Are Industrial Control Systems Secure?

In July 2010, Stuxnet, the highly sophisticated designer-malware, targeted five organizations in Iran, spying on and subverting their uranium enrichment infrastructures. The malware targeted and destroyed supposedly secure equipment while evading detection for months. This is just one of a number of recent cyber attacks that demonstrate the increasing vulnerability of hardened industrial control systems, called Supervisory Controls and Data Acquisition (SCADA) systems. These networks contain the computers and applications that perform the key functions in providing essential services and critical infrastructure which span manufacturing, power generation and refining plants, infrastructure and facility processes in water treatment plants, oil and gas pipelines, electrical power distribution and buildings, airports, ships and space stations. By allowing the collection and analysis of data and control of such equipment as pumps and valves from remote locations, SCADA networks offer the benefits of performance, reliability and flexibility for mission critical processes. However, Stuxnet demonstrated the extent to which common industrial machines are vulnerable to the threat of electronic attacks. Consider a SCADA breach of a power supply and distribution plantall business would be impacted and economies could suffer incalculable losses. Failure to adapt SCADA systems to the changing threats and vulnerabilities of the cyber world exposes companies and governments to the very real possibility of a catastrophic event.

Related Reading: The Increasing Importance of Securing The Smart Grid

Historically, SCADA systems were kept separate from other corporate systems. Even though these networks may not have been effectively secured, they were traditionally difficult to break into because they were isolated for health and safety reasons. More recently, however, major companies are driving their process control through ERP systems, which not only control their financial data, but link their suppliers and customers. Third parties are now being given direct access to SCADA networks via the Internet to manage them and/or to do diagnosis. These connections to the outside world create a massive challenge from a security perspective. Other security challenges inherent to todays SCADA networks include the following:

Ownership. Many wrongly believe that the IT department automatically looks after SCADA as well as
enterprise security. This, in fact, is rarely the case. While IT departments may provide security for systems they understand for example, Windows and SAP the critical control systems that run the pipelines and refineries on a daily basis are largely foreign to them and have been traditionally managed by the engineering side of the business. These control systems have unusual, engineering-derived operating systems like VxWorks or RSLogix. This means that many of the proven IT security solutions will either not function correctly or, even worse, may interfere with SCADA operations.

Exposure. SCADA architectures increasingly involve Commercial Off the Shelf (COTS) software, such
as Win servers, TCP/IP protocols, and management tools, many with inherent vulnerabilities. Without clear ownership and responsibility, these products are frequently left unpatched and exposed.

Origin of Attacks. Many managers mistakenly assume that all cyber security problems arise from
outside the company premises, generally from hackers. The assumption is that hackers attempt to attack SCADA systems through obvious pathways that can be managed by a single Bastion firewall between the business and SCADA networks. While the more infamous attacks have occurred from outside, the truth is that many problems originate from within the company and in these cases, the firewall affords little protection, leaving the networks exposed. Additionally, many organizations have

had to break through the firewall to allow ERP systems to drive the process control by SCADA integration. Third parties connecting to ERP systems can then access SCADA networks.

Common Design Flaws. For many years, simply keeping the systems communicating posed a major
challenge for SCADA engineers. The emergence of Ethernet, TCP/IP and Web technologies radically altered the equation. The result? The creation of control networks that act as common pathways for all industrial control communications. When a new control application needs a network to transport its data on, too often the answer means connecting it to the control network. Over the last few years, any clear understanding of exactly what devices are attached to most corporate networks, or what traffic is travelling over the network, have become impossible. This results in well-intentioned staff tapping into the control systems to add or access network traffic, causing an unreliable and insecure SCADA network. The first step for organizations should be to assign responsibility for managing security around the SCADA process control environment. Whether thats an extension of the Chief Security Officers responsibility or someone dedicated within the process control area, there has to be accountability for this area. To ensure that its SCADA networks are brought under control, an organization needs to follow the standards spelled out by the American National Standards Institute. These are divided into three fundamental categories: Risk Analysis, Addressing Risk with Cyber Security Management System (CSMS) and Monitoring and Improving the CSMS. More specifically, the first category lays out the path a company needs to follow in order to both assess its current security situation and determine the security goals it wants to achieve. The second category outlines the processes needed to define security policy, security organization and security awareness in the company and provide recommendations for countermeasures to improve SCADA security. The final category describes those methods that make sure that a SCADA system not only stays in compliance with CSMS, but follows a continuous improvement program. The benefits of these recommendations extend beyond the goal of reducing the possibility of an attack. By improving the corporate processes concerning SCADA systems and more effectively managing the actual traffic on the control systems networks, organizations can enhance overall system reliability, justifying the cost of the security program. The time to take action is now. The effort needed to secure SCADA networks cant wait any longer.