Advances Needed in Control System Cyber Security

April 9, 2008
Cyber Security Is A Shared Responsibility.

“I am very passionate about this subject,” said Rob Hoffman from Idaho National Laboratory (INL), “because when Idaho National Lab got hacked, I was doing IT work, and I got tabbed to ‘make sure this never happens again.’” Hoffman went on to become the leader of the Control System Security Program (CSSP) at INL, one of the government national laboratory foundations working with the Department of Homeland Security to protect the national infrastructure.

“We need to build a culture of reliability, security and resilience,” says Idaho National Lab’s Rob Hoffman, discussing the need for cooperation among government, industry and international organizations to reduce control system threats.

“There’s a new book out,” Hoffman said. “It is called Hacking SCADA: Industrial Network Security from the Mind of the Attacker. You can buy it at Barnes and Noble. It has become fashionable in hacker circles to talk about control systems and how to use commonly available tools to enter and control the systems you all work with and maintain.”

Hoffman went on to describe the differences between IT security on enterprise systems and control-system cyber security. IT systems tend to last three to five years, while control systems last at least twenty. Application of patches is slow and vendor-specific in control systems, and because control systems need to be running 24/7, “you can’t send out a memo that says the servers will be going down for maintenance for four hours on Thursday night.”

Hoffman asserted that control-system cyber security is immature from a policy and standards development standpoint, and most control system engineers aren’t accustomed to thinking in security terms. “Control systems are usually one generation old, as far as processors are concerned,” he said.

His objective for CSSP is to strengthen the control system security posture by coordinating across government, private sector and international organizations to reduce the risk. “We need to build a culture of reliability, security and resilience,” he said, “and we have to demonstrate value.”

There are interdependencies in the security sectors as well. Many government agencies and many private companies and organizations are stakeholders in cyber security, and CSSP intends to help coordinate these interdependencies and provide thought leadership for cyber issues. This is extremely important, Hoffman said, adding, “Because of our critical infrastructure, something like 85% is privately owned and unregulated. I don’t necessarily think additional regulation is the correct path, either. So we educate.”

CSSP has produced some significant risk reduction products, including a cyber security self-assessment tool, a detailed cyber security procurement language for control systems, a pocket guide to securing SCADA and control systems, and a set of recommended practices. CSSP has also set up a group within US-CERT to produce control-systems-related vulnerability notices, and CSSP teaches control systems security awareness and mitigation training classes. All of this information is available at http://www.US-CERT.gov/control_systems.

One of the most important initiatives CSSP has undertaken, Hoffman revealed, is the technology assessments they do under contract, and with nondisclosure agreements, for control systems vendors. “Basically, we get the hardware and the control systems engineers from the vendor, and we build a system and get it ready. Then our ‘Red Team’—that’s the attackers—get six weeks to invade and take control of the system.

“In four years of doing this,” Hoffman said, “we have never been stopped from gaining full operational control over the control systems.”

Then they tell the vendors how they did it, and the vendors go off and fix the problems and tell their end users what to look for and how to fix it.

CSSP is responsible for the scenario development that led to the Aurora vulnerability that was revealed last year and shown on CNN. Hoffman said, “We bought a heavy diesel generator, had it installed, connected its control system up, hacked the control system and destroyed the generator.”

Cyber vulnerabilities of control systems are real, Hoffman added, citing revelations by the CIA’s Tom Donahue at the recent SANS conference that the CIA had documented evidence of organized crime holding some municipalities ransom with threats to their control systems. “Give us what we want or your lights won’t work, your water system won’t work, and your wastewater system won’t work.”