
Cyber vulnerabilities in control systems

Jan. 10, 2005
As steps are being taken to ensure the cybersecurity of control systems in the automation industries, securing and maintaining these systems will require employees to have more operations and IT experience.

By Joe Weiss, PE, CISM

The question of whether the traditional corporate Information Technology (IT) organization or Operations is responsible for control systems is frequently asked, without a consensus answer. Many professionals take strong positions on either side of the issue. Traditionally, the corporate IT organization has been responsible for the cyber security of computing systems. Generally, the computing systems that IT is knowledgeable about, and accountable for, are the business systems, desktops, laptops and corporate web sites.

The control systems used to produce, transmit and distribute electricity (as well as in other industrial applications) were originally designed to be isolated from the corporate networks managed by IT. They have been traditionally operated and maintained by Operations. These systems include power plant distributed control systems (DCS), programmable logic controllers (PLC), supervisory control and data acquisition (SCADA) systems, remote terminal units (RTU) and intelligent electronic devices (IED).

However, these critical systems are now being linked to corporate and other external networks, including the Internet. Additionally, SCADA, DCS and PLC operator consoles are increasingly Microsoft Windows-based or implemented on industry-standard workstations such as HP-UX or Sun Solaris, which makes the question of responsibility even more complex.

Consequently, last year, the EMS User Group performed a survey in which 16 utilities responded as to whether SCADA was “owned” by Operations or IT and which organization provided computer and network support. The results were mixed, but a majority stated that they were not part of corporate IT, nor did they get support from IT on any EMS tasks. These mixed results are consistent with the informal responses received from many different utilities and other industrial organizations.

Making matters more complicated, Operations often shares IT infrastructure such as LANs, firewalls and routers. Many of the SCADA and power plant operator/engineer workstations and the substation and power plant laptop computers appear to be the same as traditional IT business systems, despite the fact that they have very different applications and remote connections. Therefore, IT often lacks knowledge of the different operational and administrative control system needs. Even the System Administrator function is different for Operations than it is for the corporate IT applications.

Changing IT Functions
There is a need--and not just in the utility industry--for an IT control system function. In fact, this function has already been implemented in some utilities and other industrial organizations. The existing IT function would continue to service the traditional IT business network and associated infrastructure including routers, switches, firewalls and intrusion detection. The control system IT function would be under the purview of operations with corporate IT support, as required. The control system IT function would then be responsible for the SCADA or DCS and all associated subsystems such as RTUs, IEDs and PLCs. This function would also have responsibility for the network infrastructure directly supporting these systems.

Control System Needs
Steps are being taken to ensure the cyber security of control systems in several industries including electric power. In order to protect the electric power infrastructure, the North American Electric Reliability Council (NERC) Critical Infrastructure Protection Committee (CIPC) issued Urgent Action Standard 1200 (Cyber Security) to help secure utility control centers. NERC CIPC is currently working on the final standard NERC 1300 (now called CIP-002-1) to secure other critical facilities, including transmission substations and power plants. An important aspect of control system reliability and security is cyber security policies that specifically address control systems. Generally, IT security policies were not developed to address control system-unique issues. Having control system-unique security policies would meet the intent of NERC 1200 and what is expected in NERC 1300.

Control systems generally have the following characteristics:

  1. Stringent reliability and availability considerations
  2. Configuration/change management requirements (though not always implemented)
  3. Constrained computing resources, generally with older micro-processors
  4. Determinism (strict timing and prioritization requirements)
  5. Use of insecure proprietary real time operating systems
  6. Need for remote access, and
  7. Physical impacts (e.g., human safety, electric system outages, regulatory impacts, etc.) of compromised systems.

Potential Corporate IT Impacts on Control Systems
The IT security policies and technologies used to secure traditional IT systems can adversely impact control systems if they are applied without understanding the control system environment and adapting them to it. Specific examples include:

  1. Using block encryption, which can slow control systems to the point of creating a denial of service
  2. Automatically implementing security patches on control system workstations that can (and have) shut down control systems
  3. Implementing anti-virus on control system workstations that are not configured to accommodate these tools, which has slowed down or shut down control system workstations
  4. Performing system-wide diagnostics, maintenance, and/or scans that can (and have) shut down control systems
  5. Implementing firewalls with rules that restrict or delay control system communications that can result in control system shutdown, or
  6. Performing penetration testing of control systems that can (and have) shut down control systems.

There have been cases where employing IT security strategies has impacted control system performance. Two examples follow:

  1. Corporate IT directed a security scan at utility power plant control IP segments without previous communication or permission from the plant controls group. All of the control system engineering workstations were impacted to some degree, depending on the version of software and loading of the workstation when the scan was performed. Some of the workstations were able to continue operating, but with reduced throughput. Other workstations required shutdown and reboot. It should be noted that Corporate IT wanted to continue performing scans of the plant IT segments even after this incident.
  2. A manufacturing company had a security consultant map the control system network.  Associated buffer overflows resulted in a complete lock-up of the variable-speed drives requiring a shutdown and replacement of the configuration modules before the system could be restarted.
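Two defensive checks that follow from these incidents, added here as an example and not part of the original article: a scan-plan gate that refuses to scan segments Operations has declared as control-system ranges unless Operations has signed off, and a detector that flags scan-like traffic against those segments in flow logs. The segment ranges, the flow-log format and the threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Control-system segments declared off-limits by Operations (constructed;
# RFC 5737 documentation ranges stand in for plant DCS / SCADA ranges).
CONTROL_SEGMENTS = [ipaddress.ip_network(n)
                    for n in ("192.0.2.0/24", "198.51.100.0/25")]

def control_targets(targets):
    """Return the entries of a scan plan that overlap a control segment."""
    hits = []
    for t in targets:
        net = ipaddress.ip_network(t, strict=False)  # accepts hosts or CIDRs
        if any(net.overlaps(seg) for seg in CONTROL_SEGMENTS):
            hits.append(t)
    return hits

def scan_permitted(targets, approved_by_operations=False):
    """A plan that touches control segments needs Operations sign-off."""
    return not control_targets(targets) or approved_by_operations

def detect_control_segment_scans(flow_lines, threshold=10):
    """Flag sources that touch many distinct (host, port) pairs inside the
    control segments. flow_lines are 'src dst dport' strings, a constructed
    flow-log format; steady HMI polling of one port stays below threshold."""
    touched = defaultdict(set)
    for line in flow_lines:
        src, dst, dport = line.split()
        if any(ipaddress.ip_address(dst) in seg for seg in CONTROL_SEGMENTS):
            touched[src].add((dst, int(dport)))
    return {src: len(pairs) for src, pairs in touched.items()
            if len(pairs) >= threshold}

# Constructed sample flows: an unsanctioned scanner walking ports on an
# engineering workstation, an HMI polling Modbus/TCP (port 502) normally,
# and scanner traffic to a business host outside the control segments.
SAMPLE_FLOWS = ([f"203.0.113.5 192.0.2.10 {p}" for p in range(1, 13)]
                + ["192.0.2.20 192.0.2.10 502"] * 5
                + ["203.0.113.5 10.0.0.1 80"])

if __name__ == "__main__":
    print("plan ok:", scan_permitted(["203.0.113.0/24"]))              # True
    print("plan ok:", scan_permitted(["192.0.2.0/26", "10.0.0.0/8"]))  # False
    print("suspected scans:", detect_control_segment_scans(SAMPLE_FLOWS))
```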

There is a growing concern that, with the requirements of the Final Report of the Northeast Blackout and the proposed NERC 1300, there will be more unintentional (and unreported) impacts on control systems by personnel untrained in the nuances and sensitivities of control systems.

There are on-going discussions within the NERC Control System Security Working Group concerning connectivity from control systems to and from corporate networks. In order for operations to maintain configuration control of control systems, the configuration management process needs to be managed by Operations. Having a control system IT function to oversee security and other changes to the control system network would increase control system reliability by reducing the probability of inadvertently creating control system disturbances. It would also respond to the intent of NERC 1200 and 1300 for establishing a responsible organization for maintaining the cyber security of control systems. 

Operations and Maintenance
For operational and maintenance considerations, control systems will continue to require remote access. Consequently, the current and next generation of monitoring and diagnostic devices used in substations and power plants (and other industrial applications) are being developed with remote access capability, either by dial-up or directly to the Internet. The technology being implemented to improve grid reliability (e.g., replacement of electromechanical relays and switches with intelligent electronic devices, IEDs) will also introduce cyber vulnerabilities. These control system devices utilize serial communication protocols such as DNP3 or Modbus. Installing current firewall technology between these devices and the control network can slow down critical control system communications.

Sarbanes-Oxley and Control Systems
Another area that falls between IT and Operations is the issue of Sarbanes-Oxley (SOX) compliance. SOX was originally intended to prevent financial problems and requires all computer systems critical to the financial well-being of the company to be addressed. Traditionally, this has focused on critical IT business systems. However, SCADA and power plant control systems are obviously critical to the bottom line of all electric utilities. Arguably, the Energy Management System (EMS) handles more financial transactions than any other utility system. Therefore, these critical operational systems should also be included in SOX compliance. Because these systems are not well understood by IT and cannot be fully secured, it is important that Operations be involved in validating SOX compliance of control systems.

Future
Control systems are different from traditional IT systems. Securing and maintaining secure control systems will require appropriate expertise from both IT and Operations. There is a need to develop an accreditation for control system security that combines both the IT and the control systems bodies of knowledge. The Department of Homeland Security (DHS) has initiated discussions to address this need. Attempting to secure these systems without appropriate knowledge and care is a dangerous undertaking.


Joe Weiss is an executive consultant with Burlington, Massachusetts-based KEMA, Inc. He is the task force lead for the IEEE Power Engineering Society’s task force reviewing equipment standards for cyber security. He is also a member of ISA’s Process Control Systems Security Committee -- SP99 -- and CIGRE’s Task Force on cyber security. He can be reached via e-mail at