Protecting Today's SCADA-Based Mass Transit Systems Should Begin with a Defense-in-Depth Strategy
- Signature-based detection — this strategy involves searching for known patterns of data within executable code. These patterns are regularly updated by the anti-virus company's research team. It is critical that all endpoints with anti-virus software receive updated signature files regularly.
- Heuristic detection — this strategy is used to identify new malware for which no signature is known. The anti-virus software identifies new viruses or variants of existing viruses by looking for patterns that are similar to those of known malicious code, or slight variations of such code.
- Sandbox detection and analysis — this strategy executes unknown files in a protected environment and analyzes the results of that execution to see if the files trigger any malicious actions in the host environment. Sandbox solutions can identify new and undiscovered malicious code that may pass through signature-based and heuristic detection methods undetected.
All anti-virus solutions will provide some level of protection for the network endpoints, but the best anti-virus solutions use a combination of all three techniques to protect endpoints from infection. Security personnel should periodically evaluate their anti-virus solutions to ensure that they are leveraging a solution with multiple layers of defense.
Anti-Virus Endpoint Protection is Not Enough
Anti-virus software is a critical component of endpoint security, and security personnel must ensure that the software is installed on every server and workstation on their networks. Endpoints with outdated virus definition files are a security risk, so procedures should be put in place to ensure that all endpoints are regularly updated with new virus definition files. Once a comprehensive anti-virus plan has been deployed, a more comprehensive strategy of endpoint security should be considered — one that ensures all endpoints are kept secure through application of regular vulnerability patches.
- Patch and Remediation Software — more than 90 percent of cyber-attacks exploit known security flaws for which remediation is available. For network endpoints to be completely secure, IT teams must also know what software is installed and operating on each endpoint. They must further ensure that the software and operating systems of every endpoint are regularly patched to eliminate attack vectors that could be used by cyber criminals to compromise the resource.
- Application and Device Control Software — one aspect of endpoint security that is often ignored is application usage. By implementing a "whitelist" approach to managing application usage, IT teams can define which devices and applications are permitted on the network through user and/or machine-specific policy rules. Execution of unknown or malicious code is prevented because only authorized applications are allowed to run on laptops, PCs and mission critical servers.
A comprehensive application control solution should automatically determine what applications are in use throughout the network endpoints, enforce application usage policies across the entire network, and automatically log network events related to endpoint security policy for compliance reporting. Such a solution should implement endpoint agents that are tamper-proof and protected against unauthorized removal.
Device control solutions protect networks from internal threats like data theft by enforcing which removable media (such as USB drives) are allowed in the organization's network and controlling the data that is copied to and from the internal network through policy-enforced encryption. These solutions should also log all data transfers for security and compliance reporting purposes.
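The allowlist model described above for applications and removable media, as an added example that is not from the original article or any vendor product: a per-role policy identifies executables by SHA-256 and USB devices by vendor and serial, denies anything not listed (including events from an unknown machine role), and records every decision for compliance reporting. All role names, hashes and device identifiers are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Hypothetical per-role allowlist policy (constructed values, not a real
# product's schema). Executables are keyed by SHA-256 and removable media by
# vendor:serial, so a renamed binary or a look-alike USB stick does not match.
POLICY = {
    "operator-workstation": {
        "apps": {hashlib.sha256(b"hmi-client-v3").hexdigest()},
        "usb": {"Vendor0x1234:SN0001"},
    },
    "scada-server": {
        "apps": {hashlib.sha256(b"historian-svc").hexdigest()},
        "usb": set(),  # no removable media permitted on servers
    },
}

@dataclass
class Event:
    host: str
    role: str
    kind: str      # "exec" or "usb"
    subject: str   # SHA-256 of the executable, or vendor:serial of the device

@dataclass
class Enforcer:
    policy: dict
    audit_log: list = field(default_factory=list)

    def decide(self, ev: Event) -> str:
        rules = self.policy.get(ev.role)
        # Unknown role: default deny, as an allowlist model requires
        if rules is None:
            return self._record(ev, "deny", "unknown role")
        allowed = rules["apps"] if ev.kind == "exec" else rules["usb"]
        if ev.subject in allowed:
            return self._record(ev, "allow", "matched allowlist")
        return self._record(ev, "deny", "not in allowlist")

    def _record(self, ev: Event, verdict: str, reason: str) -> str:
        # Every decision, allowed or denied, is logged for compliance reporting
        self.audit_log.append(
            f"host={ev.host} role={ev.role} kind={ev.kind} "
            f"subject={ev.subject[:16]} verdict={verdict} reason={reason}"
        )
        return verdict

def sha256_of(data: bytes) -> str:
    """Fingerprint an executable image the same way the policy does."""
    return hashlib.sha256(data).hexdigest()
```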
Conclusion
Secure and well-protected SCADA systems are critical both to the efficient operation of a mass transit system and to the safety of the thousands of riders who use these systems daily. Without this protection, cyber-attacks have the potential to cause serious accidents, damaging infrastructure and endangering riders and system personnel.
A defense-in-depth approach to network security will provide the most comprehensive protection against malware threats and other forms of cybercrime. Security architectures with multiple layers of protection from multiple vendors provide the best protection, especially when deployed at multiple levels in the network. Likewise, a multi-layer endpoint management strategy with anti-virus, patch, remediation, and application and device controls will provide the most comprehensive protection at network endpoints.
IT teams at mass transit organizations should continuously review their system's security architecture to identify areas of vulnerability and implement 'defense-in-depth' network strategies where appropriate to ensure that the system's network resources are adequately protected.