It is important to remember that ICS/SCADA are a sort of marriage between IT technologies and traditional, physical security; this makes physical security a bit more important for ICS/SCADA systems than traditional computer systems that rely mostly on cybersecurity and only minimally on physical security (beyond just keeping the server room locked, of course). This article will provide a rundown of physical security for ICS/SCADA environments, including the importance of physical security for these systems, sources of regulatory guidance, goals of physical security and the important elements of the defense-in-depth solution to physical security.
Importance of physical security
Deploying physical security for ICS/SCADA systems is broad and needs to be situation-specific based on the industry, type of system and other factors. Physical security measures for these systems are intended to reduce the risk of loss or damage to the plant, its assets and the surrounding environment. These assets can include physical assets (plant equipment, tools, computers), intellectual property and proprietary data.
Sources of regulatory guidance
Regulatory guidance for ICS/SCADA physical security can be found in NIST SP 800-53 Physical and Environmental Protection (PE), available here. This document provides information pertaining to designated entry/exit points, transmission media, monitoring physical access, handling visitors and maintaining logs. This document also provides guidance for emergency situations, backup for lighting and power and environmental controls, including temperature and humidity. Further guidance can be found in NIST SP 800-46 (telecommuting and broadband security) and NIST SP 800-100 (information security governance and planning), available here and here respectively.
Goals of physical security for ICS/SCADA
While physical security as a concept is indeed broad, there are some general goals of physical security for ICS/SCADA systems:
Prevention of unauthorized physical access Prevention of physical manipulation, destruction, theft or other removal of existing systems Prevention of observation of sensitive information and informational assets Prevention of the introduction of unauthorized new systems, communication interfaces, infrastructure and other hardware Prevention of the introduction of unauthorized devices designed to intentionally to cause hardware manipulation, communications intended to eavesdrop and other harmful impact
Defense-in-depth approach
The best solution to physical security for ICS and SCADA is a defense-in-depth approach. A defense-in-depth solution should include at least the attributes listed below.
Protection of physical locations
The standard approach to protecting physical locations is a layered, or ringed, approach. This layered approach uses a combination of different active and passive physical barriers around facilities, buildings, rooms, control rooms and other physical segmentations of the location. The first layers of this approach are typically gates, guard shacks, walls and locked doors. Securing the physical security perimeter of a facility using an ICS is normally the first action taken to secure the ICS. The “six-sided barrier” approach looks at all doors, gates, walls, ceilings, and floors to ensure no weaknesses such as holes, gaps, or weaknesses exist that would compromise ICS physical security. Think of it as sort of a last-ditch protective shell around your ICS/SCADA system.
Protection of sensitive information technology and information security assets
Special protection must be paid to the industrial facility’s information technology and information security assets. These assets include computers, servers, control room computers, PCs and other devices that store sensitive information. Physical protection methods include locks on USB ports and CD drives, selecting assets that do not have these drives or putting a physical barrier over these drives (such as tape or a cover). While not necessarily physical, these control methods can be achieved with a properly configured group policy.
Access control
Restricting access is an essential part of any physical security plan, especially facilities housing ICS/SCADA systems. The specific access granted to an employee can be based on many factors, including seniority, department, managerial status or any other way useful to the organization. These access control lists should be layered as much as possible — examples include access control at the front gate, locked doors and control rooms. This should also extend to the network resources themselves. Access control is a broad category of physical security that should be used as much as possible to keep a tight physical security policy.
People and asset tracking
This form of physical security sort of looks at things backwards: instead of focusing on what is being protected, this measure focuses on what is normally in close proximity to the ICS/SCADA system. Employees, technicians and individual components of the ICS/SCADA system, including computers, servers, sensors and other components, need to be tracked as another level of physical protection. This can be accomplished by using tags that assign an asset number to every physical information technology, information security and physical component of the ICS/SCADA system. Employees should use identification cards that grant them access through locked doors that they are authorized to open. One example of this in action: Imagine a disgruntled, fired employee attempting to take a computer out with him as he leaves, only to be stopped by a guard near the front door that spots theasset tag on the computer.
FERC, NERC and CIP
The Federal Energy Regulatory Commission, or FERC, is the federal body that has been granted authority over the power grid in the United States starting in 2005. FERC has certified the North American Electric Reliability Corporation, or NERC, as the nation’s electric reliability organization. Building on physical security guidelines established in October 2013, NERC released Critical Infrastructure Protection (CIP) 014 standard for physical security, found here. This standard is intended for bulk power providers/utilities and physical security professionals and serves as best practice guidance for physical security for critical infrastructure. The nexus between CIP 014 and physical security for ICS/SCADA systems lies in the recommendation made in CIP 014 for a defense-in-depth approach to physical security. CIP 014 sets out certain requirements that the utilities must carry out to meet physical security standards (beyond defense-in-depth). These requirements are: R1: Initial risk assessment — critical facility identification R2: Independent review of initial risk assessment of R1 R3: Coordination between operator and owner R4: Threat and vulnerability assessment R5: Development and implementation of physical security plan R6: Third-party assessment of plan of R4 and R5 CIP 014 recommends a “systems approach” to providing physical security within critical infrastructure. This approach uses six specific actions, which are:
Deter Detect Delay Assess Communicate Respond
Conclusion
ICS/SCADA systems represent a merging of the physical, industrial world and the world of information technology — where the latter is used to make the most out of the former for the betterment of all. With this said, these systems are at once both powerful and sensitive (in terms of information and configuration) necessitating the physical security of these systems. Sometimes these systems are used in critical infrastructure, which only furthers the need for physical security. Using a defense-in-depth solution is the best approach to take in implementing these measures and should be followed as closely as possible.
Sources
Guide to Industrial Control Systems (ICS) Security, NIST Understanding the Importance of Physical Security for Industrial Control Systems (ICS), Applied Risk What is SCADA?, Inductive Automation Utility Security: Understanding NERC CIP 014 Requirements and Their Impact, EE Online Inside the NERC-CIP-014 Standard, SecurityInfoWatch