Some questions that you might ask your CIO regarding the security of your Electrical Power SCADA system:
• What processes are in place to identify security risks from cyber incidents in our SCADA system?
Considering the potential for security risks associated with SCADA systems, it is important that there is a framework in place to identify possible risks for existing and new SCADA systems. As SCADA systems become increasingly interconnected with the Internet and corporate networks, they also become more exposed to Internet security threats and network vulnerabilities.
• What strategies have been put in place to manage these risks?
It is crucial for SCADA managers to put in place appropriate risk management strategies. Such strategies might include regular vulnerability assessments of SCADA systems, processes for patch management and configuration management, communication between engineering and IT departments, staff training, and an appropriate network architecture.
• How regularly are vulnerability assessments undertaken of our SCADA system?
While the identification of risks is important, equally important is the need for regular assessments of the vulnerabilities in your SCADA system. Many organizations fail to do this. In addition to assessing operational systems, assessments should also be undertaken of corporate networks, web servers, and customer management systems to reveal unintended gaps in security, including unknown links between public and private networks, and firewall configuration problems.
• How well do the IT and the Engineering departments communicate?
SCADA systems are traditionally engineering systems which are now deploying new technologies. It has been found that vulnerabilities can arise from a lack of communication between the IT and engineering departments. In many organizations the engineering and IT departments do not communicate on SCADA security matters. Is this the case in your organization? These two areas need to work closely together to ensure that SCADA systems have appropriate security arrangements.