Pressure from various government agencies and end user awareness of system vulnerabilities are causing many to rethink their approach to process control system security.
Hard data, with respect to security breaches of process control and other computing systems, is hard to come by. No company or user is interested in publicizing security incidents, so numbers are largely speculative and often provided by those with a vested interest such as providers of IT security products and services.
Despite a lack of data, awareness is high, and one major incident would compel process control firms to take action. Many firms are taking a proactive approach to security, and one of the leaders in process control security is the National Institute of Standards and Technology (NIST). NIST is working with process control end users, vendors, and system integrators to improve the IT security of networked process control systems.
According to NIST, the widespread use of IT for remote monitoring and control of the electric power system and for controlling industrial processes in the oil and gas, water, chemical, pharmaceutical, food & beverage, pulp & paper, and other process industries has unintentionally introduced security vulnerabilities.
These process control systems were designed to maximize performance, reliability, and safety. Security has often not been a significant consideration because many of these systems were not connected to other networks and were based on proprietary hardware and protocols. This has resulted in security through obscurity. As process control systems become more connected to business networks, vulnerability increases because these networks use commercial, off-the-shelf products and open protocols.
To address the security requirements for industrial process control systems and components, NIST formed the Process Control Security Requirements Forum (PCSRF) in the spring of 2001. The NIST-led PCSRF is a working group of process industry users, utilities, vendors, national labs and security agencies, architect engineering companies and integrators in the process control industry addressing security requirements for process control systems and components including SCADA systems, DCS, PLCs, and intelligent electronic devices.
The main goal of the PCSRF is to increase the security of industrial process control systems through the definition and application of a common set of information security requirements. The intent is to reduce the likelihood of successful cyber-attack on the nation’s critical production, energy and utility infrastructures.
A specific initiative is protecting the operator interfaces for control systems. Data displayed on an operator interface often originates from remote sensors and devices. If this data is compromised, what the operator sees may not reflect reality, which may cause an operator to take an incorrect action, or to think everything is fine and take no action when an action is required. The Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) is being used to document the results of this effort in the form of Protection Profile security specifications.
The PCSRF System Protection Profile for Industrial Control Systems (SPP-ICS) is designed to present a cohesive, cross-industry, baseline set of security requirements for new industrial control systems. These security requirements could be specified in procurement RFPs for new industrial control systems. The SPP-ICS considers an entire system and addresses requirements for the system lifecycle. The SPP-ICS also acts as a starting point for more specific system protection profiles (SCADA, DCS, PLC, etc.), for a specific instance of an industrial control system (water, oil/gas, etc.), and for component protection profiles (industrial controller authentication, sensor authentication, etc.). Version 1.0 of the SPP-ICS was completed in April 2004.
NIST’s Industrial Control System Security Testbed is being used to develop test methods for validation and conformance testing of security implementations. The testbed is also being used to help identify system vulnerabilities as well as establish best practice guidelines.
Dan Hebert, PE, Senior Technical Editor