Cyber security needs cooperation between IT and control

Originally, industrial control systems were physically and electronically-isolated systems that used proprietary operating systems, and obscurity generally provided the cyber security. However, a confluence of technical developments, governmental mandates and productivity requirements have led to the "opening up" of control system infrastructures. Effective plant-floor protection requires cooperation between IT and control.

By Joe Weiss PE, CISM

Industrial control systems (ICS) include supervisory control and data acquisition (SCADA), distributed control systems (DCS), programmable logic controllers (PLC), remote terminal units (RTU), intelligent electronic devices (IED), smart transmitters and drives, continuous emission monitoring systems (CEMS), meters, vibration monitoring systems, and more. They’re used throughout the global industrial infrastructure, including electric power generation, transmission and distribution; water and wastewater; oil/gas; chemicals; pipelines; pharmaceuticals; mining and manufacturing.

Originally, industrial control systems were physically and electronically-isolated systems that used proprietary operating systems, and obscurity generally provided the cyber security. However, a confluence of technical developments, governmental mandates and productivity requirements have led to the “opening up” of control system infrastructures. Some examples include:


  • Powerful microprocessors that enable ICS field devices to perform control functions remotely from the DCS or SCADA master stations.
  • Communication and networking technologies including the Internet, industrial Ethernet and wireless technologies such as IEEE 802.x and Bluetooth.
  • Productivity requirements resulting in the need for more automation.
  • Control system archival databases that provide acknowledged value to the corporate environment but result in remote access from corporate, engineering and other non-operational organizations.
  • Government mandates such as environmental controls.

Roughly half of the small number of ICS suppliers are internationally based. The U.S.-based suppliers such as General Electric, Honeywell, Emerson and Rockwell supply not only North America, but the rest of the world. Similarly, the foreign manufacturers such as Siemens, ABB, SMAR and Yokogawa supply their regions as well as the rest of the world. From a cyber security perspective, ICSs are the same whether they’re used in power plants, refineries or auto assembly lines. They use similar control system architectures and the same vendor-supplied default passwords. Because of U.S. export rules, domestic suppliers can’t furnish systems to certain countries, while the internationally based suppliers have no such constraint. Consequently, it can be assumed that knowledge of how these systems work, and of their weaknesses, isn’t confined to any one country or industry, including countries not necessarily friendly to the U.S.

ICS and IT systems

ICSs are technologically, operationally and administratively different from traditional information technology (IT) business systems. Technologically, an ICS is a deterministic system with precise timing requirements, and it’s often limited in processing resources and bandwidth. IT systems follow the paradigm of CIA — confidentiality, integrity and availability — and IT security technologies are built around those priorities in that order. However, ICS priorities for control system data in motion are almost the reverse: availability first, then integrity, with confidentiality significantly less important. This means that the technologies needed to secure ICSs can be very different. Operationally, they require extremely high reliability and interoperability between different vendors’ systems and control system communication protocols such as Modbus, Profibus, DeviceNet, DNP3 and the like. The control system engineer often is the system administrator, and traditional IT security approaches, such as locking an account after three missed password attempts, can’t be applied to a control system workstation without extreme risk: an operator locked out of the console can’t respond to a process upset. Most important, an ICS’s primary function is to provide flexible, reliable monitoring and control performance, whereas security is of secondary importance. Security controls generally cost performance. Consequently, a trade-off between performance and security is required.

Unlike the traditional information technology (IT) systems with their three-year to five-year lifetimes, ICSs generally have 20-year to 30-year lives. ICSs generally are replaced either because of equipment obsolescence or inability to meet government requirements, not because of cyber security limitations. Consequently, any identified cyber security vulnerabilities need to be addressed without equipment replacement.

An ICS is generally composed of an operator interface, typically using commercial operating systems (Figure 1), and field devices using proprietary operating systems (Figure 2). For the operator interface, cyber security threats generally consist of denial-of-service (DoS) because of loss of communications. This can lead to system shutdown, but is generally short-lived and doesn’t affect system health. However, cyber security threats to a field device can lead to equipment damage and personnel safety concerns. Moving networking and the Internet into the ICS domain has led to an unintended consequence — a cultural clash between IT and operations. The ICS begins to look more like a traditional IT system, with traditional IT infrastructure such as firewalls and intrusion detection systems and using TCP/IP communication. There’s a tendency for the IT organization to want to exert control over the ICS networks without understanding the implications of such an undertaking. Applying traditional IT testing and policies to control networks has led to ICS performance problems ranging from short-term communication denial of service, to control system shutdown, to actual damage to control system hardware requiring hardware replacement.

Consequently, there’s a great need for the IT community and the ICS community to come together to help secure these critical networks.

However, a major concern is the dearth of experts who truly understand control system design and operation as well as security. This situation is getting worse. As can be seen from the arrows on Figure 3, many more people are getting into “SCADA” (ICS) security from the IT side without an understanding of control system operation, as opposed to control system engineers moving into security. This migration needs to be reversed. Additionally, those with an interest in ICS security need to develop better education and training programs.

Certifications such as the Certified Information System Security Professional (CISSP) and the Certified Information Security Manager (CISM) are based on traditional IT technologies and don’t address the unique aspects of ICSs. The same can be said of IT security policies and procedures. ISO/IEC 17799 (since renumbered ISO/IEC 27002) and its companion management-system standard ISO/IEC 27001, Information Security Management — Specification With Guidance for Use, were developed for IT applications, not ICS purposes.

ICS cyber threats

Cyber threats to ICSs are real. Even though facilities are unlikely to report incidents, there have been more than 80 known cases (intentional and unintentional) in all industries. Effects range from trivial to significant equipment and environmental damage to deaths.

Threats to any ICS include intentionally targeted attacks, unintended events and unintentional events. Intentionally targeted events are the lowest probability, but highest consequence events. Attackers would generally be disgruntled insiders or terrorists with knowledge of the specific end user or ICS. Terrorists could be eco-terrorists, nation-state or nation-state-financed. There have been very few cases to date of targeted events.

Unintended events include computer viruses and worms. While virus developers aren’t targeting ICSs, many ICSs have been affected when the ICS networks haven’t been isolated sufficiently or used devices such as telecom frame relays that had previously unknown vulnerable connections. These events are the highest probability, but generally have short-term, limited consequences.

Unintentional events occur because of inappropriate testing, such as running traditional IT tests against control equipment, or because of instituting inappropriate security policies. As with unintended events, unintentional events have medium to high probability, with consequences that can range from trivial to ICS equipment problems. These events have caused facility downtime and equipment damage requiring hardware replacements.

Need to share information

An unintended consequence of ICS cyber security has been a dearth of information-sharing and the resulting perceived lack of a business case to address ICS cyber security. Without more detailed knowledge of the facility’s cyber risk, it’s difficult to justify spending money on cyber mitigation rather than on other upgrades or modifications that have a direct effect on the operations and maintenance bottom line.

There are two aspects to the lack of information. The first is the inability to determine that a cyber event has occurred at all. Many industrial facilities don’t use firewalls or intrusion detection systems, or don’t have logging capabilities for electronic communications. Consequently, it wouldn’t be possible to know that a cyber event closed a valve or opened a breaker, because a root cause investigation looks only at mechanical and electrical issues. Several ICS cyber events have taken more than 24 hours, or multiple intrusions, before cyber was identified as the initiating cause. Secondly, there are significant corporate inhibitions to disclosing information about cyber events. Nobody wants to reveal to the hacker community that they’ve been hit. Nobody wants Wall Street or customers to know they’re vulnerable.
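The logging gap described above is concrete: without a record of the control-network traffic, a valve that closed because of a Modbus write from the wrong host looks identical to a valve that closed because of a mechanical fault. The following is an added example, not code from the article or from any vendor, of the minimum a root-cause investigator would want: a parser for Modbus/TCP request frames that records every write (function codes 0x05, 0x06, 0x0F and 0x10), flags writes from hosts other than the operator HMI, and separately records malformed frames. The host addresses, the "allowed writers" set and the sample packets are constructed for illustration; the frame layout (7-byte MBAP header followed by the PDU) is the standard Modbus/TCP encoding.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Modbus function codes that change process state; reads are ignored by the audit.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int] = None  # starting coil/register address
    value: Optional[int] = None    # value for single writes, quantity for multi/read

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The MBAP length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(frame) - 6}")
    pdu = frame[7:]
    req = ModbusRequest(tid, unit, pdu[0])
    # Reads (0x01-0x04) and all four write codes start with a 16-bit address and a 16-bit value/quantity.
    if req.function in (0x01, 0x02, 0x03, 0x04, *WRITE_FUNCTIONS):
        if len(pdu) < 5:
            raise ValueError("PDU truncated before address/value fields")
        req.address, req.value = struct.unpack(">HH", pdu[1:5])
    return req

def describe_value(req: ModbusRequest) -> str:
    if req.function == 0x05:  # single coil: 0xFF00 means ON, 0x0000 means OFF
        return {0xFF00: "ON", 0x0000: "OFF"}.get(req.value, f"invalid 0x{req.value:04X}")
    if req.function == 0x06:
        return f"value {req.value}"
    return f"{req.value} items"  # multi-write: the second field is a quantity

def audit_writes(packets: List[Packet], allowed_writers) -> List[Dict]:
    """One record per write request (or malformed frame), flagging writes from unexpected hosts."""
    events = []
    for p in packets:
        try:
            req = parse_modbus_tcp(p.payload)
        except ValueError as err:
            events.append({"kind": "malformed", "src": p.src, "dst": p.dst, "reason": str(err)})
            continue
        if req.function not in WRITE_FUNCTIONS:
            continue
        events.append({
            "kind": "write", "src": p.src, "dst": p.dst, "unit": req.unit_id,
            "function": WRITE_FUNCTIONS[req.function], "address": req.address,
            "value": describe_value(req), "unauthorized": p.src not in allowed_writers,
        })
    return events

# Constructed sample traffic for illustration, not a capture from any real plant.
ALLOWED_WRITERS = {"10.1.1.10"}  # assumed: the operator HMI is the only host expected to write
SAMPLE_PACKETS = [
    Packet("10.1.1.10", "10.1.2.5", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),    # read 10 holding registers
    Packet("10.1.1.10", "10.1.2.5", b"\x00\x02\x00\x00\x00\x06\x01\x05\x00\x10\xff\x00"),    # HMI opens valve coil 16
    Packet("10.20.30.40", "10.1.2.5", b"\x00\x03\x00\x00\x00\x06\x01\x05\x00\x10\x00\x00"),  # corporate host closes it
    Packet("10.20.30.40", "10.1.2.5", b"\x00\x04\x00\x00\x00\x06\x01\x05\x00\x10"),          # truncated frame
]

if __name__ == "__main__":
    for event in audit_writes(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print(event)
```

Run against the sample traffic, the audit yields three records: the HMI's write is logged as expected, the write from the corporate address is flagged unauthorized, and the truncated frame is recorded as malformed rather than silently dropped. In a real deployment the packets would come from a network tap or span port on the control network, the record would carry a timestamp, and the allowed-writer set would be the documented list of engineering and operator stations; the point is that a valve closing at 14:02 can then be matched against a write request at 14:02 from a host that had no business issuing it.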

What to do

There are several steps that can be taken now:

  • Get buy-in from senior management and other stakeholders, including IT.
  • Perform a detailed vulnerability assessment of your facility to determine potential weaknesses.
  • Perform a risk assessment to determine the criticality of what you’ve found and to prioritize funding and implementation.
  • Develop security policies and procedures specific to your ICS.
  • Maintain a living program that reassesses the situation each time the cyber infrastructure has been changed.

Industrial control systems are critical to the industrial economy and national security. They’re technologically, operationally and administratively different from IT systems and need to be treated accordingly. Modern communications and networking technologies can render your ICS vulnerable to intentional or unintentional cyber events. Consequently, operations and IT need to address these potential cyber vulnerabilities with a joint effort. In the long run, there’s a need for more trained control system cyber security professionals.

Joe Weiss P.E., CISM, is managing partner of Applied Control Solutions, LLC, in Cupertino, CA. You can contact him at joe.weiss@realtimeacs.com and (408) 253-7934.