Historically, SCADA systems have been supported by wired networks. However, in recent years, more organizations have begun to add wireless connectivity to their industrial control networks, either through Wi-Fi or cellular connections. 

When building out SCADA networks, it is important for organizations to solve for reliability and availability — two factors listed among Cisco Systems’ six SCADA system design principles. “Pipeline operations applications and services run in real or near real time, 24 hours a day, and the network must be available to users on a continuous basis, with little or no downtime” (PDF), Cisco notes in its solution overview guide for SCADA systems in the oil and gas industries. “Operational pipeline management systems offer efficiency and reliability when they are working properly, but to know whether or not they are, you need real-time access to network health information across the system.”

It is important for organizations to appropriately segment their SCADA networks. Rather than maintain a single network where every device can “talk” to everything else, network segmentation allows organizations to break their networks up into logical segments, based on function. This way, a single compromised element will be less likely to spark an attack capable of spreading throughout the network. Often, SCADA networks are divided into separate segments for host servers and switches, virtual servers, operator workstations and controllers.

In addition to sensors that gather data from equipment, many industrial control networks feature edge computing resources that bring processing capabilities out into the field. The “edge” in edge computing refers to physical proximity to the sites where data is being gathered. For instance, in oil and gas environments, the “edge” may mean a drilling rig that is grinding through rock, a storage tank far from central facilities or a well that produces hydrocarbons. Or it could refer to the locations of midstream assets such as pumps, generators or even trucks. Edge computing devices must be powerful enough to process the data collected onsite and transmit it through the industrial control network, but they also must be rugged enough to operate in areas where there might not be power, lighting or onsite monitoring. Because of these hurdles, some energy companies have been slow to incorporate edge computing into their industrial control networks.

One advantage to edge computing devices is that they can store and process data locally, and transmit information to a central hub only in instances where an anomaly is noted or action is needed. This can drastically reduce the amount of data being sent back and forth over a wired or wireless network, which in turn simplifies networking needs.

As IT systems have become more sprawling and complex in recent years, there is increased value in simplified management and control. For instance, organizations that have invested in resources from multiple public cloud vendors often seek out management tools to help create a unified view of their environments. The gold standard is a “single pane of glass” dashboard that gives system administrators ready visibility into all components of a system within a single command center.

While some SCADA systems are too complex to be represented on a single dashboard, vendors now offer centralized management consoles that enable a comprehensive (or near-comprehensive) view of their industrial networks. These management tools can help lower overall costs and free up human operators for more mission-critical tasks.

In its solution overview guide for SCADA systems in the oil and gas industries, Cisco also highlights both security and regulatory compliance among its six design principles. “Few industries require security more than those concerned with the protection of natural resources and the management of energy,” Cisco notes. “Although the use of remote monitoring and control in critical processes continues to evolve, so does the need for enhanced security. Whether it is a measured value at a field instrument or the data path to the host, informational integrity can be realized only through focus on end-to-end data security.”

Governance and asset management are critical components of SCADA security, as it is essential for system administrators to know exactly what devices are on the network. Also, it is fairly common for organizations to leave devices protected by default passwords; when operators do change them, they often choose an easily guessed word or phrase. Patching is also an important practice, but some older operating systems are no longer supported by the original equipment manufacturer. 

Traditionally, energy and utility companies used air-gapped systems that weren’t connected to other resources. However, these systems are increasingly being connected to networks that touch other resources, and therefore require process management, change management and asset management solutions.