There's no "set it and forget it" with process security. Much like taking out the trash and brushing your teeth, process security measures must be continually monitored and updated to stop an ever-multiplying number and variety of viruses and threats, according to Leigh Weber, CISSP, senior security engineer at exida Consulting in Sellersville, Pa.
Weber spoke at the 2012 Yokogawa User Group meeting today in New Orleans on how to "Evaluate the Security of Automation Products and Systems." Weber reported that current events in cybersecurity include, the Shamoon virus that disabled 30,000 computers at Saudi Aramco; U.S. Defense Secretary Leon Panetta's recent warning of cyber attacks on critical U.S. infrastructure; and the U.S. Dept. of Homeland Security's (DHS) alerts about coordinated attacks on gas pipeline operators.
"Control systems are more vulnerable today than ever before because they use commercial technologies. They're highly connected, offer remote access. Lots of technical information is publicly available on them, and hackers are now targeting control systems," said Weber.
For example, Weber reported that the S4 Security Conference in January 2012 included a "Project Basecamp" that involved six researchers looking for vulnerabilities in six different embedded industrial process control devices, such as PLCs, RTUs and substation controllers. And in all of them they found vulnerabilities ranging from backdoors and weak credential storage to buffer overflows.
"Nessus plug-ins and Metasploit modules have been publicly released, enabling anyone to find and exploit these vulnerabilities," explained Weber. "Much of the code needed to crash PLCs is free, and some companies are selling SCADA-based attack kits, though they're intended for IT departments test their systems. Likewise, accessible Facebook and LinkedIn accounts can be used to write convincing emails for phishing attempts, and the most dangerous environment of all is the open Wi-Fi network in an airport and hotel."
Weber added that there are many more pathways into most control systems than their users and managers often realize. These include unauthorized, unchecked USB devices, infected laptops, incorrectly configured firewalls, old modems, external PLC networks and unprotected fieldbuses, RS-232 links and other devices. "Do you still have any modems in your system? Are you sure?" asked Weber.
"A lot of networking hardware isn't removed when updates are done, and most organizations have many more paths into their systems then they realize.
"The threats are realistic, sophisticated and readily available," Weber said. "Many existing systems are designed and installed with insufficient security controls, such as layers of protection. Working with their suppliers, industrial facilities must focus on securing them."
Besides learning about and applying cybersecurity standards like IEC 62443, ISA 99 and others, Weber said there are seven basic steps for security process control systems:
- Assess existing control systems;
- Document security policies and procedures;
- Train personnel and contractors;
- Segment the control system network;
- Control access to the system;
- Harden the components of the system; and
- Monitor and maintain system security.
"If you have a control system, you must protect it," added Weber. "However, you must also have procurement specifications for cybersecurity for everything you buy. DHS has procurement guidelines for control system components."
Besides the ISA99 standard, Weber reported on the efforts of the ISA's Security Compliance Institute (ISCI) and its new ISASecure Certification program. "ISCI is a consortium of asset owners, suppliers and industry organizations formed in 2007 under the ISA Automation Standards Compliance Institute (ASCI)," said Weber. "Its mission is to establish a set of well-engineered specifications and processes for testing and certifying critical control systems products, as well as to decrease the time, cost and risk of developing, acquiring and deploying control systems by establishing a collaborative industry-based program among asset owners, suppliers and other stakeholders."
Similar to well-known safety integrity level (SIL) certifications, ISASecure is a recognizable designation that suppliers can achieve for their products by allowing them to be thoroughly tested. (For more information, visit www.ansi.org/isasecure.)
"These devices get every kind of malformed bit stream thrown at them, and then the lab sees if they're still standing when it's over," said Weber. "Then the lab issues a final assessment report and certification upon successful test and audit. The next step is for ISASecure is System Security Assurance to look at security across whole systems, and it's being developed now."