Before all the big games, hyperventilating commentators often say, "It all comes down to this!" The backdrop for today's contest is the ongoing organizational earthquakes triggered as microprocessor-based data processing forced its way onto the plant floor. This upheaval has fueled years of wrenching technical and corporate changes as many controls and automation engineers learned to use PLCs, DCSs, PCs and more software-based monitoring, automation and controls.
Many mechanical, electrical, controls and other engineers were crowded together, of course, and they in turn were shoved together with system integrators, corporate managers and even IT technicians. This has sparked years of rivalries and turf battles. Fortunately, as the years passed, many former opponents learned to get along—at least on the surface.
However, different people and organizations are still at different stages of understanding, and many silos and their barriers remain. So, it seems like whenever a new technical challenge shows up, all the old bile and barbs come out again. One of the latest bones to be fought over is process and network security. When a destructive computer worm such as Stuxnet shows up, controls and IT staffs start to square off again like sumo wrestlers, this time about network segmentation, firewalls and patching policies. I can just hear the thighs being slapped, the feet stamping, flab colliding and the buildings shaking.
Unfortunately, there's evidence this infighting makes process applications and networks even more vulnerable to outside attacks.
"There are many acknowledged cases where IT network scanning tools shut down controls and production systems. This is because many legacy devices don't have full IP stacks, and so network scans can trigger an infinite loop in a PLC and disable it," says Joe Weiss, PE, CISM of Applied Control Solutions (www.realtimeacs.com) and author of Control's Unfettered blog (community.controlglobal.com/unfettered). "IT covers general network security, but we still haven't dealt with what's unique and different about control systems, and how to address them to improve security. For example, IT wants everyone to change their default passwords periodically. However, when you change the hard-coded default passwords on a PLC, it may not be able to access its applications. Stuxnet used this to its advantage.
"Likewise, the U.S. Department of Homeland Security's (DHS) U.S. Computer Emergency Readiness Team (US-CERT) issued recommendations in September on how to deal with the Stuxnet worm. They covered how Stuxnet is using vulnerabilities in Windows as its delivery vehicle, but didn't give enough guidance on controls. There's been no additional guidance from DHS or even discussions about the PLC attack since late September. Since it is the PLCs and other field devices that can cause equipment failures and injuries and deaths, why have there been so few efforts by DHS and the U.S. Department of Energy to address securing field devices?"
Weiss adds there is only one investor-owned utility whose board of directors wants to do more than meet the North American Electric Reliability Corp.'s NERC CIP rules, and actually secure their facilities. As a result, Weiss is developing control system cyber security policies for all of the utility's mission-critical equipment. In almost every audit he's conducted, Weiss reports that he's found modems and wireless access points for control systems that the utility didn't know it had.
"Control and IT people must cooperate to look at the design and implementation of their networks, including control systems, because some of these viruses or worms can't be stopped," adds Weiss. "And, if an intruder can get in and manipulate controls, then users must have some physical safety system that's separate from their regular controls, in addition to segmenting their network with firewalls around vulnerable areas." That way, everyone wins.
