Voices: Security Focus

Cyber Warfare and the Control Systems Community

What Must the Control Systems Community Do to Adapt to the Threat of Cyber Warfare?

By Robert M. Lee, Cyberspace Officer, USAF

In control systems, the daily communication and work between vendors, asset owners and engineers can be vast, and security may not be the first item on everyone's mind; the mission is to keep the systems running, secure or not. But the very real possibility of cyber warfare has changed that. The question is: what must the control systems community do to adapt to the threat of cyber warfare?

Simply stated, the community must get back to the basics of security, take part in creating better regulations, and band together to face the threat as a community instead of as individuals.

With the media attention given to the Stuxnet worm since June 2010, the world has been forced to realize the possibilities and threats of cyber warfare. Cyber warfare took place long before the release of Stuxnet, but its release caused nation-states, corporations and other groups across the world to realize the benefits of using a domain of warfare with limited entry costs and the possibility of non-attribution, which is the ability to operate without positively being connected to an operation. The idea of using cyberspace to inflict physical damage, such as damaging nuclear centrifuges, was an unproven theory to most before Stuxnet. With the theory publicly proven true, most vendors and asset owners realized that control systems are valued and legitimate targets.

As the communities behind cybersecurity, hacking and control systems began to overlap, it became obvious that not only the large control systems but also the smaller ones were targets. To properly hack into a system, one must understand it. Before attacking high-profile targets, it is wise for any hacker—nation-state-backed or not—to compromise smaller control systems, or related systems, for reconnaissance purposes. A hacker can not only come to understand control systems and network layouts better for future attacks, but may also gain important information, such as firewall and security configurations, trusted network access, operation manuals, design schematics or even password files. All of this information is important to carrying out an effective attack against larger control systems, such as the electrical power grid, water filtration plants, oil refineries and nuclear reactors. This style of reconnaissance is perfectly demonstrated by the Duqu malware.

In October, Duqu was discovered operating on a number of targets including those in Europe, Sudan and Iran. These targets have not been fully identified, but Symantec has stated that the targets include industrial manufacturers. Duqu is primarily an information-gathering platform with strong ties to Stuxnet. The kind of information gathered from Duqu is the type that would be required to create a cyber weapon that would target control systems. The Duqu malware seems to target industrial manufacturers, but this may only represent another vector of attack against control systems that rely on the parts these manufacturers create.

With an understanding that all control systems need to be protected, the focus becomes what smaller control system owners and operators can afford to do in terms of security. A limited number of people understand both control systems and cybersecurity well enough to properly defend the networks, which makes these personnel highly sought after and generally unattainable for many in the control systems community. Because of this, and because there is no checklist that supplies complete security, the task of securing networks can seem daunting and nearly impossible. What owners and controllers can do is adopt a security mindset and get back to the basics of cybersecurity.

The basics of cybersecurity begin with evaluating the systems. No one knows the network layout more in depth than the owners and controllers of those networks. Excluding the insider threat, no attacker has this level of knowledge, and this is one of the asset owner's greatest defenses. End users and the companies that employ them must take responsibility for their systems and recognize when hardware and software in their networks are missing or behaving outside their intended use. Furthermore, if unaccounted-for hardware or software is attached to systems, there should be concern. This network accountability is not an easy task, but it is much less cumbersome than surviving a network attack in which business secrets are stolen or network operations are halted.

After accepting and properly implementing network accountability, security measures must be put into place. An air gap—the complete isolation of your network—is difficult, if not impossible, to achieve. However, air gap best practices are a good step toward network security. Asset owners should ensure that their networks have no outbound connections, and that physical and electromagnetic security measures are in place. Those in charge of network security must then assume this barrier of defense will be compromised, and with that assumption take further security steps. A defense-in-depth approach is as unique to each situation as the network it protects, but some security steps are universal.

On a control system network there should be a demilitarized zone (DMZ) that separates internal parts of the network from other, less operationally important sections. Firewalls with properly defined rule sets should limit traffic to only what is necessary to continue operations. Networks should use intrusion detection systems (IDS) or intrusion prevention systems (IPS) to look for malicious network activity. Vulnerability assessments using trusted software and reputable red teams should look for weaknesses in the network. Identifying vulnerabilities allows patching and remediation to occur in the areas hackers would use to compromise a network. User agreements must be established with employees so that proper use of the network is clearly defined. No number of security steps will prevent a network compromise if users are allowed to use the network improperly by, for example, connecting personal external hard drives to it. Asset owners must also implement access controls to limit who can gain physical or network access to resources.
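The network accountability, air gap practice and firewall discipline described above can be checked mechanically against a baseline. The following is an added example, not code from the original article: it compares constructed flow records against a constructed asset inventory and rule set, flagging devices nobody accounted for, traffic leaving the control zone, and traffic the rule set does not require (addresses are from the RFC 5737 documentation ranges).

```python
# Added example, not code from the original article: inventory, rule set and
# flow records are constructed; addresses are from RFC 5737 documentation ranges.
import ipaddress
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src dst port")  # source IP, destination IP, dest. TCP port
CONTROL_ZONE = ipaddress.ip_network("192.0.2.0/24")

# Constructed inventory: every device the asset owner has accounted for.
INVENTORY = {"192.0.2.10": "hmi", "192.0.2.11": "eng_workstation",
             "192.0.2.20": "plc", "192.0.2.21": "plc", "192.0.2.30": "historian"}

# Constructed rule set: (source role, destination role, port) that operations
# actually need. Anything else is excess the firewall should be dropping.
ALLOWED = {("hmi", "plc", 502),                # Modbus/TCP polling from the HMI
           ("historian", "plc", 502),          # historian collecting process data
           ("eng_workstation", "plc", 44818)}  # EtherNet/IP programming sessions

def classify(flow):
    """Return a finding category for one flow, or None if it is expected."""
    src_ip, dst_ip = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    # Air-gap practice: nothing in the control zone talks to anything outside it.
    if src_ip not in CONTROL_ZONE or dst_ip not in CONTROL_ZONE:
        return "external_connection"
    src_role, dst_role = INVENTORY.get(flow.src), INVENTORY.get(flow.dst)
    # Accountability: a device nobody can account for is itself a finding.
    if src_role is None or dst_role is None:
        return "unaccounted_device"
    # Firewall discipline: only the traffic the rule set says is necessary.
    if (src_role, dst_role, flow.port) not in ALLOWED:
        return "unnecessary_traffic"
    return None

def audit(flows):
    """Count flows per finding category ('expected' for permitted traffic)."""
    return Counter(classify(f) or "expected" for f in flows)

# Constructed flow records, as a span-port capture or firewall log might yield.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "192.0.2.20", 502),     # HMI polls PLC: expected
    Flow("192.0.2.30", "192.0.2.21", 502),     # historian polls PLC: expected
    Flow("192.0.2.11", "192.0.2.20", 44818),   # engineering download: expected
    Flow("192.0.2.99", "192.0.2.20", 502),     # unknown host speaking Modbus
    Flow("192.0.2.10", "198.51.100.7", 443),   # HMI reaching outside the zone
    Flow("192.0.2.10", "192.0.2.21", 44818),   # HMI programming a PLC: not needed
    Flow("192.0.2.11", "192.0.2.30", 3389),    # RDP to historian: not in rule set
]

if __name__ == "__main__":
    print(dict(sorted(audit(SAMPLE_FLOWS).items())))
```

Each category maps to a different remedy: an unaccounted device is an inventory and physical-access question, an external connection is an air gap failure, and unnecessary traffic is a firewall rule to tighten.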

One of the most important parts of network security is detection. As Capt. Jeremy Sparks, instructor at the Air Force's Undergraduate Cyberspace Training school, teaches the Air Force's future network defenders: "Prevention is key, but detection is a must." Detection not only limits the damage and duration of an attack, but can also deter and prevent an attacker altogether. One of the most appealing aspects of cyber warfare is limited attribution, and detection strikes directly at that advantage. Without this aspect, the motivation of nation-states and hackers to conduct operations in cyberspace greatly decreases.

All of what is mentioned above is a broad look at network security for control systems; it is not an all-inclusive list. The security mindset must be used to think about each level of the network and what would be available to prevent or mitigate a compromise there. It is an ongoing process that must be given proper attention and resources even when both are limited.

Control system and software vendors must take responsibility as well and provide software and hardware that focus on security rather than on availability alone. Better code and hardware testing, as well as longer patch-support lifetimes, are a great start. Asset owners must participate in this process too, and work with vendors to identify issues. Both vendors and asset owners must then work with the government and regulation committees to identify regulations and standards that must be enforced. The minimum standard cannot foster true security, especially for systems that affect national security. However, this is not an issue of pointing blame at any party involved. Instead, it is an issue of getting the community to come together and bringing different experiences to bear to find solutions.

This community is where the battle over control systems will be won. Both the cyber community and the control systems community have very talented and passionate individuals working together to bring about positive change. The best advice for those involved in control systems is not based on varying and ever-evolving security practices. Instead, the single greatest piece of advice is to reach out to the community and share information, practices and lessons learned. There is a real fight going on in cyberspace involving control systems, but it is not a fight one has to wage alone. With a security mindset, networking and a touch of optimism, the community as a whole can enable itself to truly secure control systems.


Author's note: I want to thank the individuals I spoke with at the 11th ACS Control System Cyber Security Conference. The information and inspiration gained from the community involved was invaluable. I would also like to thank the Air Force's Undergraduate Cyberspace Training school at Keesler AFB, Mississippi, especially my mentors, Jeremy Sparks and Paul Brandau, for their continued work and acceptance that cyber security is not solely a military issue, but one that affects us all.

Published 12/02/2011