Greg McMillan and Stan Weiner bring their wits and more than 66 years of process control experience to bear on your questions, comments, and problems. Write to them at firstname.lastname@example.org.
Greg: The topic this month is cybersecurity. Since Stan and I are insecure by nature, we have asked Mark Nixon, the chief architect of the original DeltaV development, editor for the WirelessHART network management specification and the manager for the DeltaV future architecture team, to provide secure answers that get to the heart and HART of the matter.
Stan: Why is there such an increased focus on security?
Mark: Over the past several years, the drive for increased efficiency has led companies toward supporting larger networks that support a wider range of applications. Control applications that traditionally were isolated and self-contained are now incorporating scheduling, product materials information and lab samples. For example, SAP-based lab data may be pulled back into the control system and used in multivariable control strategies. It is no longer viable to view the security of control systems in terms of isolation (separation of control systems from other corporate computing networks).
Greg: What does this mean for control system suppliers?
Mark: Process control and SCADA systems, with their reliance on proprietary networks and hardware have long been considered immune to the network attacks that have caused IT departments so much grief. The move to standard platforms, such as Windows and Linux, and use of open standards such as Ethernet, TCP/IP and Web technologies have opened the door, for a much wider ranger set of vulnerabilities.
Stan: What kind of vulnerabilities are we talking about? Are we just talking about hackers and terrorist? Can we just verify their age? Retirees can hardly get into a system even when permitted.
Mark: Although newspapers tend to focus on hackers and terrorists, we are talking about much more than that. Because of the open platforms, open standards and the role of control systems in plant operations, we need to take a much wider view. Vulnerabilities include natural disasters, the unintended consequences of operator actions, management practices, regulatory policy, inadequate technology and system designs, and, yes, hackers and terrorists.
Greg: You can add my lunch to that list. I wish I could figure out a way to have people stop stealing my lunch from the refrigerator. Tell me, what kinds of things are we talking about?
Mark: As I said, control networks that used to be limited to a single facility or organization now increasingly are connected to business systems. Some of the business systems transport information on electric power demandandoil and gas transport, and coordinate transport and logistics. A shipping company can now coordinate shipping and delivery operations directly with its customers, linking systems and creating a web of functionality and interdependence.
Stan: This is a pretty broad topic. How do you break the problem down?
Mark: Segmentation is the key to the problem. The folks at ISA have been busy working on a standard to help. In the tried-and-true way of engineering, they have broken the problem down into pieces. They refer to these pieces as security zones. These security zones can be physical or logical zones. In the case of physical zones, equipment such as a firewall can limit traffic between zones. In the case of logical zones, profiles and roles can limit a specific user or application. Most companies today provide some form of physical security. With physical security, networks are segmented into zones. A zone may be an isolated stand-alone network segment or a network segment separated from the organizations network by some sort of a network barrier device. These barrier devices, often referred to as demilitarized zone devices (DMZ), provide isolation by filtering and remove nonessential communication traffic. DMZ devices should be designed to complement other cybersecurity measures.
Greg: What are these other security measures?
Mark: Todays control systems are connected to and integrated with business systems both within companies and between partner companies. Exposing control systems to all of this traffic increases the likelihood of security incidents. In keeping with the principles of least privilege and need-to-know, the control systems themselves should be architected so that applications and functionality are also compartmentalized. For example, this means that operators would be restricted to areas of the plant that they are authorized to operate in and applications that they have been certified to operate. Compartmentalizing applications and functions into zones does not necessarily mean isolating them. Conduits connect the security zones and facilitate the transport of necessary communications between the segmented security zones.
Stan: There has been a lot of talk about wireless. Can we use wireless for monitoring and control applications?
Mark: A lot has been printed on the issues surrounding securing wireless networks. We can get a view for how wireless is being addressed by looking at the SP100.11a and the WirelessHART standards. In both cases, security is designed into the standards. In the case of WirelessHART security is inherent. In the case of SP100, users need to be careful to configure their systems to disable distributing security keys in clear text.
One of the ways that wireless networks ensure that the networks are secure is to limit the way that devices can join the network. In order to join a wireless network, the device needs to have join key. A device wishing to join the network encrypts its join request with its join key and sends the join request to the network or system manager. If the network manager has a corresponding join key for the device wishing to join (all devices are identified by unique IDs), the network manager approves the join and responds by allowing the device into the network. The device is then issued unique session and broadcast keys for each device it wishes to communicate with. In a secure network, keys are encrypted and transferred from the network or system manager to the device. At a minimum, devices will have unique session keys for communicating with the gateway and network or system manager. A session enables private and secure communication between a pair of network addresses. Only the network manager may create or modify sessions.
Join keys are entered into devices through a process called provisioning. In WirelessHART devices can be provisioned using the FSK modem port (i.e. connects wires and writes the join key into the devices memory). In SP100, the provisioning interface is unspecified and will be the responsibility of each supplier to provide. Once joined, all communication between devices is encrypted, and all packets are protected with a message integrity code. The network is protected from replay attacks.
Greg: How do users get started?
Mark: I recommend a cyclical approach. Start with a security assessment. From this, select the places where your system and operation are most at risk, address those first and keep going. Along the way, I recommend putting in on-going measures to evaluate how well the implementations are working. This is an on-going process.
Stan: How can technical managers evaluate risk?
Mark: Before evaluating risk, it is important to ask the question, What are you protecting against? Risks include natural, technological or terrorist sources. Keeping the lights on, no matter what is a huge task, mostly performed out of public sight, except when problems arise, as with the blackout of 2003 and, of course, Hurricanes Katrina and Rita in 2005. Once you have a good idea of what you are protecting against, you need to look at your current operation and systems. System designers and operators struggle to balance the requirements of highly reliable, real-time operations against the demand of increasingly efficient and cost-effective service, where operating margins are cut to the bone in a deregulated environment. Terrorism only adds to the challenge, because attackers seek vulnerabilities, communicate with one another and learn to defeat defensive measures. Once you have determined what you are protecting against and have good information on how your systems currently are put together, start dividing your operation and systems into zones. ISAs SP99 spec is a good source of information.
Greg: Have there been any reported cases of cyber attacks in the control industry?
Mark: This is an interesting question. The majority of security breaches are internal. A study by the FBI and the Computer Security Institute on Cybercrime released in 2000 found that 71% of security breaches were carried out by insiders. Critical infrastructure security expert, Eric Byres, has a good explanation for this, Control systems have become a target of opportunity rather than a target of choice. Byres goes on to note that the transition from proprietary systems to open systems, such as Windows and Linux, has opened the door for common IT attacks, such as viruses. Herman Storey added to this, he described a real-life an actual situation where shutting down a corporate computer to install patches caused a disruption to key data required by the control system which in turn caused some equipment to shutdown.
Greg: We conclude with some comic relief from Randy Reiss who has become our ultimate resource for top ten lists.
Top Ten Reasons why the IT Guy Thinks Security is Lax
10. He found your password list written on the wall in Stall #3 of the bathroom.
9. Those stupid users keep including the password for their password-protected zip file attachment in the body of the same email.
8. Its common knowledge that the best pickup line in the bar just outside the plant entrance is Hey baby, whats your password?
7. The enforcement of password complexity has had a direct effect on the pen and paper consumption at the plant.
6. You dont have all 254 critical Microsoft security updates on your PC.
5. Youre logged in as administrator.
4. Your password never expires.
3. He thinks that all computers are connected to the Internet.
2. The DCS is not integrated into the corporate Windows domain.
1. Youre not running Vista.
Top Ten Reason Security is Lax at the Plant
10. Last Wednesday, your mother-in-law showed up in the control room wearing slippers and her pajamas with your lunch pail that you left on the kitchen table this morning. When you asked her how she got past security, she said, What security?
9. Unbeknownst to management, cell-phone texting has replaced the walkie-talkie.
8. A simple call to IT saying, I forgot my password will have your password reset to password.
7. An audit showed that 90% of the passwords are now password.
6. The UPS man has more sophisticated computer equipment than the plant.
5. The last time you were back in the tank farm, there was an auction going on.
4. The most popular text message at the plant is w@z yr pw
3. Zipping your document, password protecting it, communicating the password separately from the email to which it is attached, and hoping the recipient can unzip it is a lot harder than printing a zillions hardcopies and distributing it at meetings.
2. Look under your keyboard
1. The firewall has more holes in it than last quarters stockholders report.