Understanding industrial control systems security basics
An industrial control system (ICS) is a general term for any distributed control system (DCS), programmable logic controller (PLC), supervisory control and data acquisition (SCADA) system, or other automation system used in industrial environments, including critical infrastructure. ICS security is designed to protect the system from any interference, intentional or unintentional, that may lead to unintended ICS operation.
Industrial control system security
ICS security can be very broadly categorized as cybersecurity. Though the word "cybersecurity" implies the intention is to look at only the "internet" connection, that is not the case when it comes to ICS environments.
The need for ICS security is greater now that the number of threats has increased. Regulations are being enforced, and companies have a legal, moral, and financial obligation to limit the risk. IEC 61511:2016, Functional safety: Safety instrumented systems for the process industry sector, also demands security assessments of safety instrumented system (SIS) design in control systems.
Because of the recent outcry over cyberattacks, ICS security has received more attention as a necessity to protect against external hackers. However, cybersecurity is one part of ICS security; threats against modern control systems come in many forms.
Threats can be external or internal, and can be categorized as deliberate (intentional) or accidental (unintentional). Typical external threats are hackers (professionals, amateurs, script kiddies), rival business competitors, and rival organizations or states. Typical internal threats are erroneous actions, inappropriate behavior, disgruntled employees, and similar activities.
The Repository of Industrial Security Incidents (RISI), maintained by the Security Incidents Organization, provides incident data in which many of the threats were identified as unintentional and accidental.
Recent ransomware attacks have busted the myth held by many ICS personnel that "we are not a target." Other typical myths are "Our ICS is not on the internet," "We have firewalls," and "We have an SIS." Believing an ICS cannot be a target leads to issues, including not being properly protected against internal and accidental threats.
To protect against external threats, more needs to be done than just strengthening the network. Not all internal threats can be avoided by strengthening internal procedures and policies. Optimal ICS security is achieved by strengthening the network and backing it up with correct policies and procedures.
Identify ICS security vulnerabilities
ICSs used to be standalone systems, but not anymore. ICSs are vulnerable to external threats primarily because they use commercial off-the-shelf (COTS) technology and are highly connected within a network for various reasons (e.g., businesses offering remote access for employees). Internal threats occur primarily because of erroneous actions. For example, the RISI database records a case in which an employee accidentally uploaded programs into a live PLC and caused half a day of production loss because of poor communication between the employee and the engineering consultant who had set up the actual test.
A control system's top vulnerabilities are inadequate policies and procedures, no defense-in-depth design, inappropriate remote access controls, improper software maintenance, inadequately secured wireless communication for control, use of control network bandwidth for non-control purposes, failure to observe inappropriate activity in the system, unauthenticated control network data, and inadequate support for critical components and systems. A threat can use many pathways to enter a control network (see Figure 1).
Firewalls can help disrupt a threat's pathway into a system. Installing a firewall is easy, programming one is difficult, and programming it correctly is very difficult. An improperly configured firewall is equivalent to not having one.
An SIS is susceptible to threats if COTS technology is used, especially if it is integrated into the control network and communicates over an insecure, open protocol. Compromising an SIS may lead to a temporary setback or a loss.
Although information technology (IT) security may help, IT and operational technology (OT) have different objectives. In addition, IT personnel may not have any knowledge of ICS environments. A common misconception in many organizations is that IT personnel are taking care of the control network in the plant.
System availability is the prime objective, since ICSs perform continuous and time-critical operations. Human safety is also paramount. In IT environments, confidentiality matters most and system availability is not a major priority; it is not the end of the world if connectivity to the internet is lost for a few hours. In ICS environments, companies can't afford to lose control for even a few seconds, because response time is critical. Imagine losing control over a valve that needs to be closed while a discharge line is cracked and liquid is spilling.
Security standards for ICSs
Governments and industry organizations are developing security standards that provide guidance and suggest best practices to strengthen systems against potential threats.
Some of the main standards are:
- ISA99, Industrial Automation and Control Systems Security / IEC 62443 series of standards
- National Institute of Standards and Technology (NIST) SP 800-82, Guide to Industrial Control Systems Security
- North American Electric Reliability Council (NERC) CIP series of standards.
The following are other industry and sector-specific standards:
- American Petroleum Institute (API) 1164, Pipeline SCADA Security
- Chemical Sector Cyber Security Program
- American Water Works Association (AWWA) G430-09, Security Practices for Operation and Management.
Like a functional safety lifecycle, a cybersecurity lifecycle depends on three fundamental components: analysis, implementation, and maintenance. The lifecycle is a continuous process, and feedback is crucial. The process can be visualized as a proportional-integral-derivative (PID) closed loop in which the way risk is addressed (the manipulated variable) is continuously adjusted based on feedback to reach the acceptable risk level or security target (the setpoint). (See Figure 2.)
It's difficult for some companies to maintain a budget to implement and maintain a cybersafety lifecycle. Without the commitment of company leadership and other senior management, the cybersafety lifecycle likely will fail. Present a business case to management outlining the potential threats, consequences (physical, economic, and social impacts), and benefits to the business.
A proper risk assessment should be performed to suit the organization's needs. The risk assessment may include:
- The plan
- The test environment
- Metrics and documentation.
Various tools are available for risk assessment. A qualitative or quantitative approach can be chosen, based on the organization's requirements, to evaluate impacts as part of the safety lifecycle. A quantitative assessment uses previous data; a qualitative assessment requires properly defined consequence parameters. Often a risk assessment is part of a vulnerability assessment. The Common Vulnerability Scoring System (CVSS) is a free tool often used in vulnerability assessments.
Implementing a virtual private network (VPN), an intrusion detection system (IDS), and a paired firewall with a demilitarized zone (DMZ) are ways to strengthen the network against threats. Firewall programming needs to start with "deny all" access and then permit access only to specific IP addresses and TCP/UDP ports.
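The "deny all first, then permit specific addresses and ports" rule above, and the point that a misconfigured firewall equals no firewall, as an added example that is not from the article: a first-match policy evaluator plus a lint check, run over constructed hosts (HMI, engineering workstation, contractor laptop, PLC on Modbus/TCP port 502; all addresses are hypothetical).

```python
import ipaddress
from typing import List, NamedTuple

class Rule(NamedTuple):
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str    # "tcp" or "udp"
    dport: int    # destination port; 0 means any port
    action: str   # "allow" or "deny"

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

def evaluate(rules: List[Rule], flow: Flow, default: str) -> str:
    """First matching rule wins; otherwise the default policy applies."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto == flow.proto and r.dport in (0, flow.dport)):
            return r.action
    return default

def lint(rules: List[Rule], default: str) -> List[str]:
    """Flag settings that make the firewall equivalent to having none."""
    findings = []
    if default != "deny":
        findings.append("default policy is not deny")
    for r in rules:
        if r.action == "allow" and r.src == "0.0.0.0/0" and r.dport == 0:
            findings.append(f"any-source, any-port allow to {r.dst}")
    return findings

# Constructed hosts (hypothetical addresses): HMI 10.10.1.20 and engineering workstation
# 10.10.1.30 in the control zone, contractor laptop 10.10.9.77 on the business LAN, PLC 10.10.2.5.
PLC = "10.10.2.5/32"
PERMISSIVE = [Rule("0.0.0.0/0", PLC, "tcp", 0, "allow")]  # "we have a firewall"
HARDENED = [
    Rule("10.10.1.20/32", PLC, "tcp", 502, "allow"),  # HMI -> PLC, Modbus/TCP only
    Rule("10.10.1.30/32", PLC, "tcp", 502, "allow"),  # EWS -> PLC, Modbus/TCP only
]
LAPTOP_TO_PLC = Flow("10.10.9.77", "10.10.2.5", "tcp", 502)
HMI_TO_PLC = Flow("10.10.1.20", "10.10.2.5", "tcp", 502)

if __name__ == "__main__":
    print(evaluate(PERMISSIVE, LAPTOP_TO_PLC, "allow"), lint(PERMISSIVE, "allow"))
    print(evaluate(HARDENED, LAPTOP_TO_PLC, "deny"), lint(HARDENED, "deny"))
```

The permissive ruleset passes the business-LAN laptop straight through to the PLC; the hardened one admits only the two control-zone hosts on port 502 and drops everything else by default.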
In a suitable test environment, a scanner can perform a vulnerability assessment. Results from scanner tools, as Figure 1 shows, are not enough on their own. ICS security is not only about protecting against cyber attacks; it also involves personnel, physical, and environmental security.
Physical security requirements may include controlling access to restricted areas, CCTV, motion sensors, thermal video systems, and other measures. Environmental protection against dust, temperature, and toxic gases can be achieved with a proper HVAC system and proper alarm systems for failure identification.
Awareness, policies, and procedures are crucial for addressing accidental and internal threats. Referring back to Figure 1, for example, infected USB keys can directly impact the control or plant network. Access to the system and authorization to perform particular actions need to be addressed through the policies and procedures that are put in place. Logs also can be used to keep track of access levels.
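Using logs to check access and authorization, as an added example that is not from the article: a review of engineering-workstation log lines for writes to a live PLC that are not backed by both an authorized user and an approved change request, the control that would have caught the accidental upload in the RISI case described earlier. The log format, the tool name "plctool", the users, hosts and change-request numbers are all constructed.

```python
import re
from typing import Dict, List, Set

# Constructed log format (hypothetical tool "plctool"): one line per
# engineering-workstation action; "write" programs the live controller,
# which is the accidental-upload case from the RISI example above.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) plctool user=(?P<user>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+)(?: change=(?P<change>\S+))?$"
)

# Constructed authorization data: who may write each live PLC, and
# which change requests are currently approved.
AUTHORIZED: Dict[str, Set[str]] = {"plc-reactor-01": {"consultant.a"}}
APPROVED_CHANGES: Set[str] = {"CR-1042"}

SAMPLE_LOG = """\
2024-03-05T08:02:11Z ews01 plctool user=consultant.a action=write target=plc-reactor-01 change=CR-1042
2024-03-05T09:15:40Z ews01 plctool user=jsmith action=read target=plc-reactor-01
2024-03-05T09:16:02Z ews01 plctool user=jsmith action=write target=plc-reactor-01
2024-03-05T10:30:00Z ews02 plctool user=consultant.a action=write target=plc-reactor-01 change=CR-0999
"""

def review_writes(log: str) -> List[str]:
    """One finding per controller write not backed by both an authorized
    user and an approved change request; reads are not flagged."""
    findings = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m or m["action"] != "write":
            continue
        who, plc, change = m["user"], m["target"], m["change"]
        if who not in AUTHORIZED.get(plc, set()):
            findings.append(f"{m['ts']}: {who} is not authorized to write {plc}")
        elif change not in APPROVED_CHANGES:
            findings.append(f"{m['ts']}: {who} wrote {plc} without an approved change ({change})")
    return findings

if __name__ == "__main__":
    for finding in review_writes(SAMPLE_LOG):
        print(finding)
```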
Security plans also need to be incorporated while developing software to achieve software security assurance. Cybersecurity-certified components shall be used in the control system. A defense-in-depth approach is necessary to secure the ICS and minimize the risk. See Figure 3.
Since cyber threats change rapidly, security risk management should be a continuous process. A periodic review and audit of the cybersafety lifecycle is necessary to maintain operations. This includes patch management, antivirus updates, and awareness of industry trends and risks.
Sunil Doddi is a controls systems engineer at Hydro-Chem, a division of Linde Engineering North America. Edited by Emily Guenther, associate content manager, Control Engineering, CFE Media, firstname.lastname@example.org.
KEYWORDS: Industrial control system, safety lifecycle
- Determining security standards for industrial control systems (ICSs)
- The purpose of implementing cybersecurity measures for an ICS
- Threats that leave ICSs vulnerable to cyber attacks
What pathways in your system are vulnerable and need to be protected against threats?