Over the past two weeks, I have presented at or participated in numerous cyber security meetings. Each of the meetings had representatives from both IT and ICS. In many discussions the IT and ICS attendees talked past each other without realizing it. The root issue is that the cyber security lexicon was developed by the IT community, for IT use, in IT applications. Consequently, applying these definitions to ICS can be misleading or inappropriate. Examples include:
Many people in the non-ICS community use the term "SCADA" to represent all ICSs. Since a modern electric industry SCADA system is essentially an IT system, the IT community tends to assume that all ICSs use Windows, have Internet access, use Internet Protocol (IP) communications, and utilize traditional IT technologies and policies. However, the term ICS is generally not understood by the IT community, and terms such as RTUs (remote terminal units), IEDs (intelligent electronic devices), VFDs (variable frequency drives), SISs (safety instrumented systems), CEMs (continuous emission monitors), etc. are certainly not part of the traditional IT lexicon. Moreover, most field communications originate as serial before they are converted to IP, yet the cyber vulnerability of those serial communications is rarely addressed.
The "worst case" scenario in IT is denial-of-service. However, ICSs are often designed to continue to function even if the network is lost. Consequently, a denial-of-service leading to loss of data may not be critical. Loss of control and loss of view (new terms to IT) are the major ICS cyber concerns, as both directly affect reliability and safety. Stuxnet (as did Aurora) involved both loss of control and loss of view. This is where a term such as "Functional Security" or "Operational IT" would be more meaningful.
The CIA (Confidentiality, Integrity, Availability) model is used in both IT and ICS. However, the priorities are reversed for IT and ICS. Consequently, the technologies required to meet the CIA triad can be different. For IT, encryption is critical because confidentiality is the priority. For ICS, integrity and availability may require other means besides encryption, because message integrity and end-device authentication are what matter. Encryption can actually be a problem, as demonstrated at the 2006 ICS Cyber Security Conference. The input to the VPN was compromised, so the VPN dutifully encrypted the already-compromised packets. The encrypted traffic was unintelligible, and the operator assumed that since the information was encrypted it must be trusted. Encryption only says that nobody on the path could read the packets; it says nothing about which device produced them. In this case, the compromised packets sent via the VPN took over a utility SCADA system, changing system voltages and operator screens.
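The 2006 demonstration above is the reason end-device authentication, not tunnel encryption, is the ICS integrity control. The following Python model is an added example written for this page; it is not code from the original post or from the conference demonstration, and its device key, tunnel key, message layout (device id, sequence number, setpoint) and toy XOR keystream "VPN" are all constructed assumptions, not a real VPN or a real RTU protocol. It shows that a frame injected at the VPN input is encrypted and decrypted just like a genuine one, and that only a per-device HMAC checked after decryption separates the two.

```python
"""Encrypted is not the same as trusted: a tunnel (VPN) hides traffic on the
path, but the receiver still does not know which device produced it.
A per-device message authentication key does. Toy model, stdlib only."""
import hashlib
import hmac
import os
import struct

# Keys are constructed for this example; in practice they are provisioned per device.
DEVICE_KEY = b"rtu-7-message-auth-key"    # held only by the RTU and the control centre
TUNNEL_KEY = b"vpn-gateway-traffic-key"   # held by the two VPN endpoints only

LAYOUT = "!HIf"                  # device id, sequence number, setpoint (assumed layout)
TAG_LEN = 32                     # HMAC-SHA256


def build_device_message(device_id, seq, setpoint_kv, key=DEVICE_KEY):
    """RTU side: fixed-layout payload plus HMAC-SHA256 over it.
    The sequence number gives replay protection; the tag gives integrity
    and end-device authentication."""
    payload = struct.pack(LAYOUT, device_id, seq, setpoint_kv)
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def _keystream(key, nonce, n):
    """SHA-256 in counter mode as a toy keystream (stand-in, not a real cipher)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def tunnel_encrypt(plaintext, key=TUNNEL_KEY):
    """Toy VPN: XOR with a keystream under a fresh nonce. It encrypts whatever
    arrives at its input and cannot tell a genuine RTU frame from an injected one."""
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def tunnel_decrypt(ciphertext, key=TUNNEL_KEY):
    nonce, body = ciphertext[:16], ciphertext[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def verify_device_message(frame, last_seq, key=DEVICE_KEY):
    """Control-centre side, applied AFTER the tunnel has decrypted the frame.
    Returns (ok, reason, fields). Decryption succeeding proves nothing here;
    only the tag and the sequence number do."""
    if len(frame) != struct.calcsize(LAYOUT) + TAG_LEN:
        return False, "bad length", None
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "authentication failed", None
    device_id, seq, setpoint = struct.unpack(LAYOUT, payload)
    if seq <= last_seq:
        return False, "replayed", None
    return True, "ok", (device_id, seq, setpoint)


def run_scenario():
    """Four frames through the same tunnel; only the device key decides trust."""
    results = {}
    genuine = build_device_message(7, 1, 138.0)
    ok, reason, _ = verify_device_message(tunnel_decrypt(tunnel_encrypt(genuine)), last_seq=0)
    results["genuine"] = reason                                   # ok
    # Attacker at the VPN input, no device key: tag is garbage, tunnel still carries it.
    injected = struct.pack(LAYOUT, 7, 2, 345.0) + b"\x00" * TAG_LEN
    results["tunnel_carried_injected"] = tunnel_decrypt(tunnel_encrypt(injected)) == injected
    _, reason, _ = verify_device_message(tunnel_decrypt(tunnel_encrypt(injected)), last_seq=1)
    results["injected"] = reason                                  # authentication failed
    # Attacker flips the setpoint inside a captured genuine frame.
    tampered = struct.pack(LAYOUT, 7, 3, 345.0) + genuine[-TAG_LEN:]
    _, reason, _ = verify_device_message(tunnel_decrypt(tunnel_encrypt(tampered)), last_seq=1)
    results["tampered"] = reason                                  # authentication failed
    # Attacker replays the captured genuine frame after it was already accepted.
    _, reason, _ = verify_device_message(tunnel_decrypt(tunnel_encrypt(genuine)), last_seq=1)
    results["replayed"] = reason                                  # replayed
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:24s} {outcome}")
```

The tunnel round-trips the injected frame exactly, which is the point of the 2006 demonstration: the VPN did its job and the operator drew the wrong conclusion from that. The decision to act on a setpoint has to rest on a key that only the field device holds, checked at the endpoint, not on the fact that the bytes were unreadable in transit.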
"Cyber incident" is probably the most contentious term. In IT, "cyber" implies a malicious attack. However, the NIST definition of a cyber incident is an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability (CIA) of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. There is no requirement of malice in that definition. Several other factors also argue that a cyber incident does not have to be malicious to count:
- Unintentional cyber incidents can, and have, caused great harm and economic damage.
- Often, if an incident can be caused by unintentional means, it can also be caused intentionally.
- Some cyber incidents can be either malicious or unintentional (e.g., the 2008 Florida outage), depending on the motivation of the individual involved.
- Unintentional incidents are often not monitored by network intrusion detection systems and are therefore never identified as cyber.
Moreover, there is a lack of ICS field device cyber logging and forensics. People often ask whether there will be a "Cyber Pearl Harbor". There are actually two answers: probably, but it may never be identified as cyber, because of the lack of logging, the lack of training, and a disincentive to identify it as cyber.
Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs) are built on the IT paradigm that the network is the only thing at issue and that the attack vectors are known. In the ICS environment, the concern is both the network and the engineering design and features of the process equipment. As Stuxnet and Aurora demonstrated, there were no known ICS-specific attack vectors for IDSs or IPSs to identify.
In the IT community, there is a push for general purpose computing with more technology and automation. In the ICS community, the computers are purpose-built with limited computing resources. There is no need for all of the features of a traditional general-purpose operating system on an ICS workstation. There really is a need to develop a "skinny" version of Windows without all of the vulnerable features, or to go "back to the future" with platforms such as VAX/VMS or Field Programmable Gate Arrays. There will be a discussion of the functional requirements to secure ICSs at the 2012 ICS Cyber Security Conference (www.icscybersecurityconference.com).
A current focus in IT security is the Advanced Persistent Threat. Since many ICS vulnerabilities are inherent in the design of the systems and persist for the life of the equipment, the ICS focus should be on the Physical Persistent Vulnerability. That is an apt description of both Stuxnet and Aurora.
Joe Weiss