About 10 years ago, you wouldn't have found many industrial control engineers asking questions about cyber security.
In fact, the Corporate IT gurus seemed to have responsibility for that area, and Industrial Control Systems (ICS) experts seemed to think the control system was almost immune to cyber attacks.
That all began to change when commodity operating systems and hardware became more prevalent in control system configurations.
But, even with those changes, it took several years to gain broad attention within the ranks of industrial control systems.
Then Stuxnet appeared in June of 2010, and now it seems everyone in the industrial control systems community is talking about security breaches, how to stop them, and how to plan for a more secure digital environment.
Threats and vulnerabilities are often discussed together, and the list shown here is no exception. Consider that threats come from internal and external sources – they are any event that disrupts normal operation.
A vulnerability is a weakness in the control system's network, policies, practices, or security culture. The list of potential causes of digital breaches of an industrial control system parallels the list confronted by the business IT organizations around the world.
There are differences in mindset of the business IT professional and that of the Industrial IT professional – primarily focusing on the importance placed on system availability. This difference in mindset results in the application of different techniques or approaches in resolving similar issues.
The key takeaway here is that Industrial IT requires the sensitivity of industrial control systems knowhow. For today's industrial control systems management, that might mean inducting business IT professionals into the control systems staff or training control systems staff to become Industrial IT experts.
Recently, you might have heard more comments about control systems environments being less vulnerable to cyber attacks. This is because of an air gap – a method intended to secure a network by isolating it from potentially insecure networks.
The air gap seems like a perfect solution – but, for most installations, it simply doesn't work. What happens when you need updates to the air-gapped system? The first solution that comes to mind might be "put the changes on a USB stick."
This sneakernet method is how Stuxnet was transmitted! As much as we would like to pretend otherwise, modern control systems need a steady diet of electronic information from the outside world.
Severing the network connection with an air gap simply spawns new pathways – like the mobile laptop and USB key, which are more difficult to manage and just as easy to infect.
Survey findings, depicted in the pie chart above, indicate 71 percent of control engineers expect to see either significant or moderate increases in connectivity between industrial endpoints and corporate IT infrastructure over the next three to five years.
So, what does this mean for industrial control system security? We must recognise that a modern Industrial Control System or SCADA system is highly complex and interconnected.
This results in multiple potential pathways from the outside world to the process controllers. Assume that an air gap between Industrial Control Systems and corporate networks is unrealistic, as information exchanges are essential for process and business operations to function effectively.
Therefore, all mechanisms for transfer of electronic information to or from an Industrial Control System must be evaluated for security risk. Focusing on only a few obvious pathways, such as USB storage drives or the Enterprise/Industrial Control System firewall, is a flawed defence.
All control industries should begin to include security assessments and testing as part of the system development and periodic maintenance processes on all Industrial Control Systems. This is just one step in implementing defence in depth.
If the critical infrastructures of the world are to be safe and secure, then the owners and operators need to recognise that their control systems are now the target of sophisticated attacks.
Improved defence in depth postures for industrial control systems are needed urgently. Waiting for the next worm may be too late.
[Rick Kaun is Global Business Manager, Industrial IT Solutions, Honeywell Process Solutions.]