SCADA Network Security & USB Port Control
USB Port Control to Secure ICS DCS/SCADA
Securing USB Ports is an important aspect of SCADA Endpoint Protection, because removable storage and other portable devices could contain malware exploits that can infect the operating system and affect the HMI, shared-database or communication infrastructure and ultimately make the Supervisory System lose Control of the machinery being managed causing process upsets and put personnel and/or environment in danger.
Protecting Industrial Supervisory & Control Computers:
Distributed Control Systems (DCS) and Supervisory Control and Data Acquisition (SCADA) Servers, Workstations and Laptops typically use Windows Operating Systems. They can be found across ICS infrastructure fulfilling different roles such as Engineering Workstations, Operating Stations (HMI), OPC Servers, Historian Servers, SCADA Servers, Maintenance/Service laptops and more.
While IT Device Control software mainly focus on the data-loss prevention aspect of network security and Antivirus Software code-analysis, sandboxing, data-mining, and signature updates continue to increase the load on computer system resources. Protecting ICS DCS/SCADA Networks from unauthorized Portable Devices requires the use of tools that are light on system resources, and that function decisively to ensure the Integrity and availability of the Process Control Systems.
USB-Lock-RP™© SCADA Network Security Software provides Centralized (On-Prem) Management over portable devices access to a broad range of windows operating-systems (from Windows NT5.1 to NT10), Securing DCS or SCADA Network Systems Servers and Workstations found at Levels 2/3/4 of the ICS. Its Data loss prevention effectiveness is the result of its decisive design to prevent Systems Infection incoming from Removable storage USB, and other Portable devices, including eSATA and Firewire drives, mobile phones, Smart Cards, Compact discs, and Wireless transceivers.
"USB-Lock-RP SCADA Security Software is licensed by top-notch organizations to secure Supervisory/Control Computers as a straightforward tool to complement their ICS cyber defense arsenal"
USB-Lock-RP Port blocking and device authorization functions take into account machines and devices hardware identifiers, Not user-account privileges. This allows for effective protection even if computers are running under elevated credentials or administrator user-accounts.
Since Stuxnet it has been clear that antivirus software remains ineffective in stopping Zero-day USB-based exploits, and that USB storage such as flash drives, and other portable devices are a probable entry point for new or known exploits.
Signature-based detection fails in preventing USB-Based Zero-day exploit attacks and more so if the network is air-gapped as updating virus and malware signatures could be further delayed.
Antivirus software attempt to prevent such attacks by code-analysis have limitations, as code-analysis detection puts heavy demand on operating system and hardware resources. Its effectiveness will vary depending on the amount of resources the system has to offer and how much of this resources are realistically available at intrusion attempt time.
More so, code-analysis detection requires accessing the device which even under sandboxing could be dangerous. By complementing antivirus software with this software, blocked devices don't need to be accessed by antivirus as they won't be present. (Only authorized devices would).
USB-Lock-RP approach when dealing with unauthorized removable storage connections is to deny access to USB Port by redundant means. Even specifically authorized flash drives or mobile phones need to be re-plugged after being identified to function. This approach is effective in preventing both systems infection and data loss.
Regarding HID interface: Since version 10.1 USB-Lock-RP detects changes in usb keyboard and mouse enumeration to neutralize maliciously modified firmware BadUSB such as USB Rubber Ducky that impersonate HID keyboards to inflict keystroke injection attacks by sudden release of embedded malicious payloads.
Any change in keyboard/mouse enumeration will trigger an automatic assessment to neutralize the threat if present. This events as any other insertion attempt events at endpoint clients are reported to the Central Control in near real-time.
The Central Control application and Client Service are light on system resources consumption, and have minimum dependencies and component requirements and are even capable of running on embedded OS.
USB-Lock-RP Port security software is used extensively to secure DCS/SCADA Windows based Servers and Workstations in: offshore & onshore Oil drilling, pipelines, and production operations, electric grids, chemical plants, water treatment plants and facility-based critical ICS infrastructure networks in general.
Commitment to ICS DCS/SCADA Network Protection:
Since 2004 when USB-Lock-RP development started, the Advanced Systems International team is dedicated to licensing and upgrading this software solution and today in 2018 our commitment is stronger than ever to never drop compatibility to legacy (older Windows OS) as many Industrial Networks supervisory computers, are still running on those OS, and to always protect the latest windows operating systems from unauthorized use of ordinary and emerging technology portable devices. USB Lock RP provides straightforward Portable Devices Access Control, to both Operational Technology (OT) ICS DCS/SCADA networks but also IT networks, nevertheless it is also our commitment to remain a machine-level protection tool and not to compromise ICS systems security by favoring user-based protection on future upgrades, as the software primary objective is to Systems integrity and availability being the confidentiality aspect and data loss prevention (DLP) a valuable consequence of its function.
Choosing Security Software to secure computer USB ports against the risks associated with Removable Storage:
If you are looking for Active directory, or GPO based, or internet dependent, user dependent or cloud-based network security, you may find other software that will probably better suit your requirements. But if you are looking to secure a SCADA Network or Critical infrastructure sytems from a Centralized on-premises administrative console to effectivelly protect supervisory computers from unauthorized use of removable-storage, portable devices, cd/dvd, & wireless transmissions (Wi-Fi, Bluetooth, IrDA) you should download and put USB-Lock-RP to the test as we strongly believe you have found what you are looking for. USB-Lock RP Control (administrative console interface) is straightforward, and easy to use, there is virtually no learning curve involved. Download and you will be: protecting, authorizing, and receiving reports of blocked or allowed devices in minutes.