Plant managers must realise that defence lies in depth

As we consider facilities operating process control, especially those associated with critical infrastructure, we are increasingly concerned with the defence of the environment – protecting it from intrusion both from the inside and outside. 

We have made great strides in building this defence, and a small percentage of top tier suppliers of control systems and customers are applying best practices to this problematic area.

Over the next three to five years, new and maturing technologies will be added to the portfolio of available and proven strategies for defending and protecting control system assets. 

To get started addressing the security challenge, organisations will benefit from implementing a security feedback loop that operates on the following premise: threats intending to exploit vulnerabilities require countermeasures to minimise risk to assets. That is the Threat/Risk Assessment portion of the loop.

The security feedback loop is an ongoing process; consistency and confidence in the process are the goal. Through it, security awareness and defence continue to evolve to meet ever-changing threats and new vulnerabilities.

To support the security process, there are several areas that are relatively robust today, including:
· Risk Assessments
· Control Firewalls
· Policies and Procedures
· Antivirus
· Segregated Process and Information Technology
· Microsoft Patches
· Locked down / Least privilege approach on Personal Computers
· Network policies for squelching Denial of Service attacks
· Backup/Recovery
· Monitoring Security Audit Logs
· Firewall Segregation

Viewed graphically the Threat/Risk Assessment portion of the loop looks something like this.

One of the logical first steps in determining the exposure of a control systems environment is a Risk Assessment, providing a summary of risk areas and actionable recommendations to either remove or neutralise the risk.

And as technology advancements are introduced into the control systems environment, we're seeing requirements for increased vigilance and the application of best practices and techniques that will continue to offer increased peace of mind. Where do we go from here?

With the process security foundation defined above, the next question is: what technology and process evolution can help us make a step change in securing process control systems into the future?

I propose four areas that will play a significant role in security improvement over the next five years: 
· Whitelisting
· Encryption
· Role Based Access Control
· Increased usage of Remote Security Operations Centers


Whitelisting

Why whitelist? Perhaps your first introduction to the "whitelist" approach was in email management, specifically for eliminating spam while allowing the messages you want to receive. Today we see it as a way to prohibit unapproved software and applications from running on the protected system.

"Good" software makes its way onto the white list, while unauthorised software is prohibited from executing and doing whatever "bad thing" it was intended to do. Many enthusiasts believe whitelisting is a good defence against "zero day" intrusions – preventing some, but not all. 

Whitelisting advocates in Australia are looking at advancements in whitelisting as a way to quarantine unauthorised software upon discovery, quarantine after blocking, enhance whitelist management, and as a way to produce a file system inventory that can accelerate verification of software on a hardware platform. 

Regardless of the depth of initial usage in control systems, whitelisting is a technology that provides another layer of defence and will be available for process control systems.
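The file-system inventory and execution-time verification described above, as an added example that is not part of the original article or any Honeywell product. It assumes an approved manifest of SHA-256 hashes obtained from a trusted source (constructed here from a temporary directory), and shows the three kinds of drift an inventory check surfaces: unapproved files (the quarantine candidates), modified files, and missing files. Execution is decided on the hash, not the file name.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

# Constructed example, not Honeywell code: a SHA-256 file inventory used as an
# execution allowlist. The approved manifest would normally come from the
# vendor's release media or a trusted build, never from the host being checked.


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_inventory(root: str) -> Dict[str, str]:
    """Inventory every file under root as {relative POSIX path: sha256}."""
    inventory: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            inventory[rel] = sha256_file(full)
    return inventory


def verify_inventory(approved: Dict[str, str], observed: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify drift between the approved manifest and the host inventory."""
    return {
        # present on the host but never approved: candidate for quarantine
        "unapproved": sorted(p for p in observed if p not in approved),
        # approved name but different content: tampered or silently updated
        "modified": sorted(p for p in observed if p in approved and observed[p] != approved[p]),
        # approved file that has disappeared: broken install or deliberate removal
        "missing": sorted(p for p in approved if p not in observed),
    }


def execution_allowed(approved: Dict[str, str], root: str, path: str) -> bool:
    """Execution-time decision: the hash, not the filename, must match an approved entry."""
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    expected = approved.get(rel)
    return expected is not None and sha256_file(path) == expected


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, object]:
    """Build a constructed install tree, baseline it, then introduce three kinds of drift."""
    root = tempfile.mkdtemp(prefix="allowlist-demo-")
    _write(root, "bin/hmi.exe", b"HMI v1.0 release build")
    _write(root, "bin/svc.exe", b"historian service v1.0")
    _write(root, "lib/driver.dll", b"protocol driver v1.0")
    approved = build_inventory(root)          # the trusted baseline

    _write(root, "bin/hmi.exe", b"HMI v1.0 release build + patched bytes")  # modified
    _write(root, "bin/rogue.exe", b"unapproved tool")                      # unapproved
    os.remove(os.path.join(root, "lib", "driver.dll"))                       # missing

    report = verify_inventory(approved, build_inventory(root))
    return {
        "report": report,
        "svc_runs": execution_allowed(approved, root, os.path.join(root, "bin", "svc.exe")),
        "hmi_runs": execution_allowed(approved, root, os.path.join(root, "bin", "hmi.exe")),
        "rogue_runs": execution_allowed(approved, root, os.path.join(root, "bin", "rogue.exe")),
    }


if __name__ == "__main__":
    print(demo())
```

The baseline is taken before the tampering so that the hash of the modified binary no longer matches; in a real deployment the inventory would be compared against a signed manifest and the host's own inventory would never be used as its own baseline.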


Encryption

Almost all communication on a control system is cleartext (plain text). Because of this, a man-in-the-middle (MITM) attack, a form of active eavesdropping, is possible.

This type of attack allows the intruder to "fake out" its victims, passing information as though it were a trusted endpoint, operating in a "trust the sender" scheme. 

A solution is to adopt encrypted communications. Encryption is the process of transforming plain text, using an algorithm, so that "the message" is unreadable to anyone except those possessing the encryption key.

It is a common method for protecting information in commercial systems and with wireless communication. One of the questions is where to encrypt the data – at rest or in transmission. 

Encryption, by itself, can protect the confidentiality of messages, but other techniques are needed to protect the integrity and authenticity of a message.
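The distinction just made, confidentiality without integrity, as an added example that is not part of the original article or any Honeywell product. The cipher is a deliberately simple stream cipher built from HMAC-SHA256 in counter mode so that the whole thing runs on the Python standard library (an assumption for illustration; a real link would use an AEAD mode or IPsec ESP with an integrity algorithm). A constructed setpoint telegram is encrypted, one ciphertext byte is altered on the path, and the receiver decrypts a different setpoint with no way to notice; the same alteration against an encrypt-then-MAC packet is rejected before anything is decrypted.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed example, not Honeywell code. The "cipher" is a toy stream cipher
# (keystream = HMAC-SHA256 in counter mode) so the whole thing runs on the
# standard library; a real link would use an AEAD mode or IPsec ESP with an
# integrity algorithm. The point it demonstrates is independent of the cipher:
# confidentiality alone does not stop an on-path party from changing a message.

NONCE_LEN, TAG_LEN = 16, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from (key, nonce, counter)."""
    blocks, counter = [], 0
    while len(blocks) * 32 < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def modify_in_transit(ciphertext: bytes, index: int, delta: int) -> bytes:
    """Model an on-path modification of one ciphertext byte. With a stream cipher
    the same XOR lands on the plaintext byte at that index, no key needed."""
    out = bytearray(ciphertext)
    out[index] ^= delta
    return bytes(out)


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so a change to either is detected."""
    nonce = os.urandom(NONCE_LEN)
    ct = xor_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, packet: bytes) -> Optional[bytes]:
    """Verify the tag first; only a packet that passes is decrypted."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_crypt(enc_key, nonce, ct)


SETPOINT_MSG = b"SETPOINT=050"   # constructed control telegram
DIGIT_INDEX = 9                  # position of the leading '0' in "050"
DELTA = ord("0") ^ ord("9")      # XOR that turns '0' into '9'


def demo_confidentiality_only() -> bytes:
    """Encrypt, alter one ciphertext byte, decrypt: the receiver gets a different
    setpoint and has no way to notice."""
    enc_key, nonce = os.urandom(32), os.urandom(NONCE_LEN)
    ct = xor_crypt(enc_key, nonce, SETPOINT_MSG)
    return xor_crypt(enc_key, nonce, modify_in_transit(ct, DIGIT_INDEX, DELTA))


def demo_encrypt_then_mac() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Same alteration against an authenticated packet: genuine opens, altered is rejected."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    packet = seal(enc_key, mac_key, SETPOINT_MSG)
    altered = modify_in_transit(packet, NONCE_LEN + DIGIT_INDEX, DELTA)
    return open_sealed(enc_key, mac_key, packet), open_sealed(enc_key, mac_key, altered)


if __name__ == "__main__":
    print(demo_confidentiality_only())   # b"SETPOINT=950" despite a random key
    print(demo_encrypt_then_mac())       # (b"SETPOINT=050", None)
```

The altered setpoint comes out the same whatever key is used, which is the practical meaning of "encryption protects confidentiality but not integrity": the receiver needs a separate integrity check (here an HMAC, in IPsec the AH or ESP integrity algorithm) and must perform it before acting on the data.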

For process control, we recognise the need to protect against modification from sender and receiver end-points. Today, with Internet Protocol security (IPsec), we can perform end-to-end authentication, allowing the protection of the message without encrypting the data.

As an IPsec configuration option, data can be encrypted as well. 

One point to be considered, however, is how some network intrusion detection features are implemented. For example, encrypting data can cripple network intrusion detection capabilities. The security strategy for the control system environment must balance the benefits and select the appropriate set of options. 

Incident Detection

Intrusion Detection Systems (IDS) may be delivered as hardware appliances or as software. The IDS resides on the network and is useful in detecting attempts to access the network.

Once again, traditional IT organisations have used these systems for many years, and we have found them equally useful in the control systems environment.

An IDS will act to alert the network administrator of intrusion attempts and record all alert information, according to parameters set by the administrator. 

There are network-based as well as host-based IDSs. Some control systems today are integrated with network-based IDS. Over time, however, we expect this technology to become more pervasive, and host-based IDS to be applied as well.

IDSs have the capability to inspect network packets as they flow through the system. Today very few control system protocols are understood by IDSs; we expect that to change as more of these protocols are defined and implemented in IDS products, making IDS for control systems more effective.

In addition to intrusion detection, the idea of intrusion prevention is very attractive.

Intrusion Prevention Systems (IPS) are relatively new to the world of incident detection, and offer the benefit of preventing the intrusion, not just detecting an intrusion and reporting on it after it has occurred.
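The protocol-aware inspection described above, as an added example that is not part of the original article or any Honeywell product. It assumes Modbus/TCP traffic (the 7-byte MBAP header followed by the function code), a constructed allowlist of engineering stations permitted to issue write requests, and constructed sample frames. The inspector raises an event for write function codes from any other host and for malformed frames; the same logic serves as an IDS (alert) or an IPS (drop), which is the difference the text draws between the two. Because it parses the cleartext frame, it would see nothing on a link encrypted with IPsec ESP, which is the trade-off noted earlier in the article.

```python
import struct
from typing import Dict, List, NamedTuple, Optional

# Constructed example, not Honeywell code: a minimal Modbus/TCP-aware inspector.
# Modbus/TCP frames start with the 7-byte MBAP header (transaction id, protocol
# id = 0, length, unit id) followed by the function code. Write function codes
# are the ones that change plant state, so writes from anywhere but an approved
# engineering station are the event of interest.

WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
ENGINEERING_STATIONS = {"10.1.1.10"}   # constructed: hosts permitted to issue writes


class Packet(NamedTuple):
    src: str
    dst: str
    payload: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[Dict[str, object]]:
    """Return the decoded MBAP header and function code, or None if malformed."""
    if len(payload) < 8:
        return None
    txn, proto, length, unit, func = struct.unpack("!HHHBB", payload[:8])
    # protocol id must be 0 and the length field counts everything after itself
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"txn": txn, "unit": unit, "function": func, "data": payload[8:]}


def inspect(pkt: Packet, mode: str = "ids") -> Optional[Dict[str, object]]:
    """Return an event for packets that violate policy; None for benign traffic.
    mode="ids" only alerts; mode="ips" would also drop the frame."""
    action = "drop" if mode == "ips" else "alert"
    msg = parse_modbus_tcp(pkt.payload)
    if msg is None:
        return {"src": pkt.src, "dst": pkt.dst, "action": action,
                "reason": "malformed Modbus/TCP frame"}
    func = msg["function"]
    if func in WRITE_FUNCTIONS and pkt.src not in ENGINEERING_STATIONS:
        return {"src": pkt.src, "dst": pkt.dst, "action": action, "unit": msg["unit"],
                "reason": f"{WRITE_FUNCTIONS[func]} (fc {func}) from non-engineering host"}
    return None


def run(packets: List[Packet], mode: str = "ids") -> List[Dict[str, object]]:
    """Inspect a packet list and return the events, in order."""
    return [ev for ev in (inspect(p, mode) for p in packets) if ev is not None]


def frame(txn: int, unit: int, func: int, *words: int) -> bytes:
    """Build a request frame; length = unit id + function code + data words."""
    data = struct.pack("!" + "H" * len(words), *words)
    return struct.pack("!HHHBB", txn, 0, 2 + len(data), unit, func) + data


# Constructed sample traffic on a control network segment.
SAMPLE_PACKETS = [
    Packet("10.1.1.20", "10.1.2.5", frame(1, 1, 3, 0, 10)),       # HMI reads 10 registers
    Packet("10.1.1.10", "10.1.2.5", frame(2, 1, 6, 100, 500)),    # engineering station write
    Packet("10.1.1.77", "10.1.2.5", frame(3, 1, 6, 100, 999)),    # write from unknown host
    Packet("10.1.1.77", "10.1.2.5", b"\x00\x04\x00\x01\x00\x02\x01"),  # truncated frame
]

if __name__ == "__main__":
    for event in run(SAMPLE_PACKETS):
        print(event)
```

A production sensor would also track the Modbus transaction id per connection and the register ranges being written, but the structure is the same: decode the control protocol, then apply a policy that knows which hosts and roles are allowed to change state.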

Remote Security Operations Centers

Remote centres for network and security management help to ensure optimal performance and administration of a process control network and security infrastructure via a set of remote services.

Many process control organisations today are challenged to address areas requiring specialised skills, skills that are more closely aligned with the IT organisation. While these capabilities are both valuable and necessary, in-house resources are better focused on business results.

For these reasons, many organisations will turn to a solution that provides the skills and services necessary to keep the process control network running in a secure environment. Over the coming years, we expect to see an increased utilisation of this type of remote service. 

Plant of the Future

The Plant of the Future will be compliant with IEC 62443 – which means that our industrial information technology will be compliant. IT best practices for security will increasingly be applied on process control.

We will see a move toward more individual accountability. This increased individual accountability will be achieved through more role-based control and access-enforced end points instead of "in the middle" approaches.

Today, change points are detected and made on the server. In the future, these change points will move closer to where the impact of the change resides – in other words, closer to the controller. 

For role-based access control (RBAC), a way of increasing individual accountability, we will see encryption used as a step in the right direction.
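Role-based access control enforced at the endpoint, with the accountability the text describes, as an added example that is not part of the original article or any Honeywell product. It assumes a constructed role-to-permission table and a controller object that makes its own authorisation decisions rather than relying on a server "in the middle"; every decision is written to an audit trail naming the individual. It also shows a second, role-independent layer (engineering limits on the setpoint), which is the defence-in-depth point the article makes later.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed example, not Honeywell code: role-based access control enforced at
# the controller endpoint. Every decision is written to an audit trail naming the
# individual, which is what gives individual accountability.

ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"read:process"},
    "operator": {"read:process", "write:setpoint"},
    "engineer": {"read:process", "write:setpoint", "write:logic"},
}


@dataclass(frozen=True)
class Identity:
    user: str     # the named individual, not a shared "operator" account
    role: str


@dataclass
class Controller:
    """A controller that makes its own authorisation decisions."""
    setpoint: float = 50.0
    setpoint_limits: Tuple[float, float] = (0.0, 100.0)  # enforced regardless of role
    logic: bytes = b""
    audit: List[Dict[str, object]] = field(default_factory=list)

    def _decide(self, who: Identity, permission: str, detail: str, granted: bool) -> bool:
        """Record who asked for what and whether it was granted, then return the verdict."""
        self.audit.append({"user": who.user, "role": who.role,
                           "permission": permission, "detail": detail, "granted": granted})
        return granted

    def _has(self, who: Identity, permission: str) -> bool:
        return permission in ROLE_PERMISSIONS.get(who.role, set())

    def write_setpoint(self, who: Identity, value: float) -> bool:
        if not self._has(who, "write:setpoint"):
            return self._decide(who, "write:setpoint", f"value={value}", False)
        lo, hi = self.setpoint_limits
        if not lo <= value <= hi:
            # independent second layer: an authorised role still cannot exceed limits
            return self._decide(who, "write:setpoint", f"value={value} outside limits", False)
        self.setpoint = value
        return self._decide(who, "write:setpoint", f"value={value}", True)

    def download_logic(self, who: Identity, program: bytes) -> bool:
        if not self._has(who, "write:logic"):
            return self._decide(who, "write:logic", f"{len(program)} bytes", False)
        self.logic = program
        return self._decide(who, "write:logic", f"{len(program)} bytes", True)


def demo() -> Dict[str, object]:
    """Exercise the controller with three constructed identities."""
    ctl = Controller()
    alice = Identity("alice", "operator")
    bob = Identity("bob", "viewer")
    carol = Identity("carol", "engineer")
    results: Dict[str, object] = {
        "operator_setpoint": ctl.write_setpoint(alice, 60.0),       # True
        "viewer_setpoint": ctl.write_setpoint(bob, 70.0),           # False: no permission
        "operator_logic": ctl.download_logic(alice, b"LD1"),        # False: needs engineer
        "engineer_logic": ctl.download_logic(carol, b"LD1"),        # True
        "operator_out_of_range": ctl.write_setpoint(alice, 150.0),  # False: outside limits
    }
    results["final_setpoint"] = ctl.setpoint
    results["denied_users"] = [e["user"] for e in ctl.audit if not e["granted"]]
    return results


if __name__ == "__main__":
    print(demo())
```

Because the check and the audit record live in the controller, the evidence of who changed what survives even if the server between the operator and the controller is bypassed or compromised, which is the reason the article expects change points to move closer to the controller.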

We need to adopt a security mindset – based on the premise that all trust is limited. One element of that mindset is compartmentalisation in order to minimise what must be defended, minimising the increment of potential loss. 

Another aspect of a security mindset is Defence in Depth – one "Maginot Line" is not sufficient. Trust is an important element in our security mindset, but we must understand that unverified trust decays over time.

Verification testing then becomes an important aspect – we must re-verify the basis for trust and our verification testing should not be predictable.

As part of our mindset, we must assume that some personnel and equipment are compromised by "the attacker" – just another reason why a single "Maginot Line" is not enough.

As we consider the next five years or so, we can see that the Plant of the Future will take advantage of more security technologies, more and more integrated into the control systems, with easy to use management and configuration tools.

The security mindset will become ingrained, just as safety has become ingrained in our control systems today. Being prepared, informed, and optimistic will help to ensure continued success. It's an evolution – not a revolution!

[Jason Urso is Chief Technology Officer, Honeywell Process Solutions.] 
