Sunday, November 20, 2011

SCADA, SCADA, Shedoobie

Borepatch puts up some good points about IT security in general, and SCADA systems in particular, when he discusses the damage done by vandals using the controller for a water pump to disrupt operations at a water plant in Illinois.

I sort of tongue-in-cheek talked about IT security a few months ago with my 4 Rules of IT Security, and Borepatch added a 5th:  Boot it and they will come.

He couldn't be more right.

Any system, be it a gaming console, a laptop, a smartphone, or the controllers for a nuclear power plant, can be compromised given access and time.  The ideal is to make it hard enough for someone to get in that they can't do it before you notice and shut them down.  The least you can do is to know they were there so that you know what was damaged or stolen after they're gone and you notice it.

So what do you do?

If you're in IT, you bake security into the cake when you're designing new software, systems, or products.  You balance user requirements against security best practices, with the scales always tipped towards protecting the information and business that your system services.  You patch early, and patch often, and double-check to make sure that your systems aren't vulnerable to new vectors of attack.  You retrofit security into existing business processes and systems as much as you can, and you always watch your systems for early signs that someone is doing something nefarious.  And for Cthulhu's sake, if you're taking care of SCADA systems, start jumping up and down on your vendor's desk to get them to do something about the abysmal state of their systems.  Do that about 3 minutes after making sure it's hard as heck to get to your SCADA from the Internet, of course.

At work, if you're not in IT, pay attention to the excruciatingly boring security briefings and policies that you're regularly asked to attend and read.*  You think about what you're using your computer for, and try to not do anything that will compromise it.  You keep yourself educated enough that you recognize someone trying to trick you into giving up the keys to your particular kingdom.

At home, you are probably your own IT guy, so act like it.  Educate yourself about the technology you have in your home the same as you do about the technology under the hood of your car.  Keep your systems patched the same as you would change the oil in your car.*  A quick pro-tip here:  If the company that produced your operating system announces that there won't be any more patches to your system, replace it.  They're not announcing that there isn't anything left to fix, they're announcing that they're giving up for financial reasons. Also, use firewalls, both at the point where the Internet comes into your home, and on your systems.  I'm a Unix and Mac guy, and it pains me to say it, but Microsoft has come a long way in the security realm, so if you're using Windows, use the built in and bolt-on security software to your advantage.

What else can you do?  If you use USB keys, be wary of putting information that can harm you on something so easily stolen or lost.  If you have to keep your financial or personal information on a USB key, then encrypt it.  Stay out of the seedier areas of the Internet, and always be on the look out for Nigerian princes who want to give you money.  Watch your credit cards, bank accounts, and other business dealings so that you know if someone has compromised your information.  Regularly check your credit report to make sure someone hasn't gotten hold of your identity and opened a bunch of new accounts in your name.

Basically, take care of your information security the same way you would take care of your physical security. Lock your computer the same way you would lock your doors.  Use the most high-powered technology you can handle to protect your information the same way you would carry the most powerful handgun you can handle to protect your body.

*We enjoy writing and presenting them almost as much as you do going through them, trust me.

**If you don't know much about the engine in your car or change your own oil, you should probably pay to have someone to regularly service your computer the same way you do your car.

No comments:

Creative Commons License
DaddyBear's Den by DaddyBear is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 United States License.
Based on a work at