ICS/SCADA networks and devices were designed to provide manageability and control with maximum reliability. While their implementation is often proprietary, SCADA controllers are essentially small computers. As a result, the familiar challenges associated with vulnerabilities and exploits apply to ICS/SCADA systems, with the additional challenge of such systems operating in environments that can be physically difficult to reach or that can never be brought offline.
However, the benefits provided by ICS/SCADA systems make them equally capable of damaging infrastructure operations and processes. By altering the commands sent to the controllers, changing the controller's logical sequence, or changing sensor readings, attackers can create changes in the industrial processes.
It is recommended to maintain physical network separation between the real-time components of the SCADA network (e.g. PLCs) and other networks, especially the Internet. Deploy a secure remote access solution into the network, such as a client-to-site VPN that supports strong multi-factor authentication. To prevent tampering with legacy ICS/SCADA data that is communicated in open text without encryption, create secure site-to-site VPN tunnels between boundary interconnects.
Security gateways should be installed at all interconnects, ensuring that only relevant and allowed traffic enters or leaves the network. This validation should be done on all communication, protocols, methods, queries, responses and payloads using firewall, application control, IPS and antivirus. Assign separate workstations for SCADA management software. Dual-homed workstations that connect to both an internal critical network and to other less sensitive networks or even the Internet are a major risk. In cases where such a configuration is mandatory, software and security configuration should limit the operations that can be performed on the workstation.
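The gateway validation of protocols, methods and payloads described above, sketched as an added example that is not from the original page. It assumes Modbus/TCP as a representative clear-text ICS protocol; the zone addresses, policy table and sample frames are constructed for illustration.

```python
import ipaddress
import struct

# Assumed (constructed) policy: which source zones may use which Modbus function codes.
READ_CODES = {1, 2, 3, 4}      # read coils / discrete inputs / holding / input registers
WRITE_CODES = {5, 6, 15, 16}   # write single or multiple coils and registers
POLICY = [
    (ipaddress.ip_network("10.10.1.0/28"), READ_CODES | WRITE_CODES),  # engineering stations
    (ipaddress.ip_network("10.10.2.0/24"), READ_CODES),                # HMI/historian: read-only
]

# Constructed sample requests: MBAP header (7 bytes) followed by the PDU.
READ_HOLDING = bytes.fromhex("00010000000601030000000a")   # function 3, 10 registers
WRITE_SINGLE = bytes.fromhex("0002000000060106000100ff")   # function 6, one register


def parse_modbus_tcp(frame: bytes):
    """Return (unit_id, function_code); raise ValueError on a malformed frame."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0, so this is not Modbus")
    # The length field counts every byte after itself (unit id + PDU).
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match the frame size")
    return unit, frame[7]


def decide(src_ip: str, frame: bytes):
    """Default-deny decision for one request: returns (verdict, reason)."""
    try:
        _unit, fc = parse_modbus_tcp(frame)
    except ValueError as exc:
        return ("drop", f"malformed: {exc}")
    src = ipaddress.ip_address(src_ip)
    for net, allowed in POLICY:
        if src in net:
            if fc in allowed:
                return ("allow", f"function {fc} permitted for {net}")
            return ("drop", f"function {fc} not permitted for {net}")
    return ("drop", "source not in any allowed zone")


if __name__ == "__main__":
    for ip, frame in [("10.10.2.5", READ_HOLDING), ("10.10.2.5", WRITE_SINGLE),
                      ("10.10.1.3", WRITE_SINGLE), ("192.0.2.9", READ_HOLDING)]:
        print(ip, decide(ip, frame))
```

Malformed frames and unknown sources fall through to a drop, so anything the policy does not explicitly list is rejected.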