SCADA Vendor Support

I just finished reading an interesting article on ControlGlobal.com. It describes ABB’s (a SCADA equipment vendor) ability to provide “advanced diagnostics and data collection tools to provide levels of access and maintainability for ABB equipment or monitoring of PCs in any environment” via remote access. Reading the article it struck me that ABB, and many other SCADA vendors offering similar services, may provide security managers at high-risk facilities with an overlooked security problem. Unescorted Access The CFATS regulations require that facilities conduct a variety of background checks on “for unescorted visitors with access to restricted areas or critical assets [emphasis added]” {6 CFR 27.230(a)(12)}. It would seem to me that even the most restrictive definition of ‘critical assets’ would include SCADA and industrial control systems at CFATS covered facilities. A vendor technician working on such systems on site would certainly fall under the ‘unescorted visitors’ definition unless accompanied by some one qualified to understand what the tech was doing with the cyber system. What would make that same technician exempt from the background check requirement if they were accessing the system from off-site? Any such off-site access must be considered ‘unescorted’ access to a critical asset. Two Options Now as I see it, there are at least two options. First CFATS covered facilities could shut down the off-sit access capabilities of these vendors. There is certainly a security argument to be made for that option. Unfortunately, most facilities do not have anyone on the payroll that can conduct the appropriate diagnosis, much less make the repair and adjustments that these vendor offer. Without these on-line services, facilities would have to be shut down until a technician could physically arrive on site; very costly. The second, and more useful, option would be to have these vendors conduct the appropriate background checks for each of their employees that have the access to these systems and to certify that they have met some minimum background check requirements. Of course, this would have to include the check of the terrorist screening database (TSDB) that DHS is requiring all others with access to the CFATS facilities to undergo. The current way that DHS is considering how to implement the TSDB check would require that each facility being served by these vendors would be required to submit data on each of the vendor employees with potential access. Not only would that be time consuming for the facility, but it would raise some privacy issues as well. Additionally that would drastically inflate the number of records that would have to be processed by the DHS folks. Alternatively, DHS could set up their TSDB tool to allow the SCADA vendors to have their own accounts where they would submit the information on their employees. CFATS covered facilities would then identify the vendors that their facility uses that would be authorized off-site access to their control systems. This would allow DHS to identify who had access to the facility equipment and yet protect the privacy of the vendor’s employees. A similar technique could be employed for other companies that have employees with routine access to multiple high-risk facilities. A Not So Minor Problem One small problem with this idea; the CFATS regulations only apply to high-risk chemical companies. DHS does not have the authority to regulate the vendors and contractors that support the covered facilities. Just one more thing that needs to be added to the re-authorization of CFATS.