happen but when. Backup and recovery tools that help organizations restore their data and systems after an attack are essential. So are business continuity and disaster recovery playbooks that outline the exact steps specific stakeholders within an organization will take in the event of a successful attack on their systems.

It is true that compliance with regulatory requirements does not ensure security. However, regulatory compliance is necessary for its own purposes, and it can also be a decent starting point for conversations about how to best secure an environment.

Security standards are a part of state licensing requirements for many energy providers, water companies and other utilities. By proactively adopting solutions and implementing processes to address these standards as they change, organizations can avoid sanctions and keep their focus on what matters most: protecting their assets from harm.