The traditional and best practice approach to SCADA security is to separate your operator stations, or HMI, from your real time and database servers both logically and phsyically in a control center. The servers are in a separate, locked room or cabinet accessable only by administrators. What do we do now when all the SCADA functions reside on one Windows PC, which is potentially in a less physically secure area?

First, let’s recognize this trend is not going away. The pressures to reduce costs and the desire to have smaller, limited control at more remote sites is real. Wonderware was one of the originators of this strategy and most of the competition either now has a solution or plan to provide this single PC SCADA system.

The answer to the challenge may be found in another industry, banking. Some of our first clients were banks and over the past few years we have dealt with the challenge of securing banking kiosks in bank branches. Here you have a system that is in an unprotected area. Strangers are not only expected to be in the area, but they are expected to use the system. Here is the recipe for success in that environment:

1) The successful kiosks allow physical access to only the keyboard, monitor, and mouse by placing the PC in a locked cabinet and running network cables through conduits.

2) The successful kiosks have severely limit what programs and services a user can run. In fact the best practice is to remove virtually everything from the kiosk including command prompt, notepad, etc. This is harder than you may think because a small mistake can be leveraged by a skilled adversary.

3) Network access to and from the successful kiosks are controlled by firewalls or router access control lists (ACLs). For example, a kiosk cannot FTP hacking programs from a site on the Internet.

Now the SCADA problem is not an exact match to the bank kiosk problem because SCADA systems have ‘back-end’ software such as database and control applications. However, I believe the bank kiosk approach is a key part of the solution. E-mail me with any ideas you may have.