Voices: Security Focus
Cyber Warfare and the Control Systems Community
What Must the Control Systems Community Do to Adapt to the Threat of Cyber Warfare?
By Robert M. Lee, Cyberspace Officer, USAF
In control systems, the daily communication and work between vendors, asset owners and engineers can be vast, and security may not be the first item on everyone's mind; the mission is to keep the systems running, secure or not. But the very real possibility of cyber warfare has changed that. The question is: what must the control systems community do to adapt to the threat of cyber warfare?
Simply stated, the community must get back to the basics of security, take part in creating better regulations, and band together to face the threat as a community instead of as individuals.
With the media attention given to the Stuxnet worm since June 2010, the world has been forced to realize the possibilities and threats of cyber warfare. Cyber warfare took place long before the release of Stuxnet, but its release caused nation-states, corporations and other groups across the world to realize the benefits of using a domain of warfare with limited entry costs and the possibility of non-attribution, which is the ability to operate without positively being connected to an operation. The idea of using cyberspace to inflict physical damage, such as damaging nuclear centrifuges, was an unproven theory to most before Stuxnet. With the theory publicly proven true, most vendors and asset owners realized that control systems are valued and legitimate targets.
As the communities behind cybersecurity, hacking and control systems began to overlap, it became obvious that it was not only the large control systems, but also the smaller ones that were targets. To properly hack into a system one must understand it. Before attacking high-profile targets, it is wise for any hacker—nation-state-backed or not—to compromise smaller control systems, or related systems, for reconnaissance purposes. A hacker can not only understand control systems and network layouts better for future attacks, but may also gain important information, such as firewall and security configurations, trusted network access, operation manuals, design schematics or even password files. All of this information is important to carrying out an effective attack against larger control systems, such as the electrical power grid, water filtration plants, oil refineries and nuclear reactors. This style of reconnaissance is perfectly demonstrated with the Duqu malware.
In October, Duqu was discovered operating on a number of targets including those in Europe, Sudan and Iran. These targets have not been fully identified, but Symantec has stated that the targets include industrial manufacturers. Duqu is primarily an information-gathering platform with strong ties to Stuxnet. The kind of information gathered from Duqu is the type that would be required to create a cyber weapon that would target control systems. The Duqu malware seems to target industrial manufacturers, but this may only represent another vector of attack against control systems that rely on the parts these manufacturers create.
With an understanding that all control systems need to be protected, the focus becomes what smaller control system owners and operators can afford to do in terms of security. A limited number of people understand both control systems and cybersecurity well enough to properly defend the networks, which makes these personnel highly sought after and generally unattainable for many in the control systems community. Because of this and the fact that there is no checklist to supplying complete security, the task of securing networks can seem daunting and nearly impossible. What owners and controllers can do is adopt a security mindset and get back to the basics of cybersecurity.
The basics of cybersecurity begin with evaluating the systems. No one knows the network layout more in depth than the owners and controllers of those networks. Excluding the insider threat, no attacker has this level of knowledge, and this is one of the asset owner's greatest defenses. End users and the companies that employ them must take responsibility for their systems and recognize when hardware and software in their networks are missing or acting in a manner outside of their intended use. Furthermore, if pieces of hardware or software that are unaccounted for are attached to systems, there should be concern. This network accountability is not an easy task, but is much less cumbersome than surviving a network attack where business secrets are stolen or network operations are halted.
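The network accountability described above, recognizing hardware that is missing, unaccounted for, or behaving outside its intended use, can be reduced to a routine comparison of an approved asset baseline against what is actually observed on the wire. The following is an added example, not code from the article or its author; the baseline, the observed snapshot, the MAC addresses, roles and firmware strings are all constructed sample data, and the `reconcile` function name is this example's own choice.

```python
"""Reconcile an approved control-network asset baseline against an observed snapshot.

Added example with constructed data. Real input would come from a passive
scan, switch MAC tables or a DHCP/ARP log; here the snapshot is embedded.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    mac: str
    ip: str
    role: str
    firmware: str
    ports: frozenset = field(default_factory=frozenset)  # expected/observed listening ports


# Approved baseline maintained by the asset owner (constructed sample).
BASELINE = {
    "00:80:f4:00:00:01": Asset("00:80:f4:00:00:01", "10.10.1.10", "plc", "2.4.1", frozenset({502})),
    "00:80:f4:00:00:02": Asset("00:80:f4:00:00:02", "10.10.1.11", "plc", "2.4.1", frozenset({502})),
    "00:0c:29:aa:bb:01": Asset("00:0c:29:aa:bb:01", "10.10.1.20", "hmi", "5.1", frozenset({3389, 502})),
    "00:0c:29:aa:bb:02": Asset("00:0c:29:aa:bb:02", "10.10.2.5", "historian", "9.0", frozenset({443, 1433})),
}

# Observed snapshot (constructed): the second PLC is absent, the HMI has an
# extra listening port (23/telnet) it should not have, and an unknown device
# has appeared on a spare address in the control subnet.
OBSERVED = [
    Asset("00:80:f4:00:00:01", "10.10.1.10", "plc", "2.4.1", frozenset({502})),
    Asset("00:0c:29:aa:bb:01", "10.10.1.20", "hmi", "5.1", frozenset({3389, 502, 23})),
    Asset("00:0c:29:aa:bb:02", "10.10.2.5", "historian", "9.0", frozenset({443, 1433})),
    Asset("d8:3a:dd:12:34:56", "10.10.1.99", "unknown", "?", frozenset({22, 80})),
]


def reconcile(baseline, observed):
    """Return assets that are missing, unknown, or deviating from the baseline.

    Deviations are (mac, field, expected, observed) tuples; only extra ports
    are reported, since a closed expected port is an availability issue, not
    an accountability one.
    """
    seen = {a.mac: a for a in observed}
    missing = sorted(set(baseline) - set(seen))
    unknown = sorted(set(seen) - set(baseline))
    deviations = []
    for mac in sorted(set(baseline) & set(seen)):
        expected, actual = baseline[mac], seen[mac]
        if actual.ip != expected.ip:
            deviations.append((mac, "ip", expected.ip, actual.ip))
        if actual.firmware != expected.firmware:
            deviations.append((mac, "firmware", expected.firmware, actual.firmware))
        extra_ports = actual.ports - expected.ports
        if extra_ports:
            deviations.append((mac, "extra_ports", sorted(expected.ports), sorted(extra_ports)))
    return {"missing": missing, "unknown": unknown, "deviations": deviations}


def report(result):
    """Render the reconciliation result as plain text lines for an operator."""
    lines = []
    for mac in result["missing"]:
        lines.append(f"MISSING   {mac} ({BASELINE[mac].role} at {BASELINE[mac].ip}) not seen on network")
    for mac in result["unknown"]:
        lines.append(f"UNKNOWN   {mac} is not in the approved baseline")
    for mac, what, exp, got in result["deviations"]:
        lines.append(f"DEVIATION {mac} {what}: expected {exp}, observed {got}")
    return lines


if __name__ == "__main__":
    for line in report(reconcile(BASELINE, OBSERVED)):
        print(line)
```

Each of the three findings maps to one of the article's concerns: a missing asset, an unaccounted-for device attached to the network, and a known device acting outside its intended use. Run on a schedule and diffed against the previous run, the report becomes the starting point for an investigation rather than a surprise discovered after an incident.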
After accepting and properly implementing network accountability, security measures must be put into place. An air gap—the complete isolation of your network—is difficult, if not impossible, to achieve. However, air gap best practices are a good step towards network security. Asset owners should ensure that their networks have no outbound connections, and that methods of physical and electromagnetic security are in place. Those in charge of network security must then assume this barrier of defense will be compromised. With this assumption, other steps for security must be taken. A defense-in-depth approach is as unique to each situation as is the network it protects, but some security steps are universal.
On a control system network there should be a demilitarized zone (DMZ) that separates internal parts of the network from other less operationally important sections. Firewalls with properly defined rule sets should limit traffic to only what is necessary to continue operations. Networks should use intrusion detection systems (IDS) or intrusion prevention systems (IPS) to look for malicious network activity. Vulnerability assessments using trusted software and reputable red teams should look for vulnerabilities in the network. Identifying vulnerabilities allows patching and remediation to occur in areas that hackers would use to compromise a network. User agreements must be established with employees, so that proper use of the network is clearly defined. No number of security steps will prevent a network compromise if users are allowed to use the network improperly by, for example, connecting personal external hard drives to it. Asset owners must also implement access controls to limit who can gain physical or network access to resources.
One of the most important parts of network security is detection. As Capt. Jeremy Sparks, instructor at the Air Force's Undergraduate Cyberspace Training school, teaches the Air Force's future network defenders: "Prevention is key, but detection is a must." Detection not only mitigates the damage and duration of an attack, but it can also deter and prevent an attacker altogether. One of the most appealing aspects of cyber warfare is limited attribution. Without this aspect, the motivation of nation-states and hackers to conduct operations in cyberspace greatly decreases.
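The DMZ and firewall-rule guidance above, and the point that detection must back up prevention, can be exercised together by auditing observed flows against the zone policy the firewall is supposed to enforce: any flow the policy does not allow is a detection, whether it got through because of a rule mistake, a bypass path or a compromised host. This is an added example, not code from the article or its author; the three zones, the allowed-flow policy, the `src=... dst=... proto=... dport=...` flow-record format and the sample records are all constructed, and `audit` and `zone_of` are this example's own function names.

```python
"""Audit observed network flows against a DMZ zone policy for a control network.

Added example with constructed data. The policy follows the article's DMZ
pattern: corporate users reach only the historian in the DMZ, only the DMZ
polls the control zone, and nothing in the control zone initiates outbound
traffic to corporate.
"""
import ipaddress
from collections import namedtuple

# Zone definitions (constructed addressing).
ZONES = {
    "control": ipaddress.ip_network("10.10.1.0/24"),
    "dmz": ipaddress.ip_network("10.10.2.0/24"),
    "corporate": ipaddress.ip_network("10.20.0.0/16"),
}

# Allowed flows as (src_zone, dst_zone, proto, dst_port). Anything else is a
# violation: the firewall should drop it, and the IDS should report it.
ALLOW = {
    ("control", "control", "tcp", 502),   # HMI <-> PLC Modbus/TCP inside the control zone
    ("dmz", "control", "tcp", 502),       # DMZ historian polls the PLCs
    ("corporate", "dmz", "tcp", 443),     # corporate users read the historian's web interface
}

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed flow records in a simple key=value format (one per line).
SAMPLE_FLOWS = [
    "src=10.10.1.20 dst=10.10.1.10 proto=tcp dport=502",   # HMI to PLC: allowed
    "src=10.20.5.7 dst=10.10.2.5 proto=tcp dport=443",     # corporate to historian: allowed
    "src=10.20.5.7 dst=10.10.1.10 proto=tcp dport=502",    # corporate straight to PLC: DMZ bypassed
    "src=10.10.1.10 dst=10.20.5.7 proto=tcp dport=443",    # PLC initiating outbound: violation
    "src=10.10.1.20 dst=10.10.1.10 proto=tcp dport=23",    # telnet inside control zone: violation
    "src=10.10.2.5 dst=10.10.1.11 proto=tcp dport=502",    # historian polling second PLC: allowed
]


def zone_of(ip):
    """Map an address to its zone name, or 'external' if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line):
    """Parse one 'key=value' flow record into a Flow tuple."""
    kv = dict(token.split("=", 1) for token in line.split())
    return Flow(kv["src"], kv["dst"], kv["proto"].lower(), int(kv["dport"]))


def describe(key):
    """Explain why a (src_zone, dst_zone, proto, dport) key violates the policy."""
    src_zone, dst_zone, proto, dport = key
    if src_zone == "corporate" and dst_zone == "control":
        return "corporate host reached the control zone directly (DMZ bypassed)"
    if src_zone == "control" and dst_zone not in ("control", "dmz"):
        return "control-zone host initiated an outbound connection"
    return f"{proto}/{dport} from {src_zone} to {dst_zone} is not an allowed service"


def audit(lines):
    """Return (record, key, reason) for every flow the zone policy does not allow."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        key = (zone_of(flow.src), zone_of(flow.dst), flow.proto, flow.dport)
        if key not in ALLOW:
            violations.append((line, key, describe(key)))
    return violations


if __name__ == "__main__":
    for record, _key, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {reason}: {record}")
```

The same allowlist can be used in two directions: as the specification from which firewall rules are written, and as the oracle an IDS or flow collector checks traffic against. When the two disagree, either the rule set has drifted from the policy or traffic is reaching the control zone by a path the firewall does not see, and both are worth knowing before an attacker finds them.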
All of what is mentioned above is a broad look at network security for control systems; it is not an all-inclusive list. The security mindset must be used to think about each level of the network and what would be available to prevent or mitigate a compromise there. It is an ongoing process that must be given proper attention and resources even when both are limited.
Control system and software vendors must take responsibility as well and provide better software and hardware that have a focus on security instead of just availability. Better code and hardware testing, as well as longer durations of patching support, are all a great start. Asset owners must participate in this process too, and work with vendors to identify issues. Both vendors and asset owners must then work with the government and regulation committees to identify regulations and standards that must be enforced. The minimum standard is not something that can foster true security, especially with systems that affect national security. However, this is not an issue of pointing blame at any party involved. Instead, this is an issue of getting the community to come together, and bringing different experiences to find solutions.
This community is where the battle over control systems will be won. Both the cyber community and the control systems community have very talented and passionate individuals working together to bring about positive change. The best advice for those involved in control systems is not based in varying and ever-evolving security practices. Instead, the single greatest piece of advice is to reach out to the community, and share information, practices and lessons learned. There is a real fight going on in cyberspace involving control systems, but it is not a fight one has to wage alone. With a security mindset, networking and a touch of optimism the community as a whole can enable itself to truly secure control systems.
Author's note: I want to thank the individuals I spoke with at the 11th ACS Control System Cyber Security Conference. The information and inspiration gained from the community involved was invaluable. I would also like to thank the Air Force's Undergraduate Cyberspace Training school at Keesler AFB, Mississippi, especially my mentors, Jeremy Sparks and Paul Brandau, for their continued work and acceptance that cyber security is not solely a military issue, but one that affects us all.
Published 12/02/2011