āYou are not secure because you did vulnerability analysis, and you are not secure because of the latest patch.ā Wurldtechās Nate Kube discussed the maturing practice of evaluating and managing control system risks.
|
āToday, however, we see rapid adoption of industrial Ethernet and distributed control systems based on open networks,ā Kube said. āThere is interoperability, and real-time data access is a key functionality. There is an increase in the frequency, severity and complexity of cyber threats. Security in the process industries is not well understood, and the ownership of security issues is unclear.
āTomorrow, weāll see industrial organizations outsourcing security solutions. We will see the emergence of sophisticated, multi-vendor āblended threats.ā And without IC-specific data, threats will bypass legitimate openings in perimeter devices like firewalls and IPS/IDS. Security,ā he added, āwill be a major product differentiator.ā
āWe must first understand the risk and then implement and maintain solutions,ā Kube said, reducing control system security to its simplest terms. āIT governance and assessment methodologies do not expose shop floor risk, and in the absence of clear risk data, companies are often making critical mistakesāeither doing too much or doing too littleāand current vulnerability test methodologies generate too many false positives and negatives.ā
Industrial cyber security, like safety, is best quantified by the impact of losing control of a given process, Kube continued. āVulnerability discovery and disclosure have always had an element of cloak-and-dagger and contribute to a āhair on fireā syndrome. Every time a new vulnerability comes out, a new patch is required, generating an alarmist response, which is nothing more than chasing your tail.ā
āThe key is to understand the resilience of each device and make it more so,ā Kube continued. āDevice testing and vulnerability analysis can complement each other to understand the exploitable threats against the device.ā
Engineers design with the intended purpose of the system in mind. They consider failure in terms of entropic events, such as safety or machine failure, where the other compensating controls maintain a safe state. āAs engineers, we assume that the process will fail safe,ā Kube said. āHackers, on the other hand, donāt just send one bad packetāthey research for weeks or months. Intentional attackers will bypass safety systems and other systems.ā
Kube discussed a case study where the CIO of a power plant asked Wurldtech to attack it, even though it had just passed several NERC CIP audits. In four hours, they disabled all generation systems, caused erratic behavior on sensor networks, interrupted communications to the historian and to the shift office and real-time traders, demonstrated a theoretical attack against dam spillway management, disabled the firewall and demonstrated numerous malware- and virus-based attacks.
āWe need to develop models that are based on threat vectors, not on threat agents,ā Kube said. āIn other words, we need to figure out what can happen and prevent that, rather than try to figure out who might attack. We need vulnerability analysis, robustness and resilience testing for industrial environments. Then we can develop and implement mitigation strategies against these broad classes of threats.ā
The benefits of doing it this way are significant, Kube contends. Greater upfront design costs are offset by fewer touch points later in the life cycle. It gives the owner greater confidence in the installed architecture. It creates improved performance of the overall system, not just from a security standpoint, and sets the stage for benefit-driven security. Finally, it resembles safety-driven models, with which the controls industry is quite familiar.
Unfortunately, this model also requires a level of device testing that is not yet commonly in use. Operators and owners can either "roll their own" approach or wait on the ISA99.04 standard and the Industrial Security Compliance Institute (ISCI). āThe models under development do not address every vulnerability,ā Kube said, ānor could we, because of the fundamental limitations of device testing. This technique should address security in terms of design constraints and how to design a resilient process. It is not a guarantee of no-fault, but it does provide a robust system that is fault-tolerant. This model still requires business continuity and incident response plans.ā
"In summary," Kube said, "you are not secure because you did vulnerability analysis; you are not secure because of the latest patch. Understanding your risk level requires a greater level of understanding than is often available. The emerging trends in security are towards system resilience over patching. Resilience testing is essential to identifying risk, and it can be implemented by anyone today.ā