Network Intrusion Prevention: Sleepers Awake!

Your networks are vulnerable to intruders. A rash of recently published vulnerabilities and exploits proves that the conventional methods of blocking them are not enough. Here’s how to exploit the stability of automated processes to secure control networks.
What if you were to wake one morning to the news that someone had just published a way into your supervisory control and data acquisition (SCADA) system? What if a researcher had posted 34 vulnerabilities in four popular SCADA systems to the Internet, and this list contained some of yours? Would you be prepared to defend your control network against intruders?

If your company is like most, probably not, according to Bryan Singer, principal consultant for Kenexis Security Corp. headquartered in Columbus, Ohio. Most manufacturing facilities are using conventional cyber-security protection that has depended upon keeping up with the latest threats and blocking them. Unfortunately, last summer’s Stuxnet infection and more recent events in March have proven that this strategy is no longer secure. Manufacturers need to replace it with a defense-in-depth strategy that erects multiple lines of defense that not only block known threats but also actively search for intruders.

Mounting an active, multilayered defense is more important now than ever before because security vulnerabilities are no longer dribbling out one or two at a time through controlled channels. As far as Singer and other security consultants are concerned, the waking-to-a-nightmare scenario already occurred this year in late March. One Monday, Italian researcher Luigi Auriemma published a list of 34 SCADA vulnerabilities in the BugTraq e-mail list. To make matters worse, a few days before, a Moscow-based security firm named Gleg published 11 unpatched exploits of SCADA vulnerabilities in its Agora SCADA+ exploit package.

Consequently, a large number of vulnerabilities and exploits had been circulating for a while before vendors could even begin to generate patches, says Singer. After searching the Internet for exposed systems on the morning that the news broke, “I found dozens of them within a very short amount of time,” he reports. “These control systems are directly accessible across the Internet, and we have active exploit code available for some.”

Even when such vulnerabilities and exploits come to the attention of automation vendors and security firms, fortifying control networks with threat signatures and patches takes time. Not only do patches take time to develop, but they also require testing to ensure that they are safe to implement. In a study conducted by AstraZeneca, the fastest that the pharmaceutical company could safely deploy patches to all systems throughout its plants was 31 days, reports Eric Byres, chief technology officer at Byres Security Inc., developer of specialized firewalls for industrial control systems in Lantzville, British Columbia, Canada.

Deploy diverse defenses

Because repairing vulnerabilities takes so much time, the current thinking on protecting industrial control systems involves multiple layers of protection. “This strategy accounts for the probability that there will be vulnerabilities in your cyber armor,” explains John Cusimano, director of security services and managing director of exida.com LLC, a safety-consulting firm based in Sellersville, Pa. “Through multiple layers and dissimilar technology, the strategy provides for other mechanisms to prevent threats from reaching their targets.” The idea is to construct networks so that critical systems are many layers removed from most threats.

Singer at Kenexis thinks that the best way to implement a defense-in-depth strategy is to follow the ISA99 Manufacturing and Control Systems Security standard being developed by the International Society of Automation (ISA) in Research Triangle Park, N.C. “There is a lot of good guidance [in the standard] for understanding and describing your environment from a security perspective,” says Singer, who is co-chair of the committee.

The zone-and-conduit model outlined in the standard breaks a network into zones that can be secured independently of one another. Data, then, flow among the zones by means of carefully controlled conduits and are inspected whenever they cross boundaries. Hence, once inside a network, no one has free access everywhere within it.
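
The zone-and-conduit idea described above can be sketched as an audit over flow records that flags any traffic crossing a zone boundary outside a defined conduit. This is an added example, not code from the article or from the ISA99 standard; the zone names, address ranges, conduit ports and sample flows are constructed assumptions.

```python
import ipaddress

# Constructed zones (hypothetical names and address ranges, not from the article).
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":        ipaddress.ip_network("10.20.0.0/24"),
    "control":    ipaddress.ip_network("10.30.0.0/24"),
}

# Conduits: the only permitted inter-zone paths, as (src zone, dst zone, dst port).
CONDUITS = {
    ("enterprise", "dmz", 443),   # business users reach a data mirror in the DMZ
    ("dmz", "control", 502),      # data collector polls controllers (Modbus/TCP)
}

def zone_of(ip):
    """Return the name of the zone containing ip, or 'external' if none does."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def check_flow(src, dst, dport):
    """Classify one flow as 'intra-zone', 'conduit' or 'violation'."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz and sz != "external":
        return "intra-zone"
    if (sz, dz, dport) in CONDUITS:
        return "conduit"
    return "violation"

def audit(flows):
    """Return the flows that cross a zone boundary outside any conduit."""
    return [f for f in flows if check_flow(*f) == "violation"]

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.4.7", "10.20.0.5", 443),     # enterprise -> dmz over a conduit
    ("10.20.0.5", "10.30.0.11", 502),    # dmz -> control over a conduit
    ("10.30.0.11", "10.30.0.12", 502),   # stays inside the control zone
    ("10.10.4.7", "10.30.0.11", 502),    # enterprise straight into control
    ("203.0.113.9", "10.30.0.11", 502),  # Internet host reaching a controller
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("outside any conduit:", flow, zone_of(flow[0]), "->", zone_of(flow[1]))
```
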

Singer reports that, of the standard’s 14 documents, two have already been published and the others are pending. “We’ve also released two technical reports,” he adds. As the various parts of ISA99 are approved and published, the International Electrotechnical Commission in Geneva has been internationalizing them as IEC 62443.

As with the ISA99 model, IEC 62443 cannot be used as a mere checklist, warns Cusimano at exida. “Suppliers’ reference architectures need to be adjusted for ‘real’ applications, and data collection must be performed very carefully on live control systems,” he says.

One of Cusimano’s customers, a South African petrochemical company, learned these lessons the hard way when a worm shut down two OPC (a communications standard) servers in December 2009. The operators had to run the plant ...
