Oct 04 2023

How Security Assessments and Gap Analyses Can Improve SCADA Defenses

The first step to shoring up security for networked operational technology assets is to assess and test for existing vulnerabilities.

Heavy-industry firms — including energy companies, utilities and manufacturers — face numerous security challenges as they seek to safeguard their supervisory control and data acquisition systems, and it can be difficult to know where to start.

Security services such as gap analyses, vulnerability assessments and penetration testing can help IT and business leaders to identify and mitigate vulnerabilities in their SCADA systems before they can be exploited by malicious actors.

“The first thing you need to do is to simply identify your systems,” says Pedro Serrano, a senior security architect at CDW. “Nine times out of 10, people will say that they know what they have, and then you do an inventory, and they say, ‘Oh, I didn’t know that this existed.’”


What Is a SCADA Security Gap Analysis?

During a gap analysis, an expert will assess an organization’s SCADA security practices against best practices such as those outlined by the National Institute of Standards and Technology in SP 800-82, “Guide to Operational Technology (OT) Security.”

This sort of third-party assessment can help leaders attain a clearer understanding of their vulnerabilities, remove blind spots and improve their security posture. One gap that might be revealed is an ineffective patching process.

“Sometimes, the device as a whole has been updated to a certain level, but then the chip that’s inside that device is out of date,” says Carlos M. González, research manager of IoT ecosystem and trends for IDC. “So, in addition to inventorying their connected assets, organizations should conduct an inventory for their patching processes.”


What Is a SCADA Security Vulnerability Assessment?

Similarly, in a vulnerability assessment, a security partner will help an organization assess its existing security measures and look for potential areas of weakness. This level of visibility is important, but it is also quite rare. According to Fortinet, only 13 percent of operational technology professionals have achieved centralized visibility into all of their organizations’ OT activities.

Because SCADA networks are often legacy solutions, many were designed without security in mind. As a result, they may not be protected by cybersecurity features that would be considered standard today, and a thorough vulnerability assessment can reveal systems that are exposed to an unacceptable level of risk.


“Sometimes, the biggest threat is not actually the external threat,” Serrano notes. “It’s also important to assess for vulnerabilities related to the privileged access that insiders have.” IDC’s González echoes this concern. “People are the biggest question mark,” he says. “Secure access to systems is crucial, and sometimes in OT environments, too many people have access.”

How Is SCADA Security Penetration Testing Performed?

It’s not enough to merely assess an environment for vulnerabilities, or even to take steps to mitigate risk. Organizations must also subject their SCADA networks to rigorous testing that simulates real-world attacks.

During a penetration test, a security partner will attempt to hack into an organization’s SCADA network and access sensitive data and systems. The testers document the vulnerabilities they find, and they then provide the customer with a list of top priorities for mitigation.

“Having regular audits and regular tests of your system — making sure that your security response is optimal, so when something happens you know how to respond — is really important,” González says.


The most important thing, Serrano says, is to get started. Without assessments and analysis to document their existing environments and identify vulnerabilities, organizations won’t have the necessary information to make improvements and shore up gaps — meaning they will continue to be highly exposed to threats from ransomware, malware and other potentially devastating attacks.

“Downtime costs a lot of money, and these assessments are insurance,” Serrano says. “When you scan your networks, conduct penetration testing or stay on top of your patching, those few dollars invested right now might eventually save you millions.”

