Oct 05 2023
Security

How to Prioritize SCADA System Updates with Limited Resources

Organizations with connected operational technology assets need to implement an effective cybersecurity plan — but they can’t tackle everything at once.

The threat landscape facing companies in industries like energy, utilities and manufacturing is nearly limitless. Unfortunately, cybersecurity resources are not.

Leaders at organizations with connected supervisory control and data acquisition (SCADA) networks know that they need to secure their operational technology to guard against a wide range of attacks. Like virtually all organizations, these companies are vulnerable to ransomware and malware.

Additionally, they may be targeted by terrorists, hostile nation-states or even malicious insiders who want to take control of their OT and industrial assets to cause harm.

Still, when making a list of necessary upgrades to address these vulnerabilities, simply getting started can sometimes feel overwhelming. “The problem is, organizations have so many systems running today that it would be physically impossible to change them all at once,” says Pedro Serrano, a senior security architect at CDW.

“First of all, they don’t have the people. Organizations don’t want to spend millions of dollars on revamping systems that are still working for them, but at the same time, they have to provide security. They have to be able to stand in front of company leadership and say, ‘Our SCADA systems are secure.’”


To Secure SCADA Networks, Start with a System Audit

For most organizations, the first step in developing a prioritized cybersecurity plan will be a series of assessments to better understand their existing systems and potential vulnerabilities. “That process is going to help you identify which gaps are most important,” Serrano says. “You’re going to find some gaping holes, and you have to fix those before you can focus on anything else.”

Carlos M. González, research manager for IoT ecosystems and trends at IDC, notes that the adoption and implementation of secure access policies for employees can often lead to quick wins at a relatively low cost. “Whether you’re looking at zero-trust encryption or something as simple as multifactor authentication, secure access to systems is crucial,” he says.

Where possible, Serrano says, organizations should embrace automated security solutions that reduce the burden on cybersecurity professionals. These might include real-time traffic monitoring tools that send automated alerts to IT leaders, for instance.

“The more you can automate any process or system, the fewer people who need to have their hands on keys at any given time,” he says. “Automation is king.”

Other important steps to securing OT environments include secure network segmentation, regular patching and updating of SCADA systems, and ongoing security awareness training for employees.


Make a Business Case for SCADA Tech Security

Deploying the resources required to update and secure OT networks requires a significant mindset shift for many organizations. While many SCADA systems were once seen as disconnected assets that would provide years of performance with little need for upgrades, they are now typically integrated with IT networks in ways that can open up organizations to significant cybersecurity vulnerabilities.

“I remember people purchasing SCADA equipment simply on the basis of the lowest bid,” Serrano says. “Today, by contrast, there’s been a huge push from industry to create systems with security inherently built in.”


“Cost is definitely a big concern, and IT leaders need to prove the return on investment,” says González. “It’s about showing: This is how many times we’ve had to isolate a system because it got infected by malware, this is how many times we’ve had to take something offline because there was a security threat.”

“If you can connect cybersecurity to business outcomes like production downtime, that helps to build the business case,” he adds. “People don’t want to buy insurance, up until the day something happens. Then, all of a sudden, they wish they had coverage.”

IRYNA NASKOVA/Getty Images