Lessons in Cyber Security

Attendees at this year’s Process Control Systems Forum received a concentrated look at the latest tools, techniques and projects in control systems cyber security.

“We face real dangers from sophisticated, nimble and organized adversaries who will stop at nothing to achieve their objectives. The truth is that our networks and control systems are vulnerable, and they’re exposed, and we have to change that,” declared Bruce Landis, deputy assistant secretary for Cyber Security and Telecommunications for the U.S. Department of Homeland Security (DHS). “We know that control systems run some of our nation’s most critical assets,” Landis added. “I can tell you the risks are substantial, and this directly affects each and every one of the more than 300 million Americans.” 

Landis’ comments came during an opening-day keynote address at the annual meeting of the Process Control Systems Forum (PCSF) March 6-8 in Atlanta. Landis may have been “preaching to the choir” at this gathering, composed of control system security experts from government, academia and industry, including end-users, systems integrators and vendors. But at least there is evidence that the “choir” is getting larger. 

Previous meetings of the two-year-old organization have drawn 150 to 160 attendees, said Michael Torppey, PCSF technical manager. “But we’re happy to say that for this meeting, we had registered close to 200 people,” he noted. And a show of hands on opening day revealed a large number of first-time attendees.  

Those who made the trip were treated to a range of reports and presentations on the latest tools, techniques and projects aimed at securing the nation’s process control systems.  

What to ask for 

A number of PCSF sessions focused on security activities involving the energy sector. One presentation that drew high levels of interest, for example, came from Gary Finco, SCADA security researcher at the Idaho National Laboratory, Idaho Falls, Idaho. Finco described the development of common procurement language that electric power generators and others can use in requests for proposals, to ensure that security is integrated into control systems that they acquire. “A lot of end-users want to have secure systems, but they really don’t know what to ask for,” said Finco. “So what we were trying to do was give them some ideas.”  

The procurement language project began last March, said Finco. A draft document, Version 1.5, was completed last November and is on the Web site of the federal Multi-State Information Sharing and Analysis Center, at www.msisac.org/scada. “We’ve had almost 5,000 downloads of the document since November,” Finco said. The project team is currently taking comments from electric utility asset owners and vendors for suggested changes and revisions to the language, said Finco. The Lab is also working with vendors to develop procurement language that is appropriate to other industry segments, he added, because “one size doesn’t fit all. Oil and gas will be different from power, or from refineries, or from chemical.” 

One electric industry-specific session provided a status report on OPSAID, a joint government/industry project to develop an interoperable open system security architecture for potential use by all of the nation’s 3,000 electric utility companies. OPSAID, which stands for Open PCS (Process Control System) Security Architecture for Interoperable Design, is one of various projects of the Department of Energy’s (DOE) National SCADA (Supervisory Control and Data Acquisition) Test Bed. The OPSAID initiative is led by Sandia Laboratories, in Albuquerque, N.M., and includes participation by Entergy Corp., New Orleans, the nation’s fifth largest power utility. The nine-month-old effort, which is using Linux software, has already produced some early deliverables, said Sandia’s Jason Stamp, the project principal investigator. 

Push or pull? 

Many sessions covered specific PCSF interest group topics. The “Anti-Virus (A/V) Software on Control Systems Interest Group” meeting produced a lively discussion, as vendors and end-user representatives alike debated the best way to deal with A/V software. The merits of “push” versus “pull” models on the control side got plenty of discussion. And some friction between end-user information technology (IT) and control system departments was evident. “We’d rather not run A/V in our control systems, but we have to. IT puts everybody in the same shoe box, and we haven’t had a lot of success with that,” complained a control systems engineer from one major chemical company. 

A variety of new products aimed at control systems security were also discussed at the PCSF event. For example, Nate Kube, chief technology officer at Wurldtech, a SCADA security firm based in Vancouver, British Columbia, Canada, and Dale Peterson, director of network security practice for Digital Bond, Sunrise, Fla.-based network security consultants, discussed Wurldtech’s Achilles offering. The Achilles Vulnerability Assessment Platform is billed as the first automated, comprehensive testing product for systematically assessing network stack robustness and locating zero-day vulnerabilities in industrial control devices. 

Security appliance 

In another session, Eric Byres, chief executive officer of industrial security consultants Byres Security, in Lantzville, British Columbia, Canada, discussed his company’s soon-to-be-released Tofino Industrial Security Solution. As part of what Byres calls a “defense-in-depth” approach to security, the Tofino “appliance” is designed to provide an additional layer of security within the control system environment against hackers or viruses that may penetrate a company’s perimeter firewall and other defenses. 

The Tofino device can be thought of as a combination personal firewall and intrusion detection system for operator stations, programmable logic controllers (PLCs), Digital Control Systems (DCS) and other devices, says literature for the product. “Plug a Tofino appliance onto the control network in front of a PLC, DCS or HMI (human-machine interface) station and it learns what type of device it needs to protect, looks up the device’s vulnerabilities in a central database and then tunes itself to protect that specific device.” 

Byres said the Tofino will undergo beta testing at six companies until July, and general availability will come soon after that. List price for the appliance device will be in the $1,000 to $1,200 range, while Tofino software modules such as firewall, virtual private network and others will go for about $200 each, he said.  

Digital Bond
www.digitalbond.com 

Entergy Corp
www.entergy.com 

Idaho National Laboratory
www.inel.gov 

Sandia National Laboratories
www.sandia.gov 

Process Control Systems Forum
www.pcsforum.org 

U.S. Department of Energy
www.energy.gov 

U.S. Department of Homeland Security
www.dhs.gov 

Wurldtech
www.wurldtech.com
