Cyber Security Hits Home
With the coming of the new year, cyber security activity at power plants and larger electric utilities has taken a major step. NERC CIP (National Electric Reliability Corporation, critical infrastructure protection) regulations are coming into force that require producers and distributors of bulk power to take specific security precautions to ensure uninterrupted delivery.
With the coming of the new year, cyber security activity at power plants and larger electric utilities has taken a major step. NERC CIP (National Electric Reliability Corporation, critical infrastructure protection) regulations are coming into force that require producers and distributors of bulk power to take specific security precautions to ensure uninterrupted delivery. These requirements have teeth in the form of substantial fines that can be charged against offenders.
Many that are not in the utility industry are watching the situation with the expectation that deployment of similar regulations will spread to other verticals sooner rather than later. Over the last year or two, industrial cyber security issues have been developing with greater intensity. One event was a report about a year ago from the CIA that an overseas utility had been compromised successfully by cyber attackers in an extortion scheme. The nature of serious hacking (see graphic) has expanded from being simply an amusement to criminal, terrorist, or even state-sponsored espionage. Such escalation demands an appropriate and dynamic defensive response.
Implementation of the NERC CIP regulations has been compared to the confusion surrounding Sarbanes-Oxley (SOX) after its passage in 2002. Eric Casteel, manager of SCADA and security business development for Emerson’s power & water division recognizes the similarities. “When SOX compliance came out, there was very little guidance and interpretations varied widely,” he says. “We’re seeing the same kind of thing with the NERC CIP standard. Some customers are taking the high road and want to adopt best practices to get an 'A’ for their audit. Others just want to pass with a 'C.’ Some plants try to say, 'We’re not a critical asset.’ If they don’t have black start facilities and they’re not a significant megawatt generator, they might have a case. But when you look at the overall security of the grid, you’re only as strong as your weakest component. At some point, regulators will come back and say, every power generating, transmission, and distribution provider must implement these regardless of whether it’s a critical asset or not.”
Hackers can have a wide variety of skills and motives to break into your systems. These characterizations are general, but suggest what might be out there. Hobbyists aren't too difficult to fend off with a little effort, but a skilled and motivated terrorist or criminal is a different story.
Where to start?
If you’re with an electric utility or other industry, how do you begin to implement basic cyber security practices for your DCS (distributed control system), SCADA (supervisory control and data acquisition), or other industrial control network? Such a project should begin with an assessment of where you are today, specifically taking inventory of all the devices on your networks, what they’re connected to, and what software is running on them. This is the first step in finding out how hackers can get into your systems from the outside, and setting up appropriate barriers.
“Users usually have a very poor feel for their actual system architecture and connectivity,” says Todd Stauffer, process automation systems marketing manager for Siemens Energy and Automation. “A lot of things get connected directly or indirectly to control networks that people responsible for the process have little control of. One of the first things that folks should do is establish what their real system architecture is, and it will likely be significantly different than what they think they have. As a rule, people will almost always find connections they didn’t realize were there.”
David Rehbein, senior data management solutions consultant for Emerson Process Management, spent many years evaluating networks while working for Microsoft. He agrees that making an assessment is a critical first step. “Those system inventories can sniff every IP address on your network, and things often pop up that nobody even knew were out there. Somebody came in and put something on the network and forgot to tell IT, and all of a sudden you have a rogue client or server on your system. If you don’t know it’s there, you don’t know if it is getting patched at the right levels. You don’t know if it’s secure. You don’t know if it’s running virus check software.”
Understanding your connections
Control systems that exist as islands are easy to protect, however few of these still exist. When management wants to know what’s going on in the plant, the easiest way to get information is to look into the control system. This means a link with the corporate network which is undoubtedly connected to the Internet. If this connection is not well protected, this is a primary point of access. The larger the extent of integration, the larger number of potential entry points. This is called the attack surface area.
Rehbein recalls a project he was involved with while at Microsoft: “We finished our first assessment in a day because it was a very unsophisticated site. They didn’t have a connection between their plant floor network and anything else. You had to get into their building even to get access to it. Compare that to somebody who wants to share inventory or current production levels with customers or the corporate IT department in Switzerland. That requires direct Internet connection, which provides a door for anybody to come into your system.”
Business demands for connectivity are putting more pressure on operators and control systems, and that opens potential attack vectors. Shawn Gold, global program manager for open systems services for Honeywell Process Solutions, worries about companies losing their ability to handle problems internally. Increasing dependence on outside support means adding entry points. “You have risks associated with any connections to the outside world,” he warns. “But you have a greater demand, especially in today’s economy, to allow more connections for outside services and resources to help you out. You may have documented all those connections, and that’s a good thing, but there are potentially undocumented connections that take place, or ad hoc connections that take place to manage through emergencies. These can create security risks, so you need to be aware of what you’re going to have to do in the case of an emergency and what you have to do to protect yourself while you’re working through those difficult times.”
In addition to connections, you need to know what software resides on your networks. This is critical for two major reasons: some software has vulnerabilities that can be exploited by hackers, and poorly written programs can cause problems internally.
“Every time you add software, you increase the attack surface,” advises Kevin Staggs, global security architect for Honeywell Process Solutions. “You might bring in some piece of unnecessary software that causes a conflict on the system with some other piece of necessary control software and then causes the system to fail, and you have a loss-of-view incident. Sometimes software isn’t written as well as it should be and causes a memory leak. One anti-virus system patch we found had a memory leak in it, and a control system using that program would run for about 35 days before it ran out of memory. When that happens you have a terrible slowdown or warnings on the display, and the operators don’t know what to do about those.”
Staggs adds that those problematic programs can have similar consequences to malware introduced by a hacker. If programs are not thoroughly vetted by your control system vendor, they can cause conflicts that may not be apparent immediately. He suggests, “It’s a matter of having very good change management procedures in place, and when you do execute a change, make sure you check baseline performance before, check again immediately after, and watch it for a period of time. You can detect problems if you use that level of rigor.”
When you know what is on your networks, you will know if you have to deal with a specific problem that comes to light. Siemens’ Stauffer warns of situations where white hat organizations publish vulnerabilities they’ve found in common software platforms in an effort to force vendors to fix them. “They aren’t realizing that they’re getting the system all out of whack,” he says. “People are forced to do things that they aren’t ready to do when holes in legacy systems are posted on the Internet for everybody to see. That’s enough to tell a hacker what to shoot for with a given system. Security by obscurity? Forget that. The weaknesses of your system are posted on the Web.”
Consult your vendor
One of the easiest steps you can take is to consult the supplier(s) who built your systems originally. Most companies can provide instructions, case studies, best practices, and other advice based on collected experience.
There are many more aspects of cyber security that are not practical to discuss here. Personnel policies, management buy-in, physical security, defense in-depth, and so on, all influence strategy. Many organizations and companies have produced resources on cyber security for industrial systems. The sidebars attached to this article are an excellent place to begin your research. Always keep in mind that there are no ultimate answers, and there is no absolute security. The best you can hope for is to have levels of protection that are stronger than your attackers.
Peter Welander is process industries editor. Reach him at PWelander@cfemedia.com .
Resources for your cyber security implementation
Control Engineering cyber security bloggers Matt Luallen and Steve Hamburg have compiled a list of their favorite resources with comments on each. Read this sidebar online at
Many resources are at our disposal for properly “securing” process control systems. Securing process control systems entails appropriate defense-in-depth controls, such as gaining management support, performing assessments, identifying risk factors, selecting remediation solutions, gaining management support and effectively integrating the appropriate technology, procedures and security awareness and training program after you have gained management support. And don’t forget gaining management support.
There are many options available to provide education regarding the process; however, the best starting point would be to review and gain a thorough understanding of the following:
1. NERC CIP (North American Electric Reliability Corporation, critical infrastructure protection): These are important cyber security standards affecting organizations in the bulk electric system. They also pertain to other process control-enabled verticals, such as aviation, railroads, wastewater treatment, natural gas, refinery, chemical, and manufacturing as they are also considered internationally as critical infrastructures. NERC CIP is the first cyber security standard that can impose sanctions, which can include fines up to $1 million per day for encountered instances of non-compliant findings. Other verticals with SCADA and DCS systems are reviewing this since it is identified as a larger critical infrastructure protection standard. The NERC CIP standards are available at
2. Idaho National Laboratory National SCADA Test Bed and DHS Control System Security Program: This program provides many details regarding security awareness, security assessments and secure architecture. It is also massive in scope and can prove to be difficult to navigate. One item we would recommend particularly is the Cyber Security Procurement Language for Control Systems, located at
3. NIST SP 800-82 (National Institute of Standards and Technologies Special Publication): This new document provides guidance on securing industrial control systems. The final version is forthcoming after the third and final public comment period, which expired on November 30, 2008. You can download the final draft document at
4. ISA 99: This standard provides specifics for establishing and operating a control system security program. Part 4 of the standard is to provide additional clarification about what sets apart control systems security from traditional IT security. Go to
5. Traditional IT solutions such as Control Objectives for Information and related Technology (CObIT), ISO 27005 and ISO 17799: Many frameworks for IT control and security exist that can support foundational work within industrial control system environments. Traditional IT business systems and process control systems are interconnected for efficiencies and cost reductions; therefore, it is appropriate to couple specific IT and process control operations synergistically. The critical question is what defines appropriate demarcation points between jointly and uniquely operated systems? Finding the answer is a challenge, which will be specific to the organization and industry.
Many organizations have produced standards specific to SCADA systems, including: ISA, ISO, IEC, API, AGA, ChemITC, DHS CSSP, PCSF, CIGRE, NSTB, IEEE, EPRI, I3P, NERC, and NIST. In an effort to assist all critical infrastructures in addressing prevalent security challenges, Control Engineering will continue to provide clarity regarding these standards in a practical and applied manner via its cyber security blog.
A key reference on defense in depth
One document considered a classic in the industrial cyber security arsenal is “Control Systems Cyber Security: Defense in Depth Strategies, May 2006,” by David Kuipers and Mark Fabro. Fabro is president and chief security scientist at Lofty Perch, and has worked extensively with the U.S. DHS and INL (Idaho National Labs). He has this to say about developing that paper:
“As the DHS Control Systems Security Program (CSSP) works so closely with private sector, one of the major ideas explored was how to build effective cyber security into large scale systems that were previously isolated. The issues of convergence, combined with the age and operational nuance inherent in some of the 'for purpose’ technologies made contemporary cyber security solutions unfeasible. Asset owners and operators had shown that some measures, such as IDS (intrusion detection system) and firewalls, can be used effectively with no impact to operations. A solution was needed that provided asset owners direction to leverage proven security practices in a manner that was not going to break their systems but was going to reduce cyber risk.
“The defense in depth model uses the concept that appropriate levels of security can be applied at different levels in the control architecture, such that the aggregate of all the security elements creates an extensive security defense posture. The approach in creating the practice guide was to educate readers about some of the more common vulnerabilities that can exist within control system environments, and how the appropriate deployment of security solutions can help mitigate those vulnerabilities. The goal was to leverage all of the feedback CSSP had collected from stakeholders, provide insight into how to address their needs, and create guidance that could be reviewed by the community of interest. In the end, the product was something that was vetted and reviewed by the very stakeholders that were looking for guidance, and the impact has been very positive. Now we have a recommended practice that provides insight into several proven methods that can secure control system architectures, and have it done in such a way that the balance between security and performance is maintained.”