For years the warnings came with increasing regularity from an array of security experts. A major cyber attack on an industrial operation was bound to happen. It was a matter of when, not if, they said. As the years passed and the number of isolated security incidents increased, industry began to pay closer attention to cyber security, but few pockets of industry made it an operations priority.
Then came the news in the summer of 2010 that a computer worm called Stuxnet had been created and targeted at Iranian nuclear facilities.
Though the cyber security bomb that was Stuxnet was not pointed at an average production facility, the news that this complex, highly effective worm had been created and spread attracted the attention of industry on a global scale. After all, for years we had all been hearing about hypothetical cyber security threats. Now we were looking at the real thing. The industrial world had changed.
Post-Stuxnet realities
“Stuxnet did not have a significant impact on our business,” says Brian Ahern, president and CEO of Industrial Defender (www.industrialdefender.com), a supplier of industrial security systems based in Foxborough, Mass. “But it did begin to shift the mentality surrounding the viewpoint of industrial cyber security.”
This shift took the discussion from a purely operational concern and forced it into the executive suite. Companies are now beginning to assess security risk similarly to how they assess risks to their supply chain and other aspects of their portfolio. As a result, there are more discussions about developing a unifying approach to security to drive down total cost of ownership and fund it as a program rather than a project.
“Significant budgets are now being allocated to security,” says Ahern. “This higher level of corporate involvement may mean that it [the process of deploying cyber security safeguards] will move slower, but in the long run it will have positive impacts for securing the nation’s critical infrastructure.”
Ken Modeste, global principal engineer at Underwriters Laboratories (www.ul.com), Northbrook, Ill., agrees that, since Stuxnet, there is now a much greater general sense of cyber security awareness in industry. Although manufacturers are now making a more concerted effort to build systems with security, “when you are using products that have been deployed for years in an environment where security previously was not a priority, redress for deployed systems becomes an issue,” he added.
Along with this greater awareness of cyber security among manufacturing management who have to deal with security on older systems, there has been a push on automation vendors to provide greater levels of security as part of their product and services offering.
Noting this increased focus on security by automation vendors, Joel Langill, industrial control system (ICS) cyber security specialist at SCADAhacker.com (Appleton, Wis.), points to Siemens and Honeywell as being particular examples of automation companies working on the frontlines of the cyber security issue.
Siemens’ most recent work in this area is focusing on a new communications processor that provides point-to-point authentication in the protocol. “This helps address issues directly on the control network because it is point-to-point,” says Rick Dries, director of systems and application engineering support, Siemens Industry (www.siemens.com), Alpharetta, Ga.
According to Dries, this new communications processor is a module that works with Siemens’ S7 300 and 400 controllers, as well as in a PC. “This module, which sits in between the controller and the HMI, will manage communications between those devices. It can be retrofitted, and we’re investigating now to determine the reach of its backward compatibility.”
Siemens expects to release this module in spring 2012.
Though cyber security experts like Langill applaud these efforts, the general consensus is that such steps still do not go far enough.
“Many automation companies are still missing some of the game-changing technologies from their lineups, like intrusion monitoring, network behavioral analysis and security event monitoring, which are key to a complete lifecycle approach to cyber security,” says Langill.
Government involvement
The presence of security-related government agencies, particularly the Department of Homeland Security (DHS), has been increasingly evident at industry conferences in the past few years.
“The DHS is providing a number of valuable services,” says Eric Byres, chief technology officer and vice president of engineering at Byres Security (www.tofinosecurity.com), Lantzville, British Columbia, Canada. “The most important of which is helping to increase awareness of the issue, and serving as a source of information that can be presented to your company’s board to get approval for securing your control systems. They also do a good job of providing a useful overview of what the trends are. Even big companies don’t always have a good understanding of what’s going on across different industries. Only the government has that view.”
Byres adds that DHS also acts as an “honest broker for vulnerabilities as they are discovered. Last year they handled 140 vulnerability reports on different products,” he says.
The Industrial Control Systems Joint Working Group is a DHS initiative that “is doing fantastic work as a mediator for automation vendors, security vendors and industry experts to collaboratively define best-in-class approaches to security,” says Ahern.
“They are currently working to build an audit staff and capability to assess the market’s responsiveness to regulatory requirements,” Ahern adds.
In his job as the SCADAHacker, Langill works very closely with DHS. Although he is “very pleased that the United States has taken steps to elevate the importance of ICS security,” he feels that DHS is underfunded.
“There is so much more they could do if they had the staff and resources needed,” says Langill. “I would like to see more public/private cooperation in this space, because there are just too many hurdles in place now to bring the necessary resources from the private sector into the core DHS team to help solve this problem.”
Despite this clear support for DHS, don’t mistake Langill’s position as a call for more government involvement in the security issue via increased regulations.
“When it comes to security, regulations—though they may improve the baseline security posture of an organization—will not provide adequate defenses from an advanced threat over a typical asset’s lifecycle,” says Langill. “In fact, I believe that regulations can decrease security, because they essentially provide a list of things for people to do or not do, making it very easy for an attacker to know what someone is not doing within their architecture.”
(See the “ICS Cyber Security: Where to Start” sidebar accompanying this article for more information about the DHS-maintained ICS-CERT Web site).
The disconnect
On the bright side, it’s clear that the manufacturing and production industries are waking up to the issue of control system security. The problem is that, though some initial steps are being taken, there is not a lot of other good news to report about control system security for industry as a whole.
“Most industries have done a good job of establishing an electronic security perimeter and starting network segmentations, such as setting up DMZs,” says Ahern. “However, what’s not being done is getting down into the next layer of security, like security event management at the automation layer. You can’t protect against what you don’t know is happening. You can set up a great perimeter, but once you’re inside that perimeter, you can do anything you want if the next level is not secured as well. You need host intrusion detection; you need network intrusion detection.”
Though more customers are now beginning to evaluate this next layer of defense, Ahern says most are doing it with IT security tools. “Those tools are limited at the automation layer when it comes to providing true defense in depth,” he says.
Perhaps a bigger issue is that most manufacturers still don’t realize just how connected their control systems are. Security experts say that, when beginning an analysis of control system security at a site, the first question they often ask is if there are any outside connections to the system. The first response is typically “no.” Shortly following that response, the end user will recall that there is a connection to the enterprise system, but they will quickly note that there is a firewall between those systems so all is assumed to be safe.
According to Byres, DHS recently put teams into the field to analyze control system security at different companies in different industrial sectors. Byres says that DHS found that there was, on average, not just one connection from a control system to the business network, but 11.
“I was working on a large refinery in Texas,” Byres recounts, “and they gave me this wonderful line diagram showing all the dotted line connections and firewalls that were in place. We found 17 unknown connections by the time I left.”
Infection pathways
The most common way for control systems to become infected is through simple actions on the part of users. For example, consider an engineer who engages in the typical practice of taking his laptop home to do some work and connecting it to his home network. He then brings that computer back the next day and connects it to the plant network. If that user gets a virus at home, he has now brought it on to the plant floor.
“Do you think the control group at that plant had a dotted line diagrammed for that connection?” asks Byres.
Working with engineers at various facilities, Byres says he constantly hears about “the air gap” between the control system and outside networks. “That is such BS,” he says. “You can’t air gap. Control systems are no longer isolated little systems. The only isolated system I know of is my home thermostat, and that isn’t going to be isolated for very long either.”
Another way in which control systems get viruses, even without wired or wireless connections to the enterprise system, is when engineering groups create new PLC logic to improve a production process.
“You bring that new logic in on a USB drive or CD,” says Byres, “and that’s exactly how Stuxnet travels. You don’t need a wired connection to get infected.”
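The automation-layer security event management Ahern calls for, and the removable-media path Byres describes, can be illustrated with a small piece of detection logic. The block below is an added example, not code from the article or from any vendor named in it: it parses a constructed, hypothetical key=value event log from engineering workstations and flags removable-media use, PLC program downloads from unapproved hosts or outside a maintenance window, and the sequence of a USB attach shortly followed by a logic download. The host names, event names, approved-host list and maintenance window are all assumptions.

```python
"""Automation-layer event monitoring (added example, hypothetical log format)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events: one line per event, ISO timestamp then key=value pairs.
SAMPLE_EVENTS = """\
2011-10-03T08:02:11 host=EWS-01 event=logon user=jsmith
2011-10-03T08:05:40 host=EWS-01 event=usb_attach device=SanDisk_Cruzer
2011-10-03T08:09:02 host=EWS-01 event=plc_download target=PLC-07 program=mixer_v12
2011-10-03T13:20:15 host=LAPTOP-ENG3 event=plc_download target=PLC-02 program=conveyor_v3
2011-10-03T14:01:00 host=EWS-02 event=plc_download target=PLC-04 program=packer_v8
"""

# Assumed policy: only these hosts may write PLC logic, and only in this window.
APPROVED_ENGINEERING_HOSTS = {"EWS-01", "EWS-02"}
MAINTENANCE_WINDOW = (6, 12)            # hours of day [start, end) when downloads are expected
USB_TO_DOWNLOAD_WINDOW = timedelta(minutes=30)


@dataclass
class Event:
    ts: datetime
    host: str
    event: str
    fields: dict[str, str]


def parse_line(line: str) -> Event:
    """Parse '<timestamp> key=value key=value ...' into an Event."""
    ts_text, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts_text), fields.pop("host"), fields.pop("event"), fields)


def parse_events(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(events: list[Event]) -> list[tuple[str, str, str]]:
    """Run the rules over time-ordered events; return (severity, host, reason) alerts."""
    alerts: list[tuple[str, str, str]] = []
    last_usb: dict[str, datetime] = {}     # host -> time of most recent removable-media attach
    window_min = int(USB_TO_DOWNLOAD_WINDOW.total_seconds() // 60)

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event == "usb_attach":
            last_usb[ev.host] = ev.ts
            alerts.append(("medium", ev.host,
                           f"removable media attached: {ev.fields.get('device', '?')}"))
        elif ev.event == "plc_download":
            target = ev.fields.get("target", "?")
            if ev.host not in APPROVED_ENGINEERING_HOSTS:
                alerts.append(("high", ev.host,
                               f"PLC program download to {target} from unapproved host"))
            if not (MAINTENANCE_WINDOW[0] <= ev.ts.hour < MAINTENANCE_WINDOW[1]):
                alerts.append(("medium", ev.host,
                               f"PLC program download to {target} outside maintenance window"))
            usb_ts = last_usb.get(ev.host)
            if usb_ts is not None and ev.ts - usb_ts <= USB_TO_DOWNLOAD_WINDOW:
                # The removable-media-to-controller path: new logic arriving on a USB drive.
                alerts.append(("high", ev.host,
                               f"PLC program download to {target} within {window_min} min "
                               "of removable media attach"))
    return alerts


if __name__ == "__main__":
    for severity, host, reason in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{severity:6}] {host}: {reason}")
```

Over the constructed sample the rules produce five alerts, two of them high severity: the approved workstation EWS-01 downloads logic minutes after a USB drive is attached, and the unapproved host LAPTOP-ENG3 writes to a PLC at all. Neither event would be visible from the perimeter firewall, which is the point Ahern makes about needing host-level visibility at the automation layer.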
Byres says the bottom line is that engineers and operators have to stop treating the plant floor as “one big, flat happy network.” The answer is in following the best security practices from the IT world and adapting them to the specific requirements of the plant floor.
“If you look at anybody doing sophisticated security in the IT world,” says Byres, “you’ll see that they segment their company operations into little pieces and secure them bit by bit—and that’s what you have to do to the plant floor. You don’t want happening to you what happened to Chrysler a few years ago when a virus came into one plant via a laptop and a minute and a half later, 13 plants are infected and 50,000 workers get the afternoon off.”
If you don’t break your plant floor into security zones (see the image included with this feature), you’re asking for infection, cautions Byres.
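The gap between the documented line diagram and the connections actually present, and the zone-based segmentation Byres recommends, can be checked mechanically. The block below is an added example, not code from the article or from Byres Security: it defines a hypothetical zone model (business, DMZ, control) with the conduits that appear on an assumed line diagram, then audits constructed flow records and reports every cross-zone connection the diagram does not account for, with crossings into or out of the control zone called out separately. The subnets, conduits, ports and flow records are all assumptions.

```python
"""Zone/conduit audit of plant-floor flows (added example, hypothetical zone model)."""
from __future__ import annotations

import ipaddress

# Assumed zone model: which subnets belong to which security zone.
ZONES = {
    "business": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "control": ipaddress.ip_network("192.168.10.0/24"),
}

# Conduits that appear on the (assumed) line diagram: (src zone, dst zone, dst port).
DOCUMENTED_CONDUITS = {
    ("business", "dmz", 443),   # business users reach the historian web front end in the DMZ
    ("dmz", "control", 502),    # DMZ historian collector polls PLCs over Modbus/TCP
}

# Constructed flow records, e.g. exported from a firewall or flow collector.
SAMPLE_FLOWS = """\
src=10.0.5.20 dst=10.1.0.10 dport=443 proto=tcp
src=10.1.0.10 dst=192.168.10.7 dport=502 proto=tcp
src=10.0.7.33 dst=192.168.10.7 dport=502 proto=tcp
src=10.0.9.14 dst=192.168.10.21 dport=3389 proto=tcp
src=192.168.10.5 dst=192.168.10.7 dport=502 proto=tcp
src=192.168.10.21 dst=10.0.2.2 dport=445 proto=tcp
src=172.16.40.9 dst=192.168.10.7 dport=102 proto=tcp
"""


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the model is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flows(text: str) -> list[tuple[str, str, int, str]]:
    """Parse 'src=... dst=... dport=... proto=...' lines into (src, dst, dport, proto)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = dict(p.split("=", 1) for p in line.split())
        flows.append((f["src"], f["dst"], int(f["dport"]), f["proto"]))
    return flows


def audit(flows: list[tuple[str, str, int, str]]) -> list[tuple[str, str, str, str, int, str]]:
    """Classify every cross-zone flow; returns (src_zone, dst_zone, src, dst, dport, verdict)."""
    findings = []
    for src, dst, dport, _proto in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz:
            continue                      # traffic inside one zone is not a conduit
        if (sz, dz, dport) in DOCUMENTED_CONDUITS:
            verdict = "documented"
        elif "control" in (sz, dz):
            verdict = "undocumented-control-crossing"   # the connections nobody drew a dotted line for
        else:
            verdict = "undocumented"
        findings.append((sz, dz, src, dst, dport, verdict))
    return findings


def undocumented_control_connections(flows):
    """Just the undocumented flows that enter or leave the control zone."""
    return [f for f in audit(flows) if f[-1] == "undocumented-control-crossing"]


if __name__ == "__main__":
    for sz, dz, src, dst, dport, verdict in audit(parse_flows(SAMPLE_FLOWS)):
        print(f"{sz:>8} -> {dz:<8} {src}:{dport} -> {dst}  [{verdict}]")
```

Run against the sample, the two documented conduits pass and four undocumented crossings remain: a business host talking Modbus/TCP straight to a PLC, a remote-desktop session into the control zone, an engineering workstation reaching a business file share, and a host from an address range that is not in the zone model at all. Those four are the site's equivalent of the "unknown connections" Byres keeps finding, and they are also the list of conduits to either document and filter or remove.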
The reality that manufacturers have to adapt to is that you can’t stop infections from happening, Byres says. “You can’t keep every virus or hacker out of your plant floor any more than you can keep a virus out of the human body. You have to build a system that can deal with viruses like the human body does. It has to be able to spot something nasty when it comes in and deploy the programs to deal with it. Your strategy has to be about how to contain and deal with security problems, not block them out entirely … because that can’t really be done.”