"We can't afford perfect security," Byres says, "and if you can, and you have the money, please call me."
Eric talked about what security can do, and about ISID, the Industrial security Incident Database.
He also talked about the Merseyshire Sewage Spill. Virtually no one in the audience had heard of it. "Everybody in Australia knows about it, and you should, too," Byres said, as he recounted the facts in the case. A hacker deliberately attacked the SCADA system because he was trying to blackmail the Shire authorities into paying him $100K a year.
He talked about the chem plant where the operator brought his home computer in, assigned it the same IP address as a controller, and knocked the controller offline, to detrimental effect.
ISID: 10 to 15 reported incidents per quarter.
Reported incidents changed in late 2001 (gee, I wonder why???) and the curve jumped radically up. There has been a short decline recently.
Byres estimates that there are 400-500 cyber security incidents occuring per year to Fortune500 companies in the US alone...and Europe is likely worse.
Prior to late 2001, most of the problems are accidental, with 75% coming from inside. External incidents are less than 20%.
In late 2001, externals are 61%, accidental is down to 32%. Viruses, trojans and worms proliferate.
"That's the bad news, now I want to give you some good news," Eric said.
Control System Security Certification
--and---
PLC/DCS vulnerability assessment
Eric told his favorite story of the time he and Joanne, his wife and business partner, were asked to test the vulnerability of a hospital network. Using a standard web-downloaded scanning tool, they were able to completely spoof an ICU into thinking the network was working...and it took 5 minutes.
"This is NOT a rare occurrence."
"We have redlighted a control system-- shut it down hard-- right through the firewall."
Eric talked about the project we've been working on since last May, the Control System Security Certification organization...which is in formation. The organization is designed to accelerate the development of standards.
"What would be the target of evaluation of this organization be? If it communicates with anything other than 4-20, it ought to be tested."
Even printers. There are attack points that have allowed printers to be, for example, a pornography server on the Internet.
"Anything that has an embedded processor has risks and needs to be tested."
There are strong benefits of this kind of testing for end-users, Byres says.
My team at BCIT did a significant amount of testing on Honeywell's C200 and C300 controllers. Eric repeated his statement that "of all the controllers we'd tested this was the most robust we'd ever tested."
Honeywell's team, he said, jumped on any tiny problems they found.
"With the C300 Firewall, the BCIT team was unable to attack the controller, and this was the first time that had ever happened," Byres says.
Byres Security will be releasing a study on how to use OPC securely-- that's not a non sequitur.
Dealing with control system vulnerabilities
--Fix the flaw
--Design mitigation strategies
What would we do in the IT world?
Patches
Personal Firewalls
Anti Virus Software
Encryption
But you can't do that in the automation world...you can't add software to your PLC or controller.
So it is better to add hardware instead. A micro firewall designed to be placed in front of individual control devices, that protect the device from attack. This strategy is called "defense in depth."
"A single point of defense is a single point of failure."
Why don't we just buy COTS firewalls and install them?
It was a disaster when tried. Operators just installed jumper cables and bypassed them.
First, to make it work, these distributed firewalls need to be industrially hardened, and they have to live in the DIN rail form factor..they have to be electrician-friendly, functional in the control environment, and it needs control system functionality and extensible and flexible.
Byres showed a prototype of such a firewall.
Electrician friendly:
Field technician need do more than simply plug the firewall in:
--layer 2 firewall requires no IP address
--configure and walk away
Needs to work with electronic data sheets like Foundation Fieldbus, so it can tune itself automatically to a specific device.
This, of course, is the Tofino device that Byres Security and MTL are just before complete release on...see Keith Larson's column in the December Control when it comes out.
"You need some global management system that enables you to manage and monitor thousands of firewalls, deployed in remote locations."
Should we throw out the IT department? Heck no! But we have to tune the IT learnings to work in the automation environment.
"Our view of risk in control systems is very different from the view of risk and mitigation in the IT world. In the IT space, if something goes wrong, you just shut it off. In a control system you can't do that. You can't just shut down a controller."
Control systems have a completely different philosophical and architectural model for security than enterprise IT...we are much more distributed than the enterprise.
"Both the C300 firewall and the MTL Tofino firewall are here...this is not future talk. This is real and you can see them today."
Security through obscurity doesn't work any more. There is a group of hackers in the Far East that is trying in a very organized way to hack into power system computer control systems. Why?
We need to start using the best practices. You cannot stick your head in the sand any more.
