Protecting Today's SCADA-Based Mass Transit Systems Should Begin with a Defense-in-Depth Strategy

Ensuring cyber security in the control infrastructure of mass transit systems may seem like a daunting task as it requires cooperation and commitment from the entire organization as well as support organizations, such as local police forces. Upper management must recognize the numerous benefits of a secure SCADA system. These advantages include ensuring system uptime, reliability, availability and safety to both the facility and surrounding area. A secure system protects the company, its vendors, systems integrators, customers and others who interact with the SCADA system. 

To provide maximum protection for critical SCADA data assets, IT teams at mass transit systems should deploy a "defense-in-depth" security approach that includes multiple layers of protection to recognize and thwart cyber-attacks. 

Defense in Depth in Today's Networks

The basic premise of defense in depth is to use a layered approach to network security — deploy one or more layers of protection at network boundaries (firewalls, anti-virus/malware appliances and intrusion prevention devices) and additional layers of protection at the individual computer workstations or endpoints. This defense strategy is most effective when the layers use genuinely different defense mechanisms, such as anti-malware products from two different vendors, so that gaps in one vendor's detection are covered by the other's. The two products should be built on different detection engines, since several vendors license the same underlying engine; two labels on one engine is not two layers.

Network Level Security

The first level of security to consider when implementing a defense-in-depth strategy is the network level. Proper attention to security at the network level benefits every resource downstream of it. For example, a network protection appliance at the network switch used in conjunction with a traditional anti-virus solution on the network endpoints adds up to 38 percent additional anti-malware protection compared with endpoint anti-virus alone.

  • Network Perimeter: the network perimeter, or edge, is where Internet traffic enters and exits an organization's network. IT teams can deploy various types of protection there, including malware protection, spam filtering, content filtering, network firewalls, and intrusion detection and prevention. 

    The network perimeter is often protected by Unified Threat Management (UTM) technology. A UTM solution is typically deployed as a network appliance that combines multiple security functions into a single solution with a unified management interface. These devices are especially valuable at the edge of the internal network, where most external attacks, including 'brute force' attempts against exposed services, first arrive. 

    UTM solutions are a critical component of network-level security, and they need to be implemented carefully. For example, network firewalls must be configured to deny by default and pass only the protocols the internal network actually requires; every unnecessary port left open at the perimeter is a path for an attacker into the agency's network. 

    In some cases security officers may choose to deploy an anti-malware appliance from a different security vendor in-line with the UTM, so that incoming packets are analyzed by a second, independent engine. This is another element of a defense-in-depth security strategy.
     
  • Segmented Networks: large internal networks are often organized into groups of smaller networks. This topology reduces congestion and improves network performance by reducing the amount of traffic flowing through any one network segment. 

    Segmented networks also improve security: broadcast traffic is contained within each local network, a compromised segment can be quickly isolated from the rest of the network in the event of a security breach, and each segment boundary can be enforced by a dedicated network-level security appliance that allows only the traffic the segment needs, preventing viruses and malware from crossing from one segment to the next. For a SCADA network this means the control network is its own segment, with corporate users reaching it only through the specific services they require. 
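The two measures above, a default-deny perimeter that passes only required protocols and a segmented network whose boundaries can be isolated on demand, come down to one allow-list policy evaluated at every segment boundary. The following is an added example that is not part of the original article: a small zone-based policy model with a corporate segment, a control DMZ holding a historian, and the control network holding the PLCs. The zone names, addresses, the HTTPS historian interface and the 502/tcp Modbus poll are constructed assumptions for illustration, not a description of any real agency's network.

```python
"""
Zone-based, default-deny allow-list for a segmented SCADA network.

Added example (not from the original article). Zones, addresses, ports
and the sample flows below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One explicit permit between two segments; anything not listed is denied."""
    src_zone: str
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dport: int
    comment: str = ""


@dataclass
class Policy:
    zones: dict                              # zone name -> ip_network
    rules: list = field(default_factory=list)
    isolated: set = field(default_factory=set)

    def zone_of(self, addr):
        """Map an address to its segment; None means outside every known segment."""
        ip = ip_address(addr)
        for name, net in self.zones.items():
            if ip in net:
                return name
        return None

    def isolate(self, zone):
        """Cut a segment off from all other segments after a suspected breach."""
        self.isolated.add(zone)

    def decide(self, src, dst, proto, dport):
        """Return (verdict, reason). Default deny: only an explicit rule allows."""
        sz, dz = self.zone_of(src), self.zone_of(dst)
        if sz is None or dz is None:
            return "DENY", "address not in any known segment"
        if sz == dz:
            # Traffic that never crosses a boundary is not the appliance's concern.
            return "ALLOW", f"intra-segment traffic stays within {sz}"
        if sz in self.isolated or dz in self.isolated:
            blocked = sz if sz in self.isolated else dz
            return "DENY", f"segment {blocked} is isolated"
        for r in self.rules:
            if (r.src_zone, r.dst_zone, r.proto, r.dport) == (sz, dz, proto.lower(), dport):
                return "ALLOW", r.comment
        return "DENY", f"no rule permits {proto}/{dport} from {sz} to {dz}"


def build_policy():
    """Hypothetical three-segment layout: corporate, control DMZ, control network."""
    p = Policy(zones={
        "corporate": ip_network("10.1.0.0/16"),
        "control_dmz": ip_network("10.2.0.0/24"),
        "control": ip_network("10.3.0.0/24"),
    })
    # Corporate users may view the historian's web interface over HTTPS only.
    p.rules.append(Rule("corporate", "control_dmz", "tcp", 443, "corporate -> historian HTTPS"))
    # Only the historian polls PLCs, and only over Modbus/TCP. Nothing else enters control.
    p.rules.append(Rule("control_dmz", "control", "tcp", 502, "historian -> PLC Modbus/TCP"))
    return p


def evaluate_sample_flows():
    """Run constructed flows through the policy; returns {flow label: verdict}."""
    p = build_policy()
    results = {}
    results["corp_to_historian_https"] = p.decide("10.1.5.20", "10.2.0.10", "tcp", 443)[0]
    results["corp_to_historian_smb"] = p.decide("10.1.5.20", "10.2.0.10", "tcp", 445)[0]
    results["corp_direct_to_plc_modbus"] = p.decide("10.1.5.20", "10.3.0.7", "tcp", 502)[0]
    results["historian_to_plc_modbus"] = p.decide("10.2.0.10", "10.3.0.7", "tcp", 502)[0]
    results["internet_to_plc"] = p.decide("203.0.113.5", "10.3.0.7", "tcp", 502)[0]
    # Breach suspected in the DMZ: isolate it and the formerly allowed poll is cut.
    p.isolate("control_dmz")
    results["historian_to_plc_after_isolation"] = p.decide("10.2.0.10", "10.3.0.7", "tcp", 502)[0]
    return results


if __name__ == "__main__":
    for label, verdict in evaluate_sample_flows().items():
        print(f"{label:36} {verdict}")
```

The point the model makes is that the corporate user never gets a rule to the PLC segment at all; they reach the historian, and only the historian talks Modbus to the PLCs. An unneeded protocol (SMB/445 here) is denied even between segments that do have a permitted path, and isolating a segment removes its permits without editing the rule set.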


Endpoint Level Security

An effective security infrastructure must also protect every network endpoint (servers, workstations and similar hosts) from cyber-attack. The accepted way to protect these resources is to install anti-virus software and enable a host firewall on each endpoint, so that a device is still defended if an attacker gets past the network layer.

Anti-virus software is used to prevent, detect and remove malware (including computer viruses, computer worms, Trojan horses, spyware and adware). An anti-virus solution can employ a number of detection strategies: