EVEN THE most casual computer user is aware of the many security vulnerabilities being found regularly in commercial operating systems and office software. If you don’t patch your personal computer on an almost daily basis, these flaws will soon let it fall prey to the hackers, viruses, and worms that run rampant in the IT world.
What most of us don’t realize is these vulnerabilities can be just as prevalent in hardware and software in programmable logic controllers (PLC) and distributed control systems (DCS), remote terminal units (RTU), or human machine interfaces (HMI). Just as in commercial software, human beings design and implement control and automation systems, and the mistakes they make allow unscrupulous attackers to take advantage of them, too.
Most of the vulnerabilities discovered in control systems aren’t widely publicized. However, in the course of research over the past five years, we’ve seen many major brands of controllers that are so flawed they could be easily exploited by the most unskilled attacker. For example, one PLC faulted while being scanned with a standard security tool, indicating a serious Transport Control Protocol (TCP) implementation issue. Further investigation showed this device’s behaviour violated the TCP specifications so badly that it was a security hazard, not just to itself, but to every device on its control network. In another case, an installation of OPC client software forced an otherwise secure Windows HMI to become so poorly configured that hacking it took a matter of minutes.
Security Afterthought and Ad Hoc
The problem is that today’s automation systems weren’t originally designed with security in mind, but were intended to perform control simply and efficiently. The thought that someone might deliberately attack a PLC or DCS system was never part of many manufacturers’ design specifications or in the system development plan. To make matters worse, most control system vendors have had limited capacity to rigorously test new products for possible security flaws. As a result, the owners and operators of critical control systems have had little knowledge of their systems’ robustness in the face of a cyber attack—until disaster strikes.
Many control system owner/operators, equipment vendors and government agencies are well aware of need for security and are attempting to address it through a number of operations-focused standards such as ISA SP-99 and NERC CIP-2-9. While these efforts certainly help the end-users ensure that their control systems are managed in a secure manner, currently there are no efforts under way to establish procedures for the security testing and certification of the actual products used for control. This lack of a foundation for secure products could put these other efforts in jeopardy.
If this seems a bit harsh, think of the engineering involved in building a brick wall. Certainly a good structural design is critical, but implicit in that design is the understanding that the bricks will have certain material properties and will act in a predicable manner. Build a wall out of bricks that crumble in the first rainstorm and the best design in the world won’t save the wall.
In the absence of any formal product security standards, some end users have started developing their own specifications, often with little technical understanding of how to properly evaluate a product’s security. Those companies that do have the knowledge for proper evaluation are expending significant resources to do so, and are creating conflicting requirements that make compliance difficult for the vendors. Even the government and university labs that are currently testing the security of control system products have been unable to show consistency in these efforts, making product comparisons extremely difficult.
To sort out this current chaos, industry leaders from a number of major control system operators and manufacturers, including BP, Exxon-Mobil, Shell Oil, Honeywell, and Emerson Process Management have proposed that an organization be formed that would create a set of well-engineered specifications and processes for the testing and certification of critical control systems products. Similar in concept to the internationally accepted TÜV certification for Safety Instrumented Systems (SISs), control system vendors would be able to offer products that are proven to meet a standard set of security requirements. In addition, the organization would work closely with existing standards groups, supplying them with draft documents that can be formulated as standards.
For end users, this certification process will result in significantly reduced costs and time commitment in product selection and acceptance. It will also help ensure that products are more secure out of the box. For vendors, the organization will provide a single testing framework and an industry stamp of approval, resulting a faster time to market and lower development and integration costs. Finally, for the largely volunteer-based standards organizations, this new organization would help them draft documents and supporting research, so they make informed decisions on security standards.
However, before an effective control system security testing and certification program can be created, it’s essential that a members-based organization be founded to manage and fund the process. This organization needs to be global in scope, include vendors, system integrators and end-users and be open and inclusive to all, except those that clearly pose a threat to security.
Of course there are many logistical and organizational questions that need to be answered before the organization can be setup. For example, would it most effective as a non-profit foundation or a member-controlled, for-profit company? How would membership benefits and fees be structured? What is the start-up model versus the long-term, sustainable model? How would legal issues like intellectual property rights, liability and warranty be addressed? These are not difficult questions, but they need to be carefully investigated and a plan of action needs to be developed.
To help answer these and other questions, security researchers at Wurldtech Analytics (formerly the BCIT Security Research team) are partnering with ISA to conduct a feasibility study, and develop an operations model for this security-certification organization. Companies interested in becoming charter members of the organization are being asked to supply $2,500 to help fund this portion of the study. Companies wishing to be involved should contact Joann Byres at firstname.lastname@example.org.