By Jim Montague, Executive Editor
Don't freak out. That’s the main thing. No one ever truly improved their security—let alone their industrial network security—by panicking and overreacting.
Unfortunately, after years of having to do little or nothing to address potential security issues, many network managers and engineers are being jolted into immediate action by visions of hackers and terrorists laying waste to their networks and control applications. Unfortunately again, many are reflexively jumping on quick-fix hardware and software solutions that promise iron-clad protection, but typically deliver inadequate or ineffective results. So, that’s where all the Y2K vendors went!
This brings us to the second main thing. Security requires adaptive intelligence—your intelligence. To engage it, users probably will have to do things they’d rather not do. Besides staying focused, they must thoroughly inventory their whole industrial network, and identify every way data gets in and goes out. And, even worse, they need to create an open, close, ongoing relationship with their IT colleagues.
Yes, there are no magic bullets or miracle cures here. Just the long, slow, unglamorous chipping away that common-sense vigilance always seems to demand, especially to stay ahead of ever-evolving threats. Sure, it’s boring, but it’s more effective than anything else.
More Connectivity = More Vulnerability
In past years, process control engineers often had to worry more about accidental security breaches typically resulting from non-malicious, well-meaning mistakes by internal users. This situation has changed, mostly because it’s much easier now for even inexperienced hackers to use widely disseminated software to launch many potentially destructive attacks on vulnerable networks (See Figure 1 below).
Figure 1: Software tools used by hackers are becoming more sophisticated and easier to use.
The few experts in the process control security field report that most large, corporate networks are probed and attacked—usually unsuccessfully—on an increasingly regular basis, sometimes three or four times per day. The experts add that virtually all network managers refuse to talk about their security experiences and resulting strategies because they fear it will increase their vulnerability.
The second force pushing process control networks into more vulnerable areas is the quickly multiplying links between process control systems and companies’ enterprise levels and the Internet—usually via Ethernet and wireless technologies. Many of these devices also are far more widely distributed on the plant floor and beyond, and so it’s harder to keep track of them.
“One of the biggest security issues we struggle with is the operating system changes that seem to happen weekly with Microsoft,” says Tony Tenison, control instrumentation manager at Sverdrup Technology, a system integration division of Jacobs Engineering in Tullahoma, Tenn. “The updates require us to be connected, but that makes us more vulnerable. However, if we don’t get the software patches we need, then we have lousy system performance. It’s a real Catch 22. We usually just live without the patch because most of them don’t apply to our operating system. We’ll only go out when we need a specific patch that will definitely improve our performance.”
Similarly, attacks against specific PLCs reportedly are becoming common because most now have Internet IP addresses and generate clear-text data, which can be monitored by outside entities. In response, several software solutions were developed in the past couple of years that can force a PLC into its administrative mode when an unauthorized device is detected. Unfortunately, this monitoring capability also can enable man-in-the-middle attacks, in which an external device inserts itself between a PLC and an HMI, poisons the HMI’s ARP table, and makes each think it’s seeing the other when they’re really interacting with the intruder.
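The ARP-table poisoning described above can be caught by checking observed ARP replies against the network inventory. The following Python code is an added example, not part of the original article; the addresses, sample replies and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory of control-network IP-to-MAC bindings (hypothetical values).
INVENTORY = {
    "192.0.2.10": "02:00:00:00:00:10",  # PLC
    "192.0.2.20": "02:00:00:00:00:20",  # HMI
}

# Constructed ARP replies as (timestamp, sender_ip, sender_mac), as if parsed from a capture.
SAMPLE_REPLIES = [
    (1.0, "192.0.2.10", "02:00:00:00:00:10"),
    (1.2, "192.0.2.20", "02-00-00-00-00-20"),
    (5.0, "192.0.2.10", "02:00:00:00:00:99"),  # unexpected MAC answers for the PLC
    (5.1, "192.0.2.20", "02:00:00:00:00:99"),  # same MAC answers for the HMI
    (6.0, "192.0.2.30", "02:00:00:00:00:30"),  # device missing from the inventory
]


def normalize(mac):
    """Lower-case a MAC address and use ':' separators so comparisons are exact."""
    return mac.strip().lower().replace("-", ":")


def audit_arp(replies, inventory):
    """Return (timestamp, kind, detail) findings for replies that contradict the inventory."""
    known = {ip: normalize(mac) for ip, mac in inventory.items()}
    claimed = defaultdict(set)  # unexpected MAC -> inventoried IPs it has answered for
    findings = []
    for ts, ip, mac in replies:
        mac = normalize(mac)
        if ip not in known:
            findings.append((ts, "unknown-device", f"{ip} at {mac} is not inventoried"))
            continue
        if mac == known[ip]:
            continue
        findings.append((ts, "binding-mismatch", f"{ip} expected {known[ip]}, saw {mac}"))
        claimed[mac].add(ip)
        # One MAC answering for two inventoried hosts matches the PLC/HMI interception pattern.
        if len(claimed[mac]) > 1:
            findings.append((ts, "mitm-suspected", f"{mac} claims {sorted(claimed[mac])}"))
    return findings


if __name__ == "__main__":
    for finding in audit_arp(SAMPLE_REPLIES, INVENTORY):
        print(finding)
```
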
“Process control system connections to the Internet and enterprise systems now account for 50% of all control system downtime,” says Rich Clark, information security analyst for Wonderware. “Research by Wurldtech Analytics indicates that, presently, 35% of all control system breaches are due to connectivity to the Internet, and a full 15% of those breaches or similar events can cause downtime. This scares everyone.”
While accidents and internal mischief still account for half of all control system downtime, the other half reportedly consists of external attacks. Of these, Clark reports that 50% are kiddie hackers and 50% are nation states or their agents probing for data gathering or industrial espionage purposes, including some genuinely malicious efforts to bring down applications and facilities.
Though software-based attacks have evolved in recent years, they usually still take the form of denial-of-service attacks or continual-buffer-overflow events. These attacks seek to overwhelm computing systems with numerous unnecessary requests for information or by delivering huge amounts of unneeded data.
So, the first logical question is, “Why allow any process control system to link to the Internet?” Clark adds there are almost as many reasons for connecting to the Internet as ways to do it. “This is a very slippery slope,” he says.