A guide to industrial control system security

Although the field of computer security and its relation to ICS security is extensive and highly technical, these recommendations can help mitigate many of the most common and easily exploitable security holes.


Although the field of computer security and its relation to ICS security is extensive and highly technical, these recommendations can help mitigate many of the most common and easily exploitable security holes. Courtesy: Cross Company Integrated Systems GroupFor the majority of their existence, industrial control systems (ICS) have been isolated from external access. But with the increased prevalence of computers and the internet in modern society, these once isolated systems are being exposed to the world.

This exposure has created a myriad of new security concerns that were impossible to predict when many of these systems were first installed, and because of the mutability of the internet and modern technology, many of these systems are no longer secure against unauthorized access.

One important concept to remember about security in general, is that given unlimited resources and time, an attacker will ALWAYS gain access to a guarded system. Therefore, the main goal of security systems is not to prevent unauthorized access, but to make it as difficult as reasonably possible for an attacker to gain access, without inhibiting normal use.

A good example is the lock on your front door. A lock will prevent someone from just opening the door and walking in, but it won’t prevent someone from breaking it down or simply finding another way. One option to fix this weakness would be to encase the house in cement and post armed guards at the perimeter, but that would likely interfere with your daily activities and be cost prohibitive. The more reasonable solution would be to accept the limitations of your home’s security and to make the most of it by locking the door, not advertising when you’re leaving, etc.

Compared to your house, however, an industrial facility likely has more value to be gained from unauthorized access, and therefore has an increased budget and need for security. The reasonable option is often fences, gates, cameras, and an access control system. These systems won’t stop a determined intruder, but they often provide enough of a deterrent to prevent unauthorized access.

Like your house and an industrial facility, a computer system can only be secured to a reasonable degree, which is usually dictated by a budget and the system’s normal operation. Also like a house and industrial site, a computer system’s security is easiest to bypass by taking advantage of human error.

The common example of this is social engineering, or manipulating someone into divulging protected information, but other examples would be computer viruses or malware accidentally introduced by a user. Unfortunately, this is also one of the hardest security threats to minimize because it requires changing human behavior. Often the better solution is to make it harder for a user to follow unsafe practices. Some simple solutions to this are as follows:

  • Require every user to have an individual account and strong password.
  • Require passwords be regularly changed.
  • If practical, make sure user accounts automatically log off when inactive.
  • Use a smart card reader in addition to a username and password.
  • Remove CD or floppy drives, and use external USB versions when required.
  • Place physical port blockers on all USB ports and connect the keyboard and mouse through PS2 ports.
  • Use a virus scanner, if supported, and keep all parts of the system as up-to-date as possible.
  • Send out regular reminders to users about not sharing passwords, and other good security practices.

Most of the above practices are relatively inexpensive and will not interfere with normal operation, but will help mitigate many common security weaknesses.

One topic of special note is the idea of a strong password. One of the most common issues with passwords is creating a strong but easy to remember password. The strength of a password is mostly related to its length, and in many cases a longer password is harder to remember. To solve this problem, try using a sentence as a password. A password created like this is far easier to remember, and far harder for a computer to guess, than the typical 8 character password.

The next most common method of unauthorized access is poor design with respect to security. Computer and network security is a vast and complicated field, but the basics are simple, easy, and the most important. Because industrial control systems are inherently insecure, the best practice is to keep them completely isolated from any network access. Unfortunately, this is not always possible, so the next best option is to remove any non-essential network access.

This can be done with a properly configured firewall. In this case properly configured means using a whitelist for all inbound and outbound traffic. This is something that needs to be set up by a knowledgeable administrator, and will often be specific to an individual site. It is important to remember that the firewall should be placed at the access point of the ICS, as seen below.

An additional system called an intrusion detection system (IDS) can also be installed and configured. The purpose of an IDS is to alert an administrator to unusual traffic or activity on a network or system. These systems are commonly used in corporate networks, and with proper configuration can add additional security to an ICS. If network access is only needed occasionally, to allow an integrator to work remotely for example (Read: The benefits of adding remote access to your DCS system), then a good policy would be to keep the network cable unplugged when not needed.

If wireless access is required ,or the system needs to communicate over the internet, additional security measures will need to be applied. For a wireless network, the best choice is to use WPA2-PSK security with a strong password. Connections over the internet should be passed through a VPN and care should be taken to ensure that any remote connections are on a secure network as well. When setting up a VPN, the best option is to use a certificate instead of a password, as it is often harder to break. Setting up a VPN to use a certificate is trivial in most scenarios for a knowledgeable administrator.

Although the field of computer security and its relation to ICS security is extensive and highly technical, the above recommendations can help mitigate many of the most common and easily exploitable security holes. In the end, the responsibility of security is on the owner of the system, so if security is a major concern to your business then, the best way to ensure there are no weaknesses is to consult an ICS security professional. More information about ICS security, as well as the the latest information on system vulnerabilities, can be found at ics-cert.us-cert.gov.

Andrew Riedel is an Electrical Engineering graduate from the University of Tennessee with experience in industrial control systems, embedded electronics, and software/firmware development. Andrew Riedel is an Electrical Engineering graduate from the University of Tennessee with experience in industrial control systems, embedded electronics, and software/firmware development. In his spare time Andrew enjoys rock climbing, music, and photography. This article originally appeared on Cross Company Integrated Systems Group blog. Cross Company Integrated Systems Group is a CFE Media content partner.

Cross Company is a CSIA member as of 7/6/2015

No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Controller programming; Safety networks; Enclosure design; Power quality; Safety integrity levels; Increasing process efficiency
Additive manufacturing benefits; HMI and sensor tips; System integrator advice; Innovations from the industry
Robotic safety, collaboration, standards; DCS migration tips; IT/OT convergence; 2017 Control Engineering Salary and Career Survey
Featured articles highlight technologies that enable the Industrial Internet of Things, IIoT-related products and strategies to get data more easily to the user.
This article collection contains several articles on how automation and controls are helping human-machine interface (HMI) hardware and software advance.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Infrastructure for natural gas expansion; Artificial lift methods; Disruptive technology and fugitive gas emissions
Mobility as the means to offshore innovation; Preventing another Deepwater Horizon; ROVs as subsea robots; SCADA and the radio spectrum
Future of oil and gas projects; Reservoir models; The importance of SCADA to oil and gas
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me