Procedures
- Corporate Information Protection
- Security Management
- Information Classification
- Physical (and Environmental) Security
- Personnel Security
- Security Awareness Training
- Security Incident Response
- Security Monitoring
- Network Security
- PC/Workstation Security
- Support and Operational Security Related
- Encryption and Information Confidentiality
- Authorization Controls
- Identification and Authentication Mechanisms
- Systems Life Cycle Security
- Business Continuity Planning
- Media Security
- Third Party Services
Typical concerns and points discussion:
- Inbound and out Bound FTP
- Suggest use of DMZ
- Suggest use of Secure FTP
- Suggest use of restricted secure IP addresses / tunnelling
- Suggest use of private feeds
Modem issues used with dial in services
- No dial back
- No Authentication
- No Secure ID
- Possibly automated scripts used, so hard coded usernames and passwords used.
- Internet sharing may be turned on, allowing routing via workstations.
Increased data security and integrity considerations
- Data backups
- System redundancy
- Site and content filtering
- Virus protection
- Standard system procurement (discounts and spares)
- Network and services redundancy
- Network monitoring
- Service availability monitoring
- Internal controls
- Vendor / external service supplier
- Capacity management
- Change management system
- Asset management system
- Telecommunication and telephony bulk cost discounting
- Etc.
Use and support for corporate application considerations
- Intranet
- Internet
- Corporate virus protection
- Asset management
- Change management
- Project management
- Performance / capacity management
- Reduction of Cost
- Use of corporate applications
- Reduction of manual processes
Other things to keep in mind:
- SCADA monitoring system must be isolated from network errors and systems events. This will prevent SCADA operational systems being effected by network or corporate system issues / outages.
- Review Network topology to ensure internal and external vulnerabilities are not currently being and cannot be abused.
- Review of router configurations
- Use of change management system
- Review remote dial in systems
- Firewall SCADA systems off from corporate applications
- Uncontrolled networks and systems within the SCADA environment will compromise the corporate environments integrity and security.
- Determine if systems used within SCADA are built to a standard operating environment.
There is some fantastic info here I will certainly take note