Energy and Utilities


Energy and Utilities

Cybersecurity for Energy and Utilities

USA Cybersecurity is a veteran owned small business located in Washington, D.C. certified to deliver cybersecurity and digital forensic services to government agencies, government contractors and commercial businesses.    

Supervisory Control and Data Acquisition (SCADA) is a centralized control system network architecture containing computers and applications that perform key functions in providing essential services and commodities such as electricity, natural gas, water, waste treatment, and transportation throughout the United States. USA Cybersecurity is a veteran owned small business located in Washington, DC. certified to deliver cybersecurity and digital forensic services to government agencies, government contractors and commercial businesses. By allowing the collection and analysis of data and the control of equipment, such as pumps and valves, from remote locations, SCADA networks provide great efficiency and are widely used. They are also a security risk. SCADA is an integral part of the Nation’s critical infrastructure and requires protection from a variety of threats that exist in today’s cyber space.

Our managed services and regulatory compliance offerings include using the brightest security-cleared minds and the most sophisticated equipment available. Our primary focus is to secure the infrastructure of the Continental United States (CONUS). Our secondary focus is to secure the infrastructure of our allies and friends Outside Continental United States (OCONUS). All services are provided remotely or in-person.

SCADA networks were initially designed to maximize functionality, with little attention paid to security. As a result, performance, reliability, flexibility and safety of distributed control/SCADA systems are robust, while the security of these systems themselves is often lacking. This resulting lack of security makes some SCADA networks potentially vulnerable to the disruption of services, process redirection, or manipulation of operational data resulting in public safety concerns and/or serious disruptions to the Nation’s critical infrastructure. Action is required by all organizations, Government and commercial, to secure SCADA networks as part of the effort to adequately protect the Nation’s critical infrastructure.

The President’s Critical Infrastructure Protection Board, along with the Department of Energy, has developed the steps outlined below to assist the organizations improve the security of their SCADA networks . These steps are not meant to be prescriptive or all-inclusive; however, they do address the essential actions that need to be taken to improve the protection of SCADA networks. The steps are divided into two categories: specific actions to improve implementation, and, actions to establish essential underlying management processes and policies.

OT and IoT
Cyber Security Platform For Critical Infrastructure & Enterprises
The Internet of Things (IoT) has changed the landscape of the energy industry. IP-enabled networks connect the operational technology (OT) side at the utility and the information technology (IT) side. This means a convergence between SCADA, AMI, DA and consumer engagement systems. USA Cybersecurity SCADA protection secures industrial networks as they increase automation, digitization and connectivity.

Continuous Network Monitoring
OT network connectivity & security has become a mandatory business requirement.
It requires a shift in the security mindset from “How can I air gap or isolate?” to “How can I stay secure while connected?”
Our platform is a non-intrusive continuous network monitoring solution that was purposely built to provide the required visibility and security for organizations adopting advanced Industrial IoT technologies.

Visibility, Risk Profiling and Threat Detection
USA Cybersecurity SCADA automatically discovers the assets and their roles in the network, providing visibility into their behavior. With a wide range of algorithms and mechanisms, it detect anomalies that can compromise security, safety and reliability.

Designed for Large-Scale Complex Networks
Our services are designed for real time, wire-speed deep packet inspection, allowing it to analyze and protect 100% of network traffic in any architecture including large-scale manufacturing networks. 

Complimentary to IT Security Firewalls and Gateways
Our service is a complementary solution to IT security solutions such as firewalls and gateways. The firewalls provides perimeter control and enforcement, while our SCADA service provides internal visibility, monitoring and alerting.

Non-Intrusive OT Network Monitoring
Our platform is a software-based, non intrusive monitoring solution that seamlessly integrates on mirroring port or as tap device into customers’ environment, without interfering with operational continuity.


How it works



1- Non-Intrusive Seamless Deployment
Our service is deployed as a non-intrusive component in the OT network. By integrating with a mirroring port in network switches, there is no impact on day-to-day operational processes. The installation process requires zero downtime, and the platform algorithms are automatically configured without any input from the user. The solution is software-based and is available either as a virtual appliance or as a network appliance.

2- OT Network Discovery
Once introduced into the OT network, USA Cybersecurity SCADA starts to monitor the OT network activities. With passive DPI analysis and optional active polling, USACS discovers all the assets in the network and their relevant industrial characteristics. The platform completely digitalizes the asset inventory and network communications mapping. In addition, an adaptive baseline is created to capture the current operational behavior of the environment.

3- Continious Monitoring
USA Cybersecurity SCADA algorithms offer real-time detection of malicious activities and anomalous behavior. This is based on deviations from normal behavioral profiles, rule-based capabilities, signature-based alerts and proprietary threat intelligence, the system detects abnormal activities that threaten the network. This includes cyber-attacks and non-malicious threats.

4- Integration with Existing Management Systems
Our platform seamlessly integrates with existing firewalls, SOCs, SIEM products, with log aggregation devices or incident handling systems and processes. It does so by interfacing with industry standard mechanisms, and by being part of the security management processes, with internal alert handling management and advanced reporting.

Our Services

USA Cybersecurity provides extended services to help asset owners deal with the digitalization of their OT networks and the shortage of in-house OT security experts

OT Security Assessments
If you’re still unsure about your OT network exposure or hesitant about launching a new project in OT security, our OT security assessments are designed for you. Our security assessments include a risk analysis of your OT network and a security posture of your infrastructure. As part of the assessment process, we map out your network’s inventory, detect valuable communication patterns and uncover security issues-then provide you with a detailed findings report, with recommendations to mitigate the issues found.

OT Security Workshops
While the awareness of the risks and concerns regarding OT security has been growing rapidly in recent years, more education about the topic only helps. Whether you are looking to educate your senior management about security in your OT networks or train your team about recent security events and common best practices, our workshops will provide industry-leading expert information on OT security strategies to help you make better decisions.

  • Trends in OT attack and past attacks analysis
    Understand the latest trends in the OT threat landscape and analyze the recent attack scenarios in OT, including Havex, Industroyer, Black Energy, Trisis , WannaCry, and LockerGoga Highlight the differences between IT generic attacks and OT specific attacks.
  • Network topologies and security weakness
    Review common network topologies and their security weaknesses through the eyes of an adversary.
  • Best practices and steps to achieve them

    Step by step guide for best practices of OT security and what actions should be taken to achieve them.

Incident Response and Forensics
Incident response in OT or an ICS environment is substantially different from that of IT. There are different considerations and priorities in an OT environment and so, while many organizations try to leverage their existing IT incident response capabilities in an OT environment, this may lead to additional damage or an ineffective response. Our response teams have the right mixture of OT experience and security understanding. This makes them ideal in times of crisis. Our teams are distributed globally and ready to support you at any given moment, 24/7.

IT/IOT Alignment

IT SecOPs practices are in most cases more mature than at their OT counterparts and the characteristics of the two environments are worlds apart. For example, while isolation of a specific endpoint in IT would be deemed as common practice in an event of a breach, isolating an asset in OT disrupts critical production and may cause substantial damage. To help align the worlds of IT and OT, we offer the following services:

  • Creating OT Playbooks and Response Procedures
    Our team of experts will work with your existing SOC team to align their existing playbooks and create new ones to ensure readiness to future incidents in the OT infrastructure.
  • Gap analysis

    Reviewing the current process and frameworks of both the IT and OT security practices to eliminate any gaps in the response capabilities of your security operations, suggesting best practice for complex OT infrastructure.

  • Constructing an Adaptive Framework
    Our team will plan security controls, spanning the adaptive security model, in order to support OT-based use cases and the specific needs of your OT environment.

  • Tooling
    Recommendations for the toolsets needed to support the daily activities of your security operations. One example of this is the integration of tools such as our Platform and Demisto’s orchestration and automation tool.

OT Network Monitoring and Response as a Managed Service
In some cases, you may need additional help in monitoring and responding to OT incidents. This is why we’ve put together our managed service for the SCADAfence platform. We’ve handpicked expert partners and joined forces to provide a unique service. Coupling our technology’s vast capabilities along with the industry-leading expertise needed to respond, in real-time, to cybersecurity incidents in your OT environment.

USA Cybersecurity SCADA Benefits

Visibility and Asset Management
Digitalize your asset inventory with automatic asset discovery and network mapping. This allows users to replace outdated and manually obtained spreadsheets with updated real-time information about their environment.

Risk Profiling and Proactive Mitigations
Identify where the OT network is exposed to potential risks and what attack scenarios threaten operations. Understand what proactive mitigation steps can be applied to reduce the attack surface and increase the network resiliency.

Continuous Monitoring
Continuously monitor the network architecture for an accurate view of your security posture and insight into real-time events. Enable complete and continuous control over your most critical business assets.

Detection of Malicious Threats
Uncover malware and ransomware that threaten operational continuity. Early detection of threats enables effective response before damage occurs, preventing unplanned operational downtime and improving overall OT Security

Detection of Non-Malicious Threats
Gain insight into non-malicious issues that occur on a daily basis and can cause significant damage to the operational environment. Detection of incidents such as human error, misconfiguration and device malfunction that can disrupt operations.

Forensics and Reporting
For every incident created, receive all the relevant information to understand the root cause of the event. Benefit from advanced forensics tools that clarify the context of the alert. Manage incident response using our remediation recommendations.

Integration with Enterprise Management Systems
We support integration to existing management systems such as SOC and SIEM. This enables effective management of incidents in OT and integrates OT security into the IT security workflow-whether if it’s managed internally or by a MSSP.

Security and Policy Enforcement
Advanced event management and reporting tools, integrated with 3rd party incident management products and firewalls, enable an effective and well documented incident handling process, improving IT/OT security management overall.

The Heart of our Technology
USA Cybersecurity offers a wide range of cutting-edge capabilities built from the ground up to monitor large-scale complex OT networks

INDUSTRIES

Automotive, Pharmaceutical, Food and Beverage, Electronics, Aerospace and Defense, Chemical

Comprehensive Cybersecurity for Discrete & Process Manufacturing Technologies
USA Cybersecurity helps manufacturers gain full visibility and risk management over their OT networks while adopting Industrial IoT technologies.

Manufacturing Industry Security Challenges
The Industrial IoT digital transformation is revolutionizing manufacturing networks, but the adoption of the advanced technologies is creating new challenges for IT/OT security teams:

  • Likelihood of malware infection increases dramatically.
  • With increased connectivity, air-gapping becomes obsolete, patching is more difficult and expensive.
  • Shadow OT – undocumented devices running in the shadows.
  • OT and IT teams speak “different languages”.

Manufacturing industries are increasingly migrating to smart manufacturing technologies as part of the ongoing fourth industrial revolution. With increased connectivity and advanced automation systems such as manufacturing execution systems (MES) that integrate plant floor production (ICS/SCADA networks) and enterprise resource planning (ERP) systems, manufacturing objectives revolve around maximizing productivity, but at the same time, they create new vulnerabilities and risks such as production manipulation, operational downtime, and sensitive data-theft threats.

In the last 5 years, manufacturing industries have been the victims of an increased number of cyberattacks, such as the Havex/Dragonfly campaign that targeted industrial control systems across the USA and Europe or the most well-known WannaCry and NotPetya that caused havoc in the automotive, food, pharmaceutical, and other manufacturing plants. Events like these result in significant revenue loss valued in the hundreds of millions of dollars, reputation damage, loss of competitive edge, and sometimes public and employee safety issues.

Power, Water, Transportation, Oil & Gas

Critical Infrastructure Protection
USA Cybersecurity enables critical infrastructure providers to stay secure against growing modern cyber threats by providing a critical infrastructure cybersecurity platform.

Critical Infrastructure Cybersecurity Challenges
Critical infrastructure and utilities are heavily depended on their critical assets in operational environments to run reliably. Thus the cyber security infrastructure needs to be at the highest level.

  • Loss of availability can lead to safety hazards and endanger human life.
  • The ability to separate between critical operations and IT is no longer practical.
  • OT environments are adopting advanced technologies, therefore they are more interconnected and complex
  • Malware is increasingly accessing OT environments leveraging the end of the “air gap” era.

Critical infrastructure foundation is built on industrial control systems such as SCADA systems and other OT systems. Modern operational networks are constantly evolving due to developments, such as; Industrial Internet of Things (IIoT), Industry 4.0, smart grid and others. With the increase in complexity, comes increased risk. Cyber-attacks against OT networks in critical infrastructure can lead to devastating outcomes, with critical operational downtime being the prime target. New cyber-threats against operational networks in critical infrastructure are forcing operators to change their approach and strategy regarding OT security. Since connectivity and adoption of IIoT devices is inevitable due to business requirements, operators must start planning how they can remain secure while increasing connectivity instead of depending on outdated approaches such as air-gapping between IT and OT. This will allow them to protect themselves from attacks trying to disrupt their operations.

Airports, Hospitals, Hotels and Data Centers

Securing Building Management Systems (BMS)
USA Cybersecurity provides building operators the peace of mind to optimize their BMS systems while keeping them safe and secure

Smart Buildings Cybersecurity Challenges
Smart buildings are adopting a wide range of IoT technologies to optimize critical systems such as physical security, energy management, and HVAC, and are therefore more exposed to risks:

  • Connections between previously isolated systems creates new attack paths
  • Critical systems exposed to attacks can endanger human lives and safety
  • Lack of documentation within OT networks creates Shadow OT areas
  • Ransomware campaigns attempt to gain control over physical infrastructure

As the trend toward smart buildings accelerates, the sophistication of these buildings is on the rise. More and more aspects of building management are being digitized and centrally managed. The benefits of making buildings smarter include: optimized energy consumption, reduced operational costs, and improved personal safety and security. In order to achieve these benefits, Building Management Systems (BMS) require increased connectivity: within each BMS, among separate buildings or even within entire smart city systems and the internet more widely. All these advancements in connectivity incur security risks. The devices that control physical environments, are now much more susceptible to malicious attacks. The criticality of these systems makes them an inviting target for deliberate attacks. Coordinated attacks or failures in tandem with other emergency events can further increase the potential for significant damage. For example, simultaneous failures in fire safety systems, door controls, HVACs and other systems, at the time of a fire, can cause disastrous results.


USA Cybersecurity Secures Building Management Systems
USA Cybersecurity provides building operators with the required tools to gain visibility within their building management systems (BMS) and to continuously ensure that risks and threats are contained:

  • Complete network visibility with automatic asset discovery and digitalized inventory
  • Continuous network traffic monitoring and detection of anomalies and unauthorized actions
  • Non-intrusive and seamless deployment to avoid unnecessary risks
  • Detection of human error, misconfigurations and devices malfunction

Our platform keeps Building Management Systems (BMS) running securely with full network assets detection and mapping, continuous network traffic monitoring, and identification of anomalies and unauthorized actions. It helps map the smart building network, secure it, and improve its operational availability.

Upon deployment, the USA Cybersecurity Platform begins by automatically discovering each smart building’s network assets and its roles in the network, and then provides visibility into its behavior. USA Cybersecurity platform enables system administrators to monitor the assets’ behavior and traffic patterns and to detect any network traffic anomalous behavior. USA Cybersecurity platform identifies changes in network architecture and alerts on the addition or removal of devices. This helps preserve the security and availability of OT systems in smart buildings.

Monitor Tens of Thousands of Assets
USA Cybersecurity platform has no limit to the number of assets supported by our detection and the user interface can display information on tens of thousands of assets and sessions. Our network map has been designed to easily display a very large amount of assets, with several levels of drill-down into each asset's relevant and detailed information. USA Cybersecurity automatic asset discover provides a rich set of details, including, model number, firmware version and potential risks.

High Performance Packet Processing Engine
USA Cybersecurity platform never misses a packet. Its optimized core and best-of-class packet processing speed provides outstanding security coverage for your network. Unlike other industry solutions, no traffic filtering and no traffic sampling are applied. Therefore everything is continuously inspected down to the last bit. Our platform was designed to scale so there is no limit to the number of communication sessions monitored in parallel.

Holistic Operational Alerts and Network Health
A holistic view, includes cyber security and operational status. The system tracks many metrics including service malfunctions, traffic latency, asset malfunctions that are often due to human error, PLC errors and their exceptions.

Deep Packet Inspection

Our platform performs full deep packet inspection for both IT and OT protocols. The Cybersecurity research team is dedicated to maintaining up-to-date knowledge of industrial protocols in their various versions, as well as vendor-specific customizations. We maintain a world-class industrial lab, built by the a team that specializes in the construction of state of the art plants and operational networks. The lab runs equipment that includes many types of PLC's, HMI's, vendor-specific engineering software, protocol converters and I/O modules.

Designed to Scale
Our platform is the only solution purposely built to support the size and diversity in large-scale, complex industrial networks.

Size Matters
USA Cybersecurity platform was designed with the unique capability of real time, wire-speed deep packet inspection, allowing it to analyze 100% of network traffic and provide protection in any architecture – including large-scale industrial networks. Traditional OT networks were typically characterized with small networks and deterministic communication patterns. In contrast, modern large-scale OT networks include thousands of assets with a high traffic rate, “noisy” activities, and diverse and complex communication patterns. In some cases, the same production line is used to produce several different products in a short period of time. This requires frequent changes to the production process logic and creates a dynamic OT environment.

Securing Complex OT Networks
Full Coverage and Protection for best-in-class packet processing performance, we can support 10Ks of assets with high bandwidth communications without applying traffic filtering or sampling, and so without a negative effect on operations. Large Scale Security and Usability with algorithms that leverage advanced machine learning capabilities, our platform is able to learn network groups and reduce false positives, while providing a simple, friendly user interface. Cost Effective integration platform require fewer integration points, decreasing the number of sensors required and significantly reducing hardware requirements and maintenance costs.

21 Steps to Improve Cyber Security of SCADA Networks

The following steps focus on specific actions to be taken to increase the security of SCADA networks

1. Identify all connections to SCADA networks

Conduct a thorough risk analysis to assess the risk and necessity of each connection to the SCADA network. Develop a comprehensive understanding of all connections to the SCADA network and how well these connections are protected. Identify and evaluate the following types of connections:

  • Internal local area networks and wide area networks (LAN WAN), including business networks
  • The Internet
  • Wireless network devices, including satellite uplink
  • Modem or dial-up connections
  • Connections to business partners, vendors and/or regulatory agencies


2. Disconnect unnecessary connections to the SCADA network

To ensure the highest degree of security of SCADA systems, isolate SCADA networks from all other network connections as much as possible. Any additional connections introduce security risks, particularly if connections create a pathway to or from the Internet. Although direct SCADA connections with other networks may allow important information to be passed efficiently and conveniently, insecure connections are simply not worth the risk. ;Isolation of the SCADA network must be a primary goal to provide needed security. Strategies such as utilization of “demilitarized zones” (DMZs) and data warehousing can facilitate the secure transfer of data from the SCADA network to business networks. However, they must be designed and implemented properly to avoid introduction of additional risk through improper configuration.


3. Evaluate and strengthen the security of any remaining connections to the SCADA network

Conduct penetration and vulnerability testing analyses of any remaining connections to the SCADA network to evaluate the protection posture associated with these pathways. Use this information in conjunction with risk management processes to develop a robust protection strategy for any pathways to the SCADA network. Since the SCADA network is only as secure as its weakest connecting point, it is essential to implement firewalls, intrusion detection systems (IDSs), and other appropriate security measures at each point of entry. Configure firewall rules to prohibit access to and from the SCADA network; be as specific as possible when permitting approved connections. For example, an Independent System Operator (ISO) should not be granted “blanket” network access simply because there is a need for a connection to certain components of the SCADA system. Strategically place IDSs at each entry point to alert security personnel of potential network security breaches. Organization management must understand and accept responsibility for risks associated with any connection to the SCADA network.


4. Secure SCADA networks by removing or disabling unnecessary services

SCADA control servers built on commercial or open-source operating systems can be exposed to attacks through default network services. As much as possible, remove or disable unused services and network daemons to reduce the risk of direct attack. This is vital when SCADA networks are interconnected with other networks. Do not permit a service or feature to access a SCADA network unless a thorough risk assessment and benefit analysis shows the benefits of the service/feature far outweigh the potential for vulnerability exploitation. Examples of what services to remove from SCADA networks include: automated meter reading/remote billing systems, email services, and Internet access. An example of a feature to disable is remote maintenance. Secure configuration guidelines, such as the National Security Agency’s series of security guides, for both commercial and open source operating systems, are readily available and easily accessible. Additionally, SCADA vendors are able to help identify secure configurations and coordinate any and all changes to operational systems to ensure removing or disabling services does not cause downtime, interruption of service, or loss of support.


5. Do not rely on proprietary protocols to protect your system

Some SCADA systems use unique, proprietary protocols to communication between field devices and servers. Often the security of SCADA systems is based solely on the secrecy of these protocols. Unfortunately, obscure protocols provide very little “real” security. Do not rely on proprietary protocols or factory default configuration settings to protect your system. Additionally, require vendors to disclose any backdoors or vendor interfaces to your SCADA systems and expect them to provide systems capable of being secured.


6. Implement the security features provided by device and system vendors

Most older SCADA systems (most of the systems currently in use) have no security features whatsoever. SCADA system owners must insist that their system vendors implement adequate security features in the form of product patches or upgrades. Many newer SCADA devices are shipped with basic security features, but these are usually disabled to ensure ease of installation. Analyze each SCADA device to determine whether security features are present. Additionally, factory default security settings (such as in computer network firewalls) are often set to provide maximum usability, but minimal security. Reset all security features to provide the maximum level of security. Only allow settings below maximum security after a thorough risk assessment of the consequences of reducing the security level.


7. Establish strong controls over any medium that is used as a backdoor into the SCADA network

Where backdoors or vendor connections do exist in SCADA systems, strong authentication must be implemented to ensure secure communications. Modems, wireless, and wired networks used for communications and maintenance represent a significant vulnerability to the SCADA network and remote sites. Successful “war dialing” or “war driving” attacks could allow an attacker to bypass all other controls and have direct access to the SCADA network or resources. To minimize the risk of such attacks, disable inbound access to the network and replace it with a callback system.


8. Implement internal and external intrusion detection systems and establish 24-hour incident monitoring

To effectively respond to cyber attacks, establish an intrusion detection strategy that includes alerting network administrators of malicious network activity originating from internal or external sources. Establishing 24-hour intrusion detection system monitoring is essential;; this capability can be easily set up through a pager. Additionally, incident response procedures must be in place to effectively respond to any attack. To complement network monitoring, enable key logging on all systems and audit the system logs daily to detect suspicious activity as soon as possible.


9. Perform technical audits of SCADA devices, networks and any other connected networks to identify security concerns

Technical audits of SCADA devices and networks are critical to ongoing security effectiveness. Many commercial and open-source security tools are available that allow system administrators to conduct audits of their systems/networks to identify active services, patch level, and common vulnerabilities. The use of these tools will not solve systemic problems, but will eliminate the “paths of least resistance” that an attacker could potentially exploit. Analyze identified vulnerabilities to determine their significance; , take corrective actions as appropriate. Track corrective actions and analyze this information to identify trends. Retest systems after corrective actions have been taken to ensure all vulnerabilities were successfully eliminated. Actively scan non-production environments to identify and address potential problems.


10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate security

Any location with a connection to the SCADA network,, especially unmanned or unguarded remote sites, is a target. Conduct a physical security survey and inventory all access points at each facility with a connection to the SCADA system. Identify and assess all sources of information including remote telephone/computer network/fiber optic cables that could be tapped; radio and microwave links that are exploitable; computer terminals that could be accessed; and wireless local area network access points. Identify and eliminate single points of failure. Site security must be adequate to detect or prevent unauthorized access. Do not allow “live” network access points at remote, unguarded sites simply for convenience.


11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios

Establish a “Red Team” to identify potential attack scenarios and evaluate potential system vulnerabilities. Consult a variety of experts who can provide insight into potential weaknesses of the overall network, SCADA systems, physical systems, and security controls. Employees who work on the system every day have great insight into vulnerabilities of your SCADA network and should be consulted when identifying potential attack scenarios and possible consequences. Ensure that insider threats risk are fully evaluated, given that insider sabotage represents one of the greatest threats to an organization. Incorporate “Red Team” evaluation information with risk management processes to assess the information and establish appropriate protection strategies. The following steps focus on management actions to establish an effective cyber security program:


12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users system administrators, and users

Organizational personnel need to understand specific expectations associated with protecting information technology resources through the definition of clear and logical roles and responsibilities. In addition, key personnel need to be given sufficient authority to carry out their assigned responsibilities. Too often, good cyber security is left up to the initiative of the individual, leading to inconsistent implementations and ineffective security. Establish a cyber security organizational structure that defines roles and responsibilities and clearly identifies how cyber security issues are escalated and who is notified in an emergency


13. Document network architecture and identify systems that serve critical functions or contain sensitive information that requires additional levels of protection

Develop and document a robust information security architecture as part of a process to establish an effective protection strategy. It is essential that organizations design their networks with security in mind and continue to have a strong understanding of their network architecture throughout its lifecycle. Of particular importance, an in-depth understanding of the functions that the systems perform and the sensitivity of the stored information is required. Without this understanding, risks cannot be properly assessed and protection strategies may not be sufficient. Documenting the information security architecture and its components is critical to understanding the overall protection strategy, and identifying single points of failure.


14. Establish a rigorous, ongoing risk management process

A thorough understanding of the risks to network computing resources from denial-of-service attacks and the vulnerability of sensitive information is essential to an effective cyber security program. Risk assessments form the technical basis of this understanding and are critical to formulating effective strategies to mitigate vulnerabilities and preserve the integrity of computing resources. Initially, perform a baseline risk analysis based on a current threat assessment to use while developing a network protection strategy. Due to rapidly changing technology and the emergence of new threats on a daily basis, an ongoing risk assessment process is also needed so that routine changes can be made to the protection strategy to ensure it remains effective. Fundamental to risk management is the identification of residual risk with a resulting network protection strategy in place and management acceptance of that risk.

15. Establish a network protection strategy based on the principle of defense-in-depth.

A fundamental principle that must be part of any network protection strategy is defense-in-depth. Defense-in-depth must be considered early in the design phase of the development process and must be an integral consideration in all technical decision-making associated with the network. Utilize technical and administrative controls to mitigate threats from identified risks to as much as possible at all levels of the network. Single points of failure must be avoided, and cyber security defense must be layered to limit and contain the impact of any security incidents. Additionally, each layer must be protected against other systems at the same layer. For example, to protect against insider threats, restrict users to access only those resources necessary to perform their job functions.


16. Clearly identify cyber security requirements.

Organizations and companies need structured security programs with mandated requirements to establish expectations and allow personnel to be held accountable. Formalized policies and procedures are typically used to establish and institutionalize a cyber security program. A formal program is essential for establishing a consistent, standards-based approach to cyber security throughout an organization and eliminates sole dependence on individual initiative. Policies and procedures also inform employees and the consequences of failing to meet those responsibilities. They also provide guidance regarding actions to be taken during a cyber security incident and promote efficient and effective actions during a time of crisis. As part of identifying cyber security requirements, include user agreements and notification and warning banners. Establish requirements to minimize the threat from malicious insiders, including the need for conducting background checks and limiting network privileges to those absolutely necessary.


17. Establish effective configuration management processes

Configuration Management is a fundamental management process needed to maintain a secure network. Configuration management needs to cover both hardware configurations and software configurations. Changes to hardware or software can easily introduce vulnerabilities that undermine network security. Processes are required to evaluate and control any change to ensure that the network remains secure. Configuration management begins with well-tested and documented security baselines for your various systems.


18. Conduct routine self-assessments

Robust performance evaluation processes are needed to provide organizations with feedback on the effectiveness of cyber security policy and technical implementation. A sign of a mature organization is one that is able to self identify issues, conduct root cause analyses, and implement effective corrective actions that address individual and systemic problems. Self-assessment processes that are normally part of an effective cyber security program include routine scanning for vulnerabilities, automated auditing of the network, and self-assessments of organizational and individual performance.


19. Establish system backups and disaster recovery plans.

Establish a disaster recovery plan that allows for rapid recovery from any emergency (including a cyber attack). System backups are an essential part of any plan and allow for rapid reconstruction of the network. Routinely practice disaster recovery plans to ensure that they are up to date and work and that personnel are familiar with them. Make appropriate changes to disaster recovery plans based on lessons learned.


20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance

Effective cyber security performance requires commitment and leadership from senior managers in the organization. It is essential that senior management establish an expectation for strong cyber security and communicate this to their subordinate managers throughout the organization. It is also essential that senior organizational leadership establish a structure for implementation of a cyber security program. This structure will promote consistent implementation and the ability to sustain a strong cyber security program. It is important for individuals to be held accountable for their performance as it relates to cyber security. This includes managers, system administrators, technicians, and users/operators.


21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls

Release proprietary data related to the SCADA network only on a strict, need-to-know basis, and only to persons explicitly authorized to receive such information. Never divulge data related to a SCADA network, including the names and contact information about the system operators, administrators, computer operating systems, and/or physical and logical locations of computers and network systems over telephones or to personnel unless they are explicitly authorized to receive such information. Any requests for information by unknown persons need to be sent to a central network security location for verification and fulfillment. People can be a weak link in an otherwise secure network. “Social engineering,” the gathering of information about a computer or computer network via questions to naive users, is often the first step in a malicious attack on computer networks. The more information revealed about a computer or computer network, the more vulnerable the computer/network is. Conduct training and information awareness campaigns to ensure that personnel remain diligent in guarding sensitive network information, particularly their passwords.