Listed below are the verbatim answers from vendors to questions we posed about control system security. These have been only lightly edited for clarity and to correct errors. Be warned that some of these responses are quite commercial and go far beyond what CONTROL magazine would allow to appear in print. We felt that the pure technical information weaved among the product sales pitches is quite valuable, so we let the promotional material stand. Among the responding companies are process control vendors, software companies, security consultants, I/O manufacturers and Microsoft.
What do you advise your customers to do?
Make the integrity (security, availability, etc.) of your systems a business responsibility and a priority. This does not mean that it becomes THE priority. Unless someone is explicitly responsible for this faction (and empowered to act or establish procedure) it will not get done, except perhaps sporadically. This also allows you are able to budget for and track the team responsible.
Stay current. By far, the greatest number of non-trivial intrusions, interruptions and systems disasters happen in environments where components are forgotten, out-of-date, and unpatched. While zero-day worms and viruses may make the news, and are certainly a threat, control systems are even more susceptible to failing in the face of the much more preventable menace. The hopelessly out-of-date immune deficiency condition. Not to make light of a serious matter, immune deficiencies are deadly serious in the world, to man and beast alike. There is a very strong parallel to better immune disorders and unmaintained networked systems.
From a security perspective, a control system is just another host on the network and thus open to all associated network attacks. Depending on the type of control system, the exposure/risk associated with such attacks could certainly have a catastrophic impact. For this reason, Cryptek recommends customers in the control market look at security products that have successfully obtained government level certifications such as Common Criteria and FIPS. In this way, they can have a high level of assurance and trust that their critical control systems and devices will be protected from network level attacks.
Emerson has been active in participating in security conferences and the development of new security standards for the power generation industry. Along with the utilities in the Emerson Users Group, Emerson has attempted to promote interest in security issues and inform utility customers of the current state-of-the-art with regard to secure configurations and best practices. Also, for several years, Emerson has worked collaboratively with the Users Group Security Committee to help enhance system security.
We recommend a firewall, a NAT router, and anti-virus software.
For our Windows-based systems we provide security configuration guidance. For our TPS systems, weve provided this guidance as part of the TPS system Administration Guide. For the Experion Process Knowledge System (PKS), we provide a Network and Security Planning Guide.
In general, we advise our customers to use anti-virus software, high-security configurations of Windows, hotfix installation, specific network topology configurations, and firewalls between the enterprise network and process control network. We also provide network security services.
We advise customers to view cybersecurity as an essential part of doing business, not unlike the traditional building security. Industrial plant managers who would never leave their plant door wide open so that anyone could walk in may be doing just that with their networks. The challenge is to implement network security both effectively and economically. Accomplishing that requires as much attention to policy and planning as to technology.
One of the biggest reasons process firms are vulnerable, in fact, is that most have NOT established and implemented a formal security policy. As a result, systems are not configured consistently and weaknesses are common. The Carnegie Mellon Institute, in fact, found that 99% of all reported Intrusions resulted from exploitation of known vulnerabilities or of configuration errors for which countermeasures were available.
Figuring out which battles to fight is a big part of cybersecurity. No company can afford to fortify themselves against all possible attacks from all possible sources. You have to determine where you are most vulnerable and what is at stake before implementing any technology. We recommend an approach that covers the following areas:
Assess current security vulnerability from remote and internal threats
Assess your level of acceptable risk
Define security policies and procedures
Implement measures to reduce and/or eliminate risks
Conduct on-going evaluations and implement processes to account for changes and/or advances in technology
Typically there are two discrete, but related phases to the process: a review phase in which needs, policies and plans are established, and a hardening process in which the corrective means are implemented and monitored.