Last week I attended the ISA Water/Wastewater and Automatic Controls Symposium in Bethesda, Maryland. The conference was attended by equipment manufacturers and municipalities, but system integrators composed the largest group. The technical sessions mainly discussed new opportunities for implementing the industrial internet of things (IoT) and cybersecurity concerns. Both topics are central for the future of IACS (industrial automation and control systems) and SCADA (supervisory control and data acquisition) systems, but they provide disparate advice regarding remote access, a critical component of SCADA systems.
Due to the remote nature of the control devices in SCADA systems, wireless networks are a necessity for the overall cost and feasibility of the design. Industrial IoT focuses on helping integrators design an implementable system at the lowest cost to serve. Cybersecurity addresses the risks of these connections, and may be seen as an unnecessary cost. The path forward for IACS and SCADA requires finding a way to take advantage of the operational benefits from remote access, without exposing system integrators to undue cyber risk.
There have already been many successful attacks on SCADA systems leveraging remote access. The Maroochy Shire Sewage Company was attacked back in 2001 by the former employee of the system integrator responsible for designing an upgrade to their SCADA system. After being let go from the integrator and denied a position at Maroochy Shire, he initiated multiple cyberattacks. Exploiting weak physical security, he stole a company laptop, logged in over remote access, and altered control settings, resulting in the spill of 264,000 gallons of raw sewage. The spill had severe environmental consequences and the incident cost the system integrator over $500,000 in fines .
This example is not just an isolated incident. The number of worldwide SCADA attacks increased 636% from 2012 to 2014, where there were 675,186 cyber incidents in January 2014 . As the number of cyberattacks grow, taking the necessary steps to protect remote access has never been more important.
The key to securing remote access is deploying a robust strategy for access, authentication, and auditing on a continuous basis. No authentication technique is foolproof, but the list below covers some best practices for securing remote access, most of which can be implemented without significant additional cost:
- Require and enforce user access control technology, the use of company-owned laptops for remote access that are maintained per the organization’s cybersecurity policies.
- Require ushered remote access for vendors and contractors.
- Require that vendors and contractors with remote access comply to the company’s cybersecurity policies.
- Configure VPN so split-tunneling is not allowed.
- Monitor and log user ID, time, and duration of all remote access sessions.
- Require multi-factor authentication for any remote access sessions.
- Encrypt all communications over untrusted networks.
- Configure any open source remote access application for maximum cybersecurity.
- Require strong passwords.
- Restrict remote connections to special machines in the IACS DMZ, which then accesses resources in the control system.
- Inspect all traffic entering and leaving the VPN tunnel with an Intrusion Detection System (IDS).
- Prevent unauthorized access to the PC and specify who can start remote control sessions on a particular host.
- Place restrictions on drive access and file transfer for remote sessions.
- Host connect acknowledgments to allow a PC user to confirm or deny access.
- Restrict access to specific remote devices.
Watch the upcoming webinar, Managing cybersecurity risks in wireless control networks, to learn more about this topic.
 Sayfayn, N., Madnick, S., Cybersecurity Analysis of the Maroochy Shire Sewage Spill, MIT, May 2017.
 McMillen, D., Security Attacks on Industrial Control Systems, IBM Security, 2015, https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03046USEN.