Can we talk?

Feb. 9, 2005
How do you stay current with problems and threats in process automation if nobody will talk about their experiences and solutions? Editor in Chief Walt Boyes comments in this "special to the web" editorial.
By Walt Boyes, Editor in Chief

Last summer, I was disinvited from a conference on process and SCADA security. What I mean is that the sponsor of the conference called me up and asked me not to attend. “The attendees won’t talk if a member of the press is in attendance,” he told me. For several years, I’ve been trying to collect a set of Best Practices in process control network security, with some little success. However, as with the SCADA conference, most people are highly unwilling to talk about their situations.

This is, to some extent, understandable. Many process control issues are highly proprietary, and talking about the wrong things could give away valuable competitive information. Also, the value of preventative steps goes down as the publicity those steps receive goes up. People who want to penetrate a system generally benefit from knowing “what not to do.”

Despite this, it is critical for people in process automation to start thinking about the security and integrity of their systems.

NIST has a good starting point on its website. "System Protection Profile - Industrial Control Systems" provides a generic protection plan for industrial process systems. This document starts from the basics (what a control system is and what it is made of) and moves through the STOE. That’s NISTspeak for System Target of Evaluation. “The STOE consists of the security services and procedures, both automated and manual, which are designed to meet the security objectives defined to counter threats to the ICS.”

The report continues, “The scope of the STOE …is: user authentication services (including user access control), physical access control, boundary protection, and data / device authentication.  User authentication services control access to process control related computer systems including the human machine interface (HMI) and remote diagnostics and maintenance.  In addition, user authentication is used by the physical access control system to authenticate personnel for physical access.  Data / device authentication is shown as a separate function to emphasize the need for data and command signal authentication.  Note that the corporate intranet is in the external environment of the STOE.” 

If you haven’t read (or better, make that studied) this document, your control system isn’t safe. If you have read this document, and not implemented the protocols described, your systems are not safe. You had better plan on getting that dreaded phone call in the middle of the night.

The key question, though, is what is the probability of your control system being attacked? Answering this question may be easier than you think. 
1.  Is the product you make of strategic importance? 
2.  Is your company “high profile” in the news media?
3.  Have you had labor, environmental, or political unrest aimed at your company in the past?
4.  Has your company undergone recent restructuring events?
5.  Is your system unprotected or poorly protected?

If you answer “yes” to one or more of these questions, you are vulnerable. The probability of potential attack goes up the more questions you answer in the affirmative. So, if you are a multinational making a product of strategic importance, with restructuring and layoffs in the immediate past, you are a likely target. If you know that your system is poorly protected, so will the potential attackers. Attackers probe Internet-enabled systems all the time to find the ones with poor security. If you have lousy protection, you can be sure they will find you.

Note that the NIST SPP document states that the enterprise system (the intranet) is external to the STOE. Remember that if you interconnect the intranet with the plant control system, that interconnection is a vulnerability that must be protected. The plant level control system can be penetrated from “above” as easily as it can be penetrated from without or from within. Worms and viruses that enter the enterprise IT zone can be transmitted to the control system with dismal results if the control system is not also protected from the intranet.

Maybe it’s time we started talking openly about all this. It is the threat you don’t know about that will get you.