Control systems cyber security
Insurance companies, lawyers, governments, and individuals throughout the world are increasingly concerned about the possibility and impacts of cyber attack against manufacturing and critical infrastructure. Likewise, manufacturing and critical infrastructure industries, such as electric power, water, and oil/gas, around the globe are concerned about the cyber vulnerabilities of their critical process control systems: DCSs, PLCs, SCADA systems, HMIs, and control systems networks.
There are reasons for concern—while potential vulnerabilities in traditional IT systems are well known and understood, process control system security handicaps are widespread, badly misunderstood, and remain largely unaddressed. As a result, many find themselves faced with an uncertain fear that it is only a matter of time before the 'big one' hits.
Few in the industry have done much to allay these fears. In fact, many have stepped up to spread fear, uncertainty, and doubt to new levels, prompting many to wonder if, as Chicken Little says, the sky really is falling. Some rationalize that with this much noise, the problem cannot really be serious, and they ignore it. Others throw up their hands and wait to see if or when it will happen and how bad it will be.
To others, however, the message is clear. They define security as another aspect of ensuring process control system reliability and availability. Ensuring the integrity and availability of control system assets allows system users to take a more balanced approach to addressing security, prevention, and recovery, if an issue does indeed arise.
Traditionally, the corporate IT organization has the knowledge and budget to manage cyber security. However, IT often does not understand control systems. And while the operations staff has operations and maintenance (O&M) responsibility for control systems, their understanding of and budget for cyber security is less than IT's. Additionally, technology and culture gulfs widen the gap:
IT often does not appreciate the need for 24/7 availability of control systems;
IT also does not understand the possible shortcomings of applying IT technology and policies to control systems; and
Operations staff generally believes that availability trumps security.
Like those in non-control system industries, many entities impacted by control systems cyber mishaps are unwilling to publicly share information, or even acknowledge the incidents. However, information is being gathered on control system security issues across industries and around the world. Taking a pragmatic look at the growing accounts of cyber security issues, identifying what is real, and discounting what is hype, trends emerge about types of attacks, performance and financial losses, and industry responses.
Control system cyber incidents have occurred in electric power (transmission, distribution, and generation, including hydro, fossil, and nuclear), water, oil/gas, chemicals, and manufacturing. Recent targeted control systems cyber events include increased 'probing' and analysis of critical infrastructure control systems as noted by the FBI. There also is an increase in 'chatter' about control systems vulnerabilities on hacker Internet message boards known as black hat boards and vulnerability boards.
An accurate accounting of cyber attacks on control systems has not yet been performed by an independent organization. There are a number of 'independent' databases on control systems at this point, but drawing statistical conclusions from such limited data is dubious at best. However, those of us in the industry who have been focusing on this space see similar growth trends between vulnerabilities exposed in traditional IT systems and those being found in control systems (see 'Cyber security incidents reported to CERT' graphic).
Among the different types of actual events targeting control systems in a specific company, there are three broad categories: (1) intentional hits such as hacking (unauthorized entry into secure electronic files), denial of service (DoS—an attack designed to bring down a network by flooding it with useless traffic), or spoofing (forging the 'from' field in an email to send out email with a 'from' address that is not your own); (2) unintentional consequences or collateral damage from worms and viruses; and (3) unintentional internal security breaches, such as inappropriate testing procedures of operational systems or inadequate control systems architecture.
Of the three, targeted attacks are the least frequent. Targeted attacks are potentially the most damaging, but also require detailed knowledge of the entity and supporting infrastructure. Consequently, the most likely attacker is a disgruntled employee, ex-employee, or someone who has worked with, or for, the entity being attacked.
The highest probability events are the unintentional internal events caused by inappropriate or inadequate testing or procedures. Penetration testing of control system networks by personnel unfamiliar with control systems is asking for trouble. The most common events are Internet viruses and worms that have not targeted any end-user but generically target Microsoft Windows or other basic IT infrastructure. As control system HMIs have been migrating toward commercially available operating systems, there has been an increasing number of DoS attacks. Such incidents on control systems tend to be unpredictable, and are largely based on the control systems platform and age of the device. The most typical result is erratic behavior of the system, including slowdown, loss of response, and shutdown.
The consequences of compromised manufacturing and control systems can include endangerment of public or employee safety, loss of public confidence, violation of regulatory requirements, loss of proprietary or confidential information, economic loss, and impact on national security. Specifically, direct financial losses stem from:
Control system performance degradation (such as performance losses, opportunity losses, regulatory compliance issues, etc.);
Personnel resources needed for system recovery; and
Customer complaints/lawsuits, higher insurance premiums, loss of reputation, etc.
Viruses, worms, and other cyber attacks to traditional IT systems are on the rise, as the charts show. However, because few of these incidents are reported, there has not been a quantitative business case that can be used by an operations manager to make an economic trade-off between cyber vulnerabilities and traditional O&M considerations.
Additionally, many in the electric industry have assumed a loss of power would be required to cause a large economic loss. Based on a study performed by KEMA, case histories were prepared on companies that had control systems influenced by cyber attacks (intentional, unintentional, and virus/worms). Results demonstrate that significant economic losses occurred even with events that did not lead to loss of power or production. These results, while preliminary, can be used to build a quantitative business case for implementing cyber security risk mitigation, including vulnerability assessments, development of control system cyber security policies, and implementation of relevant IT technology (such as appropriately configured firewalls).
Control systems security is a real concern. Is it all bad news? Not necessarily. Involving those who know control systems is key.
Incidents of cyber attack/intrusion, whether intentional or accidental, have increased dramatically over the past few years; more than 310,000 incidents occurred in 1998-2003, compared to just over 10,000 from 1993-1997.
ISA and other standards bodies are actively engaged in developing broad-based standards to protect control systems. The ISA-SP99 Committee, comprised of people knowledgeable about control systems from many different industries, is establishing standards, recommended practices, technical reports, and other related information designed to define procedures for implementing electronically secure manufacturing and control systems and security practices, and for assessing electronic security performance. Guidance is directed towards those responsible for designing, implementing, or managing manufacturing and control systems and shall also apply to users, system integrators, security practitioners, and control systems manufacturers and vendors.
Of course, users must adapt solutions to specific systems and locations. However, many manufacturers that have taken steps to implement security programs (even basic security techniques such as firewalls at the controls layer) have reported great success.
How to succeed?
1. Start with a comprehensive risk analysis that includes every major area of risk to the environment. It is far easier to reduce the scope of a security program later than it is to miss something important in the beginning. A good risk analysis will help allay fears, bringing security back to a manageable set of issues that need to be dealt with.
2. Look at the money. Financial analysis of risk will help companies cost-justify security measures, and determine when they have reached an acceptable level of risk.
3. Organizations also must implement good policies and procedures and carefully select technologies. Ultimately, security is a process, not a technology problem, and many security events can be prevented through enforcing good discipline and practices in a process controls environment. Enforcing desirable, consistent, and effective behavior is key to reducing risk. This applies to the use of technology and behaviors in the environment.
4. Read more. Standards bodies and industry groups are working to address the needs of security on control systems. These include ISA (Instrumentation, Systems, and Automation Society), NIST (National Institute for Standards and Technology), CIDX (Chemical Industry Data Exchange), IEC (International Engineering Consortium), CIGRE (International Council on Large Electric Systems), NERC (North American Electric Reliability Council), and others. Each is publishing documents on control systems cyber security.
Formed in 2002, the ISA SP-99 committee has published two technical reports, available through ISA. ISA TR99.00.01 covers common security technologies and how to apply them to control systems. ISA TR99.00.02 is a guidance document to assist users through the process of creating an effective security program, including policies, procedures, and technologies. The ISA SP-99 committee has initiated work on a multi-part general industry standard for manufacturing and control systems security. The ISA effort focuses primarily on technologies available for protecting control systems, and provides the means for establishing, maintaining, and evaluating a security program that considers all facets of risk to the control systems environment. The ISA SP-99 effort is industry non-specific, and currently has more than 250 members representing over 220 companies (nearly every major manufacturing and process control-related industry).
Many groups conduct relevant and useful activities in this space. The NIST Process Control Security Requirements Forum (PCSRF) is working on defining precise, common-criteria based requirements for existing and new control systems. ISA and PCSRF collaborate on security efforts. The Chemical Industry Data Exchange (CIDX) group continues to work on control system cyber security considerations for the chemical industry and is sharing much of its work with ISA SP99 and the control systems industry in general.
5. While working to prevent security incidents, also look at remediation, restoration, and recovery. Because most security events affecting a process go undetected for some period, focusing only on preventing a security incident is insufficient. Industry must focus on preventing the loss of production/process control, and improve its ability to detect problems, remediate, and restore processes through maintenance procedures, quality assurance, risk management, production and product safety, and business continuity plans and disaster plans.
6. Look beyond your organization for system integrators or consultants to help if you don't have the time, staff, and/or expertise.
Statistics show that security incidents are just as likely to originate in-house as they are to be caused by outside attackers.
Considering all that's been done thus far and all that still needs to be completed to make process control systems safe, can one say that the sky is falling? At the very least, dark clouds have gathered. Many potential problems exist, and industry already has seen incidents, with more possible.
The message is not all bad, however. There are measured responses that industry can take today to significantly reduce the risk of such problems:
Focus on identifying issues that can affect the reliability of the controls environment;
Take a well-balanced solution engineering approach to reduce the likelihood of occurrence;
Isolate impact to as small an area as possible; and
Work on remediation and restoration to recover from incidents as quickly as possible.
As the industry begins to learn more about these security threats, engineers should focus on adapting programs, policies, procedures, and technology to incorporate the latest protection available for control systems.
Bryan L. Singer is chairman of ISA SP-99 and works for Rockwell Automation as a senior business consultant and leader for security services.
Joseph Weiss, PE, CISM, is executive consultant at KEMA and chairman of the IEEE Power Engineering Society's task force reviewing equipment standards for cyber security, a member of ISA's Process Control Systems Security Committee - SP99, and CIGRE's Task Force on cyber security.