Cyber vulnerabilities in control systems

There have been cases where employing IT security strategies have impacted control system performance. Two examples follow: 

1. Corporate IT directed a security scan at utility power plant control IP segments without previous communication or permission from the plant controls group. All of the control system engineering workstations were impacted to some degree depending on the version of software and loading of the workstation when the scan was performed. Some of the workstations were able to continue operating, but with reduced throughput. Other workstations required shutdown and reboot.  It should be noted that Corporate IT wanted to continue performing scans of the plant IT segments even after this incident. 
2. A manufacturing company had a security consultant map the control system network.  Associated buffer overflows resulted in a complete lock-up of the variable-speed drives requiring a shutdown and replacement of the configuration modules before the system could be restarted.

There is a growing concern that with the requirements of the Final Report of the Northeast Blackout and the proposed NERC 1300 that there will be more unintentional (and unreported) impacts on control systems by personnel untrained in nuances and sensitivities of control systems.

There are on-going discussions within the NERC Control System Security Working Group concerning connectivity from control systems to and from corporate networks. In order for operations to maintain configuration control of control systems, the configuration management process needs to be managed by Operations. Having a control system IT function to oversee security and other changes to the control system network would increase control system reliability by reducing the probability of inadvertently creating control system disturbances. It would also respond to the intent of NERC 1200 and 1300 for establishing a responsible organization for maintaining the cyber security of control systems. 

Operations and Maintenance
For operational and maintenance considerations, control systems will continue to require remote access. Consequently, the current and next generation of monitoring and diagnostic devices used in substations and power plants (and other industrial applications) are being developed with remote access capability either by dial-up or directly to the Internet. The technology is being implemented to improve grid reliability (e.g., replacement of electromechanical relays and switches with intelligent electronic devices - IEDS) will also introduce cyber vulnerabilities. These control system devices utilize serial communication protocols such as DNP3 or Modbus. Installing current firewall technology between these devices and the control network can slowdown critical control system communications.

Sarbanes-Oxley and Control Systems
Another area that falls between IT and operations is the issue of Sarbanes-Oxley (SOX) compliance. SOX was originally intended to prevent financial problems and requires all computer systems critical to the financial well-being of the company to be addressed. Traditionally, this has focused on critical IT business systems. However, SCADA and power plant control systems are obviously critical to the bottom-line of all electric utilities. Arguably, the Energy Management System (EMS) handles more financial transactions than any other utility system. Therefore, these critical operational systems should also be included in SOX compliance. Because these systems are not well understood by IT and these systems cannot be fully secured, it is important that operations be involved in validating SOX compliance of control systems.

Future
Control systems are different than traditional IT systems. Securing and maintaining secure control systems will require Operations and IT experience.  There is a need to develop accreditation for control system security that will combine both IT and control systems bodies of knowledge. The Department of Homeland Security (DHS) has initiated discussions to address this need.Securing and maintaining the security of these systems will require appropriate expertise from both IT and Operations. Attempting to secure these systems without appropriate knowledge and care is a dangerous undertaking.

 

jweiss@kemaconsulting.com.

 

---

Joe Weiss is an executive consultant with Burlington, Massachusetts-based KEMA, Inc. He is the task force lead for the IEEE Power Engineering Society’s task force reviewing equipment standards for cyber security. He is also a member of ISA’s Process Control Systems Security Committee -- SP99 -- and CIGRE’s Task Force on cyber security. He can be reached via e-mail at