Security: a national priority
By saying, in February 2003, that the protection of control systems had become "a national priority," President Bush set off a flurry of security activities in the industrial sector. We remain, however, a long way from reaching the goal of secure industrial infrastructures. So that an appropriate layer of security can be added, most of the past few years' security efforts have been spent simply...
By saying, in February 2003, that the protection of control systems had become 'a national priority,' President Bush set off a flurry of security activities in the industrial sector. We remain, however, a long way from reaching the goal of secure industrial infrastructures.
So that an appropriate layer of security can be added, most of the past few years' security efforts have been spent simply sorting out the array of connections that have made once proprietary controls hardware, software, and networks open to the outside world. These audit processes can be painstaking, but are a necessary part of any control system security implementation. At several recent seminars, I have heard security consultants recount instances where, prior to an audit, they were assured that the systems under review had no connections to the outside. In each instance, various connections—typically modems installed years ago for a project long-since forgotten—were easily discovered.
That's all it takes to make your control system vulnerable—one modem buried somewhere in the infrastructure that, quite possibly, no one currently on your staff even knows about.
According to the U.S. Government Accounting Office report on Cybersecurity of Control Systems security experts say that unauthorized access to a control system can be had with a port scanning tool and a factory manual found on the Internet that contains the system's default password—an item rarely changed at installation.
If you're still thinking that control systems can only be breached with great difficulty, consider this. The GAO report also states that a George Mason University graduate student has reportedly mapped every business and industrial sector in the American economy to the fiber-optic network that connects them by using unclassified material publicly available on the Internet.
Another misconception to get past is that someone must be 'out to get' you or your company for your systems to be vulnerable. Think about all the viruses swirling around on the Internet at any given moment. Now think about the Web browser or e-mail program on your HMI. Without appropriate precautions, your control systems are vulnerable.
The purpose of this column is not to scare you, because the problem can be addressed nearly as simply as it was created. But it will require great attention and ongoing effort, because a number of unknowns still exist.
To help you sort through the unknowns, our cover story is loaded with advice from Joe Weiss and Bryan Singer. Both are members of the ISA-SP99 control systems security committee and work full-time in positions devoted to control system security. I hope you find their input helpful.
David Greenfield, Editorial Director