Cover story: Giving your plant a cyber health checkup
Creating a strong cyber security health regimen so you can defend against threats, external and internal.
Jason Urso and Kevin Staggs, Honeywell
Moving from proprietary to open systems in industrial control led to seamless integration across business systems and networks, which has in turn improved control and made businesses more agile overall. However, the same interoperability between systems also leaves those systems exposed to exploitation. From viruses and worms to Trojan horses and data tampering, cyber threats can infect control systems and disrupt plant operations. Recent cyber events in process control contexts reveal that without a comprehensive security strategy, industrial control systems can be vulnerable.
Still, even with all that, statistics show the majority of threats plant engineers face do not come from malicious outsiders—most actually come from inside their facilities.
More than 60% of engineers questioned reported that industrial security breaches do, in fact, come from within. This doesn’t mean employees or contractors are deliberately compromising their systems with malevolent intent. Security breaches often occur due to well-meaning employees who simply aren’t aware of proper security procedures.
The reported incidents are often caused by malware, including viruses, worms, and Trojans, not specifically targeting the affected facilities. And the rest? Most of them are pure accidents, the unintentional consequences of user or configuration errors.
At Browns Ferry nuclear plant in 2006, for instance, excessive traffic between two vendors’ products on the control system network was the likely cause of the failure of redundant drives controlling the recirculating water system, resulting in emergency shutdown. In 2008, the Edwin I. Hatch nuclear power plant went into emergency shutdown after a software update was installed on a computer in the plant’s business network.
Protecting process control systems, though, is not a daunting task; it’s actually very manageable. Think of it like a health regimen: just like a human body needs regular care, control systems should be thoroughly vetted and evaluated on a regular basis. Based on how control systems perform during cyber health checkups, plant operators can then determine what actions should be taken to align their systems with sound strategies.
A complete regimen
With Stuxnet on their minds, many plant operators are looking for that one thing they can do to make themselves immune from attacks. The truth is there’s no single cure-all for cyber security. Doctors can’t prescribe a pill that guarantees good health; it is the result of proper diet, exercise, sleep, and weight control. Protecting control systems from vulnerabilities lies not in a single solution, but rather within multiple safeguards that defend many points.
A cyber-secure plant should have a solid mix of technologies, policies, and procedures in place to combat potential threats effectively. Much like the right health plan, plants should define objectives, take inventory of where they currently stand, and then work to achieve the desired results.
So what then, does a picture of good cyber health look like? Some of these best practices might seem obvious, yet aren’t widely implemented. For example, vendors’ products usually come with default passwords, yet it’s surprising how often many of these passwords go unchanged. Leaving default passwords and security settings in place is analogous to leaving car keys in the ignition with the doors unlocked.
Other simple yet often neglected steps include MS Windows operating system patch management and anti-virus updates, which are extremely critical to maintaining a secure network. Patches keep control systems up to date and are often released when new vulnerabilities are identified. When patches are not deployed, a system remains exposed to vulnerabilities that have already been identified.
Process control vendors can also assist in qualifying anti-virus software, and should be involved in qualifying patches such as Microsoft security updates. Offering a choice of qualified anti-virus software is beneficial to industrial plants, as one leading anti-virus system may be preferred over another. Vendors can also embrace a locked-down model that facilitates system security. This provides customers with preconfigured security settings for files, directories, and registry keys, protecting against malware from both malicious users and unintentional mistakes.
Policies around the use of portable storage devices such as memory sticks need to be defined and enforced. Plugging a memory stick into a USB port circumvents all network security mechanisms that were put in place to defend against an infection. One of the infection paths of Stuxnet, for example, started with USB sticks being plugged into air-gapped systems.
Understanding defense in depth
Not every step in becoming cyber security healthy is quite as obvious and easy to understand, though, especially when it comes to the roundly discussed topic of defense in depth. The core premise behind defense in depth is that multiple layers of protection are in place to guard against threats. How can cyber security measures be layered?
According to the ANSI/ISA-99 or IEC 62443 standards, cyber security is best accomplished in layers, or zones. This methodology helps to protect against threats and can help to prevent problems from spreading throughout the network. Key automation and control devices should be grouped into zones that share common security level requirements. Communication between these zones must then pass through a protected and monitored conduit, a path that regulates the flow of data between zones and allows for more secure communication.
ISA-99 defines high, medium, and low levels of security zones. Each zone requires a security-level target, based on risk analysis of the plant and taking into account the severity and range of possible threats. Equipment in each zone is given a security-level capability. When this capability is lower than the zone’s security level target, a security technology or policy must be implemented to balance the two, which helps to mitigate the risk.
Using this approach, cyber security is much more manageable. With security zones, increasing security levels is only done where the security level target requires it, which is based on possible risk.
Relying on security zones also improves threat detection (assuming threat-detection capabilities are included as part of a zoning strategy). Determining the origin of issues that do arise is much simpler, as plant operators can fix an issue at the source and identify any other immediate vulnerabilities. Proper segmentation limits traffic between zones to what is necessary, and then only through defined and appropriately secured conduits. This can help prevent problems from spreading to other areas, including critical control systems. The strongest possible strategy is to implement defense in depth one step further, creating zones within zones. This prevents a worker misstep in one area of the network from spreading between devices within a single zone, creating a defense system of multiple layers.
The process for establishing how layers are defined follows a logical path of importance. A layered network with the most critical system at the deepest points provides multiple levels of protection.
Level 1: Critical devices, process controllers, and I/O work in Level 1. Generally, these critical embedded control devices should be segregated from the network with control firewalls.
Level 2: Process control operator stations and supervisory control follow in this level. Operator stations are generally Windows stations that should employ a high security model to lock down the nodes, use node-based firewalls, and employ specialized networking techniques to squelch network abnormalities like broadcast storms.
Level 3: This houses the site-wide or plant-wide control applications, examples of which include advanced control and optimization. A secure gateway should exist between Level 3 and the process control systems on Level 2 that limits communication to only what is needed for control. A firewall with access control and communication filtering rules can help accomplish this segregation.
Level 4: Business systems are typically located on this level and are connected to a plant intranet. The link between Level 3 and Level 4 is where the key security break comes into play. The connection between the process control networks and the business system networks require special attention and segregation. One way to accomplish this is to establish a demilitarized zone (DMZ) that can carefully manage communication between process and business.
DMZ: The process control DMZ is also a good place to put enterprise historians, system management servers, as well as patch management/anti-virus servers.
By employing multiple layers of protection, security risk can be reduced while still allowing for interoperability of networks and systems.
Checking your health
Once an industrial plant has identified the elements of a healthy cyber security infrastructure, the plant management can assess where the plant currently stands, identify vulnerabilities, and, if necessary, implement the necessary practices to receive a clean bill of cyber health.
Risk assessments reveal the vulnerabilities that already exist in a system by taking an inventory of a facility’s networks, policies, and procedures, among other things. An inventory of the networks, for example, will determine where design drawings are no longer up to date and detect the areas of highest risk. Then, the entire range of threats can be identified, instead of placing all the emphasis on high-profile events, such as a Stuxnet-type attack. With all threats identified and evaluated, plant managers can prioritize, tackling the high-probability, high-impact vulnerabilities first.
While existing technological measures must be thoroughly evaluated, it’s also critical to determine the effectiveness of existing personnel policies and procedures. Regarding visitors and contractors, for instance, think about the steps visitors go through before being allowed to tour a plant. These steps most certainly include some sort of safety training, and always include measures to shield them from the inherent risks of industrial plants with hard hats, protective clothing, and steel-toe boots being standard issue.
The same rigorous approach should be considered for cyber security. Giving visitors and contractors training and specific guidelines to follow when working in an industrial facility can curtail a certain set of cyber threat risks. Outsiders should be informed explicitly about where they are allowed to plug in their computers, how to audit those computers, and what to do with USB sticks. That can include having rules that require visitors to leave USB drives with security guards prior to entering the facility, for example. A strict, comprehensive policy will help outsiders understand the seriousness of a plant’s cyber security culture.
Of course, there also is a certain culture that must be instilled among employees. Once the policy is in place, it is important to establish which employees have access, and with what privileges. There should be well-defined limits of access based on the level of the worker’s responsibility. Consider implementing a strategy of role engineering; that is, creating a model that defines the desktop behavior within an organization based on preconfigured groups and group policies. For example, role engineering dictates that policies for operators are locked down, limiting the user to applications deemed necessary for operating the process. Plants should also consider having these programs already running and available on operator desktops. Supervisors are granted similarly protected access. Engineers, however, have more access but are still restricted to their relevant engineering functions. Administrators are granted unlimited access, but with more-secure settings and a requirement to change passwords more frequently. It’s also worth pointing out that the more privileges a user has, the more trustworthy that individual should be.
A comprehensive assessment covers all assets of a network and leaves the plant management with a firm understanding of how the plant compares to industry standards and best practices. Based on that assessment, plant managers can identify and prioritize vulnerabilities and determine what steps they need to take to improve cyber health.
The next step is to remediate the network, policies, and procedures with a custom-designed security management program. Like each person, each network is unique. The security management program in every industrial plant should be uniquely tailored to protect the plant’s most valuable functions and defend against its greatest vulnerabilities.
A new culture
It can be easy to lose focus on maintaining cyber security. Anyone who has taken up a new workout program or changed their diet is familiar with the challenge of adopting and keeping new routines. However, the consequences of complacency are great, and without discipline industrial plants can fall back into insecure practices that leave them vulnerable to inside risks.
Keeping up with the cyber health regimen is just as critical as building it in the first place. Knowledge is the key to keeping networks safe, and people are one of an industrial plant’s strongest assets in cyber defense. A workforce of people that understand their network’s vulnerabilities and can demonstrate best practices are indicators of a working strategy. This also minimizes the risk of the common accidental setback.
An established security response team composed of cross-functional employees, for instance, can monitor every section of a network. This should diminish the probability of intentional exposure to harmful malware. Security teams can keep one step ahead of potential issues by holding regular meetings that cover the latest threats and technologies.
Health is not simply the absence of pain or disease; health is the presence of physical and mental well-being. Therefore, cyber health is not the absence of cyber threats, but a robust defensive preparedness to overcome any issue, and keep operations running, should one arise. Following these best practices and procedures can help plant managers protect their networks from the dangers within.
Kevin Staggs, CISSP, is an engineering fellow with Honeywell Automation and Control Solutions. Jason Urso is vice president and chief technology officer for Honeywell Process Solutions.