In a previous blog post we covered what ransomware is and how it’s being used to target industrial users like water and wastewater SCADA systems.
Ransomware is basically when a hacker obtains control of your data, or even your control network and automation systems, and won’t relinquish control back to you until a ransom is paid.
It's a major potential threat against IIoT applications.
In this follow-up post we'll explore some ideas and best practices to help secure your SCADA system against ransomware attacks.
(For tips on basic security features your automation systems should have, check out the blog post on 5 fundamental security features for industrial systems.)
Keep the hackers out
It’s been said that the best defense is a good offense. And the same holds true for network security.
Some basic steps to take to keep hackers from gaining access to your network, computers, and data include:
- Installing firewalls
- Performing regular network penetration tests/audits
- Installing an intrusion detection system
- Implementing a strong password and user authentication policy across the network
These are basic, commonsense steps for network security and should be implemented at a minimum.
More often than not, the whole point of ransomware is to gain control of a target's data files.
If you’ve already taken the steps above to keep the attackers at bay, you can go one step further and set up your own data insurance policy in the form of offsite data backups.
It’s important that the backups are stored off site in case of a physical security breach. Remember that even air gapping can’t save you from the most determined social engineering attacks.
For more information on developing a data backup strategy—and yes, you need to develop a strategy—check out this article from www.techsoup.com.
Email and spam countermeasures
Make sure you’ve configured your email servers or spam blocking software to automatically block or remove attachments with file types that could cause harm to your systems.
For example, at a minimum make sure executable files and script files are blocked or stripped from incoming emails. It may even be a good idea to err on the side of caution and block all email attachments entirely.
Again, it’s a question of risk assessment for the assets you’re trying to protect.
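The attachment filter described above, as an added example that is not code from the original post: a mail-gateway style sanitizer that strips parts whose file name carries an executable or script extension anywhere in its suffix chain (so a disguised "report.pdf.exe" is caught), with a block_all switch for the stricter option. The extension list, addresses and sample message are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed minimum blocklist: executables and scripts. Extend it to suit your risk assessment.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".ps1",
                      ".vbs", ".js", ".jar", ".msi", ".hta"}

def is_dangerous(part) -> bool:
    """True if any suffix of the part's file name is blocked ('x.pdf.exe' counts)."""
    name = part.get_filename() or ""
    return bool({s.lower() for s in PurePosixPath(name).suffixes} & BLOCKED_EXTENSIONS)

def sanitize(raw: bytes, block_all: bool = False):
    """Return (clean message bytes, names of removed attachments).
    block_all=True drops every file part, the 'err on the side of caution' option."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []

    def prune(container):
        kept = []
        for sub in container.get_payload():          # list of MIME parts
            if sub.is_multipart():
                prune(sub)                            # recurse into nested multiparts
                kept.append(sub)
            elif sub.get_filename() and (block_all or is_dangerous(sub)):
                removed.append(sub.get_filename())    # drop the file part
            else:
                kept.append(sub)
        container.set_payload(kept)

    if msg.is_multipart():
        prune(msg)
    return msg.as_bytes(), removed

def attachment_names(raw: bytes):
    """File names still present in a message, for checking the result."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def build_sample() -> bytes:
    """Constructed inbound mail: one benign PDF, one disguised executable, one script."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "vendor@example.com", "ops@example.com", "Pump curves"
    msg.set_content("Updated curves attached.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="pump_curves.pdf")
    msg.add_attachment(b"MZ placeholder", maintype="application", subtype="octet-stream", filename="pump_curves.pdf.exe")
    msg.add_attachment(b"' placeholder script", maintype="text", subtype="plain", filename="update.vbs")
    return msg.as_bytes()

if __name__ == "__main__":
    clean, dropped = sanitize(build_sample())
    print("removed:", dropped, "kept:", attachment_names(clean))
```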
Your SCADA system undoubtedly uses some form of the Windows operating system to run your HMI application. If your system is still running Windows XP, we’ve got bigger problems to talk about, but in general it’s a very good idea to keep on top of regular system updates for your PCs and servers.
That same concept extends to your automation controllers and I/O systems. Any software or operating system on your network is prone to exploits through bugs in its software code. The way we patch those holes is through upgrading to the latest version of software or firmware with the latest bug fixes.
Tweak your Windows OS settings
A number of features built into the Windows operating system make things more convenient for daily use but also open a whole host of potential security vulnerabilities.
Here are some things you might want to consider tweaking in your Windows environment.
- AutoPlay: Disable AutoPlay so that media from USB thumb drives, CDs, etc. will not automatically play when inserted into a PC.
- Popup Blocker: Popups aren’t just annoying. Block them so they can't be an entry point for trojan ransomware.
- Windows Firewall: If you have this feature turned off, I highly recommend turning it back on. It’s a nice safety net for a basic level of security. And remember, you can always go a step further and install third-party firewall and antivirus software that may give you a more up-to-date defense system than the built-in Windows firewall.
- File Sharing: Disable file sharing on a PC where security is important.
- Executable Code: Disable macros and ActiveX. Additionally, blocking external content is a dependable technique to keep malicious code from being executed on the PC.
- Windows PowerShell: Disable the Windows PowerShell. It's a task automation framework that can be used to exploit your systems.
- User Rights: Make sure you're not logged into your PC and running as administrator on a day-to-day basis. You want to keep your systems running at a user level that has just enough user rights to perform the functions needed. If an attacker does gain access, this will help limit what they can do while on the system.
A Secure Network Architecture
There are a number of things you can do with your network architecture and firewall configurations to add additional levels of security to your SCADA network.
Network segmentation is a great first step. Segment network devices based on risk associated with the nodes on the network.
You can also set up firewalls between network segments to make it harder for an attacker to move around your network and probe for vulnerabilities.
For example, if you know only your HMI software should be talking to your controllers, segment your controllers on one network and HMIs on another. Then deploy a firewall between the two segments that only allows packet traffic between your HMIs and your controllers.
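The HMI/controller segmentation rule above, worked through as an added example (not code from the original post): a small stateful default-deny model of the firewall between the two segments. The subnets, the Modbus/TCP port and the sample traffic are constructed assumptions; only new HMI-to-controller connections are opened, and controller replies are matched against the state table, so nothing on the controller segment can initiate a connection toward the HMI side.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan for the example: one segment per device class.
HMI_NET = ipaddress.ip_network("10.10.1.0/24")
CTRL_NET = ipaddress.ip_network("10.10.2.0/24")
MODBUS_TCP = 502   # assumed HMI-to-controller protocol port; substitute your own

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

class SegmentFirewall:
    """Default-deny filter between the HMI and controller segments.
    Equivalent intent in nftables terms: 'ct state established,related accept' plus
    'ip saddr HMI_NET ip daddr CTRL_NET tcp dport 502 ct state new accept', drop the rest."""
    def __init__(self):
        self.flows = set()   # state table: (client, server, server_port)

    def decide(self, pkt: Packet) -> str:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        # Reply traffic for a connection we already allowed
        if (pkt.dst, pkt.src, pkt.sport) in self.flows:
            return "ALLOW-ESTABLISHED"
        # The only permitted new connection: HMI segment -> controller segment, Modbus/TCP
        if (pkt.proto == "tcp" and src in HMI_NET and dst in CTRL_NET
                and pkt.dport == MODBUS_TCP):
            self.flows.add((pkt.src, pkt.dst, pkt.dport))
            return "ALLOW-NEW"
        return "DENY"

def run_sample():
    """Constructed traffic mix: one legitimate poll and several things segmentation should stop."""
    fw = SegmentFirewall()
    traffic = [
        Packet("10.10.1.5", "10.10.2.20", 50123, 502),   # HMI polls controller
        Packet("10.10.2.20", "10.10.1.5", 502, 50123),   # controller answers the poll
        Packet("10.10.3.7", "10.10.2.20", 40001, 502),   # office laptop -> controller
        Packet("10.10.1.5", "10.10.2.20", 50124, 80),    # HMI -> controller web UI
        Packet("10.10.2.20", "10.10.1.5", 40002, 445),   # controller -> HMI file share
    ]
    return [fw.decide(p) for p in traffic]

if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```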
This is a concept you can apply across your entire network. For example, at your Internet connection router/firewall, do packets from China or Russia ever need to enter your network? If not, set up a firewall to block inbound traffic from countries that are known cyber security offenders. Here’s a list of ten countries with the most hackers for your reference.
Those are some basic steps every SCADA system owner should be taking to protect their systems from ransomware. For more info on how to add additional levels of security to your automation systems, check out these additional reading materials.