Viruses and hackers and worms … oh my!

Computer viruses and worms are big topics in the IT world. Recent worms and viruses have infected company LANs (local area networks) and even shut down businesses. While these concerns were already important in the IT environment, they had not been as important in the control system environment. With the increasing use of standard Ethernet and Microsoft operating systems in control systems, inf...

By Dennis Brandl, BR&L Consulting November 1, 2003

Computer viruses and worms are big topics in the IT world. Recent worms and viruses have infected company LANs (local area networks) and even shut down businesses. While these concerns were already important in the IT environment, they had not been as important in the control system environment. With the increasing use of standard Ethernet and Microsoft operating systems in control systems, infection concerns now have to be considered in control system design and support. As proof of this, several companies have had to stop production because of recent attacks and because of actions taken in response to the attacks.

Part of the modern control system engineer’s skill set must include knowledge of how to protect networked control systems. The ISA TR99.01 Technical Report on Security Technologies for Manufacturing and Control systems is a good place to read about technologies you will need to apply.

IT systems generally follow three rules for protection: Defend at the edges, detect in the interior, and protect at each system. Defending at the edges means stopping viruses and worms from entering the local network. This includes establishing firewalls, installing email scanners, closing unused ports, and requiring security access control on any communication through the firewall. Detecting in the interior is scanning of network traffic for suspect and non-normal activity. Detection can also involve scanning server systems to make sure that approved applications, and only the approved applications, are running. Protecting each system uses virus protection software and personnel firewalls or each system. These same rules can be applied to networked control systems with one important exception. The exception is “protecting at each system.” Virus protection software requires continual updates of virus and worm electronic signatures. This usually involves downloading identification files and often requires installing software updates. Unfortunately, it is unacceptable to make these changes without extensive testing and revalidation on validated or critical control systems. Updates can occur several times per week, but testing and validation can take weeks, so it is nearly impossible to have current up-to-date virus protection software on validated or critical control systems.

Since we cannot follow the third rule on many networked control systems, the first two rules should be strengthened to take up the load. We can strengthen the first rule by adding firewalls between the control system networks and the rest of the corporate networks. Unprotected control systems are prime targets for infection, and they need multiple layers of protection. Control system networks which connect directly to other business system networks are at risk from viruses and worms and put other corporate systems at risk. Firewalls with limited ports provide one level of protection. Firewalls should be two-way—in addition to protecting control systems from infection by corporate systems, they must protect corporate systems from the control systems. Access control routers can also be added to augment firewall protection. Access control routers allow only specified systems on one side to access systems on the other side. The control system network can also be designed as a Virtual Local Area Network (VLAN) using intelligent switches. VLAN isolates traffic on the VLAN from other LANs, providing an additional measure of protection against broadcast storms and other denial of service (DOS) attacks.

Detection within the control system network should also be applied. This includes using Intrusion Detection Systems on the VLAN.

The cost of adding infection protection to control systems is small and available with off-the-shelf software. Control system professionals need to understand the technologies of infection protection and must work with IT departments to implement secure interfaces between the control networks and the corporate networks.

Author Information

Dennis Brandl is the president of BR&L Consulting, a consulting firm focusing on manufacturing IT solutions, based in Cary, N.C. dbrandl@brlconsulting.com