SCADA Security Checklist

How to Use This Checklist

This checklist provides a comprehensive framework for assessing SCADA system security. Items are organized by security domain and prioritized by criticality. Use this checklist to:

Conduct security assessments and gap analysis
Prioritize remediation efforts based on risk
Track compliance with security standards and best practices
Prepare for security audits and assessments

Priority Levels:

CRITICAL Immediate action required
HIGH Address within 30 days
MEDIUM Address within 90 days
LOW Address as resources permit

1. Network Architecture & Segmentation

Proper network segmentation is the foundation of SCADA security, limiting attack propagation and isolating critical systems.

SCADA network is segmented from corporate IT networkCRITICAL

Deploy industrial firewalls or unidirectional gateways between IT and OT zones

Safety systems (SIS, fire & gas) are on isolated networksCRITICAL

Safety instrumented systems must be physically or logically isolated from process control networks

Network zones are defined based on IEC 62443 zones and conduits modelHIGH

Document security zones by criticality level and trust boundaries

Firewalls are deployed at all zone boundaries with allowlist rulesHIGH

Default-deny firewall policies with explicit allow rules for required protocols

VLANs are used to separate different criticality levelsHIGH

Minimum segmentation using VLAN isolation for different system types

Wireless networks are isolated from wired SCADA networksMEDIUM

Separate wireless infrastructure with additional access controls

No direct internet connectivity to SCADA systemsCRITICAL

Remove all direct internet exposure; use secure remote access architecture instead

2. Access Control & Authentication

Strong access controls prevent unauthorized access to critical SCADA systems and limit insider threat risks.

All default vendor credentials have been changedCRITICAL

Audit and change default passwords on HMIs, PLCs, RTUs, switches, and all SCADA components

Strong password policies are enforced (12+ chars, complexity)HIGH

Minimum password length and complexity requirements aligned with NIST guidelines

Multi-factor authentication (MFA) is required for remote accessHIGH

Implement MFA for VPN, jump servers, and remote desktop access

Role-based access control (RBAC) is implementedHIGH

Granular permissions aligned to job functions (operator, engineer, administrator)

Least privilege principle is applied to all accountsHIGH

Users have only the minimum permissions required for their role

Privileged accounts are managed through PAM solutionMEDIUM

Privileged access management for administrator credentials with check-out/check-in

Quarterly access reviews are conductedMEDIUM

Regular review and recertification of user access rights

Terminated user accounts are disabled immediatelyHIGH

Account lifecycle management integrated with HR processes

3. Patch Management & Vulnerability Management

Timely patching and vulnerability remediation reduce exposure to known exploits.

Asset inventory includes OS versions and patch levelsHIGH

Maintain current inventory of all SCADA systems with software versions

Critical security patches are applied within 30 daysHIGH

Risk-based patching schedule prioritizing critical vulnerabilities

Patches are tested in non-production environment firstMEDIUM

Test patches on representative systems before production deployment

Compensating controls exist for systems that cannot be patchedMEDIUM

Network isolation, IPS virtual patching, or application whitelisting for legacy systems

Vulnerability scanning is conducted quarterlyHIGH

Authenticated scanning using OT-aware tools during maintenance windows

Vendor security advisories are monitoredMEDIUM

Subscribe to ICS-CERT advisories and vendor security notifications

4. Logging, Monitoring & Incident Detection

Comprehensive logging and monitoring enable early detection of security incidents and support forensic analysis.

Logging is enabled on all SCADA servers and critical devicesHIGH

Enable Windows Event Logs, syslog, and application logs

Logs are forwarded to centralized SIEM or log management systemHIGH

Real-time log aggregation for correlation and long-term retention

Security alerts are configured for suspicious activitiesMEDIUM

Alerting on failed logins, privilege escalation, configuration changes

Industrial network monitoring is deployedMEDIUM

OT-specific network monitoring for protocol anomalies and baseline deviations

Logs are retained for minimum 90 daysMEDIUM

Adequate retention period for incident investigation and compliance

Regular log review is performedLOW

Periodic manual review of logs for anomalies not caught by automated alerts

5. Remote Access Security

Secure remote access architecture protects against unauthorized external connections.

Remote access requires VPN with strong encryptionCRITICAL

IPsec or SSL VPN with AES-256 encryption as minimum

Multi-factor authentication is required for VPN accessHIGH

MFA using tokens, smart cards, or authenticator apps

Jump servers/bastion hosts are used for remote accessHIGH

Dedicated hardened systems for remote access with session recording

Vendor remote access is managed through dedicated DMZMEDIUM

Isolated vendor access zone with time-limited credentials

Remote sessions are logged and recordedMEDIUM

Session recording for audit trail and forensic analysis

IP whitelisting is used for remote accessLOW

Restrict VPN access to known IP ranges where feasible

6. Endpoint Protection

Protecting SCADA workstations and servers from malware and unauthorized software.

Antivirus/anti-malware is deployed on all workstations and serversHIGH

OT-tested antivirus with controlled update mechanisms

Application whitelisting is enabled on critical systemsHIGH

Only approved applications can execute, blocking malware and unauthorized software

USB ports are disabled or restricted on HMI workstationsMEDIUM

Device control policies to prevent removable media attacks

Auto-run/auto-play is disabled on all systemsMEDIUM

Prevent automatic execution of malware from removable media

Screensaver locks are configured (15 min timeout)LOW

Automatic workstation locking after inactivity period

7. Backup & Disaster Recovery

Reliable backups enable rapid recovery from cyber incidents or system failures.

Automated backups of all critical SCADA configurationsCRITICAL

PLC logic, HMI projects, database configs, network device configs

Backups are stored offline or on immutable storageHIGH

Protect backups from ransomware encryption

Backup restoration procedures are documented and testedHIGH

Quarterly recovery testing to verify backup integrity

Offline copies of software, firmware, and licenses are maintainedMEDIUM

Emergency restore capability without internet/vendor access

Disaster recovery plan includes SCADA systemsMEDIUM

DR procedures with RTO/RPO objectives for critical SCADA systems

8. Physical Security

Physical access controls protect SCADA infrastructure from tampering and unauthorized access.

Control rooms have restricted physical accessHIGH

Badge access, visitor logs, and surveillance cameras

Server rooms have environmental monitoringMEDIUM

Temperature, humidity, water detection, and power monitoring

Field devices and network equipment are in locked enclosuresLOW

Physical tamper protection for field-located equipment

9. Security Governance & Training

Organizational policies and awareness programs create a culture of security.

SCADA security policies and procedures are documentedHIGH

Formal security policies covering access control, change management, incident response

Annual cybersecurity awareness training for SCADA personnelHIGH

OT-specific training covering phishing, removable media, physical security

Incident response plan includes SCADA systemsMEDIUM

OT-specific IR procedures with safety considerations

Change management process for SCADA modificationsMEDIUM

Formal approval and testing before production changes

Tabletop exercises conducted annuallyLOW

Simulated cyber incident exercises with IT and OT teams

10. Vendor & Third-Party Management

Managing security risks from vendors and third-party service providers.

Vendor contracts include security requirementsHIGH

Contractual obligations for security controls and incident notification

Vendor access is time-limited and approval-basedHIGH

Temporary credentials requiring manager approval

Inventory of all vendor access points maintainedMEDIUM

Document all remote access mechanisms and connection details

Vendor security assessments conducted periodicallyLOW

Annual review of critical vendor security practices