
Security could put process control under IT

April 12, 2005
With new technology and strategies being developed to protect industrial systems from current and future threats, process control needs to figure out where it's going, according to IA Insider's Andrew Bond.
By Andrew Bond

“SCADA and process control people are very immature in the technology they’re introducing,” commented Graeme Pinkney, head of threat intelligence for Europe, Middle East and Africa (EMEA) with cyber security specialists Symantec, at the press conference following the one-day Industrial Cyber Security Conference organized in London by Symantec and PA Consulting Group in mid-March.

“SCADA systems are bearing the lowest hanging fruit,” in terms of vulnerability to cyber attack, he added. Pinkney contended that industrial automation vendors and users have been happy to accept the benefits of adopting IT technologies, specifically in the form of Windows and Ethernet, but have been “naïve” in their failure to adopt IT standards of security and best practice. Process control people need to ask themselves “Do you know where you’re going?” in terms both of the technology that is being adopted and the strategies that are being developed to protect industrial systems from current and future threats, said Pinkney.

“You have to do a risk assessment of what you’re doing.”

In Pinkney’s view, responsibility for cyber security in manufacturing organizations will increasingly devolve on IT, and it may in many cases be necessary for “process control people to report into IT,” a view which may not meet with immediate enthusiasm in process control circles.

           
The conference itself, to which the press had not, unfortunately, been invited, attracted a total of some 80 delegates, drawn from both vendors and users and from utilities and manufacturing. Star turns were Gary Sevounts, director of Power, Energy and Utilities with Symantec in the US; Justin Lowe, principal consultant with PA Consulting Group; and Eric Byres of the British Columbia Institute of Technology. Lowe and Byres, it will be recalled, are the joint authors of ‘The Myths and Facts behind Cyber Security Risks for Industrial Control Systems,’ the report published earlier this year which highlighted how the principal focus of cyber security measures needed to switch from internal to external threats, since the latter now accounted for 70% of cyber attacks.

Different Problems
The principal message of Sevounts’ presentation was that industrial systems do indeed have different security requirements and pose different problems from conventional IT systems, notably in terms of the need for high availability, and therefore require a different approach. Underlying the whole problem appears to be a basic lack of understanding and communication.

“SCADA is run by operators who aren’t security specialists and IT doesn’t understand SCADA,” said Sevounts, who cited a recent report in The Washington Post which quoted a representative of a major US utility as saying that “We don’t know if we’re susceptible to attack or not.”

Lowe’s presentation, already familiar in part to attendees at such events as Emerson’s Manufacturing Excellence, included new data on both risks and actual attacks. Although much of the current concern about security stems from the increasing tendency to link manufacturing and corporate systems, it’s worth noting that, according to Lowe, only 43% of infections with worms and viruses currently gain access via the corporate network; the remaining majority come through various back doors into the manufacturing system itself. Particularly worrying trends, he believed, are the growing reliance on outsourcing, which results in key parts of the PC network being outsourced although they remain physically connected, and the increasing use of wireless without adequate security precautions.

Interesting Consequences
Lowe repeated the warning that the hacker community is taking an increasing interest in industrial systems, recent hacker conferences in the UK having included presentations on industrial protocols such as Modbus. Hackers are taking an increasing interest in industrial systems because of the challenges they present and, perhaps most worryingly, because “the consequences are so much more interesting.”

Perhaps the most serious threat currently arises from the time which elapses between security patches being issued by Microsoft and those patches being validated and implemented on industrial systems.

According to Lowe, those wishing to exploit security loopholes are able to reverse engineer a patch and hence identify the vulnerability it is designed to address within a matter of days, while the time to implement the patch on a typical industrial system is of the order of months, during which time all such systems are open to attack. Lowe seemed to be reluctant to put the blame onto Microsoft itself, pointing out that it has never claimed that Windows is anything other than a generic computing platform, but it is clear that automation software vendors, regulatory authorities and end users need to address more effective solutions as a matter of urgency. At least one delegate to the conference from the pharmaceutical industry planned to go straight back and break the links between his organization’s manufacturing and corporate systems immediately, said Lowe.

On-going Process
Stressing that cyber security is an ongoing process rather than something which can be implemented and forgotten, Lowe detailed a series of measures which should form the basis of a cyber security strategy for industrial users, beginning with a business risk assessment and the implementation of short and longer term improvements.

Organizations then need to assess their ability to respond to specific threats, to improve their awareness and skills and to identify and manage third party risks. Arguably most important is the need to establish an on-going governance framework for the management of future risk.

Andrew Bond is Editor of Industrial Automation INSIDER(UK) and can be reached at Tel +44(0)1622 858251, or by e-mail at [email protected].