
SCADA Security And System Access Technical Requirements

Ensuring Secure Access to SCADA Systems

Supervisory Control and Data Acquisition (SCADA) systems are increasingly common in industrial processes. They monitor and control complex processes, often in hazardous and sensitive environments, so they must be secured so that only authorized personnel can reach them, and so that each person who can reach them holds only the privileges their job requires. This article sets out the network isolation, access control, and account and password management measures required for SCADA systems.

SCADA System Isolation

The first step in securing a SCADA system is to isolate it from the Internet and from corporate networks. This is done with a firewall in a Demilitarized Zone (DMZ) architecture. No session should pass directly between the corporate network and the SCADA LAN: all traffic from either side should terminate in the DMZ. The firewall should provide dedicated interfaces for the corporate network, separate from the dedicated interfaces to the SCADA LAN, so that the two networks share no segment. The data historian should be placed in the DMZ, where it receives data from a historian data collector installed on the SCADA LAN; corporate users query the historian in the DMZ and never the SCADA LAN itself. Firewall configuration and rule setting should be implemented in accordance with SAER-6123, with a default-deny rule base in which every permitted flow is explicit.
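The following Python script is an added example, not part of the original page or of SAER-6123. It models the three firewall zones as a first-match rule base and checks a candidate rule base against the requirement above that traffic from both the corporate network and the SCADA LAN terminates in the DMZ, showing a "convenience" rule base beside a corrected one. The historian port numbers (443 for corporate clients, 5450 for the collector), the probe ports and the rule contents are assumptions made for the illustration.

```python
"""Zone-policy linter for the corporate / DMZ / SCADA LAN firewall.

Added example: models the three-interface firewall described in the text
and checks a candidate rule base against the 'everything terminates in the
DMZ' requirement. Port numbers and rule contents are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

CORPORATE, DMZ, SCADA = "corporate", "dmz", "scada"

# Assumed service ports: corporate clients query the historian over HTTPS,
# the SCADA-LAN collector pushes to the historian on an assumed TCP 5450.
HISTORIAN_CLIENT_PORT = 443
HISTORIAN_COLLECT_PORT = 5450
# Sample of ports probed when looking for forbidden cross-zone flows
# (SSH, S7comm, Modbus/TCP, RDP, EtherNet/IP, OPC UA). A rule with port=None
# matches every port, so any probe catches it.
PROBE_PORTS = (22, 102, 502, 3389, 44818, 4840)


@dataclass(frozen=True)
class Rule:
    src: str              # source zone
    dst: str              # destination zone
    port: Optional[int]   # TCP destination port, None = any
    action: str           # "allow" or "deny"


def first_match(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """Evaluate one flow against an ordered rule base; no match means deny."""
    for r in rules:
        if r.src == src and r.dst == dst and r.port in (None, port):
            return r.action
    return "deny"


def policy_violations(rules: List[Rule]) -> List[str]:
    """Return the requirements the rule base breaks; an empty list is compliant."""
    problems = []
    # Requirement 1: traffic from either side terminates in the DMZ, so no
    # corporate<->SCADA flow may be allowed in either direction.
    for src, dst in ((CORPORATE, SCADA), (SCADA, CORPORATE)):
        hits = [p for p in PROBE_PORTS if first_match(rules, src, dst, p) == "allow"]
        if hits:
            problems.append(f"direct {src}->{dst} allowed on port(s) {hits}; must terminate in DMZ")
    # Requirement 2: the historian in the DMZ must be reachable by the
    # collector on the SCADA LAN and by corporate clients.
    if first_match(rules, SCADA, DMZ, HISTORIAN_COLLECT_PORT) != "allow":
        problems.append("SCADA-LAN historian collector cannot reach the DMZ historian")
    if first_match(rules, CORPORATE, DMZ, HISTORIAN_CLIENT_PORT) != "allow":
        problems.append("corporate clients cannot reach the DMZ historian")
    # Requirement 3: no 'any port' allow rule from the DMZ into the SCADA LAN;
    # anything the DMZ needs on the SCADA side must be an explicit, single-port rule.
    if any(r.src == DMZ and r.dst == SCADA and r.port is None and r.action == "allow"
           for r in rules):
        problems.append("'dmz -> scada any' rule present")
    return problems


# Constructed 'convenience' rule base: RDP from corporate straight to SCADA
# workstations and an open DMZ->SCADA rule, beside the legitimate historian flows.
WEAK_RULES = [
    Rule(CORPORATE, SCADA, 3389, "allow"),
    Rule(CORPORATE, DMZ, HISTORIAN_CLIENT_PORT, "allow"),
    Rule(SCADA, DMZ, HISTORIAN_COLLECT_PORT, "allow"),
    Rule(DMZ, SCADA, None, "allow"),
]

# Corrected rule base: both sides reach only the DMZ, explicit denies at the end.
HARDENED_RULES = [
    Rule(CORPORATE, DMZ, HISTORIAN_CLIENT_PORT, "allow"),
    Rule(SCADA, DMZ, HISTORIAN_COLLECT_PORT, "allow"),
    Rule(CORPORATE, SCADA, None, "deny"),
    Rule(SCADA, CORPORATE, None, "deny"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, policy_violations(rules) or "compliant")
```

The probe list is a sample, not an exhaustive port scan; a real check should be driven from the firewall's exported rule base and the plant's documented flow inventory.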

Access Control

In order to maintain the security of a SCADA system, access to it should be restricted to only those with legitimate business requirements. The system should use user IDs and passwords or other suitable technologies for identifying and authenticating users.

User Roles

User roles should be created in order to facilitate the application of individual user access privileges based on the user role. The following user roles should be configured as a minimum, with additional roles created based on the particular needs of the facility:

• Process Operator: This user role should provide access privileges for process operators and control board operators. Access privileges should enable monitoring and control of equipment in associated process areas. View-only access to function block parameters such as alarm limits and tuning parameters should also be granted. This role should have a restricted user profile so that users cannot install programs, change software configuration, access floppy disk or CD drives, or any removable media.

• Process Area Supervisor: This user role should include all of the privileges assigned to the Process Operator role. In addition, any special authority commands required for control of the process area should be granted to the Process Area Supervisor role rather than to the operator role.

• Maintenance Engineer/Technician: This user role should provide access to system and instrument diagnostic and troubleshooting tools. Access to utilities required for backup and restore of system information should also be granted, as well as other privileges required to enable maintenance functions. View-only or monitoring-only access to process graphics and function block parameters should also be granted.

• Process Engineer: This user role should be used to grant access privileges for process engineers associated with a particular process area. Access privileges should enable monitoring and control of equipment associated with the particular process area. Access privileges should also be granted to modify function block parameters such as alarm limits and tuning constants. Read-write privileges for function block parameters should be limited to those function blocks associated with the particular plant area to which the role is associated.

• System Engineer: This user role should provide access privileges to persons responsible for the configuration and maintenance of the system. Access privileges should allow them to perform functions necessary for the configuration and support of the system. Permission to modify user role privileges, user accounts and passwords should not be granted.

• System Administrator: This user role should provide access to the entire system. Assignment of users to this role should be restricted to a limited number of highly trusted and competent employees. This role should contain privileges necessary for configuration of user role privileges and assignment of users to particular user roles. The role should also provide access to utilities required for monitoring and auditing of system access activities.

• View Only: This user role should be used to provide monitoring only access of all process areas within the plant. Access to graphics which are specifically required for control operations should be restricted, as should access to system diagnostics, maintenance and configuration utilities.
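The following Python model is an added example, not part of the original page or of any vendor's access-control system. It encodes the seven roles above as permission sets, scopes control and function-block permissions to the user's assigned process areas, and exposes a check that no role other than System Administrator can manage users, which is the separation of duties the System Engineer description requires. The permission strings, the area names and the authorize() interface are assumptions made for the illustration.

```python
"""Role-based, area-scoped authorization model for the SCADA user roles above.

Added example: the role names follow the text; the permission strings and
the authorize() API are assumptions made for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

ALL_AREAS = "*"   # marker for plant-wide scope (View Only, Maintenance)

ROLE_PERMS: Dict[str, FrozenSet[str]] = {
    "process_operator": frozenset({
        "graphics:view", "graphics:control", "equipment:control", "fb_params:read"}),
    "process_area_supervisor": frozenset({
        "graphics:view", "graphics:control", "equipment:control",
        "equipment:special_authority", "fb_params:read"}),
    "maintenance_engineer": frozenset({
        "graphics:view", "fb_params:read", "diagnostics:use", "backup:run"}),
    "process_engineer": frozenset({
        "graphics:view", "graphics:control", "equipment:control",
        "fb_params:read", "fb_params:write"}),
    "system_engineer": frozenset({
        "graphics:view", "fb_params:read", "diagnostics:use", "system:configure"}),
    # Full access, including users:manage and audit:view; no explicit list.
    "system_administrator": frozenset({"*"}),
    "view_only": frozenset({"graphics:view", "fb_params:read"}),
}

# Permissions that are only valid inside the user's assigned process areas.
AREA_SCOPED = frozenset({
    "graphics:control", "equipment:control", "equipment:special_authority",
    "fb_params:read", "fb_params:write"})


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    areas: FrozenSet[str] = frozenset()   # e.g. {"unit-100"} or {ALL_AREAS}


def authorize(user: User, perm: str, area: Optional[str] = None) -> bool:
    """True if the user's role grants perm, within the named area where scoped."""
    perms = ROLE_PERMS[user.role]
    if "*" in perms:
        return True
    if perm not in perms:
        return False
    if perm in AREA_SCOPED:
        if area is None:            # scoped actions must name the target area
            return False
        return ALL_AREAS in user.areas or area in user.areas
    return True


def roles_with(perm: str) -> List[str]:
    """Which roles hold a permission; used to verify separation of duties."""
    return [role for role, perms in ROLE_PERMS.items() if perm in perms or "*" in perms]


if __name__ == "__main__":
    eng = User("eng07", "process_engineer", frozenset({"unit-100"}))
    print(authorize(eng, "fb_params:write", "unit-100"),   # True: own area
          authorize(eng, "fb_params:write", "unit-200"))   # False: other area
    print(roles_with("users:manage"))                      # ['system_administrator']
```

The roles_with() check is the one to run whenever the role table is edited: if it ever returns more than the System Administrator for users:manage, the System Engineer restriction has been broken.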

User Accounts

Each user should be assigned a unique User ID. All GUEST user accounts should be disabled on the system. User ID formats should conform to corporate guidelines as highlighted in Section 11.1.1.3.6 of IPSAG-007. Systems should be configured to display a warning banner upon logon, or a printed sticker may alternatively be used. Users should be granted access privileges by assigning them to a User Role applicable to their particular job function.

User Account Passwords

Every User ID should have an individual password. The system should be configured to require a minimum password length of eight characters. Passwords should be transmitted only over encrypted channels and stored only as salted one-way hashes, never in clear text or in reversibly encrypted form, and the system should enforce password uniqueness: a minimum of three unique passwords must be entered before a password can be re-used. The system should enforce password complexity rules, and easily guessable passwords should be rejected. A password must contain at least two of the following four character classes: lower case letters a-z, upper case letters A-Z, digits 0-9, and punctuation characters.

Management of passwords, User IDs and User Role privileges should be done via a central server. The system should require passwords to be reset for all User IDs every six months. Facilities should be provided to enable user account passwords to be changed at any workstation connected to the system. A password changed at one location should be automatically updated at all stations where the account is valid. The system should also issue a password expiration notification to the user at least 10 days prior to the password expiry date. Passwords should be masked on the screen while being entered and should not be stored electronically in unprotected files. In order to change user account passwords, users should always be required to provide both their old and new passwords, if supported by the system.
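The following Python code is an added example, not part of the original page or of any SCADA vendor's account manager. It implements the password rules of the two paragraphs above as a checkable policy: eight-character minimum, at least two of four character classes, refusal of any of the last three passwords, old-plus-new password required to change, and a six-month expiry with a warning ten days ahead. Passwords are held only as salted PBKDF2 hashes; the iteration count, the history representation and the Account class are assumptions of this illustration.

```python
"""Password policy for SCADA user accounts, as an added example.

Implements the rules in the text: eight-character minimum, at least two of
four character classes, no reuse of the last three passwords, reset every
six months with a warning ten days ahead, and old-plus-new password required
to change. Storage is a salted PBKDF2 hash; the iteration count, history
representation and the Account class are assumptions of this illustration.
"""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 8
MIN_CLASSES = 2
HISTORY_DEPTH = 3                 # current password plus the two before it
MAX_AGE = timedelta(days=182)     # six months
WARN_BEFORE = timedelta(days=10)
PBKDF2_ROUNDS = 100_000           # assumed; tune to the platform


def complexity_problems(pw: str) -> List[str]:
    """Return the complexity rules a candidate password breaks."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum((
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.digits for c in pw),
        any(c in string.punctuation for c in pw),
    ))
    if classes < MIN_CLASSES:
        problems.append(f"uses {classes} character class(es); needs {MIN_CLASSES}")
    return problems


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted one-way hash; the clear-text password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


def matches(pw: str, entry: Tuple[bytes, bytes]) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    salt, digest = entry
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)


class Account:
    def __init__(self, user_id: str, password: str, changed_on: str):
        self.user_id = user_id
        self.history: List[Tuple[bytes, bytes]] = []   # newest last, current at [-1]
        self.changed_on = date.fromisoformat(changed_on)
        self._store(password)

    def _store(self, pw: str) -> None:
        self.history.append(hash_password(pw))
        del self.history[:-HISTORY_DEPTH]              # keep only the last three

    def change_password(self, old: str, new: str, today: str) -> List[str]:
        """Old and new are both required; returns the reasons for refusal."""
        if not matches(old, self.history[-1]):
            return ["current password does not match"]
        problems = complexity_problems(new)
        if any(matches(new, e) for e in self.history):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if not problems:
            self._store(new)
            self.changed_on = date.fromisoformat(today)
        return problems


def expiry_status(acct: Account, today: str) -> str:
    """'expired', 'warn' (within ten days of expiry) or 'ok'."""
    remaining = acct.changed_on + MAX_AGE - date.fromisoformat(today)
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= WARN_BEFORE:
        return "warn"
    return "ok"


if __name__ == "__main__":
    acct = Account("op01", "Alpha-001", "2024-01-01")
    print(acct.change_password("Alpha-001", "abcdefgh", "2024-01-02"))  # one class only
    print(acct.change_password("Alpha-001", "Bravo-002", "2024-01-02"))  # []
    print(expiry_status(acct, "2024-06-28"))                             # warn
```

Because the history holds hashes rather than passwords, the reuse check must hash the candidate once per stored entry; with the three-entry depth required here that cost is negligible, and it avoids keeping any reversible copy of a past password on the central server.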

Securing Your SCADA System: Best Practices for Keeping Your System Safe

Supervisory Control and Data Acquisition (SCADA) systems are used in a variety of industries to monitor and control operations. As such, they are a vital component of any organization’s operations. However, like any other system, SCADA systems are vulnerable to attack if not properly secured. In order to keep your SCADA system secure and safe from malicious actors, here are some best practices to follow.

Account Management

One of the most important aspects of SCADA security is account management. All user accounts should have strong passwords that are changed on a regular basis and stored only as salted one-way hashes, never in clear text. System and service accounts should be managed by the System Administrator, and every vendor default password should be changed before the system is commissioned.

Anti-Virus Protection

Anti-virus software should be installed and configured on all Windows-based SCADA workstations and servers, and virus definition files should be updated on all SCADA servers and stations from a centralized update server rather than from each host directly. The software should be configured according to the SCADA vendor's procedures, which specify on-access scanning, scheduled full scanning, buffer overflow protection, and the directories that must be excluded from scanning so that scans do not interfere with real-time control processes.

Operating System Software and Vendor Software Patch Management

The vendor’s recommended procedures for upgrading OS software and installing patches should be followed, and patches not yet approved by the SCADA vendor should not be applied. Access privileges for OS upgrades and OS patch installation should be assigned to the System Administrator role only. New SCADA systems should be deployed with the latest stable, vendor-supported operating system security and operational patches.

Audit Policies

If approved by the SCADA System application vendor, audit policies on SCADA Systems should be configured to capture system events, account management, logon events, and privileged activities. The SCADA System should also be configured to log actions performed by the SCADA System administrators and maintenance personnel. Event logs should include user names, time/date and event type.

Retention and Archival

Retention and archival of security audit logs should be developed in accordance with Corporate Data Protection and Retention INT-7 policy. The retention period for audit logs should be set for 3 months as a minimum, and the minimum storage capacity for logs should be 500 GB.
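The following Python script is an added example, not part of the original page or of any vendor's logging subsystem, serving the Audit Policies and Retention and Archival paragraphs together. It parses a constructed audit log, sorts each record into the categories the audit policy must capture (logon events, account management, privileged activity, system events), flags records that lack the required user name, time/date or event type, separates records older than the three-month window for archival, and checks how many days a 500 GB store sustains at an observed event rate. The log format, the event names and the sample lines are constructed for this illustration.

```python
"""Audit-log completeness, categorisation and retention check, as an added example.

The log format (timestamp followed by key=value pairs) and the sample events
are constructed for this illustration; they are not a vendor's event schema.
"""
from datetime import date, timedelta
from typing import Dict, List, Tuple

RETENTION_DAYS = 90   # three-month minimum from the text

# Map event names to the audit categories the text requires.
CATEGORIES = {
    "logon": "logon_events", "logoff": "logon_events",
    "account_created": "account_management", "account_disabled": "account_management",
    "role_assigned": "account_management", "password_reset": "account_management",
    "patch_installed": "privileged", "config_change": "privileged", "backup_restore": "privileged",
    "service_restart": "system_events", "service_stop": "system_events",
}
REQUIRED = ("timestamp", "user", "event")   # user name, time/date, event type

# Constructed sample: one record lacks a user name, one is older than 90 days.
RAW_EVENTS = """\
2024-03-02T08:15:04Z host=OPS01 event=logon user=op01 result=success
2024-03-02T08:15:30Z host=OPS01 event=logon user=op01 result=failure
2024-03-02T09:02:11Z host=ENG01 event=account_created user=sysadm target=eng07
2024-03-02T09:05:48Z host=ENG01 event=role_assigned user=sysadm target=eng07 role=process_engineer
2024-03-02T10:40:00Z host=SRV01 event=patch_installed user=sysadm package=os-security-rollup
2024-03-02T10:41:17Z host=SRV01 event=service_restart result=success
2023-11-20T14:00:00Z host=OPS02 event=logon user=op03 result=success
"""


def parse_line(line: str) -> Dict[str, str]:
    """'<timestamp> k=v k=v ...' -> dict; tokens without '=' are ignored."""
    fields = line.split()
    record = {"timestamp": fields[0]}
    for pair in fields[1:]:
        key, sep, value = pair.partition("=")
        if sep:
            record[key] = value
    record["category"] = CATEGORIES.get(record.get("event", ""), "other")
    return record


def load_audit(text: str) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split records into complete ones and those missing a required field."""
    complete, incomplete = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        (complete if all(k in rec for k in REQUIRED) else incomplete).append(rec)
    return complete, incomplete


def partition_by_retention(records: List[Dict[str, str]], today: str,
                           days: int = RETENTION_DAYS):
    """Records inside the retention window stay online; older ones go to archive, not deletion."""
    cutoff = date.fromisoformat(today) - timedelta(days=days)
    online, archive = [], []
    for rec in records:
        event_day = date.fromisoformat(rec["timestamp"][:10])
        (online if event_day >= cutoff else archive).append(rec)
    return online, archive


def days_of_retention(capacity_bytes: int, events_per_day: int, avg_event_bytes: int) -> int:
    """Whole days a log store of this size holds at the observed event rate."""
    return capacity_bytes // (events_per_day * avg_event_bytes)


if __name__ == "__main__":
    recs, bad = load_audit(RAW_EVENTS)
    print(f"{len(recs)} complete, {len(bad)} incomplete: {[r['event'] for r in bad]}")
    online, archive = partition_by_retention(recs, "2024-03-02")
    print(f"{len(online)} online, {len(archive)} to archive")
    print("days sustained by 500 GB at 2M events/day of 250 B:",
          days_of_retention(500 * 10**9, 2_000_000, 250))
```

The incomplete list is the finding to act on: an event without a user name (here a service restart logged without the account that triggered it) cannot be attributed, so it fails the requirement that logs identify who did what and when.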

Security Management Practices

All workstations which are connected to the SCADA system should be configured to automatically lock the workstation or switch to a “view-only” user environment after it has been idle for 30 minutes or longer. Password re-authentication from either the last user or the system administrator should be required to unlock the station. All workstations, servers, remote terminal units, and networking equipment should be housed in lockable cabinets or consoles to prevent physical access to the equipment from unauthorized users. All unused ports on SCADA Process Control Network equipment should be deactivated.

System Recovery Planning

Procedures for incremental and complete backup and restore of each SCADA system and its data should be documented for each system at a particular location. The system should be configured to automatically back up the control database, system configuration, and other vital information to local disk at least once per week. A complete system backup, including operating system and configuration files, should be performed on every new installation of SCADA equipment. Each backup should be tested by restoring it and verifying the result, and multiple copies should be stored in a secure onsite location and a secure off-site location.

Operating System Hardening

PAS equipment should be deployed with vendor supported security hardened operating system. The secure configuration baselines should be thoroughly tested by the vendor and provided to the system administrators to enable them to support and administer the SCADA System equipment after deployment. All unused physical ports/interfaces should be disabled prior to commissioning.

Delegation and Support

A risk assessment, with participation from P&CSD, IT and the Plant, should precede the official delegation of support responsibilities of SCADA System components to IT or other support entities. Any delegation of support and management responsibility must be approved by the plant Manager through a Service Level Agreement (SLA).

Disposal and Sanitization

Process control equipment that contains data storage should be sanitized in compliance with GI-0299.120, when disposed of.

Following these practices substantially reduces the exposure of a SCADA system to malicious actors; none of them replaces the network isolation and role-based access control described above. For questions or additional information on securing your SCADA system, contact your system administrator or IT department.

