This whitepaper analyzes what would be needed to implement zero trust for SCADA systems.
SCADA systems are probably the most critical systems for most grid operators. A successful cyber-attack on a SCADA system could disrupt the electricity supply in a grid operator’s entire region, and possibly even further.
Up to now, SCADA systems have been protected against cyber-attacks at the perimeter. Through firewalls, demilitarized zones, jump servers, and physical security measures, the goal was to keep attackers out of the core SCADA networks.
If attackers do get into the core networks, most grid operators assume the SCADA system is fully compromised. The SCADA servers, workstations, and applications are not designed to resist attacks. Security updates are applied infrequently, weak passwords are used, and communication between servers is not protected.
SCADA systems would be more resilient against attacks if they were designed with a zero trust philosophy. Instead of relying on the perimeter for defense, it is assumed that any part of the system can be compromised. Endpoints and applications should therefore not trust each other. They should be designed to keep working as well as possible even when other parts are compromised.
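The following is an added illustration of the principle above, not code from the whitepaper or from ENCS. It models a SCADA server that trusts nothing by default: every message from a peer must be authenticated on the link it arrived on, must not be a replay, and must be authorized for that peer's role. The component names (rtu, hmi, server), the per-link HMAC keys, the sequence-number scheme and the role policy table are all assumptions constructed for the example; a real deployment would use certificates or keys provisioned from a PKI or HSM rather than keys generated in the script. The demo shows that a compromised HMI can neither forge measurements as the RTU nor exceed its own role, and that the server keeps serving its last good state while rejecting the bad traffic.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical role policy: which message kinds each component may send.
# Assumption for the example, not from the whitepaper.
POLICY = {
    "rtu": {"measurement"},
    "hmi": {"setpoint"},
}


def canonical(body: dict) -> bytes:
    """Stable serialization so sender and receiver MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, sender: str, receiver: str, seq: int, kind: str, payload: dict) -> dict:
    """Build a message and authenticate it with the key of the sender->receiver link."""
    body = {"from": sender, "to": receiver, "seq": seq, "kind": kind, "payload": payload}
    body["mac"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return body


class ScadaServer:
    """Zero-trust receiver: authenticate per link, reject replays, authorize per role,
    and keep the last good state when a peer misbehaves."""

    def __init__(self, name: str, link_keys: dict):
        self.name = name
        self.link_keys = link_keys                  # peer name -> key for that link
        self.last_seq = {peer: 0 for peer in link_keys}
        self.state = {"voltage_kv": None, "setpoint_mw": None}
        self.rejected = []                          # (link, reason) for the SOC to review

    def receive(self, link_from: str, msg: dict) -> bool:
        key = self.link_keys.get(link_from)
        if key is None:
            self.rejected.append((link_from, "unknown link"))
            return False
        # The identity is the link the message came over, not what the message claims.
        if msg.get("from") != link_from or msg.get("to") != self.name:
            self.rejected.append((link_from, "identity mismatch"))
            return False
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            self.rejected.append((link_from, "bad mac"))
            return False
        if msg["seq"] <= self.last_seq[link_from]:
            self.rejected.append((link_from, "replay"))
            return False
        if msg["kind"] not in POLICY.get(link_from, set()):
            self.rejected.append((link_from, "unauthorized kind"))
            return False
        self.last_seq[link_from] = msg["seq"]
        if msg["kind"] == "measurement":
            self.state["voltage_kv"] = msg["payload"]["voltage_kv"]
        elif msg["kind"] == "setpoint":
            self.state["setpoint_mw"] = msg["payload"]["mw"]
        return True


def demo() -> dict:
    # Constructed per-link keys; stand in for PKI/HSM provisioning.
    k_rtu = secrets.token_bytes(32)
    k_hmi = secrets.token_bytes(32)
    server = ScadaServer("server", {"rtu": k_rtu, "hmi": k_hmi})

    # Legitimate traffic from both peers.
    m_meas = sign(k_rtu, "rtu", "server", 1, "measurement", {"voltage_kv": 110.2})
    m_set = sign(k_hmi, "hmi", "server", 1, "setpoint", {"mw": 50})
    results = [server.receive("rtu", m_meas), server.receive("hmi", m_set)]

    # A compromised HMI holds only k_hmi. It cannot speak as the RTU,
    # cannot replay its own earlier setpoint, and cannot send measurements.
    forged = sign(k_hmi, "rtu", "server", 2, "measurement", {"voltage_kv": 0.0})
    results.append(server.receive("hmi", forged))
    results.append(server.receive("hmi", m_set))
    overreach = sign(k_hmi, "hmi", "server", 2, "measurement", {"voltage_kv": 0.0})
    results.append(server.receive("hmi", overreach))

    return {"accepted": results, "state": dict(server.state), "rejected": list(server.rejected)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry the zero-trust idea: the server identifies a peer by the authenticated link, never by a name inside the message, and authorization is checked per message against the role policy, so a compromised endpoint is confined to what its own identity may legitimately do. Everything rejected is recorded, which is the detection signal a SOC would want from such a design.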
This document analyzes what additional measures would be needed to implement zero trust on top of the measures in the ENCS Security architecture for SCADA systems.