SCADA General Audit Questions

by Derek on Nov.05, 2009, under SCADA ---- Leave comment

General Questions

How can users gain access to the SCADA application?
Objective to consolidate access to all information sources â€“ i.e. to make access available to all users via a single interface
Are any RAS modems utilised within the SCADA environment?
Is the RAS call back feature utilised?
Is the mandatory RAS encryption feature used?
Are users allowed multiple attempts at authentication on the RAS?
Has the RAS auditing feature been enabled?
How is access between the business / corporate network and SCADA network controlled?
How is the administrator password controlled?
How is vendor access to the SCADA network controlled â€“ i.e. password changes after contract has been completed?
Are SLAâ€™s for outsourced support agreements reviewed on a periodic basis?
Are critical components of the SCADA Network supported by a UPS and are these batteries tested on a regular basis to ensure that they are reliable?
What capacity management and monitoring of critical SCADA network systems is performed (i.e. CPU utilisation and hard disk drive space)?
Are legal captions utilised during the login process to the SCADA application and associated infrastructure / devices?
Has an intrusion detection system (IDS) been deployed within the SCADA environment?
Has security been a focus within the development and deployment of the SCADA network?
Is there additional staff screenings performed when staff are hired to work within the SCADA environment (inclusive of vendors etc)?

Policies & Procedures

Is there a defined security strategy for the SCADA environment?
Who is responsible / accountable for security management within SCADA environment? Has the ownership of this responsibility been clearly defined and/or stated in any documentation?
Are there any periodic security reviews of the SCADA network performed?
What procedures are in place to handle the disposal of SCADA network media and devices? Additionally, is there a process in place for the disposal of confidential information / documentation?
Are there any policies or procedures covering the introduction of new devices to the SCADA environment?
What formal change control procedures exist for the SCADA environment?
Does a formal disaster recovery plan exist for the SCADA environment?
Does a formal business continuity plan exist for the SCADA environment?
Do physical and logical security standards differ significantly between SCADA sites?
Has a standard operating environment (SOE) minimum baseline standard been developed for systems being introduced into the SCADA environment?
What security logs are maintained for critical computer equipment and how often are the logs reviewed?
Who is responsible for the reviewing of security logs?
Has access to event logs been restricted?
Upon commencement of employment, are users provided with IT security information as part of the induction process? Additionally, are users provided with further information on security issues on a periodic basis?
What procedures exist to monitor dial-in access?
Is there a formally defined backup and recovery procedure?
Are encryption techniques and/or passwords applied to backup tapes?

Physical Access

How is physical access to SCADA terminals controlled?
Are SCADA control rooms segregated from other rooms?
What building security exists at remote sites to prevent unauthorised access?
What authentication methods are used at remote sites to allow access â€“ i.e. swipe cards?
Are external windows at remotes sites barred?
What alarm systems have been employed at remote sites?

Network Security

Have all deployed routers been configured to ensure the filtering of communications that are unauthorised or not required?
What traffic control and monitoring capabilities have been deployed â€“ i.e. all communication travels to a central point before traversing further on the network.
How are dial-in facilities to the SCADA environment secured?
How is suspicious or unusual activity on the SCADA WAN detected?
What firewall configurations have been set up to segregate the SCADA WAN from the United Water corporate network?
Are all key filtering devices on the network (such as routers and firewalls) configured to log all attempts to access the network? If so are they reviewed on a regular basis?
Have the auditing features of all routers and firewalls been enabled?
Has access to event logs been restricted?
How is the management of patches / hot fixes controlled in regards to firewalls and routers?
What backup and recovery measures are in place for network resources â€“ firewalls and routers?
Has SNMP been implemented on core infrastructure?
Has any wireless equipment been deployed within the SCADA environment â€“ has this been configured to a secure state?
Are all default passwords removed from SCADA devices after implementation?
Does a development environment exist to test changes prior to deployment into the SCADA network production environment?

Workstation Security

What operating systems (version) are installed on SCADA terminals?
Have operating system level passwords been activated on all SCADA terminals?
Do passwords have an indefinite expiry date?
What file and directory permission controls have been implemented on SCADA terminals to restrict unauthorised access by general users?
What logs are generated at the operating system level?
Has access to event logs been restricted?
What tools and services at the operating system level have been restricted for general users?
Who is responsible for patch management of SCADA terminals?
Has an audit feature been enabled for all SCADA terminals?
Are default services available with the operating system restricted?
Is virus protection implemented? Is this software manually or automatically updated?
Are shares enabled on SCADA terminals / workstations?
Are SCADA terminals backed up on a regular basis?
Is registry auditing of SCADA terminals performed?
Are user reviews and associated access rights performed on a regular basis?