General Questions
- How can users gain access to the SCADA application?
- Objective to consolidate access to all information sources – i.e. to make access available to all users via a single interface
- Are any RAS modems utilised within the SCADA environment?
- Is the RAS call back feature utilised?
- Is the mandatory RAS encryption feature used?
- Are users allowed multiple attempts at authentication on the RAS?
- Has the RAS auditing feature been enabled?
- How is access between the business / corporate network and SCADA network controlled?
- How is the administrator password controlled?
- How is vendor access to the SCADA network controlled – i.e. password changes after contract has been completed?
- Are SLA’s for outsourced support agreements reviewed on a periodic basis?
- Are critical components of the SCADA Network supported by a UPS and are these batteries tested on a regular basis to ensure that they are reliable?
- What capacity management and monitoring of critical SCADA network systems is performed (i.e. CPU utilisation and hard disk drive space)?
- Are legal captions utilised during the login process to the SCADA application and associated infrastructure / devices?
- Has an intrusion detection system (IDS) been deployed within the SCADA environment?
- Has security been a focus within the development and deployment of the SCADA network?
- Is there additional staff screenings performed when staff are hired to work within the SCADA environment (inclusive of vendors etc)?
Policies & Procedures
- Is there a defined security strategy for the SCADA environment?
- Who is responsible / accountable for security management within SCADA environment? Has the ownership of this responsibility been clearly defined and/or stated in any documentation?
- Are there any periodic security reviews of the SCADA network performed?
- What procedures are in place to handle the disposal of SCADA network media and devices? Additionally, is there a process in place for the disposal of confidential information / documentation?
- Are there any policies or procedures covering the introduction of new devices to the SCADA environment?
- What formal change control procedures exist for the SCADA environment?
- Does a formal disaster recovery plan exist for the SCADA environment?
- Does a formal business continuity plan exist for the SCADA environment?
- Do physical and logical security standards differ significantly between SCADA sites?
- Has a standard operating environment (SOE) minimum baseline standard been developed for systems being introduced into the SCADA environment?
- What security logs are maintained for critical computer equipment and how often are the logs reviewed?
- Who is responsible for the reviewing of security logs?
- Has access to event logs been restricted?
- Upon commencement of employment, are users provided with IT security information as part of the induction process? Additionally, are users provided with further information on security issues on a periodic basis?
- What procedures exist to monitor dial-in access?
- Is there a formally defined backup and recovery procedure?
- Are encryption techniques and/or passwords applied to backup tapes?
Physical Access
- How is physical access to SCADA terminals controlled?
- Are SCADA control rooms segregated from other rooms?
- What building security exists at remote sites to prevent unauthorised access?
- What authentication methods are used at remote sites to allow access – i.e. swipe cards?
- Are external windows at remotes sites barred?
- What alarm systems have been employed at remote sites?
Network Security
- Have all deployed routers been configured to ensure the filtering of communications that are unauthorised or not required?
- What traffic control and monitoring capabilities have been deployed – i.e. all communication travels to a central point before traversing further on the network.
- How are dial-in facilities to the SCADA environment secured?
- How is suspicious or unusual activity on the SCADA WAN detected?
- What firewall configurations have been set up to segregate the SCADA WAN from the United Water corporate network?
- Are all key filtering devices on the network (such as routers and firewalls) configured to log all attempts to access the network? If so are they reviewed on a regular basis?
- Have the auditing features of all routers and firewalls been enabled?
- Has access to event logs been restricted?
- How is the management of patches / hot fixes controlled in regards to firewalls and routers?
- What backup and recovery measures are in place for network resources – firewalls and routers?
- Has SNMP been implemented on core infrastructure?
- Has any wireless equipment been deployed within the SCADA environment – has this been configured to a secure state?
- Are all default passwords removed from SCADA devices after implementation?
- Does a development environment exist to test changes prior to deployment into the SCADA network production environment?
Workstation Security
- What operating systems (version) are installed on SCADA terminals?
- Have operating system level passwords been activated on all SCADA terminals?
- Do passwords have an indefinite expiry date?
- What file and directory permission controls have been implemented on SCADA terminals to restrict unauthorised access by general users?
- What logs are generated at the operating system level?
- Has access to event logs been restricted?
- What tools and services at the operating system level have been restricted for general users?
- Who is responsible for patch management of SCADA terminals?
- Has an audit feature been enabled for all SCADA terminals?
- Are default services available with the operating system restricted?
- Is virus protection implemented? Is this software manually or automatically updated?
- Are shares enabled on SCADA terminals / workstations?
- Are SCADA terminals backed up on a regular basis?
- Is registry auditing of SCADA terminals performed?
- Are user reviews and associated access rights performed on a regular basis?
SCADA Application Security
- What are the username and password requirements of SCADA application?
- Are session time out features activated?
- Are complex passwords enforced to access the SCADA application?
- Are user reviews and associated access rights performed on a regular basis?
System Penetration Testing
- Internal penetration testing
- External penetration testing
- Password strength tests
Changes to the SCADA network
- Please provide / list all potential changes being considered to the SCADA network.