Cyber security is a team effort
By Joe Weiss PE, CISM
PlantServices.com
Effective plant-floor protection requires cooperation between IT and control.
Industrial control systems (ICS) include supervisory control and data acquisition (SCADA), distributed control systems (DCS), programmable logic controllers (PLC), remote terminal units (RTU), intelligent electronic devices (IED), smart transmitters and drives, continuous emission monitoring systems (CEMS), meters, vibration monitoring systems, and more. They’re used throughout the global industrial infrastructure, including electric power generation, transmission and distribution; water and wastewater; oil/gas; chemicals; pipelines; pharmaceuticals; mining and manufacturing.
Originally, industrial control systems were physically and electronically isolated systems that used proprietary operating systems, and obscurity generally provided the cyber security. However, a confluence of technical developments, governmental mandates and productivity requirements has led to the “opening up” of control system infrastructures. Some examples include:
- Powerful microprocessors that enable ICS field devices to perform control functions remotely from the DCS or SCADA master stations.
- Communication and networking technologies including the Internet, industrial Ethernet and wireless technologies such as IEEE 802.x and Bluetooth.
- Productivity requirements resulting in the need for more automation.
- Control system archival databases that provide acknowledged value to the corporate environment but result in remote access from corporate, engineering and other non-operational organizations.
- Government mandates such as environmental controls.
Of the limited number of ICS suppliers, approximately half are internationally based. The U.S.-based suppliers such as General Electric, Honeywell, Emerson and Rockwell supply not only North America, but the rest of the world. Similarly, the foreign manufacturers such as Siemens, ABB, SMAR and Yokogawa supply their regions as well as the rest of the world. From a cyber security perspective, ICSs are the same whether they’re used in power plants, refineries or auto assembly lines. They use similar control system architectures and the same vendor-supplied default passwords. Because of U.S. export rules, domestic suppliers can’t furnish systems to certain countries while the internationally based suppliers have no such constraint. Consequently, it can be assumed that the cyber-security knowledge of these systems isn’t limited to any country or industry, including those not necessarily friendly to the U.S.
ICS and IT systems
ICSs are technologically, operationally and administratively different from traditional information technology (IT) business systems. Technologically, the ICS is a deterministic device with precise timing requirements, and it is often limited by computer resources and bandwidth. IT systems follow the paradigm of CIA — confidentiality, integrity and availability — and IT security technologies are based on those priorities. However, ICS priorities for control system data in motion are almost the opposite. That is, the priorities are availability and integrity, with confidentiality being significantly less important. This means that the technologies needed to secure ICSs can be very different. Operationally, ICSs require extremely high reliability and interoperability between different vendors’ systems and control system communication protocols such as Modbus, Profibus, DeviceNet, DNP3 and the like. The control system engineer often is the system administrator, and traditional IT security approaches, such as disconnecting a system after three missed password attempts, can’t be applied to a control system workstation without extreme risk. Most important, an ICS’s primary function is to provide flexible, reliable monitoring and control performance, whereas security is of secondary importance. Security generally tends to affect performance. Consequently, a trade-off between performance and security is required.
Unlike the traditional information technology (IT) systems with their three-year to five-year lifetimes, ICSs generally have 20-year to 30-year lives. ICSs generally are replaced either because of equipment obsolescence or inability to meet government requirements, not because of cyber security limitations. Consequently, any identified cyber security vulnerabilities need to be addressed without equipment replacement.
An ICS is generally composed of an operator interface, typically using commercial operating systems (Figure 1), and field devices using proprietary operating systems (Figure 2). For the operator interface, cyber security threats generally consist of denial-of-service (DoS) because of loss of communications. This can lead to system shutdown, but is generally short-lived and doesn’t affect system health. However, cyber security threats to a field device can lead to equipment damage and personnel safety concerns.
Moving networking and the Internet into the ICS domain has led to an unintended consequence — a cultural clash between IT and operations. The ICS begins to look more like a traditional IT system, with traditional IT infrastructure such as firewalls and intrusion detection systems and with TCP/IP communication. There’s a tendency for the IT organization to want to exert control over the ICS networks without understanding the implications of such an undertaking. Applying traditional IT testing and policies has led to ICS performance problems ranging from short-term communication denial of service to control system shutdown to actual damage to control system hardware requiring hardware replacement.
Consequently, there’s a great need for the IT community and the ICS community to come together to help secure these critical networks.
However, a major concern is the dearth of experts who truly understand control system design and operation as well as security. This situation is getting worse. As can be seen from the arrows in Figure 3, many more people are getting into “SCADA” (ICS) security from the IT side without an understanding of control system operation, as opposed to control system engineers moving into security. This migration needs to be reversed. Additionally, those with an interest in ICS security need to develop better education and training programs.