SCADA General Audit Questions

General Questions

  • How can users gain access to the SCADA application?
  • Objective: consolidate access to all information sources – i.e. make access available to all users via a single interface
  • Are any RAS modems utilised within the SCADA environment?
  • Is the RAS call back feature utilised?
  • Is the mandatory RAS encryption feature used?
  • Are users allowed multiple attempts at authentication on the RAS?
  • Has the RAS auditing feature been enabled?
  • How is access between the business / corporate network and SCADA network controlled?
  • How is the administrator password controlled?
  • How is vendor access to the SCADA network controlled – i.e. password changes after a contract has been completed?
  • Are SLAs for outsourced support agreements reviewed on a periodic basis?
  • Are critical components of the SCADA Network supported by a UPS and are these batteries tested on a regular basis to ensure that they are reliable?
  • What capacity management and monitoring of critical SCADA network systems is performed (i.e. CPU utilisation and hard disk drive space)?
  • Are legal captions utilised during the login process to the SCADA application and associated infrastructure / devices?
  • Has an intrusion detection system (IDS) been deployed within the SCADA environment?
  • Has security been a focus within the development and deployment of the SCADA network?
  • Are additional staff screenings performed when staff are hired to work within the SCADA environment (including vendors etc.)?

Policies & Procedures

  • Is there a defined security strategy for the SCADA environment?
  • Who is responsible / accountable for security management within the SCADA environment? Has the ownership of this responsibility been clearly defined and/or stated in any documentation?
  • Are there any periodic security reviews of the SCADA network performed?
  • What procedures are in place to handle the disposal of SCADA network media and devices? Additionally, is there a process in place for the disposal of confidential information / documentation?
  • Are there any policies or procedures covering the introduction of new devices to the SCADA environment?
  • What formal change control procedures exist for the SCADA environment?
  • Does a formal disaster recovery plan exist for the SCADA environment?
  • Does a formal business continuity plan exist for the SCADA environment?
  • Do physical and logical security standards differ significantly between SCADA sites?
  • Has a standard operating environment (SOE) minimum baseline standard been developed for systems being introduced into the SCADA environment?
  • What security logs are maintained for critical computer equipment and how often are the logs reviewed?
  • Who is responsible for reviewing security logs?
  • Has access to event logs been restricted?
  • Upon commencement of employment, are users provided with IT security information as part of the induction process? Additionally, are users provided with further information on security issues on a periodic basis?
  • What procedures exist to monitor dial-in access?
  • Is there a formally defined backup and recovery procedure?
  • Are encryption techniques and/or passwords applied to backup tapes?

Physical Access

  • How is physical access to SCADA terminals controlled?
  • Are SCADA control rooms segregated from other rooms?
  • What building security exists at remote sites to prevent unauthorised access?
  • What authentication methods are used at remote sites to allow access – i.e. swipe cards?
  • Are external windows at remote sites barred?
  • What alarm systems have been employed at remote sites?

Network Security

  • Have all deployed routers been configured to ensure the filtering of communications that are unauthorised or not required?
  • What traffic control and monitoring capabilities have been deployed – i.e. all communication travels to a central point before traversing further on the network?
  • How are dial-in facilities to the SCADA environment secured?
  • How is suspicious or unusual activity on the SCADA WAN detected?
  • What firewall configurations have been set up to segregate the SCADA WAN from the United Water corporate network?
  • Are all key filtering devices on the network (such as routers and firewalls) configured to log all attempts to access the network? If so, are they reviewed on a regular basis?
  • Have the auditing features of all routers and firewalls been enabled?
  • Has access to event logs been restricted?
  • How is the management of patches / hot fixes controlled in regards to firewalls and routers?
  • What backup and recovery measures are in place for network resources – firewalls and routers?
  • Has SNMP been implemented on core infrastructure?
  • Has any wireless equipment been deployed within the SCADA environment – has this been configured to a secure state?
  • Are all default passwords removed from SCADA devices after implementation?
  • Does a development environment exist to test changes prior to deployment into the SCADA network production environment?

Workstation Security

  • What operating systems (version) are installed on SCADA terminals?
  • Have operating system level passwords been activated on all SCADA terminals?
  • Do passwords have an indefinite expiry date?
  • What file and directory permission controls have been implemented on SCADA terminals to restrict unauthorised access by general users?
  • What logs are generated at the operating system level?
  • Has access to event logs been restricted?
  • What tools and services at the operating system level have been restricted for general users?
  • Who is responsible for patch management of SCADA terminals?
  • Has an audit feature been enabled for all SCADA terminals?
  • Are default services available with the operating system restricted?
  • Is virus protection implemented? Is this software manually or automatically updated?
  • Are shares enabled on SCADA terminals / workstations?
  • Are SCADA terminals backed up on a regular basis?
  • Is registry auditing of SCADA terminals performed?
  • Are reviews of users and their associated access rights performed on a regular basis?

SCADA Application Security

  • What are the username and password requirements of the SCADA application?
  • Are session time out features activated?
  • Are complex passwords enforced to access the SCADA application?
  • Are reviews of users and their associated access rights performed on a regular basis?

System Penetration Testing

  • Internal penetration testing
  • External penetration testing
  • Password strength tests

Changes to the SCADA network

  • Please provide / list all potential changes being considered to the SCADA network.
