Industrial control systems are the heart of manufacturing worldwide. Every sort of manufacturing process from semiconductors to oil and gas and in between uses an industrial control system. Some are relatively simple, such as a PLC controlling a work cell on a factory floor. Some are more complex, such as a DCS in a refinery. Others are extremely complex, such as a SCADA system at a mine with more than 100,000 I/O points.
Like enterprise computing, industrial control systems have traveled a path from standalone systems to the modern, highly interconnected world of Ethernet, the Internet and cloud-based computing.
But while enterprise computing and even home computing started confronting cyber attacks a decade ago, industrial control systems lagged far behind. One of the main reasons is the significant difference between asset lifecycles in the enterprise computing and industrial control system spaces. Enterprises see nothing unusual about replacing all their systems every two to three years, but industrial control systems are designed and operated to be replaced every 20 to 30 years, and some are kept going to the end of the useful life of the plant itself.
So, while enterprise IT has managed to keep up with cybersecurity, anti-virus and network defense by continually upgrading its systems, most industrial control systems have relied on what many cybersecurity researchers have called "security by obscurity."
All of these industrial control systems share a common flaw. "They are all highly reliable, purpose-built and very efficient," says Patrick Miller, president and CEO of EnergySec in Portland, Ore., a not-for-profit educational institution devoted to improving security in the energy sector. "However, most platforms are not secure. They were never designed with security in mind."
Beginning in the early 1990s, enterprise computing systems and networks were quickly connected to other networks and the Internet. Industrial control systems didn't begin to be connected to even their own enterprise networks until a decade later, and in many cases the connections were made inadvertently.
The media, both popular and technical, have been discussing severe threats like the Stuxnet virus, supposedly built as a cyberweapon by the United States and Israel to attack process plants in Iran. Another severe vulnerability is Aurora, which destroyed a piece of electric grid infrastructure.
Marco Ivaldi, senior security advisor from @mediaservice.net, an Italian security researcher and "hacker," says, "I think there is still a long way to go to reach a proper level of security in either the process industries or the electric utility space." Ivaldi went on to discuss several extremely dangerous vulnerabilities in commonly used industrial control system components from a variety of vendors.
In addition, in July, Siemens self-reported three vulnerabilities in WinCC and Simatic Step 7.
And so it continues.
Almost every government has taken steps to try to do something, anything, to improve the security posture of industrial control systems because they are part of the critical infrastructure of a modern economy. It remains to be seen if any of those steps have actually done so.
Are We Any More Secure This Year Than Last?
"This," says Eric Byres, CTO of the Tofino Security division of Belden Inc., "is a tough question, because what we have happening is an arms race between the good guys and the bad guys. Both the vendors and the end users are slowly becoming security aware and are starting to provide and deploy good security technologies and practices. Unfortunately, the bad guys are also becoming more aware of the opportunities to attack industrial systems—we can thank Stuxnet for that—and at the same time, the tools available for security attacks on ICS and SCADA systems are rapidly improving."
After interviewing more than a dozen industrial control system security professionals, including end users, security researchers, suppliers and experts in just about every industrial vertical, it is clear that the very best answer to the are-we-more-secure question is a resounding, "maybe, maybe not."
"So the answer to the question," Byres says, "is that many ICS and SCADA systems are more secure than they were last year, but the bad guys are better equipped."
John Cusimano, director of security solutions for exida and director of the Repository of Industrial Security Incidents (RISI), says, "Overall the security posture of most control systems is still fairly weak. It varies significantly by industry, though. Major oil and gas and chemical companies are actually doing fairly well."
What does "fairly well" mean? "These companies started working on this topic pre-Stuxnet and have bolstered their programs since," Cusimano continues. "They generally have, or are working on, written policies and procedures specifically for ICS security; have firewalled their ICS networks from their business networks; and have conducted internal security assessments of their critical facilities."