
Really, Really, Really Cyber Secure

It Is Now Clear That Machine-level, Embedded Controllers, Such as PLCs, PACs and DCS Controllers Are Vulnerable From Both Inside and Outside the Plant

By Walt Boyes, Editor in Chief

The last year should have changed the landscape of industrial control system (ICS) security, but did it? Honeywell got its Safety Manager through the ISASecure audit, and Siemens was thrown a curve by the Stuxnet virus. "There but for the grace of God go we," Joe Hogan, CEO of rival ABB, said at the Automation and Power World conference earlier this year, referring to Siemens and the Stuxnet attack.

It is now clear that machine-level, embedded controllers, such as PLCs, PACs and DCS controllers are vulnerable from both inside and outside the plant. So everyone who planned to put a Great Big Firewall in place around the plant and figured, therefore, it would be okay, got a taste of what the French got when the Wehrmacht just went around the Maginot Line during World War II.

We have also had good lessons on the difference between legal compliance and increased safety, and the folly of the North American Electric Reliability Corporation (NERC) declaring its plants just didn't have any critical cyber assets. Wanna bet?

When insurance company risk managers audit your plant, they should be asking security questions as well as safety-related ones.

Siemens, kicked pretty hard in the pants last year by some nation state or other, has emerged from the fire stronger, and with a clear holistic security policy from the code-writing phase to the installed unit audit phase. They are still working to plug holes, though.

That's not enough.

Contrary to the wishes expressed by one widely read commentator on his blog, wholesale rip-and-replace of control systems just is not going to happen. After all, Honeywell last year gave an award to Eastman Chemical for keeping its TDC2000 alive all these years.

We are, therefore, left with the problem of protecting completely defenseless open systems that were never designed to be protected, and we have to do it economically—because security is a sunk cost according to most accounting practices. We have yet to see widespread acknowledgement in risk management circles that safety systems are essential to the profitability of process plants. We are trying to get risk managers to acknowledge that security isn't its own issue by itself, but rather, security is a safety issue, and when the insurance company risk managers come to audit your plant, they should be asking security questions as well as safety-related ones.

The good news is that we now have a very well-defined roadmap. Honeywell proved that you can establish ab initio well-documented good practices in design, programming and management of embedded controllers. Siemens proved that you can change your practices and your culture too. Most of the vendor community is at least taking notice of the issues continually being raised by the increasingly hyperaware hacker/security consultant industry.

But that's not enough.

Ernie Rakaczky, Invensys Operations Management's top cyber authority, said at OpsManage2010 last year that all the efforts of the vendor community still amount to only about 25% of the needed effort. The end-user community, he said, is 75% responsible to see to it that its ICSs are secure.

Lots of people don't like what Rakaczky said, but he's right. The end-user community must complement the work being done by the vendors by creating a security culture, with policies and procedures such as those called for in the ISA99 standard. It is just not okay to expect that the vendor community will magically protect asset owners, regardless of how the products are used. It is silly to expect redress from a vendor if you haven't specified that the system you purchased would be secure. Since you won't rip and replace, you will need to figure out how to keep secure the systems that were never meant to be.

Much work has been done. More is needed.