Securing Your HMI/SCADA System

Jack Wilkins

Supervisory control and data acquisition (SCADA) systems monitor and control remote or local industrial equipment and processes in real time. Many of these systems have been in place for years, with little attention paid to who has access to them and how vulnerable they may be to deliberate or inadvertent compromise.

However it occurs, failure of an HMI/SCADA system is a serious matter. Pipelines crisscross the U.S. delivering all kinds of materials, some hazardous, some explosive. If an HMI/SCADA system controlling such a network is compromised and harmful material is released, the result can be loss of lives, a threat to the environment, and a multimillion-dollar cleanup.

Getting Secure
The first step to securing your HMI/SCADA system is understanding what you have and what is available. The larger issue of ongoing protection, however, requires a macro-level understanding of security issues, as well as an integrated effort by multiple systems and suppliers.

Today, resources and information supporting the security effort abound, and features available in the HMI/SCADA system components can help create secure environments. But in the end, the skill and knowledge of the systems integrator installing the HMI/SCADA system determines the security solution's effectiveness. In other words, the tools are there, but to be effective, they must be properly applied and implemented.

At the local level, you can ensure maximum security by creating operator constraints that reduce vulnerability through variability. Protect the desktop by preventing the operator from using HMI/SCADA screens improperly, and don't allow operators to use the operating system at all. Lock out the CTL-ALT-DEL and Alt-Tab commands that typically bring up operating system features. Control or restrict certain computer practices and functions an operator may need, such as email. When email access is granted on an operator's workstation, it creates one of the greatest potential vulnerabilities. Instead, consider providing email to the operator by placing it on a different computer and providing only a view of that function on the operator's station. Creating a secure system is not easy and takes time and effort.

Security Resources
The U.S. government embraces the need for security in a variety of ways and offers help through its Department of Homeland Security, Department of Energy, Sandia Labs, and National Institute of Standards and Technology, among other resources. These organizations have produced abundant material to assist manufacturers and system integrators in moving toward a more secure environment. One excellent resource is the Department of Energy's "21 Steps to Improve Cybersecurity of SCADA Networks," which runs the gamut from identifying all SCADA network connections to establishing policies and conducting training to prevent the inadvertent disclosure of sensitive information.