By Walt Boyes, Editor in Chief
"You know, you really ought to add another 'S' to your 'Smart, Safe, Sustainable" slogan—you ought to add 'Secure.'"
Marty Edwards' dogged focus on security is perhaps to be forgiven, given that he's director of control system security programs for the U.S. Department of Homeland Security (DHS) and director of ICS-CERT (the Industrial Control System Computer Emergency Response Team).
Edwards addressed Rockwell Automation's annual Process Solutions User Group (PSUG) meeting this week in Chicago and described the increasing threat of cyber attack on the nation's critical infrastructure—much of which is controlled by process automation systems.
"Risk equals threat times vulnerability times consequences," he explained to the engineering-heavy audience. "In the beginning, when I first started as a controls engineer, we had systems that were isolated," Edwards said. "This made them reasonably safe."
Modern control systems, however, use commercial off-the-shelf (COTS) computing and networking technologies, wireless in the rack and remote configuration systems. Control system security is now "a huge challenge—and readily exploitable," he said.
Modern connectivity extends the perimeter of the system, and connectivity is now ubiquitous. Some companies think they can get away with airgaps, but as the space program has shown, even an airgap as large as from the Earth to space isn't enough to protect the International Space Station from being infected with viruses, not once, but multiple times.
"We don't have the security and alarm systems to detect intrusion into systems and report it automatically the way we have alarms for process variables," Edwards said. "And many plants have either no, or really poor, policies and procedures for safety. So people can just stick a USB stick into a process control computer, and suddenly you're infected."
"There is some really low-hanging fruit," he said. Make your password policies actually work. Develop permissions for people to access various parts of your system. Do the basic blocking and tackling, and you'll lower the level of risk you face."
"Remember the risk equation," he went on. "There is no way to eliminate risk completely. There is no way to completely eliminate threats. We can only build procedures to reduce our vulnerabilities."
The consequences of a successful industrial control system attack can be large, he noted. Attack sophistication is increasing significantly while the required knowledge an intruder must have to make an attack is decreasing. There are now cyber-attack "tool kits" readily available on the Internet that require little or no training or industry knowledge by a potential attacker.
So how can the government help you? There are, Edwards said, mitigation methods that DHS has developed. One of them is a self-help tool called CSET or Cyber Security Evaluation Tool, which includes guidelines for evaluating and suggestions for increasing security. Another tool is the "Security Procurement Language for Control Systems" document. "This document can help you and your procurement department insert the relevant requirements about security in your control system procurement documents and contracts," Edwards explained. "But you can't just staple it to a standard contract—no one can meet all the provisions." DHS also provides training, from web-based modules to an in-person "Cybersecurity Bootcamp" at Idaho National Laboratory.
In addition to training, Edwards runs the Industrial Control Security Joint Working Group (ICSJWG) which is a public/government partnership to improve best practices for industrial control security. The ICS-CERT, also directed by Edwards, provides situational awareness, online assistance and even "fly-away" team incident response.
"Your data is protected critical infrastructure information under the Homeland Security Act," Edwards said, "and it is exempt from Freedom of Information Act requests. So nobody will see your valuable intellectual property if you submit it to us."
"We also have subject-matter experts and one of the most sophisticated malware labs available to study malware in control systems," Edwards said. The cyber threat is real, he concluded, and you need to deal with it effectively. DHS, he said, is indeed here to help you.