SCADA: Changing the Dynamic

by Daniel Lakier

How do we build a truly resilient security framework that builds micro-segmentation directly into our SCADA systems and the network that carries them, when we can't add security controls for fear of the business consequences?

I think the solution is quite obvious on the surface: change the dynamic that has existed within our communication-centric IT world since the inception of ARPANET. What do I mean?

The internet and its predecessors have all been focused on one thing: making communication easy. TCP/IP, the addressing and delivery foundation of the internet, is a very promiscuous protocol. Hosts, by design, advertise where they are, and anything that shares a segment with them can find them. Yes, we have firewalls and Network Address Translation (NAT), but NAT was built to solve a different problem (conserving address space), so it solves at most half of this one. Once I am on the network and I run a port scan, I get IP addresses and the services listening on them.

The second part of the problem is that in today's world, every access port is generally connected (physically and logically) to every data center port, or to every asset port. In other words, a route exists from every port on the LAN to every other port on the LAN. You may be thinking "what about VLANs?" There was a time when this logically-connected problem was solved with VLANs. That time is long gone. The advent of the laptop and wireless technology forced companies, in the interest of mobility and agility, to provision access VLANs everywhere, giving every physical access port a logical route to every other access port and to the data center. Then came VMware and the ability to vMotion workloads between hosts. Driven again by the need for agility and mobility, we trunked all VLANs to all assets, because it seemed like a good idea at the time.

The consequence is that anyone on the network (good, bad or indifferent) has a route to the company's crown jewels. It is the same conundrum we keep finding ourselves in, which kills me, because in the physical world we would never build a bank without doors or a vault just so it would be easier for the customers and the tellers. The good news is that we don't have to solve the problem the same way we have for the past 30 years. We can innovate, and instead of trying to bolt security on, we can make security an integral part of the solution.
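To make the difference concrete, here is a small reachability model, added as an example rather than taken from the author or any product. It assumes a constructed inventory of four hosts (a user laptop, an HMI, a PLC speaking Modbus/TCP on port 502, and a historian database) and a hypothetical zone-based micro-segmentation policy with default deny. The flat, VLAN-trunked case is "every host routes to every listening service"; the segmented case permits only the flows the policy names. The scan_from function shows what a port scan launched from a given host would discover under each model.

```python
"""Reachability on a flat, VLAN-trunked LAN versus a micro-segmented one.

Added illustration; the hosts, addresses, zones and policy below are
constructed for the example and do not describe any real network.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

Flow = Tuple[str, str, int]  # (source host, destination host, TCP port)


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    zone: str
    services: Tuple[int, ...]  # TCP ports the host listens on


@dataclass(frozen=True)
class Rule:
    """Allow traffic from src_zone to dst_zone on one TCP port."""
    src_zone: str
    dst_zone: str
    port: int


# Constructed sample inventory (hypothetical names and RFC 1918 addresses).
HOSTS: List[Host] = [
    Host("laptop-1", "10.1.10.15", "access", ()),
    Host("hmi-1", "10.1.20.5", "ot-hmi", (3389,)),        # remote desktop
    Host("plc-1", "10.1.30.7", "ot-control", (502,)),     # Modbus/TCP
    Host("historian", "10.1.40.9", "dc", (1433,)),        # SQL Server
]

# Hypothetical micro-segmentation policy: default deny, only these flows pass.
POLICY: List[Rule] = [
    Rule("ot-hmi", "ot-control", 502),   # HMI polls the PLC
    Rule("ot-hmi", "dc", 1433),          # HMI writes to the historian
]


def reachable_flat(hosts: Iterable[Host]) -> Set[Flow]:
    """Flat network: every host has a route to every listening service."""
    hosts = list(hosts)
    return {
        (src.name, dst.name, port)
        for src in hosts
        for dst in hosts
        if src is not dst
        for port in dst.services
    }


def reachable_segmented(hosts: Iterable[Host], policy: Iterable[Rule]) -> Set[Flow]:
    """Micro-segmented network: a flow exists only if a rule explicitly allows it."""
    hosts = list(hosts)
    allowed = {(r.src_zone, r.dst_zone, r.port) for r in policy}
    return {
        (src.name, dst.name, port)
        for src in hosts
        for dst in hosts
        if src is not dst
        for port in dst.services
        if (src.zone, dst.zone, port) in allowed
    }


def scan_from(attacker: str, flows: Set[Flow]) -> List[Tuple[str, int]]:
    """Services a port scan from `attacker` would find, given the reachable flows."""
    return sorted((dst, port) for (src, dst, port) in flows if src == attacker)


if __name__ == "__main__":
    flat = reachable_flat(HOSTS)
    seg = reachable_segmented(HOSTS, POLICY)
    print(f"flat network exposes {len(flat)} flows; segmented exposes {len(seg)}")
    print("scan from laptop-1, flat:     ", scan_from("laptop-1", flat))
    print("scan from laptop-1, segmented:", scan_from("laptop-1", seg))
```

The point of the model is the last two lines of output: on the trunked network a compromised laptop sees the PLC's Modbus port and the historian's database port directly, while under default-deny zoning it sees nothing, because no rule grants the access zone a route into OT or the data center. Real enforcement points (host firewalls, hypervisor or switch ACLs, an SDN controller) would consume a policy of this shape; the model only makes the reachability difference visible before anything is deployed.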

