Industrial control systems need a new approach to IT security

Paul Boughton
Manufacturing organisations want convergence between office and plant networks but the emergence of the Stuxnet virus has caused organisations to take a fresh look at IT security. Alistair Rae considers the implications for designers of industrial control systems and reviews some of the security technologies currently available.

A current trend in industrial automation is towards 'boardroom to sensor' convergence, enabling manufacturers to benefit from better visibility of plant/machine processes, improved performance and increased plant availability.

At the same time, open Ethernet networks have developed, with some being capable of using unmodified IT infrastructure to make true convergence achievable.

Other changes involving manufacturing organisations' networks include the 'internet of things' (industrial and commercial devices equipped with Ethernet connectivity) and the wireless Ethernet revolution.

Lack of understanding

As office-based information technology (IT) and industrial control systems converge, the differences in knowledge and outlook of the individuals involved become apparent, often exacerbated by a lack of understanding of each other's areas.

These differences have sometimes resulted in misunderstandings and incorrect assumptions, particularly in relation to responsibility for security and difficulties with operating system (OS) and software versions and patches that differ between IT and control systems.

Enforcing IT patches and software updates on control systems without testing and validation can cause significant disruption to production.

Automation security

Automation security is an issue for organisations that do not necessarily consider their systems as critical, but that view a loss of system availability as a risk.

Intentional wrongdoing might not be considered a significant threat; however, the actions of well-intentioned or disgruntled employees or former employees might be a more prominent risk.

In addition, viruses can cause major disruption even without targeting control systems, and Stuxnet has made people realise that there is a new and significant threat to industrial control systems, being the first virus to target programmable logic controllers (PLCs).

The complex nature of Stuxnet makes it unlikely that similar attacks will happen immediately, but it highlights a potential methodology for future attacks, and one that should be guarded against.

According to the USA's National Institute of Standards and Technology (NIST) Guide to Industrial Control Systems (ICS) Security, potential incidents may include:

- Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.

- Unauthorised changes to instructions, commands or alarm thresholds, which could damage, disable or shut down equipment, create environmental impacts and/or endanger human life.

- Inaccurate information sent to system operators, either to disguise unauthorised changes or to cause the operators to initiate inappropriate actions, which could have various negative effects.

- ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects.

- Interference with the operation of safety systems, which could endanger human life.

A new approach

Since the emergence of Stuxnet, the Trojan virus targeted at Siemens WinCC SCADA (supervisory control and data acquisition) software and Simatic PLCs, a fresh approach to industrial control system security has been necessary. This is because only a combination of physical security, correct processes, training and application of the right technologies could have prevented the Stuxnet infection.

'Security by obscurity' - the hope that industrial control systems are simply not understood or targeted by hackers - has now been shown to be unreliable.

One of the infection methods used by Stuxnet was auto-execution of programs held on USB memory sticks to infect programming PCs not normally connected to the network (see panel and Fig. 1).

With the control system manuals and protocol specifications freely available on the internet, and control system hardware readily available to purchase, only a lack of motivation could prevent an attack - which is an inadequate basis for defence.

There has been criticism of vendor responses to identified vulnerabilities, though this is not restricted to the industrial sector - consider the reputational damage recently suffered by Sony, for example.

End users, control system designers and equipment vendors therefore need to consider potential suppliers' responsiveness to vulnerabilities, as swift action can prevent or limit damage to equipment and operations.

Security best practice

Control system designers should follow best-practice guidance starting with a defence-in-depth strategy. This includes the physical security of systems, as well as the security of networks, computers, servers, operating systems, applications and control systems. It is also important not to overlook the human element, associated policies, procedures and the personnel involved.

Role-based access control should be implemented to ensure that only authorised persons have access to the required systems. Resilient network architectures should be designed, with a DMZ (demilitarised zone, or perimeter network) that separates the enterprise and manufacturing networks. The operating system and software installations should also be current and validated with the control system hardware and software vendors.

Furthermore, patches for both the operating system and application software should be kept up to date, but these must also be validated and tested on non-production systems to avoid unscheduled stoppages.

Company guides

Advice on best practice is available from many sources, including ISA 99, Industrial Automation and Control Systems Security, which is the first standard to cover industrial control system security.

Vendors such as Siemens, Rockwell Automation, Cisco and Mitsubishi Electric have also produced guides to security and networking. Siemens' white paper Security concept PCS 7 and WinCC - Basic document provides a set of recommendations for creating secure networks for plants, with the aim of facilitating co-operation between IT administrators and control engineers.

Cisco provides an overview of threats to manufacturing networks and a solution based on the ISA 99 standard in a white paper Cisco Ethernet to the Factory Solution: Securing Today's Global Networks in Industrial Environments. This is expanded upon in the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide published jointly by Cisco and Rockwell Automation.

More recently, Mitsubishi has published a white paper Security - Tackling Emerging Threats to Manufacturing and Process Control, in which it argues that there are security benefits in using control systems based on PLCs rather than PCs.

Portable memory

One of the infection routes used by Stuxnet was USB memory sticks, and these devices have also been known to spread other malware.

An interesting solution to this problem, aimed at OEMs requiring secure transfer of data, is the Ruggedrive memory tokens and receptacles from Datakey Electronics (Fig. 2). These are physically different from consumer USB memory sticks to provide a base level of protection.

From a customer perspective, an alternative approach might be to issue company USB memory and control its usage, while ensuring that each device is scanned for malware prior to use on control systems.

With Windows Group Policies, it is possible to prohibit USB memory use, or permit the use of just a particular brand and type.

Applications are also available to disable the Windows auto-run feature on DVDs and USB memory. More sophisticated applications such as Endpoint Protector from Cososys enable centralised control and include reporting functionality, the ability to enable/disable specific USB devices and to force encryption of data to prevent its loss.
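As an added illustration (not taken from any of the products or guides named here), the following Python sketch audits the output of the Windows `reg query` command for two policy-backed registry values: `NoDriveTypeAutoRun`, which controls auto-run per drive type, and `Deny_All`, which denies access to all removable storage classes. It covers only the "prohibit" case; the expected values and the sample output are constructed assumptions for the example.

```python
import re

EXPLORER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
REMOVABLE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"

# Expected policy state (an assumption of this example): (key, value) -> (DWORD, meaning)
EXPECTED = {
    (EXPLORER, "NoDriveTypeAutoRun"): (0xFF, "auto-run off for every drive type"),
    (REMOVABLE, "Deny_All"): (0x1, "all removable storage access denied"),
}

VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

def parse_reg_query(text):
    """Parse `reg query` output into {(key, value_name): int} for DWORD values."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            values[(key, m.group(1))] = int(m.group(2), 16)
    return values

def audit(text):
    """Return one finding per expected value that is missing or different."""
    values = parse_reg_query(text)
    findings = []
    for (key, name), (want, meaning) in EXPECTED.items():
        got = values.get((key, name))
        if got != want:
            seen = "not set" if got is None else hex(got)
            findings.append(f"{name}: want {want:#x} ({meaning}), found {seen}")
    return findings

# Constructed sample output, not captured from a real machine.
WEAK = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x91
"""
HARDENED = WEAK.replace("0x91", "0xff") + r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices
    Deny_All    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for finding in audit(WEAK):
        print(finding)
```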

Norman Data Defense Systems offers a number of means by which organisations can protect against potential threats. Norman Network Protection (NNP) is a network gateway appliance that is simply added to the network to perform real-time malware scanning, malware isolation, outbreak prevention and damage control.

With Norman Device Control, organisations can enforce USB security for removable devices, and also provide encryption and port protection.

Zero day vulnerabilities

Part of the Phoenix Contact group, Innominate offers its mGuard technology to protect against zero day vulnerabilities that would not be detected immediately by antivirus software due to being previously unknown - as was the situation with Stuxnet (Fig. 3).

Innominate's mGuard is available as an OEM product that provides monitoring of configurable sets of files on PCs for unexpected modifications of executables.

When it initialises, mGuard computes a baseline of signatures for monitored objects, then it periodically checks for any deviations; potential threats can therefore be identified without having to rely on a library of known virus signatures. Independent research showed this method would have provided zero day detection of Stuxnet.
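The baseline-and-compare approach described above can be sketched in a few lines of Python. This is an added example, not mGuard's implementation: it assumes SHA-256 digests as the 'signatures', a fixed set of executable file extensions, and constructed file names and contents.

```python
import hashlib
import os
import tempfile

MONITORED = (".exe", ".dll", ".sys")  # assumed set of executable file types

def sha256_file(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()

def snapshot(root):
    """Map each monitored file (path relative to root) to its SHA-256 digest."""
    result = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(MONITORED):
                full = os.path.join(dirpath, name)
                result[os.path.relpath(full, root)] = sha256_file(full)
    return result

def deviations(baseline, current):
    """Report monitored files changed, added or removed since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def write(root, name, data):
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: baseline a directory, alter it, then re-check."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "hmi.exe", b"vendor HMI build")
        write(root, "comms.dll", b"vendor comms library")
        write(root, "shift-log.txt", b"not an executable")
        baseline = snapshot(root)                            # taken at initialisation
        write(root, "comms.dll", b"unexpected replacement")  # content changed
        write(root, "helper.sys", b"file nobody installed")  # new executable
        write(root, "shift-log.txt", b"routine edit")        # ignored: not monitored
        return deviations(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Because the check compares each file against its own earlier state, it flags the changed and the newly added executable without any library of known malware signatures; the baseline itself must be stored where the monitored PC cannot alter it.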

Byres Security has developed the Tofino Security Appliance that can be considered as a firewall tailored to protect industrial end point devices such as programmable logic controllers, distributed control systems (DCSs), remote terminals, human-machine interfaces and diverse microprocessor-based devices.

To meet the requirements of critical infrastructure protection, Nitrosecurity offers specialised systems for comprehensive monitoring of SCADA and distributed control systems networks, protocols, applications and databases.

Protection of critical systems is achieved by the use of intrusion protection and prevention systems to provide perimeter protection, which can adapt to threats during an incident in order to maintain security. Nitroview reporting software automates the notification and reporting of security events and exceptions/violations.

Risk against costs

Managing industrial control system security is always a question of balancing risk against costs, bearing in mind that 100 per cent protection is usually unrealistic and prohibitively expensive. Therefore the new challenge has to be one of accepting that a security breach is inevitable, and planning for that event.

Not only must resilient systems be designed, incorporating best-of-breed layered defences, but there also needs to be a contingency plan and a disaster recovery plan.

The relentless development of malware, together with the ever-changing threat, also requires a sustained approach to control system security.
