Securing industrial control systems against threat of cyber infection

Paul Boughton

We are all aware of the need to protect desktop computers from viruses and other malware, but what about industrial systems? Alistair Rae explains that these are generally less well protected, yet a malicious attack or an infection with malware can have devastating results. Fortunately there are ways to reduce the risks.

Machines and processes are often equipped with PC-based technologies today, which lays to rest the scepticism of 10 or 15 years ago when most engineers believed that Microsoft Windows would never be sufficiently stable or deterministic for industrial applications. Following in the wake of Windows is Ethernet, with the advantages offered by complete 'shop floor to top floor' connectivity making it very attractive. Of course, a number of protocols based on Ethernet have had to be developed for machine- and process-related communications to provide the determinism, speed and, in some cases, safety required, but end users are demanding 'Ethernet for everything' and suppliers are responding accordingly.

However, the ubiquity of the PC platform and Windows operating system also brings with it risks to plant and businesses. Hardware is frequently presented as offering the benefit of internet connectivity, enabling machine builders to monitor equipment and respond to diagnostic messages remotely, for example. But the ease with which data can flow also means that there is a significant risk of the plant or equipment being infected with malware.

Depending on the nature of the worm, Trojan horse, virus or other malware, the equipment might run slowly, stop operating, infect other machines on the network or become potentially hazardous. There is a short video on the YouTube website that shows how researchers staged a cyber attack on a generator that caused it to self-destruct, thereby exposing a vulnerability in the USA power grid.

This example may be an extreme one, but cyber attacks of one form or another are a reality. Norman Data Defense Systems, which specialises in cyber security, reports that a few years ago the safety monitoring system of the Davis-Besse nuclear power plant in America was infected with the Slammer worm, which bypassed the plant's firewall via a contractor's laptop. More recently a CIA official revealed at the SANS (SysAdmin, Audit, Network, Security) conference in New Orleans that hackers have penetrated power systems in several regions outside the USA and, in at least one case, caused a power outage affecting multiple cities. Statistics for attacks are hard to compile, as few organisations are prepared to admit they have had a problem, but the potential for damage is so high that the issue deserves attention even if the likelihood of an attack is very low - which it is probably not.

Legacy systems

Within an office environment it is relatively straightforward to ensure that access to the Internet is via an adequate firewall and all machines are kept up to date with security patches, anti-virus software and so on. On the factory floor, the problem is much harder to manage. For a start, some of the equipment may be comparatively old; Windows NT is still being used on some machines, despite its known flaws, vulnerabilities and the fact that Microsoft no longer provides security updates for this operating system. Such machines, if left unprotected, represent a significant risk.

But even newer machines can pose a risk. It is not uncommon for a maintenance engineer or contractor to connect a laptop PC to a machine to download diagnostic data, modify operating parameters or carry out work. If the PC is infected with malware this can easily be passed to the machine. Likewise, USB memory sticks present a risk, and the extensive networking used in production plants today means that numerous machines can be infected once security has been breached on one machine. If a machine is connected to the Internet, it is not unknown for machine operators to visit websites that they should not, which can lead to malware being downloaded. Even websites that can be accessed legitimately can become infected, resulting in the user's machine having malware installed. If a machine runs an email client, this presents another possible means of infection.

A further threat comes from hacking, though IPS (Invensys Process Systems), which is active in the field of cyber security for industrial systems, says that the available information does not indicate that hacking poses the greatest threat - at least not today. A much more likely scenario is for a control system to be infected and impacted by some form of malicious code, be it a virus, worm or Trojan.

Preventative measures

Fortunately there are measures that can be taken to reduce the risks. Norman Data Defense Systems, mentioned earlier, launched Norman Smartsuite for Manufacturing in July 2008, describing it as a comprehensive software-based system to protect manufacturers' plant and process systems against new and unknown malware and spyware attacks.

David Robinson, country manager for Norman UK, states: "The consequences of a security breach - such as the plant floor becoming infected by a worm or Trojan, for example - can be far-reaching and extremely costly. This could include production disruptions, loss of data, health and safety issues, and damage to the company's reputation. Norman Smartsuite for Manufacturing has been designed to offer maximum protection against malware threats without adversely affecting the real-time systems operating in production sites across the globe."

Norman Smartsuite for Manufacturing comprises four modules: Norman Network Protection (NNP); Norman Sandbox Analyzer; Norman Virus Control; and Norman Malware Cleaner. NNP is a real-time anti-malware scanner that can be installed at various points through the network or between network segments. Incorporated within NNP, Norman Sandbox Analyzer allows users to analyse automatically the file behaviour and actual actions performed by suspicious files. As part of the Smartsuite for Manufacturing licence, Norman Virus Control can be installed on desktops, laptops, servers and terminal servers. In addition to covering the majority of current operating systems, Norman Virus Control is compatible with older operating systems still commonly deployed in manufacturing plants, including Windows 98, 2000 and NT (Fig. 1). Finally, the Norman Malware Cleaner utility can detect and clean specific malicious code. The program is designed to clean an infected system completely by killing infected running processes, removing infections from disks (including ActiveX components and browser helper objects), revealing and removing rootkits, restoring correct registry values, removing references created by malware and removing Windows firewall rules for malicious programs.

Appropriate measures

Rather than attempting to produce a set of software tools that users can install, IPS has formed a dedicated team with specialist skills in security, control systems, IT and networking. The company believes that cross-discipline skills are vital to meet the needs of the modern industrial control systems environment, with its increasing use of IT and networking technologies. IPS says its security team works with clients and also internally within IPS to improve security in products while maintaining the required functionality.

IPS is involved in numerous security-related activities across the control systems industry. It is an active participant in industry security standards groups and information-sharing initiatives, such as ISA S99, ISCI (ISA Security Compliance Institute) and the Process Control Systems Forum (PCSF), as well as other groups. These provide the opportunity for greater understanding, knowledge transfer and sharing of expertise and information. Many countries now have Critical National Infrastructure initiatives and IPS plays its part by working with Governments. Nevertheless, IPS recognises the value of teamwork and has partnered with Integralis, a leading global security management provider. Using Integralis' expertise and global view provides direct benefits to help with quickly changing threats and vulnerabilities.

IPS has developed its security approach in line with industry best practice and its own specialist knowledge, basing it on five principles:

- View security from both management and technical perspectives.

- Ensure security is addressed from both an IT and control system perspective.

- Design and develop multiple layers of network, system and application security.

- Ensure industry, regulatory and international standards are taken into account.

- Prevention is critical in plant control systems, supported by detection.

For the third point above, the company recommends a 'defence in depth' approach to designing and implementing measures to mitigate security vulnerabilities and threats. In this layered approach, different strategies are adopted for addressing security risks in the data centre, plant network, controls network and field I/O zones. This includes a perimeter firewall between the data centre zone and the Internet, an Internet firewall to protect the plant network zone, and a controls network firewall to protect the controls network zone.
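The zoned, default-deny layout described above, as an added example that is not part of the article or of IPS's own tooling: the zones are modelled as a linear chain (Internet, data centre, plant network, controls network, field I/O), and the rule set, host names and sample flows are constructed for illustration.

```python
# Added example (not from the article): a small model of the zoned,
# defence-in-depth firewall layout. Zone names, rules and flows are constructed.
from dataclasses import dataclass

# Zones ordered from least trusted (outside) to most trusted (field I/O).
ZONES = ["internet", "data_centre", "plant_network", "controls_network", "field_io"]

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_host: str
    proto: str
    port: int

# Explicit allow rules for each firewall; anything not listed is dropped.
# (src_zone, dst_zone, allowed source host or "*", protocol, port)
ALLOW_RULES = [
    ("data_centre", "internet", "*", "tcp", 443),                     # perimeter firewall: outbound HTTPS only
    ("plant_network", "data_centre", "*", "tcp", 1433),               # historian replication (constructed)
    ("plant_network", "controls_network", "eng-ws-01", "tcp", 502),   # Modbus/TCP from one engineering station
    ("controls_network", "field_io", "*", "tcp", 502),                # controllers to field I/O
]

def adjacent(src: str, dst: str) -> bool:
    """Defence in depth: traffic may only cross one zone boundary at a time."""
    return abs(ZONES.index(src) - ZONES.index(dst)) == 1

def evaluate(flow: Flow) -> str:
    """Return 'allow' or a drop reason: zone adjacency first, then the
    explicit allow list, with default deny for everything else."""
    if flow.src_zone not in ZONES or flow.dst_zone not in ZONES:
        return "drop: unknown zone"
    if not adjacent(flow.src_zone, flow.dst_zone):
        return "drop: crosses more than one zone boundary"
    for src, dst, host, proto, port in ALLOW_RULES:
        if (src, dst, proto, port) == (flow.src_zone, flow.dst_zone, flow.proto, flow.port) \
                and host in ("*", flow.src_host):
            return "allow"
    return "drop: no matching rule (default deny)"

# Constructed sample flows: a contractor laptop on the plant network trying to
# reach the controllers directly, alongside the permitted engineering workstation.
SAMPLE_FLOWS = [
    Flow("plant_network", "controls_network", "contractor-laptop", "tcp", 502),
    Flow("plant_network", "controls_network", "eng-ws-01", "tcp", 502),
    Flow("internet", "controls_network", "remote-host", "tcp", 502),
    Flow("data_centre", "internet", "hist-01", "tcp", 443),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src_host}: {f.src_zone} -> {f.dst_zone} {f.proto}/{f.port}: {evaluate(f)}")
```

The point of the adjacency check is that a host outside the plant can never address a controller directly, whatever rules exist; the allow list then narrows each boundary to named sources and services.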

Importantly, the IPS team performs a thorough assessment of the customer's requirements in each zone so that appropriate security measures can be applied. Furthermore, security should not be viewed as something that is installed once and then left alone; ongoing management is vital to ensure that the security measures remain effective and appropriate.

Local protection

Now owned by Phoenix Contact, Innominate Security Technologies specialises in embedded security devices for industrial applications, focusing on Industrial Ethernet security and secure remote maintenance for machines and equipment. Through its mGuard product line, supplemented by its Device Manager configuration management software utility, Innominate offers hardware firewall, VPN (virtual private network) and virus protection that is said to be easy to install and maintain.

Innominate's mGuard technology has been in use for secure communications in industrial applications since 2004. Winner of the 2008 Frost & Sullivan award as Global Leader in Industrial Ethernet Security, Innominate mGuard industrial RS (remote services) equipment has been used successfully by industrial customers around the world. Examples include manufacturers of machinery and equipment in the fields of pulp and paper, printing, glass, packaging, machine tools and lasers, as well as operators of production facilities in the manufacturing and process industries. Clients include Audi, BASF, BMW, Bosch, Daimler, Emhart Glass, Ferromatik Milacron, KBA, Trumpf, Voith, Volkswagen and W+D.

The mGuard concept is based on small, local hardware devices that control network traffic and provide for efficient networking and flexible routing for the integration of machinery and equipment into operators' networks. In addition, mGuard delivers economically scalable remote diagnostics and maintenance over the Internet and VPNs. One of the advantages of mGuard is that it is suitable for both new-build projects and for retrofitting to existing equipment. And because the mGuard can be configured with software - and configured or reconfigured remotely - there is no risk that the protection will be out of date by the time a machine with a long lead time has been assembled, tested and commissioned.

Innominate offers its mGuard technology in a number of formats, including the mGuard industrial RS firewall with VPN functionality (Fig. 2), the portable Innominate mGuard smart device, a low-profile PCI network card, the mGuard blade for mounting in 19-inch racks, and the mGuard delta four-port LAN switch. Innominate has also worked with Hirschmann Automation and Control to develop the Eagle mGuard that mounts on DIN rail and is equipped with a redundant power supply and two 10/100 Base-TX Ethernet ports, as well as a signalling switch (Fig. 3).

Once the mGuard units are installed and operating, the virus database on each one is updated fully automatically. Any other configuration changes can be managed centrally via the Ethernet network, or remotely via the Internet, which makes it very simple and cost-effective to manage the security across a single plant or multiple sites.

Modern IT and networking technologies certainly offer advantages to machine builders, system integrators and plant operators, but the associated risks are not always immediately apparent.

Cyber attacks tend to be something that organisations think only happen to other people, whereas the potential for damage is so great that the threat needs to be taken very seriously. There is no single approach that is right for every organisation; as we have seen above, there are various software and hardware products, as well as suppliers that offer services to ensure the optimum set of measures is implemented. Care must be taken with choosing which route to take, but remember also that cyber security requires continuous management after the initial implementation.