4 The Situation

4.1 General

Industrial automation and control systems operate within a complex environment. Organizations are increasingly sharing information between business and industrial automation systems, and partners in one business venture may be competitors in another. However, because industrial automation and control systems equipment connects directly to a process, loss of trade secrets and interruption in the flow of information are not the only consequences of a security breach. The potential loss of life or production, environmental damage, regulatory violation, and compromise to operational safety are far more serious consequences. These may have ramifications beyond the targeted organization; they may grievously damage the infrastructure of the host region or nation.

External threats are not the only concern; knowledgeable insiders with malicious intent or even an innocent unintended act can pose a serious security risk. Additionally, industrial automation and control systems are often integrated with other business systems. Modifying or testing operational systems has led to unintended electronic effects on system operations. Personnel from outside the control systems area increasingly perform security testing on the systems, exacerbating the number and consequence of these effects. Combining all these factors, it is easy to see that the potential of someone gaining unauthorized or damaging access to an industrial process is not trivial.

Although technology changes and partner relationships may be good for business, they increase the potential risk of compromising security. As the threats to businesses increase, so does the need for security.

4.2 Current Systems

Industrial automation and control systems have evolved from individual, isolated computers with proprietary operating systems and networks to interconnected systems and applications employing commercial off the shelf (COTS) technology (i.e., operating systems and protocols). These systems are now being integrated with enterprise systems and other business applications through various communication networks. This increased level of integration provides significant business benefits, including:

a) increased visibility of industrial control system activities (work in process, equipment status, production schedules) and integrated processing systems from the business level, contributing to the improved ability to conduct analyses to drive down production costs and improve productivity

b) integrated manufacturing and production systems that have more direct access to business level information, enabling a more responsive enterprise

c) common interfaces that reduce overall support costs and permit remote support of production processes

d) remote monitoring of the process control systems that reduces support costs and allows problems to be solved more quickly.

It is possible to define standards for models, terms, and information exchanges that allow the industrial automation and control systems community to share information in a consistent way. However, this ability to exchange information increases vulnerability to misuse and attack by individuals with malicious intent and introduces potential risks to the enterprise using industrial automation and control systems.

– 33 – ANSI/ISA–99.00.01–2007
Copyright 2007 ISA. All rights reserved.

Industrial automation and control systems configurations can be very complex in terms of physical hardware, programming, and communications. This complexity can often make it difficult to determine:

a) who is authorized to access electronic information

b) when a user can have access to the information

c) what data or functions a user should be able to access

d) where the access request originates

e) how the access is requested.

4.3 Current Trends

Several trends contribute to the increased emphasis on the security of industrial automation and control systems:

a) In recent years there has been a marked increase in malicious code attacks on business and personal computer systems. Businesses have reported more unauthorized attempts (either intentional or unintentional) to access electronic information each year than in the previous year.

b) Industrial automation and control systems are moving toward COTS operating systems and protocols and are interconnecting with business networks. This is making these systems susceptible to the same software attacks as are present in business and desktop devices.

c) Tools to automate attacks are commonly available on the Internet. The external threat from the use of these tools now includes cyber criminals and cyber terrorists who may have more resources and knowledge to attack an industrial automation and control system.

d) The use of joint ventures, alliance partners, and outsourced services in the industrial sector has led to a more complex situation with respect to the number of organizations and groups contributing to security of the industrial automation and control system. These practices must be taken into account when developing security for these systems.

e) The focus on unauthorized access has broadened from amateur attackers or disgruntled employees to deliberate criminal or terrorist activities aimed at impacting large groups and facilities.

f) The adoption of industry standard protocols such as Internet Protocol (IP) for communication between industrial automation and control systems and field devices. Implementing IP exposes these systems to the same vulnerabilities as business systems at the network layer.

These trends have combined to significantly increase organization’s risks associated with the design and operation of their industrial automation and control systems. At the same time, electronic security of industrial control systems has become a more significant and widely acknowledged concern. This shift requires more structured guidelines and procedures to define electronic security applicable to industrial automation and control systems, as well as the respective connectivity to other systems.

ANSI/ISA–99.00.01–2007 – 34 –
Copyright 2007 ISA. All rights reserved.

4.4 Potential Impact

People who know the features of open operating systems and networks could potentially intrude into console devices, remote devices, databases, and, in some cases, control platforms. The effect of intruders on industrial automation and control systems may include:

a) unauthorized access, theft, or misuse of confidential information

b) publication of information to unauthorized destinations

c) loss of integrity or reliability of process data and production information

d) loss of system availability

e) process upsets leading to compromised process functionality, inferior product quality, lost production capacity, compromised process safety, or environmental releases

f) equipment damage

g) personal injury

h) violation of legal and regulatory requirements

i) risk to public health and confidence

j) threat to a nation’s security.

– 35 – ANSI/ISA–99.00.01–2007
Copyright 2007 ISA. All rights reserved.