Industrial Cyber Security
Matt Luallen and Steve Hamburg are co-founders of Encari, a critical infrastructure information security consulting company. Together, they bridge the gap between information technology (IT) and plant security to help process control (DCS/SCADA) systems engineers be aware of system vulnerabilities and have processes in place to respond.
Matt Luallen, who started out in network engineering at Argonne National Laboratory, is a cyber security author, consultant, researcher and trainer for critical infrastructure and SCADA/DCS process control systems. Steve Hamburg is a licensed professional civil / structural engineer who ultimately transitioned his career to cyber security consulting ten years ago. Steve is also a published author, public speaker and instructor.
Analogies Abound - Defining Security within Your Control Environment; We Are at a Crossroads
April 06, 2010
Have you had difficulty expressing risk within your organization, or have your colleagues provided guidance that is challenging to fully understand? This is quite common in every discipline, and it appears to be more pervasive in any vertical where the acronyms outnumber the support personnel. Many of us are aware of how far-reaching control systems are within our lives; at the same time, the world marches onward with many unaware of how much of the physical world is now controlled by cyber assets.
Where are control networks today? SCADA networks cover large geographic areas, serving fresh water and waste water delivery, electricity generation and delivery, heavy and light rail, transportation control, natural gas, and oil pipelines. Distributed control systems provide automated solutions for oil refineries, electricity generation, manufacturing, and agriculture. There are even more localized control systems within aircraft, semi-trucks, and even your automobile. These networks have become increasingly automated over the past two decades and increasingly interconnected over the past five years. This interconnectedness provides richness of data to aid in business decisions, performance enhancements, and increased productivity. The connectivity provides for both distributed and centralized real-time control of multiple physical assets, with built-in safeguards to reduce the probability of system failures.
It is truly amazing what feats we have accomplished in such a short time, during both the industrial and now the technological revolution.
Sadly, in the present day, these feats come with a price: increased risk, because our historical physical security controls no longer provide the security to which we are accustomed. The reality is that on the Internet, the highly sought-after “good part of town” does not exist; each of us in this virtual world is literally the speed of light away from each other’s digital doorstep. This is a paradigm shift from our current thought processes associated with our “security.” The physical security controls of the past do not provide the visibility or the response that this virtual world requires. Furthermore, the natural human senses of sight, sound, smell, taste, and touch do not directly apply to this virtual world. Literally, we need to develop a sixth sense to understand the risks we are undertaking with our technological advances, and the appropriate solutions to reduce those risks to levels deemed comfortable by our society.
How do we move forward in today’s world? How can we define our logical security in such a way that provides the same level of security as we have physically?
(Physical) Someone is constantly attempting to pick your door lock or break down your door.
(Logical) Your home network is continuously scanned from around the world in an attempt to find the vulnerability in your outer walls.
(Comments) If our physical doorstep was attacked as often as our logical doorstep, each of us would attempt to find another place to live.
(Physical) You arrive home to find someone you do not know sleeping on your couch.
(Logical) A new service or port has been enabled on your cyber asset (e.g., HMI, PLC, relay, workstation).
(Comments) The tools necessary to truly understand our digital environment at the same level as our physical world are too complex and often misunderstood. Recently at a conference attended by Encari, the concept of “Cyber Archaeologist” was coined. We are highly abstracted from the physical world in which we live and the logical world that automates it.
(Physical) You find a needle lying next to your car in the parking lot and inject yourself.
(Logical) You find a USB flash drive lying next to your car in the parking lot and plug it into your computer.
(Comments) No comments necessary: just don’t do it! Don’t take candy, drugs, or anything else from strangers.
(Physical) You purchase an automobile with a flawed accelerator or braking mechanism and have it repaired via a recall notification.
(Logical) You purchase a control system with vulnerable code and have it patched by the vendor (both appear to take the same amount of time).
(Comments) This most recent example, the control system in automobiles (Toyota Prius braking system), is setting a precedent that the manufacturer is responsible for software flaws.
Use our perspective as an opportunity to provide your own analogies; it is invaluable that we as an industry and more broadly as a global society can convey what is happening within cyber security. We are at a crossroads.
Posted by Matthew Luallen & Steve Hamburg on April 6, 2010
April 11, 2010
In response to: Analogies Abound - Defining Security within Your Control Environment; We Are at a Crossroads
Doron Truk commented:
Excellent explanation!!!! Wouldn't it be more logical to separate the control network from the other networks and the outside world completely??! No door locks will be picked and no "strangers" will sleep on your couch.
I will be more than happy to explain how.