Lessons In Cyber Security

“We face real dangers from sophisticated, nimble and organized adversaries who will stop at nothing to achieve their objectives. The truth is that our networks and control systems are vulnerable, and they’re exposed, and we have to change that,” declared Bruce Landis, deputy assistant secretary for Cyber Security and Telecommunications for the U.S. Department of Homeland Security (DHS, www.dhs.gov). “We know that control systems run some of our nation’s most critical assets,” Landis added. “I can tell you the risks are substantial, and this directly affects each and every one of the more than 300 million Americans.”


Landis’ comments came during an opening-day keynote address at the annual meeting of the Process Control Systems Forum (PCSF, www.pcsforum.org) March 6-8 in Atlanta. Landis may have been “preaching to the choir” at this gathering, made up of control system security experts from government, academia and industry, including end-users, systems integrators and vendors. But at least there is evidence that the “choir” is getting larger.

Previous meetings of the two-year-old organization have drawn 150 to 160 attendees, said Michael Torppey, PCSF technical manager. “But we’re happy to say that for this meeting, we had registered close to 200 people,” he noted. And a show of hands on opening day revealed a large number of first-time attendees.

Those who made the trip were treated to a range of reports and presentations on the latest tools, techniques and projects aimed at securing the nation’s process control systems. 

A number of PCSF sessions focused on security activities involving the energy sector. One presentation that drew high levels of interest, for example, came from Gary Finco, SCADA security researcher at the Idaho National Laboratory, Idaho Falls, Idaho. Finco described the development of common procurement language that electric power generators and others can use in requests for proposals, to ensure that security is integrated into control systems that they acquire. “A lot of end-users want to have secure systems, but they really don’t know what to ask for,” said Finco.

The procurement language project began in March 2006. A draft document, Version 1.5, was completed last November and is on the Web site of the federal Multi-State Information Sharing and Analysis Center, at www.msisac.org/scada. “We’ve had almost 5,000 downloads of the document since November,” Finco said. The project team is currently taking comments from electric utility asset owners and vendors for suggested changes and revisions to the language, said Finco. The Lab is also working with vendors to develop procurement language that is appropriate to other industry segments, he added, because “one size doesn’t fit all. Oil and gas will be different from power, or from refineries, or from chemical.”

Push or pull?

Many sessions covered specific PCSF interest group topics. The “Anti-Virus (A/V) Software on Control Systems Interest Group” meeting produced a lively discussion, as vendors and end-user representatives alike debated the best way to deal with A/V software. The merits of “push” versus “pull” models on the control side got plenty of discussion. And some friction between end-user information technology (IT) and control system departments was evident. “We’d rather not run A/V in our control systems, but we have to. IT puts everybody in the same shoe box, and we haven’t had a lot of success with that,” complained a control systems engineer from one major chemical company.

A variety of new products aimed at control systems security were also discussed at the PCSF event. For example, Nate Kube, chief technology officer at Wurldtech (www.wurldtech.com), a SCADA security firm based in Vancouver, British Columbia, Canada, and Dale Peterson, director of network security practice for Digital Bond (www.digitalbond.com), Sunrise, Fla.-based network security consultants, discussed Wurldtech’s Achilles offering. The Achilles Vulnerability Assessment Platform is billed as the first automated, comprehensive testing product for systematically assessing network stack robustness and locating zero-day vulnerabilities in industrial control devices.

In another session Eric Byres, chief executive officer of industrial security consultants Byres Security (www.byressecurity.com), in Lantzville, British Columbia, Canada, discussed his company’s soon-to-be-released Tofino Industrial Security Solution. As part of what Byres calls a “defense-in-depth” approach to security, the Tofino “appliance” is designed to provide an additional layer of security within the control system environment against hackers or viruses that may penetrate a company’s perimeter firewall and other defenses.

The Tofino device can be thought of as a combination personal firewall and intrusion detection system for operator stations, programmable logic controllers (PLCs), digital control systems (DCS) and other devices, says literature for the product. “Plug a Tofino appliance onto the control network in front of a PLC, DCS or HMI (human-machine interface) station and it learns what type of device it needs to protect, looks up the device’s vulnerabilities in a central database and then tunes itself to protect that specific device.”
