SCADA, DCS, and air gaps

Wednesday, November 23rd, 2011

When most people talk about SCADA, they are generally including a whole lot of stuff that is not SCADA.

In general, true SCADA systems are, and must be, connected in some way. This is generally because they are spread over a large geographical area. DCS systems are sometimes called SCADA, but they are not. DCS systems are what you find in small-footprint facilities, like a prison, a power plant, or a bottling company.

These systems are generally similar in that they monitor and control a physical process. In the case of SCADA, these are dispersed over a large geographical area. In DCS, they are centrally located. In almost ALL cases, there is never a need to receive data from “outside” the SCADA or DCS system. The data is generated inside the system, and is often pumped out for analysis and monitoring. (It’s when we connected them that we screwed the poodle.)

This is important when it comes to securing these systems. When your digital assets are located over a large geographical area, you need some type of connectivity (4G, wired Internet, RF, whatever) that ties these together. This increases the attack surface.

However, if all your digital systems are in one small geographical area (e.g., an industrial plant), it’s easy to “snip the wire.”

Now, we can have a religious debate about air gaps - but that’s meaningless. When people say, “there’s no such thing as an air gap” they assume a whole bunch of conditions that may or may not be true. For the record, I will smack the next person that says, “there’s no such thing as an air gap.” The correct expression is “creating an air gap is hard.”

When securing industrial facilities that use digital equipment of various vintage and capability, creating an electronic air gap is one step in implementing a robust “air gap”.

I try to think about the “air gap” as implementing controls to address “bad juju” that can get into or out of your digital equipment along 5 key vectors:

  1. Direct network access (all types)
  2. Wireless network access (all types)
  3. Portable media and equipment (used to maintain digital assets, or to move data to-or-from digital assets)
  4. Direct physical access (if you can touch it, you can pwn it…)
  5. Supply chain (including vendor patching processes, and procurement-related issues)

Certainly, these can be collapsed into two vectors - logical and physical access - however, adding some granularity helps with discussion!

To illustrate - if the digital asset has no wired or wireless networking, physical access is controlled to authorized people with appropriate training, portable media and equipment that is connected to the system for maintenance and patching is rigorously protected, and we ensure any software or hardware coming in through the supply chain has reasonable degrees of security - then we have a well protected system. (Note, this gives you a good start on the prevention piece, but does not solve the monitoring/detection or incident response piece).

To establish an “air gap” we must address threats that can materialize along any of the 5 key vectors. If we do this successfully, then I will say, “you have a pretty good air gap.”

These vectors are very hard to address in a corporate environment, where the critical asset is DATA, and not hardware. The data is too easy to move, so it is nearly impossible to address all vectors to the data. Securing SCADA systems is also hard for similar reasons. But in terms of complexity, to get equivalent levels of protection for Data, SCADA, or DCS, I think the distribution of work would look as follows:

  - DATA - 85%
  - SCADA - 10%
  - DCS - 5%

I.e., if you spent 5% of your security budget on your DCS system security, you’d get protection equivalent to what the 85% spent to protect DATA buys.

The challenge is - we’ve spent decades working on data security (centuries if you consider crypto a part of data security), but only a few short years talking about SCADA and DCS security. So, as all humans do, we have to screw this up 1,000 times before we spend 10 minutes trying to figure out how to do it right once…