SCADA (Supervisory Control and Data Acquisition) systems control critical infrastructure from water treatment plants to natural gas pipelines. Their increasing connectivity to enterprise networks and the internet has made them high-value targets for nation-state actors, ransomware groups, and hacktivists.

SCADA THREAT LANDSCAPE

Top Attack Vectors & Mitigations

Threat Vector            Risk Level   Primary Mitigation
-----------------------  -----------  -------------------------------
Remote access / VPN      HIGH         MFA + jump server
USB / removable media    HIGH         Policy + device control
Vendor remote support    MEDIUM       Monitored session proxy
Unpatched HMI/SCADA OS   HIGH         Patch management + whitelisting
Insider threat           MEDIUM       RBAC + audit logging
Supply chain compromise  HIGH         Vendor risk assessment

Why SCADA Security Is Different

Traditional IT security prioritises Confidentiality, Integrity, then Availability (CIA). In SCADA, the priority is reversed: Availability is paramount. A water treatment plant cannot simply take its control system offline to apply a patch. Every security control must be evaluated against its impact on operational availability.

Top SCADA Threats

  • Ransomware: Colonial Pipeline (2021) demonstrated that even indirect IT compromise can halt critical OT operations. Modern ransomware specifically targets industrial environments.
  • Living-off-the-Land (LOTL) attacks: Attackers use legitimate tools (PsExec, WMI, PowerShell) already present in the environment to move laterally without deploying malware.
  • Supply chain compromise: Malicious updates delivered through legitimate vendor channels (SolarWinds 2020, Kaseya 2021 as precedents).
  • Engineering workstation compromise: Attacking the engineering workstation gives direct access to controller configuration and safety logic.
  • Historian as pivot point: Historians with dual-homed connections to both OT and IT networks are a common lateral movement vector.

Mitigation Framework

  1. Network segmentation: Implement IEC 62443 zones and conduits. No direct IT-to-OT connections. DMZ for data exchange.
  2. Remote access control: All remote access via jump server with MFA. Log all sessions. No persistent VPN tunnels to Level 1-2.
  3. Asset inventory: You cannot protect what you cannot see. Maintain a live OT asset register.
  4. Patch management: Test patches in a lab environment. Apply critical security patches within 35 days of vendor release (NERC CIP benchmark).
  5. Vendor access management: Third-party vendors should use managed vendor access solutions, not shared accounts.
  6. Incident detection: Deploy OT-specific network monitoring (Claroty, Dragos, Nozomi Networks) for passive traffic analysis without disrupting real-time communications.
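As an added example (not code from the original page or from any vendor product named above), the following script checks flow records against an IEC 62443-style zone and conduit policy, flagging cross-zone connections that bypass the DMZ, such as a direct IT-to-Level 2 session or IT traffic reaching a Level 1 controller. The zone CIDRs, conduit list and flow records are all constructed assumptions for illustration.

```python
import ipaddress
from typing import List, Tuple

# Zone definitions (constructed CIDRs, not from any real plant):
# enterprise IT, the IT/OT DMZ, Level 2 supervisory (HMI, historian),
# and Level 1 control (PLCs, RTUs).
ZONES = {
    "IT":  ipaddress.ip_network("10.0.0.0/16"),
    "DMZ": ipaddress.ip_network("10.10.0.0/24"),
    "L2":  ipaddress.ip_network("192.168.2.0/24"),
    "L1":  ipaddress.ip_network("192.168.1.0/24"),
}

# Approved conduits (source zone -> destination zone). Any other cross-zone
# flow is a direct connection that bypasses the DMZ and breaks the zone model.
CONDUITS = {("IT", "DMZ"), ("DMZ", "L2"), ("L2", "DMZ"), ("L2", "L1")}

def zone_of(ip: str) -> str:
    """Map an address to its zone name, or UNKNOWN if it is outside all zones."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"

def find_violations(flow_lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Parse 'src dst dport' records and return cross-zone flows that do not
    traverse an approved conduit, as (src, dst, dport, 'SRCZONE->DSTZONE')."""
    violations = []
    for line in flow_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        src, dst, dport = line.split()[:3]
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz:
            continue  # intra-zone traffic is outside the scope of this check
        if (sz, dz) not in CONDUITS:
            violations.append((src, dst, dport, f"{sz}->{dz}"))
    return violations

# Constructed sample flow log (not captured traffic): src dst dport
SAMPLE_FLOWS = """
10.0.5.20 10.10.0.5 443
10.10.0.5 192.168.2.10 1433
192.168.2.10 192.168.1.7 502
10.0.5.20 192.168.2.10 3389
10.0.7.9 192.168.1.7 502
""".splitlines()

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("VIOLATION", v)
```

The same policy table can be fed from a firewall or NetFlow export instead of the embedded sample; only the parsing line needs to change.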

Incident Response for OT

OT incident response differs from IT: you cannot simply isolate a PLC mid-process. Develop playbooks that define safe operational modes for each incident type, and practice them before an actual incident forces the decision under pressure.