The agency has published a report on the subject

Dec 6, 2013 18:21 GMT

After publishing a guide on how to protect Industrial Control Systems against cyberattacks, the European Network and Information Security Agency has issued a report that focuses on the security of Supervisory Control and Data Acquisition (SCADA) systems.

ENISA believes that European Union member states should proactively deploy patch management solutions to make sure the SCADA systems used in sectors such as energy, transportation and water supply are properly protected against cyberattacks.

Currently, there are two main issues regarding patches for SCADA vulnerabilities: the lack of patches and their failure rate. The European security agency highlights the fact that, in 2012, less than half of the more than 360 known vulnerabilities recorded at ICS-CERT had patches available at that time.

So what should be done? The security posture of SCADA environments can be improved with the aid of patch management programs and service contracts.

For instance, SCADA operators should establish a patch management service contract that clearly stipulates the responsibilities of the vendor and the customer. In addition, owners should conduct their own testing, whether it's done virtually or on a separate test system.

After a patch is applied to a system, it should be re-certified, even if it has been certified before.

Another way to improve SCADA security lies in what ENISA calls “compensating controls.” These include removing unnecessary features, using deep packet inspection and application whitelisting, and strengthening defense in depth.

“Although patch management is not a silver bullet to resolve the security issues of SCADA systems it is nevertheless important that organisations establish a patch management policy,” Executive Director of ENISA, Professor Udo Helmbrecht, noted.

“The European Union or the Member States could increase the awareness of patches through enforcing patch management when new requirements for devices are established.”

The complete report on SCADA security is available on ENISA’s website.