The question as to whether the traditional corporate Information Technology (IT) organization or Operations is responsible for control systems is frequently asked without a consensus answer. Many professionals take strong positions on either side of the issue. Traditionally, the corporate IT organization has been responsible for the cyber security of computing systems. Generally, the computing systems IT are knowledgeable about, and accountable for, are the business systems, desktops, laptops and corporate web sites.
The control systems used to produce, transmit and distribute electricity (as well as in other industrial applications) were originally designed to be isolated from the corporate networks managed by IT. They have been traditionally operated and maintained by Operations. These systems include power plant distributed control systems (DCS), programmable logic controllers (PLC), supervisory control and data acquisition (SCADA) systems, remote terminal units (RTU) and intelligent electronic devices (IED).
However, these critical systems are now being linked to corporate and other external networks, including the Internet. Additionally, SCADA, DCS and PLC operator consoles are increasingly Microsoft Windows-based rather than implemented on industry standard UNIX workstations such as HP-UX or Sun Solaris, which makes the question of responsibility even more complex.
Consequently, last year the EMS User Group performed a survey in which 16 utilities responded as to whether SCADA was "owned" by Operations or IT, and who provided computer and network support. The results were mixed, but a majority stated that they were not part of corporate IT, nor did they get support from IT on any EMS tasks. These mixed results are consistent with the informal responses received from many different utilities and other industrial organizations.
Making matters more complicated, Operations often shares IT infrastructure such as LANs, firewalls and routers. Many of the SCADA and power plant operator/engineer workstations, and the substation and power plant laptop computers, appear to be the same as traditional IT business systems despite having very different applications and remote connections. Therefore, IT often lacks knowledge of the different operational and administrative needs of control systems. Even the System Administrator function is different for Operations than it is for corporate IT applications.
Changing IT Functions
There is a need--and not just in the utility industry--for an IT control system function. In fact, this function has already been implemented in some utilities and other industrial organizations. The existing IT function would continue to service the traditional IT business network and associated infrastructure including routers, switches, firewalls and intrusion detection. The control system IT function would be under the purview of operations with corporate IT support, as required. The control system IT function would then be responsible for the SCADA or DCS and all associated subsystems such as RTUs, IEDs and PLCs. This function would also have responsibility for the network infrastructure directly supporting these systems.
Control System Needs
Steps are being taken to ensure the cyber security of control systems in several industries including electric power. In order to protect the electric power infrastructure, the North American Electric Reliability Council (NERC) Critical Infrastructure Protection Committee (CIPC) issued Urgent Action Standard 1200 (Cyber Security) to help secure utility control centers. NERC CIPC is currently working on the final standard NERC 1300 (now called CIP-002-1) to secure other critical facilities, including transmission substations and power plants. An important aspect of control system reliability and security is cyber security policies that specifically address control systems. Generally, IT security policies were not developed to address control system-unique issues. Having control system-unique security policies would meet the intent of NERC 1200 and what is expected in NERC 1300.
Control systems generally have the following characteristics:
- Stringent reliability and availability considerations
- Configuration/change management requirements (though not always implemented)
- Constrained computing resources, generally with older micro-processors
- Determinism (strict timing and prioritization requirements)
- Use of insecure proprietary real time operating systems
- Need for remote access, and
- Physical impacts (e.g., human safety, electric system outages, regulatory impacts, etc.) of compromised systems.
Potential Corporate IT Impacts on Control Systems
The IT security policies and technologies used to secure traditional IT systems can adversely impact control systems if they are applied without understanding the control system environment and without adapting them appropriately to it. Specific examples include:
- Using block encryption, which can slow control systems to the point of creating a denial of service
- Automatically implementing security patches on control system workstations that can (and have) shut down control systems
- Implementing anti-virus on control system workstations that are not configured to accommodate these tools, which can (and has) slowed down or shut down control system workstations
- Performing system-wide diagnostics, maintenance, and/or scans that can (and have) shut down control systems
- Implementing firewalls with rules that restrict or delay control system communications that can result in control system shutdown, or
- Performing penetration testing of control systems that can (and have) shut down control systems.
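The list above amounts to a rule: an IT security action that is routine on a corporate desktop needs a control-system-specific policy before it touches a SCADA or DCS host. The following Python is an added example, not code from the article or from any utility it describes, of what such a policy gate can look like. It classifies assets, refuses the disruptive action classes named above on control-system assets unless change-management conditions are met, and checks a proposed firewall rule against a documented baseline of control-system flows so that a rule cannot silently restrict them. Every asset name, IP range, port and policy field here is constructed for illustration; the three change-management conditions are assumptions about what a site's policy might require, not requirements stated by NERC 1200 or 1300.

```python
"""Policy gate for applying corporate IT security actions to control-system assets.

Added example; asset names, IP ranges, ports and policy field names are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network

# Constructed asset inventory. The asset class decides which policy applies.
ASSETS = {
    "ems-ws-01": {"class": "control_system", "zone": "scada"},
    "hist-01": {"class": "control_system", "zone": "scada_dmz"},
    "fin-ws-07": {"class": "corporate_it", "zone": "office"},
}

# Constructed baseline of control-system flows that a new IT firewall rule
# must not block or rate-limit (source network, destination network, port).
CS_FLOW_BASELINE = [
    {"src": "10.50.1.0/24", "dst": "10.50.2.0/24", "port": 20000,
     "desc": "SCADA front end to RTU polling"},
    {"src": "10.50.1.0/24", "dst": "10.50.3.0/24", "port": 1433,
     "desc": "SCADA to historian"},
]

# Action classes the article lists as having shut down control systems.
DISRUPTIVE_ACTIONS = {
    "block_encryption", "auto_patch", "antivirus_install",
    "full_scan", "pentest",
}

# Assumed change-management conditions a site might require before one of the
# disruptive actions is allowed on a control-system asset.
CS_CHANGE_REQUIREMENTS = ("ticket_approved", "maintenance_window", "tested_on_replica")


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def check_firewall_rule(rule):
    """Return the descriptions of baseline flows a deny/rate-limit rule would hit.

    A rule with port None applies to all ports; an allow rule never conflicts.
    """
    if rule.get("action") not in ("deny", "rate_limit"):
        return []
    rule_src, rule_dst = ip_network(rule["src"]), ip_network(rule["dst"])
    hits = []
    for flow in CS_FLOW_BASELINE:
        port_match = rule.get("port") in (None, flow["port"])
        if (port_match
                and rule_src.overlaps(ip_network(flow["src"]))
                and rule_dst.overlaps(ip_network(flow["dst"]))):
            hits.append(flow["desc"])
    return hits


def evaluate(action, asset=None, rule=None, change=None):
    """Decide whether a proposed IT security action may proceed, with reasons."""
    change = change or {}
    if action == "firewall_rule":
        hits = check_firewall_rule(rule)
        if hits:
            return Decision(False, [f"rule would restrict baseline control-system flow: {h}"
                                    for h in hits])
        return Decision(True, ["rule does not touch documented control-system flows"])

    info = ASSETS.get(asset)
    if info is None:
        # Unclassified hosts get the conservative treatment: classify first.
        return Decision(False, [f"unknown asset {asset!r}: classify before acting"])
    if info["class"] == "corporate_it":
        return Decision(True, ["corporate IT policy applies"])
    if action not in DISRUPTIVE_ACTIONS:
        return Decision(True, ["action is not on the disruptive list"])

    missing = [req for req in CS_CHANGE_REQUIREMENTS if not change.get(req)]
    if missing:
        return Decision(False, [f"{action} on control-system asset {asset} requires: "
                                + ", ".join(missing)])
    return Decision(True, ["control-system change management satisfied"])


if __name__ == "__main__":
    print(evaluate("auto_patch", asset="ems-ws-01"))
    print(evaluate("auto_patch", asset="fin-ws-07"))
    print(evaluate("firewall_rule",
                   rule={"action": "deny", "src": "10.50.0.0/16",
                         "dst": "10.50.2.0/24", "port": None}))
```

The gate deliberately defaults to refusal for unclassified hosts and for any blocking rule whose address ranges overlap a documented control-system flow, because the failure mode the article describes is an IT action that was correct for the corporate network being applied to a control system nobody had flagged as one.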
There have been cases where employing IT security strategies has impacted control system performance. Two examples follow: