Control System Security

Digital Control Systems and their associated industrial networks/protocols are extending the depth to which bi-directional communications extend throughout an enterprise. In many cases, the underlying technology for the business network and the process control network are the same. Consequently, many of the risks that are found in today's corporate or business environments can now impact the reliable operation of the process control system. This page and the links highlight some of the vulnerabilities, their sources and remedies that the modern integrated control system needs to address.

The Following Technical Articles and White Papers are from Tofino Security.

Insider Threat to Utilities - More Focus Needed on Critical Components - Recently the Unites States’ Department of Homeland Security (DHS) released a report on “Insider Threat to Utilities” that has been getting a lot of attention in the mainstream media. While released “For Official Use Only (FOUO)”, the report has been posted on the Internet and portions of it have received considerable media coverage. Unfortunately media coverage so far tends to focus on the dramatic, such as the potential threat of Al-Qaeda attacks on the ten year anniversary of 9/11, and don’t actually help utility owner operators secure their systems. In this article Eric Byres share his thoughts on how critical infrastructure operators need to extend the report’s recommendations to include additional protective measures.

New SCADA Security Reality: Assume a Security Breach - This article highlights that sometimes the "fortress" mentality on security does not work. Antivirus Protection for PLCs - Not Enough on its Own - If any security expert claims systems can be secured by just using antivirus products on the Windows computers in a control system, they are crazy, irresponsible or both. Antivirus (AV) technology helps protect the plant floor, but it is not enough on its own. For the most part, AV software only works if you have a signature, which is great for dealing with well known common malware like Conficker. Unfortunately, there is no signature for a worm using a zero-day vulnerability. Stuxnet proved that - it was in the wild for a year before there were any signatures available. Antivirus software did not spot the worm for that year.

SCADA Cyber Security Problems - Just How Common are the Programming Errors? - This interesting article by Rob Hulsebos has been posted on the Practical SCADA Security blog - Find out how and why common programming errors still exist in today’s SCADA systems.

SCADA Security and the Broken Business Model for Software Testing - David Alexander - Recently Rob Hulsebos wrote an article for this blog where he raised the perennial problem of programming errors contributing to security vulnerability. I have a newsflash for you - this isn’t new. It may be a new concept to some in the world of Industrial Control Systems, but it’s been a problem for software engineers since about 5 seconds after the first ever program successfully compiled.

Technical Briefing Kit: “Understanding Deep Packet Inspection for SCADA Security" - Eric Byres - This Technical Briefing Kit explains:

The lack of granularity of SCADA/ICS protocols, making Deep Packet Inspection a necessity.
How DPI improves the security and reliability of industrial systems.
The urgent need for DPI given the advanced malware, such as Stuxnet, that is attacking industrial control systems nowadays.
Tofino Security DPI technology for securing the OPC and Modbus protocols.

Securing Offshore O&G Platforms - Advanced Threats need Advanced Firewalls - Heather MacKenzie - When engineers look at security, a topic they should know about is Deep Packet Inspection (DPI) and why offshore networks need to use it if they want to be secure. The critical systems managing production and safety on offshore platforms are largely based on legacy SCADA and Industrial Control System (ICS) products and protocols. Many of these products are decades old and were never designed with security in mind. Unfortunately these same systems are now connected to external systems using Ethernet and TCP/IP. That has been great for efficiency, but it exposes mission critical production systems to malware - from Tofino.

The iPhone is Coming to the Plant Floor - Can we Secure it? - Eric Byres - This is an issue that industry needs to come to terms with quickly if we are ever going make our plant floors secure. What is your company doing about mobile devices on the plant floor? Does it have a strategy?

Address SCADA Security Vulnerabilities NOW, Not Later - Eric Byres - Who is responsible for fixing the thousands (some say 100,000) of vulnerabilities that exist in PLCs, DCS, RTUs and other automation devices that are in use in facilities around the world?

SCADA Security Basics: Integrity Trumps Availability - Eric Byres - There is more to consider when it comes to industrial security priorities.

SCADA Security Basics: Why Industrial Networks are Different than IT Networks - Heather MacKenzie - This blog looks at SCADA security from another angle, which is “Why is securing Industrial Networks different than securing IT Networks?” It covers three ways to address these differences.

Shamoon Malware and SCADA Security - What are the Impacts? - Heather MacKenzie - The most destructive post-Stuxnet discovery of advanced threats is a malicious malware known as Shamoon. Like Stuxnet, Duqu and Flame, it targeted energy companies in the Middle East, this time Saudi Aramco, Qatar’s RasGas and likely other oil and gas concerns in the region. It is a new species however, because it did not disrupt an industrial process as Stuxnet did, nor did it stealthily steal business information as Flame and Duqu did. Instead it removed and overwrote the information on the hard drives of 30,000 to 55,000 (yes those numbers are correct!) workstations of Saudi Aramco (and who knows how many more at other firms). Nothing this damaging has been seen in a while. As a Kaspersky Lab expert commented “Nowadays, destructive malware is rare; the main focus of cybercriminals is financial profit. Cases like the one here do not appear very often.”What does Shamoon mean for SCADA and ICS Security? This is an interesting article into what is in effect cyber terrorism.

The Cost of Cyberattacks - Greg Hale - Can You Afford NOT to Deploy Best Practices? There is a spectrum of awareness and capability regarding cyber security in industry, with the oil and gas sector being at the forefront of implementing best practices and many other sectors still unconvinced that it merits expenditure and resource allocation. According to Greg companies that implement cyber security best practices are 2.5 times less likely to experience a major cyberattack and 3.5 times less likely to experience unplanned downtime than companies that don’t. Cyber incidents cost organizations:

$558,000 in revenue losses
$480,831 in brand damage
$366,301 in compliance fines
174,309 in lost productivity

It all adds up to costing U. S. industry $6 million a day or $20 billion a year.

Presentation: "Unicorns and Air Gaps - Do They Really Exist?" - Eric Byres' presentation explains:

The current status of air gaps and industrial control systems.
The challenge of air gaps and today’s infrastructure systems.
Why real world security measures are needed.
How an oil and gas refinery deals with multiple pathways.
The importance of last-line-of-defense critical systems.

This presentation will increase your knowledge of air gaps as a security measure and provide you with practical advice on real-world security for control systems.

SCADA Security: A Call-out to Control Engineers about Air Gaps - Recently Eric Byres discussed how security experts and ICS / SCADA vendors are giving up on the dream of the air gap as a viable security solution for the modern control system. Unfortunately, it is still all too easy to believe your control system is isolated. Recently he had a very enlightening conversation with a control engineer who thought his system was air gapped.

SCADA Security: New Vulnerability Disclosure Framework a Step Forward - In a move that may be helpful for critical infrastructure asset owners, on July 23 2012 the Industrial Control Systems Joint Working Group (ICSJWG) published a new document for disclosing Industrial Control System (ICS) vulnerabilities titled Common Industrial Control System Vulnerability Framework . It provides building blocks for a new vulnerability disclosure process that will benefit both vendors and asset owners.

SCADA Security Basics: SCADA vs. ICS Terminology - “What’s the difference between a SCADA system and an ICS system, and if there is no difference, then why do we have two different names?” - This is a good question, because unless you have worked in the industrial automation field for a few decades, the terminology can seem very confusing. Not only do we have SCADA versus ICS, we also have terms like Process Control, Discrete Control, Industrial Automation, Manufacturing Automation Systems, Distributed Control Systems, Energy Management Systems and so on.

SCADA Security Basics: Why are PLCs so Insecure? - An interesting discussion on this point which provides much "food for thought".

32 Minutes to Understanding SCADA Security - Engineers as well as IT staff in the process control and SCADA industries have varying levels of knowledge about industrial cyber security. We come across this regularly when talking to people at industry events or speaking with customers or partners. To help you, no matter where you are in the learning curve, we have recently released a five-part video series. This article summarizes the videos and provides you with direct access to them.

ICS Security and VLANs - Boogeyman or Helper? - Virtual Local Area Networks (VLANs) should not be counted on as a security feature of modern managed Ethernet switch networks. This is now common knowledge, both in IT departments and also in the Industrial Control Community. Indeed in Eric Byres’ article "Why VLAN Security isn't SCADA Security at all" he points out that switches with VLANS are not firewalls. But are VLANs the boogeyman of industrial control system security...or are they underestimated helpers? This article examines that question in detail.

Why SCADA Firewalls Need to be Stateful - Joel Langill of SCADAhacker.com and Eric Byres are leading experts in the field of SCADA security. Their article will help you learn about stateful firewall inspection. It explains (a) What "state" is in regard to data communication (b) How Stateless and Stateful firewalls work (c) How a PLC can be attacked using the HTTP protocol (d) The relevance of Stateful Firewalls in today's ICS and (e) this article will increase your knowledge of Stateful Inspection and will provide useful guidance and examples for mitigation planning.

Using ANSI / ISA-99 Standards to Improve Control System Security - Eric Byres is recognized as one of the world's leading experts in the field of SCADA security. He has also been acclaimed by the group behind the standards, ISA, with the honor of ISA Fellow. Eric's White Paper will help you understand (a) why the "push for productivity" has degraded control network security (b) the ANSI/ISA-99 Zone and Conduit Model (c) how to implement zones and conduits for your control network and (d) how a major oil refinery implemented network segmentation using ANSI/ISA-99 zones and conduits Start using the Zone and Conduit Model to protect your plant against process disruption, safety incidents and business losses from modern cyber security threats.

SCADA Security: Justifying the Investment - Frank Williams - In the blog article Industrial Data Compromise - The New Business Risk it was recommended that End Users and Control Engineers need to redouble their efforts in relation to securing their process. However, finding the best way to justify the costs of implementing and maintaining a more secure process environment is new territory even for the most seasoned control system engineer. This article suggests a way to determine the right amount of investment in ICS and SCADA security measures.

Uninterruptible Power Supplies and Cybersecurity - Hackers can Remotely Power Down Critical Automation - Michael A Stout - The recent number of cyber-attacks and their level of sophistication have demonstrated the inadequate network security measures employed by many large corporations, government, and military agencies. Time is on the hackers’ side. They only have to find one unsecure computer or device on a segment of a corporate or governmental network, and they can use any number of methods to eventually gain access to critical data. Should they not be able to find an unsecured computer, they simply have to send a cleaver e-mail containing a one-off designer backdoor virus that will evade many corporate level antivirus software and firewalls - and again they are in - from ISA and InTech.

Cyber Security Nightmare in the Netherlands - Rob Hulsebos - The first two weeks of February have been exciting times in the Netherlands, with many cyber security incidents making headlines in the news. One of the most worrisome involved keeping my country, a country that is below sea level, dry. This task is delegated to industrial systems - and one would expect the safety of millions of people properly managed and kept up to the highest standards. But is it? - From Tofino Security.

7 Steps to ICS and SCADA Security - This paper provides a process for operators to go through so that they can improve their cyber security practices and protect their facilities from modern cyber security threats - From Tofino Security.

Securing Your OPC Classic Control System - Thomas Burke and Eric J. Byres - OPC Classic is a software interface technology used to facilitate the transfer of data between different industrial control systems. It is widely used to interconnect Human Machine Interface (HMI) workstations, data historians and other hosts on the control network with enterprise databases, Enterprise Resource Planning (ERP) systems and other business-oriented software. Unfortunately, securely deploying OPC Classic has proven to be a challenge. This white paper describes two independent techniques for ensuring strong security in systems using OPC Classic technology. This first creates zone-based defenses using OPC-aware firewalls. The second takes advantages of improvement in the Windows operating system to managing OPC accounts and permissions. Both security techniques are available and proven for use in today’s control systems.

Stuxnet and Other Threats

Siemens PLC Security Vulnerabilities - It Just Gets Worse - A new article by Eric Byres has been posted on the Practical SCADA Security blog.

Securing SCADA systems from APTs like Flame and Stuxnet - Part 1 - Eric Byres - Recently a very complex worm called Flame has been discovered attacking companies in the Middle East, and it is an excellent example of what security experts call an Advanced Persistent Threat (APT). Figuring out how to defend against APTs is a major focus in the IT security world.

Securing SCADA systems from APTs like Flame and Stuxnet - Part 2 - Professor Paul Dorey recently presented a paper about the seven important lessons the IT world has learned in managing Advanced Persistent Threats (APTs). This article discusses lessons #2, #3 and #4, and how to apply these lessons to ICS and SCADA security.

Air Gaps won’t Stop Stuxnet’s Children - Eric Byres - As someone working in the field of industrial cyber security I never thought I would see the day when a cyber attack would be the topic of a prime time television show. Recently the U.S. program “60 Minutes” aired a segment called “Stuxnet: Computer worm opens new era of warfare,” If you have not seen it, I recommend viewing it. It does a good job of explaining a complex malware and it is interesting to learn about it from the people who were directly involved in deciphering and tracking it. Post-Stuxnet, well-designed ICS worms such as Night Dragon, Duqu and Nitro have been revealed. Each of them has focused on stealing intellectual property such as oil field bids, SCADA operations data, design documents and other information that could cause business harm. This focus on industrial data compromise is new, and signals a new era of industrial malware.

Process Control Security Applications

Offshore Oil and Gas Platform: Cyber Security Implementation - An oil and gas production company operates a fixed natural gas and oil gathering and processing platform located in deep water on the US continental shelf. The platform serves multiple natural gas and oil wells connected by pipes running along the seabed back to the platform. The facility was designed to handle a high volume, thus there is a strong emphasis on reliability. Any downtime, whether caused by accidental or malicious forces, would interrupt oil and gas production and be very costly. The production company presented Cimation, a Tofino Certified System Integrator, with the challenge of maximizing the reliability and uptime of the platform.

Cyber Security And The Pipeline Control System - Eric J. Byres - Sound strategy, regardless of whether it is for military, physical or cyber security, relies on the concept of “defense in depth.” Effective security is created by layering multiple security solutions so that if one is bypassed another will provide the defense. This means not overrelying on any single technology such as a firewall. Firewalls aren’t bad technology. In fact, they are a fantastic tool in the security toolbox. But, industry has misused them by believing they will solve all security - from Tofino Security.

Industrial Cyber Security Videos

The following videos are from Tofino Security, it is recommended that they are viewed in the following sequence;

What is Cyber Security? - Our modern lifestyle relies on critical infrastructure and industrial plants that use complex networks of computers, PLC controllers, remote terminal units and other specialized equipment. However as these industrial networks have become more complex and interconnected, Cyber Security becomes more and more important to ensure their continued safe and reliable operation. This video examines the current state of cyber security in SCADA and industrial control networks, talks about how we got to this point, and lays the foundation for discussing how to improve the security of these systems.
We're Secure - We Have A Firewall! - Many companies already use firewalls to isolate the plant and enterprise networks. What's so bad about this approach? Aren't these networks already protected? In this video, we'll explore the types of cyber security issues we often see in plant networks and learn how these issues can impact plant operations in spite of these firewalls.
Security Strategies that Work on the Plant Floor - The previous video in this series showed that a firewall on the plant network could not protect us against many cyber security threats. But if that doesn't work, then what ARE we supposed to do to protect our plant? IT engineers have been dealing with cyber security issues for years. This video examines the security strategies that they have found to work, and see how we can implement them on the plant floor.
Why Is Cyber Security still a Problem in SCADA and Control Networks? - IT engineers have been dealing successfully with cyber security issues for years, and there are many security products in daily use in enterprise networks. Why is cyber security such a challenge on control networks? Why can't the same tools and techniques be used to secure these systems? The answers to these questions lie in understanding the unique requirements of control and SCADA networks, and applying cyber security strategies in ways that are appropriate to these applications.
How does Tofino Protect my Plant? - Previous videos in this series have discussed how Defense in Depth can be an effective strategy to secure control networks. So how exactly does Tofino implement Defense in Depth? And what makes it the best solution? This video takes a deeper dive into the components of the Tofino Industrial Security Solution, and examines how they work together to implement cyber security on the plant floor.

Process Control Security Standards

ISA99 Cyber Security Standard Defines Key Technical Requirements for Secure Industrial Control Systems - The ISA-62443 series of standards, being developed by the ISA99 committee of the International Society of Automation (ISA) and adopted globally by the International Electrotechnical Commission (IEC), is designed to provide a flexible framework to address and mitigate current and future vulnerabilities in industrial automation and control systems (IACS). A newly published standard in the series, ISA-62443-3-3-2013, Security for Industrial Automation and Control Systems Part 3-3: System Security Requirements and Security Levels, addresses risks arising from the growing use of business information technology (IT) cyber security solutions to address IACS cyber security in complex and dangerous manufacturing and processing applications - from the ISA.

The Following are from NIST

National Institute of Standards publication “Protecting Industrial Networks from Cyber Attacks”.

Guide for Conducting Risk Assessments - This guide focuses exclusively on risk assessment—the second step in the information security risk management process. The guidance covers the four elements of a classic risk assessment: threats, vulnerabilities, impact to missions and business operations, and the likelihood of threat exploitation of vulnerabilities in information systems and their physical environment to cause harm or adverse consequences.

"As the size and complexity of our collective IT infrastructure grows, we cannot protect everything we own or manage to the highest degree," says Ross. "Risk assessments show us where we are most at risk. It provides a way to decide where managers should focus their attention. "The risk assessment guidance is designed to meet the needs of a variety of organizations, large and small, including financial institutions, health care providers, software developers, manufacturing companies, military planners and operators, and law enforcement groups.