By Joe Weiss, PE, CISM Applied Control Solutions
The following is the first section of a three-part "Security Spotlight" series, which consists of portions of Joe Weiss' Protecting Industrial Control Systems from Electronic Threats, Momentum Press, 2010. Parts 2 and 3 will run in the August and October issues of Control.
The fundamental reason for securing industrial control systems (ICSs) is to maintain the mission of their overall production systems, whether they generate or deliver power, produce or distribute oil and gasoline, provide clean water or operate any other process application or facility.
I don't believe it's possible to fully electronically secure ICSs. However, we can make them more secure and also minimize the possibilities of unintentional incidents that have already cost hundreds of millions of dollars and a number of lives.
From a cybersecurity perspective, ICSs are very brittle and attacking them isn't rocket science. On the other hand, it can be rocket science to protect them and maintain their missions at the same time.
Unfortunately, while the first two legs of the three-legged security stool—physical and IT security—are well understood, the third leg, ICS security, is much less understood, has few experts and is often not considered critical. Those working in this area are generally from the IT security community and have little knowledge of ICSs, or are ICS experts who know operations, but not security. Operations alone can't secure ICSs. It takes a team of experts in IT security, telecom, networking, ICS and IT vendor support, and senior management, most of all.
Presently, many issues are coming together that are making ICS electronic security of paramount importance. These include growing smart grids for electricity distribution and generation, government stimulus money, cybersecurity funding, terrorism threats, chronically sick economies and emerging green ones and the need to reduce carbon footprints. All of these can be impacted by ICSs' electronic security or lack of it.
Definitions, Descriptions and Differences
From an ICS perspective, it's very important to understand what could compromise a control system. The National Institute of Standards and Technology (www.NIST.gov) defines a cyber incident is "an occurrence that actually or potentially can jeopardize the confidentiality, integrity or availability (CIA) of an information system or the data it processes, stores or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures or acceptable use policies." What's important about this definition is that cyber incidents can be intentional or unintentional.
For the ICS community, there's a need for additional definitions of cybersecurity and cyber incidents. So, the following terms for compromised ICS modes are suggested:
- Loss of view (LOV), which consists of incidents that blind operators and put them at risk of taking harmful actions due to inaccurate knowledge of ICS status.
- Manipulation of view (MOV), which is intentionally manipulating HMIs by changing displayed states on intelligent electronic devices (IEDs), so an operator will unwittingly perform potentially dangerous actions.
- Denial of control (DOC), which prevents operators from interacting with process control points. These include operator accidents, hardware failures, network failures or improper network capacity.
- Loss of control (LOC) is a sustained event or the creation of unstable conditions in which operators can't take alternate action before a potentially catastrophic condition occurs.
Fortunately, while ICS networks and HMIs are similar to IT systems and may be subject to their usual vulnerabilities and threats, ICSs can benefit from using IT security technologies too.
Similarly, enhanced SCADA protocols, namely IEC 61850 and Distributed Network Protocol (DNP3), are being modified to run over TCP/IP, Ethernet and possibly other protocols. These improvements make them more vulnerable to security risks because they're running on utility networks and not on isolated, dedicated circuits, but they could be further enhanced to use security countermeasures developed for these networks.
In addition, there's been a blurring of the differences and similarities between ICSs and IT. For example, some of the functions of routers in IT and remote terminal units (RTUs) in ICSs have migrated toward a common area occupied by SCADA servers. This has big implications for security, as IT personnel may attempt to use inappropriate policies, technologies or testing of these systems that appear to be IT.
The use of mainstream operating system environments, such as Windows, UNIX and Linux for running ICS applications can leave them just as vulnerable as IT systems. At the same time, the application of mainstream IT security solutions and methods will help to secure more modern ICS host computers and operator consoles, also known as PCs. IT technologies use virtual private networks (VPNs) to secure communications to and from ICS networks. IT security focuses on the strength of the encryption algorithm, while IC security focuses on what goes into the VPN.
For example, one of the U.S. Dept. of Energy's National Laboratories showed how a hacker can manipulate widely used "middleware" software running on current mainstream computer systems without much difficulty. In this sobering demonstration, vulnerabilities in OPC code were used to make it appear that the system was functioning properly, even though it was not, because it displayed incorrect information or withheld correct information from system operator consoles.
General and Administrative Security Recommendations
Based on the experiences of myself and others, I provide the following general recommendations: