Cyber security for the Process Industries
“I am very passionate about this subject,” said Rob Hoffman from Idaho National Labs, “because when Idaho National Labs got hacked, I was doing IT work, and I got tabbed to ‘make sure this never happens again.’” Hoffman went on to become the leader of the Control System Security Program at Idaho National Labs, one of the government national laboratory foundations working with the Department of Homeland Security to protect the national infrastructure.
“There’s a new book out,” Hoffman said. “It is called Hacking SCADA: Industrial Network Security from the Mind of the Attacker. You can buy it at Barnes and Noble. It has become fashionable in hacker circles to talk about control systems and how to use commonly available tools to enter and control the systems you all work with and maintain.”
Hoffman went on to describe the differences between IT security on enterprise systems and control system cyber security. IT systems tend to last three to five years, while control systems last at least twenty. Application of patches is slow and vendor specific in control systems, and because control systems need to be running 24/7, “you can’t send out a memo that says the servers will be going down for maintenance for four hours on Thursday night.”
Hoffman asserted that control system cyber security is immature from a policy and standards development standpoint, and most control system engineers aren’t accustomed to thinking in security terms. “Control systems are usually one generation old, as far as processors are concerned,” he said.
His objective for CSSP is to strengthen the control system security posture by coordinating across government, private sector and international organizations to reduce the risk. “We need to build a culture of reliability, security, and resilience,” he said, “and we have to demonstrate value.”
There are interdependencies in the security sectors, as well. Many government agencies, and many private companies and organizations are stakeholders in cyber security, and CSSP intends to help coordinate these interdependencies, and provide thought leadership for cyber issues. This is extremely important, Hoffman said, “because of our critical infrastructure, something like 85% is privately owned and unregulated. I don’t necessarily think additional regulation is the correct path, either. So we educate.”
CSSP has produced some significant risk reduction products, including a cyber security self-assessment tool, a detailed cyber security procurement language for control systems, a pocket guide to securing scada and control systems, and a set of recommended practices. CSSP has also set up a group with in US-CERT to produce control systems related vulnerability notices, and CSSP teaches control systems security awareness and mitigation training classes. All of this information is available at http://www.US-CERT.gov/control_systems.
One of the most important initiatives CSSP has undertaken, Hoffman revealed, is the technology assessments they do under contract, and with nondisclosure agreements, with control systems vendors. “Basically, we get the hardware and the control systems engineers from the vendor, and we build a system and get it ready. Then our “Red Team”—that’s the attackers, get six weeks to invade and take control of the system. In four years of doing this,” Hoffman said, “we have never been stopped from gaining full operational control over the control systems.”
Then they tell the vendors how they did it, and the vendor goes off and fixes the problems, and tells their end users what to look for, and how to fix it.
CSSP is responsible for the scenario development that led to the
Cyber vulnerabilities of control systems are real, Hoffman said, citing the CIA’s Tom Donahue’s revelations at the recent SANS conference that CIA had documented evidence of organized crime holding municipalities to ransom with threats on their control systems. “Give us what we want, or your lights won’t work, your water system won’t work, and your wastewater system won’t work.”
“Cyber Security is a shared responsibility,” Hoffman said. He closed by encouraging the audience to report cyber incidents and vulnerabilities, sign up for cyber alerts, and learn more about CSSP and cyber security.