While the widespread deployment of Internet technologies has brought about efficiencies and new opportunities for productivity, it also carries significant risks, such as those posed by common software vulnerabilities and the consequent susceptibility of networked systems to Internet attacks. How to isolate and protect Supervisory Control and Data Acquisition (SCADA) systems from vulnerabilities inherent to the Internet while meeting common business requirements is a critical issue for control engineers and managers. Control systems utilized in industry include SCADA systems, Distributed Control Systems (DCS), and Programmable Logic Controllers (PLCs), all of which we will call SCADA systems.
The most troublesome vulnerability of SCADA systems arises from the increasing connectivity between automated control systems and Internet-based IT business systems. Particularly vulnerable are SCADA systems whose original engineering design never envisioned a connection to the Internet. Why? SCADA systems are evolving from proprietary products into standardized commercial-off-the-shelf (COTS) components, using open, Internet-based technologies with operating characteristics and vulnerabilities that are widely known. To achieve further economies of scale, vendors are now using the same product families of control system components across multiple critical infrastructures.
The Threat is Real
Richard Clarke, the former Cyber Security Czar for the White House, stated in an October 20, 2003 Computer World interview, “We do know that Norway and Israel at least are saying there were cyber-hacking attempts to bring down the power grids in their countries.”
The vulnerabilities of SCADA systems have resulted in many verified cases where control systems in oil/gas, electric power, water, paper, and manufacturing have been impacted. Most of these cases remain confidential, but some that have been disclosed include:
* The loss of a 1,000-MW hydro station in Asia,
* Hacking of a sewage treatment plant discharge valve in Australia (46 times before the hacker was discovered and caught) resulting in a release of millions of liters of sewage, and
* The recent Slammer and Blaster worms that impacted many electric and water utility control systems including Ohio's Davis Besse Nuclear Power Plant, as well as other industrial and manufacturing control systems.
The vulnerabilities are real, the threats are real, and now is a good time to review the basics of SCADA security.
In order to function securely, the SCADA system must be isolated from outside negative influences. A negative influence can be anything from an engineer requesting a massive amount of data to the high volume of e-mail traffic generated by a hacker’s worm or virus.
To accomplish this isolation, all of the machines associated with the primary function of the SCADA must be grouped together on a common network (the “Plant Control Network”), and be protected from other networks using an internal firewall.
Firewalls are built to regulate connections between machines inside the firewall and machines outside the firewall. Firewall rules can be written to allow any traffic, or to restrict traffic to only specific devices and applications. In order to be secure, the firewall should be configured to reject all connection requests, whether inbound or outbound. Then, as functionality is added to SCADA systems, new rules can be added to specifically allow the connections required by the new functionality.
The types of systems required to send data to the SCADA system will vary depending on the application. A good example is the Laboratory Information System (LIS) found in contemporary refining operations, which periodically exchanges data associated with product quality and yield with the refinery's SCADA system. In our hypothetical situation, we will refer to the network that is home to the LIS as the Plant Information Network.
In order for the transfer of data to take place, software agents on the SCADA system will need to talk, or establish a connection, with the LIS software. The new firewall rule should specifically identify the LIS system so that only it can use the rule.
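The reject-everything policy and the LIS-specific rule described above, modeled as an added example that is not part of the original article. The addresses, the port numbers and the rule names are constructed for illustration, and return traffic for an allowed connection is assumed to be handled by the firewall's connection tracking.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing and ports (assumptions, not from the article).
SCADA_AGENT = "10.10.0.5/32"   # host on the Plant Control Network running the data agent
LIS_HOST = "10.20.0.15/32"     # LIS on the Plant Information Network
LIS_PORT = 8443                # assumed LIS service port

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # destination port, 0 means any port
    action: str   # "allow" or "deny"

def matches(rule, src, dst, port):
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.port in (0, port))

def decide(rules, src, dst, port):
    """First matching rule wins; a connection that matches nothing is rejected."""
    for rule in rules:
        if matches(rule, src, dst, port):
            return rule.action
    return "deny"

def audit(rules):
    """Names of allow rules that are not pinned to one source, one destination, one port."""
    loose = []
    for rule in rules:
        pinned = (ip_network(rule.src).num_addresses == 1
                  and ip_network(rule.dst).num_addresses == 1
                  and rule.port != 0)
        if rule.action == "allow" and not pinned:
            loose.append(rule.name)
    return loose

# Built as the article describes: nothing is allowed until a function requires it.
STRICT = [Rule("scada-agent-to-lis", SCADA_AGENT, LIS_HOST, LIS_PORT, "allow")]
# For comparison: a rule that lets the whole information network reach the control network.
BROAD = [Rule("info-net-to-control", "10.20.0.0/24", "10.10.0.0/24", 0, "allow")]

if __name__ == "__main__":
    print(decide(STRICT, "10.10.0.5", "10.20.0.15", LIS_PORT))  # the LIS exchange
    print(decide(STRICT, "10.20.0.77", "10.10.0.5", 502))       # unrelated host, inbound
    print(audit(STRICT), audit(BROAD))
```

Running `audit` over an exported rule list before each change gives a quick check that every allow rule still names a single device and a single application port.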
Many companies have found that it is a best practice to require human review and explicit acceptance of data flowing from less secure systems (anything outside the control network firewall must be considered less secure than systems on the control network) before that data is allowed to contribute to SCADA control calculations.