Topic: Intrinsic Safety
Safety Shutdown: How to Avoid the Cost of Separate Valves
Is It Allowable to Use the Control Valve as a Safety Shutdown System?
ISA100 Gives Up on Convergence
No Deal Between ISA 100 and Wireless HART Standards. Back to the Drawing Board
Set New Standards in Productivity and Efficiency
The Right Instrumentation Can Help Both Processes and People Realize Their Full Potential
Risk Assessment Skills Needed for SIS Success
Instrument Engineers Must Lead the Way in Safety System Best Practices
White Papers: In Depth Research
Bound to Fail: Why Cybersecurity Risk Cannot Simply Be Managed Away
Author: Ralph Langner, Perry Pederson, Brookings Institution
Rather than a much-needed initiative to break the legislative deadlock on the subject in Congress, President Obama's new executive order for improving critical infrastructure cybersecurity is a recipe for continued failure. In essence, the executive order puts the emphasis on establishing a framework for risk management and relies on voluntary participation of the private sector that owns and operates the majority of U.S. critical infrastructure. Both approaches have been attempted for more than a decade without measurable success. A fundamental reason for this failure is the reliance on the concept of risk management, which frames the whole problem in business logic. Business logic ultimately gives the private sector every reason to argue the always hypothetical risk away, rather than solving the factual problem of insanely vulnerable cyber systems that control the nation's most critical installations.
The authors in this document suggest a policy-based approach that instead sets clear guidelines for asset owners, starting with regulations for new critical infrastructure facilities, and thereby avoids perpetuating the problem in systems and architectures that will be around for decades to come. In contrast to the IT sector, the industrial control systems (ICS) that keep the nation's most critical systems running are much simpler and much less dynamic than contemporary IT systems, which makes eliminating cyber vulnerabilities, most of which are designed into products and system architectures, actually possible. Finally, they argue that a distinction between critical and non-critical systems is a bad idea that contradicts pervasiveness and sustainability of any effort to arrive at robust and well-protected systems.
Read what our community experts have to say:
- Can We Use Risk Analysis to Determine the Economics of Cybersecurity?
By Walt Boyes, editor in chief
- Cybersecurity Responsibility White Paper
By Joe Weiss, cybersecurity expert and blogger
- Is Field-Based Control More Secure?
By John Rezabek, process control specialist
Post-Stuxnet Industrial Security: How to Detect Industrial Malware on Day Zero
Author: Phoenix Contact
Preventing the next Stuxnet-like attack on the control world might be impossible, but operators can mitigate the effects and contain worms and viruses through early detection.
- Although the Stuxnet worm has received a great deal of media attention, the greater threat to most control systems is that copycats could use Stuxnet as a blueprint for future attacks.
- An ideal network security appliance with both preventive and diagnostic functions can boost security against Stuxnet-like attacks and reduce their associated risks.
- While such a device will not completely prevent malware infections, fast and reliable discovery of such infections is a key aspect of protection.
Following its discovery in June 2010, the Stuxnet worm caused a worldwide sensation. It is the first publicly known rootkit attack targeted at industrial plants. It has infected tens of thousands of PCs, and abused and manipulated automation software running on Windows operating systems. Its ultimate purpose: to infiltrate malicious code into the controllers of specific real-world industrial installations.
Experts have long warned that malware and insufficient IT security pose a threat to automation networks, but Stuxnet offers concrete proof that these threats can no longer be ignored. The actual hazard, however, no longer originates from Stuxnet itself, but rather comes from mutations that copycats can now create with the same basic techniques. And while Stuxnet focused on products from the Siemens SIMATIC family and on STEP 7 PLC projects with very specific properties, such mutations could affect components from other vendors as well, ultimately producing malware that is far less selective in its damaging impact.
Apart from the fact that industrial PCs are often not (and cannot be) equipped with antivirus software, Stuxnet has also made clear that conventional virus scanners do not provide protection against this caliber of attacks. The analysis of Stuxnet has shown that the worm had been around in the wild unnoticed for at least 12 months before its discovery. Because Stuxnet did not use any of the known malware signatures, existing antivirus programs did not detect it during that time.
Hacking the Industrial Network
Author: Phoenix Contact
Industrial control networks are highly vulnerable to intelligent remote attacks, as well as non-intelligent viruses. With threats to these networks increasing in complexity and scope, decision makers need to take action before it's too late.
Malicious code, a Trojan program deliberately inserted into SCADA system software, manipulated valve positions and compressor outputs to cause a massive natural gas explosion along the Trans-Siberian pipeline, according to 2005 testimony before a U.S. House of Representatives subcommittee by a Director from Sandia National Laboratories. According to the Washington Post, the resulting fireball yielded "the most monumental non-nuclear explosion and fire ever seen from space." The explosion was subsequently estimated at the equivalent of 3 kilotons. (In comparison, the 9/11 explosions at the World Trade Center were roughly 0.1 kiloton.)
According to Internet blogs and reports, hackers have begun to discover that SCADA (Supervisory Control and Data Acquisition) and DCS (Distributed Control Systems) are "cool" to hack. The interest of hackers has increased since reports of successful attacks began to emerge after 2001. A security consultant interviewed by the in-depth news program, PBS Frontline, told them "Penetrating a SCADA system that is running a Microsoft operating system takes less than two minutes." DCS, SCADA, PLCs (Programmable Logic Controllers) and other legacy control systems have been used for decades in power plants and grids, oil and gas refineries, air traffic and railroad management, pipeline pumping stations, pharmaceutical plants, chemical plants, automated food and beverage lines, industrial processes, automotive assembly lines, and water treatment plants.
Analysis of 3S CoDeSys Security Vulnerabilities for Industrial Control System Professionals
This White Paper explains:
- What the 3S CoDeSys vulnerabilities are and what an attacker can do with them
- How to find out what control/SCADA devices are affected
- The risks and potential consequences to SCADA and control systems
- The compensating controls that will help block known attack vectors
A number of security vulnerabilities in the CoDeSys Control Runtime System were disclosed in January 2012. In October 2012, fully functional attack tools were also released to the general public.
While CoDeSys is not widely known in the SCADA and ICS field, its product is embedded in many popular PLCs and industrial controllers. Products from many vendors are potentially vulnerable, including devices used in all sectors of manufacturing and infrastructure. As a result, there is a risk that criminals or political groups may attempt to exploit them for either financial or ideological gain.
This White Paper summarizes the currently known facts about these vulnerabilities and associated attack tools. It also provides guidance regarding a number of mitigations and compensating controls that operators of SCADA and ICS systems can take to protect critical operations.
- First UL Listed Industrial GFCI from Littelfuse Protects Workers
- Master Distributors carries TL3240 Series and TL3210 Series illuminated tact switches from E-Switch. Both series are surface mount (SMT) switches that offer LED illumination in a variety of colors.
- Constructed of polyester, the sensor and actuator can be mounted unobtrusively in channels or behind doors
- Flexible, safe I/O distribution without a safety controller