Understanding industrial control systems security basics

Cover story: It’s critical to implement an in-depth cybersecurity plan to help protect industrial control systems (ICSs) against a cyber attack. Identify threats, vulnerabilities, standards, and documents.

04/06/2018


Figure 1: This illustration shows how safety control systems could be compromised at various points. In addition, unintentional mistakes may happen due to procedural errors at the control network. Courtesy: Sunil Doddi

An industrial control system (ICS) is a general term used for any distributed control system (DCS), programmable logic controller (PLC), supervisory control and data acquisition (SCADA) system, or any automation system used in industrial environments, including critical infrastructure. ICS security is designed to protect the system from any interference, intentional or unintentional, that may lead to unintended ICS operations.

Industrial control system security

ICS security can be very broadly categorized as cybersecurity. Though the word "cybersecurity" implies the intention is to look at only the "internet" connection, that is not the case when it comes to ICS environments.

The need for ICS security is greater now that the number of threats has increased. Regulations are being enforced and companies have a legal, moral, and financial obligation to limit the risk. IEC 61511:2016, Functional safety - Safety instrumented systems for the process industry sector, also demands security assessments on safety instrumented system (SIS) design in control systems.

Because of the recent outcry over cyberattacks, ICS security has received more attention as a necessity to protect against external hackers. However, cybersecurity is one part of ICS security; threats against modern control systems come in many forms. 

Identify threats

Threats can be external or internal and can be categorized as deliberate (intentional) or accidental (unintentional). Typical external threats are hackers (professionals, amateurs, script kiddies), rival business competitors, and rival organizations/states. Typical internal threats are erroneous actions, inappropriate behavior, disgruntled employees, and similar activities.

The Repository of Industrial Security Incidents (RISI) by the Security Incidents Organization provides incident data in which many of the threats were identified as unintentional and accidental.

Recent ransomware attacks have busted the myth held by most ICS personnel that "we are not a target." Other typical myths are "Our ICS is not on the internet," "We have firewalls," and "We have an SIS." Believing an ICS cannot be a target will lead to issues and to not being properly protected against internal/accidental threats.

To protect against external threats, more needs to be done than just strengthening the network. Not all internal threats can be avoided by strengthening the internal procedures/policies. Optimal ICS security is achieved by strengthening the network and backing it up with correct policies and procedures.

Identify ICS security vulnerabilities

ICSs used to be standalone systems, but not anymore. ICSs are vulnerable to external threats primarily because they use commercial off-the-shelf (COTS) technology and are highly connected within a network for various reasons (for example, businesses offering remote access for employees). Internal threats occur primarily because of erroneous actions. For example, the RISI database showed that an employee accidentally uploaded programs into a live PLC and caused half a day of production loss because of poor communication between the employee and the engineering consultant who set up the actual test.

A control system's top vulnerabilities are inadequate policies/procedures, no defense-in-depth design, inappropriate remote access controls, improper software maintenance, inadequate wireless communication for control, using control bandwidth for non-control purposes, failure to observe inappropriate activity in the system, unauthenticated control network data, and inadequate support for critical components and systems. A threat can use many pathways to enter a control network (see Figure 1).

Firewalls can help disrupt a threat's pathway into a system. Installing a firewall is easy, programming one is difficult, and programming correctly is very difficult. An improperly configured firewall is equal to not having one.

An SIS is susceptible to threats if COTS technology is being used, especially if it is integrated as part of the control network and communicates over an insecure, open protocol. Compromising an SIS may lead to a temporary setback or a loss.

Figure 2: This diagram is a broad representation of a cybersecurity lifecycle approach. Courtesy: Sunil Doddi

Although information technology (IT) security may help, IT and operations technology (OT) have different objectives. In addition, IT personnel may not have any knowledge about ICS environments. A common misconception in many organizations is that IT personnel are taking care of control network details in the plant.

System availability is the prime objective since continuous and time-critical operations are performed by ICSs. Human safety is also paramount. In IT environments, confidentiality matters and system availability is not a major priority. It is not the end of the world if connectivity to the internet is lost for a few hours. In ICS environments, companies can't afford to lose control for even a few seconds because response time is critical. Imagine losing control over a valve that needs to be closed while a discharge line is cracked and liquid is spilling.

Security standards for ICSs

Governments and other industry organizations are developing security standards to provide guidance and suggest best practices to strengthen systems against potential threats.

Some of the main standards are: 

The following are other industry and sector-specific standards:

Like a functional safety lifecycle, a cybersecurity lifecycle also depends on three fundamental components: analysis, implementation, and maintenance. The lifecycle is a continuous process and feedback is crucial. The process can be visualized as a proportional-integral-derivative (PID) closed-loop function in which the way of addressing risk (the manipulated variable) is continuously adjusted based on the feedback to reach the acceptable risk level/security target (the setpoint). See Figure 2.

It's difficult for some companies to maintain a budget to implement and maintain a cybersafety lifecycle. Without the commitment of company leadership and other senior management, the cybersafety lifecycle likely will fail. Present a business case to management outlining the potential threats, consequences (physical, economic, social impacts), and benefits to the business.

Figure 3: Defense-in-depth can be incorporated by strengthening security measures. If the network security is broken, it can be countered with correct policies and procedures. Courtesy: Sunil Doddi

A proper risk assessment should occur to suit the organization's needs. The risk assessment may include:

  • The plan
  • The test environment
  • Metrics and documentation.

Various tools are available to evaluate risk assessments. A qualitative or quantitative assessment can be chosen based on the organization's requirements to evaluate the impacts of a safety cycle. In a quantitative assessment, previous data is used. In qualitative assessments, properly defined consequence parameters are required. Often risk assessment can be part of vulnerability assessments. The Common Vulnerability Scoring System (CVSS) is a free tool often used for a vulnerability assessment.

A virtual private network (VPN), an intrusion detection system (IDS), and a paired firewall with a demilitarized zone (DMZ) are tools to use to strengthen the network against threats. Firewall programming needs to start with "deny all" access and only later permit access for specific IP addresses and TCP/UDP ports.
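The "deny all, then permit specific addresses and ports" rule above, together with the earlier point that an improperly configured firewall is equal to not having one, as an added example (not from the original article): a first-match rule evaluator and an audit that flags broad permits. The rule model, the documentation-range addresses, and the Modbus/TCP port 502 flow are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # destination port; None means any port


def decide(rules, default, src, dst, proto, port):
    """First-match evaluation; traffic matching no rule gets the default policy."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and r.proto in ("any", proto)
                and r.port in (None, port)):
            return r.action
    return default


def audit(rules, default):
    """List where a rule set departs from 'deny all, then permit specifics'."""
    findings = []
    if default != "deny":
        findings.append("default policy is not deny")
    for i, r in enumerate(rules):
        if r.action != "permit":
            continue
        if ip_network(r.src).prefixlen == 0:
            findings.append(f"rule {i}: permits any source")
        if ip_network(r.dst).prefixlen == 0:
            findings.append(f"rule {i}: permits any destination")
        if r.proto == "any" or r.port is None:
            findings.append(f"rule {i}: permits any protocol/port")
    return findings


# Constructed sample data: a historian in the DMZ (192.0.2.10) polling one
# PLC (198.51.100.20) over Modbus/TCP, port 502. All values are hypothetical.
WEAK_DEFAULT = "permit"
WEAK_RULES = [Rule("permit", "0.0.0.0/0", "198.51.100.0/24", "any", None)]

HARDENED_DEFAULT = "deny"
HARDENED_RULES = [Rule("permit", "192.0.2.10/32", "198.51.100.20/32", "tcp", 502)]

if __name__ == "__main__":
    for name, rules, default in (("weak", WEAK_RULES, WEAK_DEFAULT),
                                 ("hardened", HARDENED_RULES, HARDENED_DEFAULT)):
        print(name, audit(rules, default) or "no findings")
        # An unrelated host (203.0.113.7) trying to reach the PLC:
        print(" ", decide(rules, default, "203.0.113.7", "198.51.100.20", "tcp", 502))
```

The weak rule set passes the unrelated host through to the PLC exactly as if no firewall were present, while the hardened set admits only the one expected flow.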

In suitable test environments, a scanner can perform a vulnerability assessment. Results from scanner tools, as Figure 1 shows, are not enough. ICS security not only protects against cyber attacks but also involves personnel, physical, and environmental security.

Physical security requirements may include controlling access to restricted areas, CCTV, motion sensors, thermal video systems, and other areas. Environmental protection against dust, temperature, and toxic gases can be achieved with a proper HVAC system and proper alarm systems for failure identification.

Awareness, policies, and procedures are crucial for addressing accidental and internal threats. Referring back to Figure 1, for example, infected USB keys can directly impact the control/plant network. Access and authorization controls, which govern who can access the system and perform particular actions, need to be addressed through policies and procedures. Logs also can be used to keep track of access levels.

Security plans also need to be incorporated while developing software to achieve software security assurance. Cybersecurity-certified components shall be used in the control system. A defense-in-depth technique is necessary to secure the ICS and minimize the risk. See Figure 3.

Since cyber threats rapidly change, security risk management should be a continuous process. A periodic review and audit of the cybersafety lifecycle is necessary to maintain operations. This includes patch management, antivirus updates, and being aware of industry trends and risks.

Sunil Doddi is a controls systems engineer at Hydro-Chem, a division of Linde Engineering North America. Edited by Emily Guenther, associate content manager, Control Engineering, CFE Media, eguenther@cfemedia.com.

MORE ANSWERS

KEYWORDS: Industrial control system, safety lifecycle

 

  • Determining security standards for industrial control systems (ICSs)
  • The purpose of implementing cybersecurity measures for an ICS
  • Threats that leave ICSs vulnerable to cyber attacks.

Consider this:

What pathways in your system are vulnerable and need to be protected against threats?


