Control engineers focus on security

About 10 years ago, you would not have found many industrial control engineers asking questions about cyber security. In fact, the Corporate IT gurus seemed to have responsibility for that area, and Industrial Control Systems experts seemed to think the control system was almost immune to cyber attacks.

That all began to change when commodity operating systems and hardware became more prevalent in control system configurations. But, even with those changes, it took several years to gain broad attention within the ranks of industrial control systems – then Stuxnet appeared in June of 2010, and now it seems everyone in the industrial control systems community is talking about security breaches, how to stop them, and how to plan for a more secure digital environment.

Threats and vulnerabilities are often discussed together, and the list shown on the right is no exception. Consider that threats come from internal and external sources – they are any event that disrupts normal operation. A vulnerability is a weakness in the control system’s network, policies, practices, or security culture.

The list of potential causes of digital breaches of an industrial control system parallels the list confronted by the business IT organisations around the world. There are differences in mindset of the business IT professional and that of the Industrial IT professional – primarily focusing on the importance placed on system availability.

This difference in mindset results in the application of different techniques or approaches in resolving similar issues. The key takeaway here is that Industrial IT requires the sensitivity of industrial control systems knowhow. For today’s industrial control systems management, that might mean inducting business IT professionals into the control systems staff or training control systems staff to become Industrial IT experts.

The elusive air gap

Recently , you might have heard more comments about control systems environments being less vulnerable to cyber attacks because of an air gap – a method intended to secure a network by isolating it from potentially insecure networks.

The air gap seems like a perfect solution – but, for most installations, it simply doesn’t work. What happens when you need updates to the air-gapped system? The first solution that comes to mind might be “put the changes on a USB stick.” This sneakernet method is how Stuxnet was transmitted!

As much as we would like to pretend otherwise, modern control systems need a steady diet of electronic information from the outside world. Severing the network connection with an air gap simply spawns new pathways – like the mobile laptop and USB key, which are more difficult to manage and just as easy to infect.

Honeywell Process: SecuritySurvey findings, depicted in the pie chart on the left, indicate 71 percent of control engineers expect to see either significant or moderate increases in connectivity between industrial endpoints and corporate IT infrastructure over the next 3 to 5 years.

So, what does this mean for industrial control system security? We must recognise that a modern ICS or SCADA system is highly complex and interconnected, resulting in multiple potential pathways from the outside world to the process controllers.

Assume that an air gap between ICS and corporate networks is unrealistic, as information exchanges are essential for process and business operations to function effectively. Therefore, all mechanisms for transfer of electronic information to or from an ICS must be evaluated for security risk. Focusing on only a few obvious pathways, such as USB storage drives or the Enterprise/ICS firewall, is a flawed defense.

All control industries should begin to include security assessments and testing as part of the system development and periodic maintenance processes on all ICS – just one step in implementing defense in depth.

If the critical infrastructures of the world are to be safe and secure, then the owners and operators need to recognise that their control systems are now the target of sophisticated attacks. Improved defense in depth postures for industrial control systems are needed urgently. Waiting for the next worm may be too late.

[Mike Baldi is Chief cyber security architect, Honeywell Process Solutions.]

[The IICA has partnered with PACE to bring together experts to present leading edge applications and case studies on Cyber Security. The IICA Cyber Security Seminar will be held on October 30, 2013 in Sydney; email nsw@iica.org.au or call 0410 334 333 for more information.] 

Send this to a friend