Control Systems and Cyber Security
26 December 2008
Control systems have seen a great deal of change in recent times, including increasing connectivity and the use of open standards and protocols from a previously proprietary and often isolated environment. Karl Williams, Principal Consultant Security for Invensys Process Systems (IPS), explains the issues that control system operators are facing.
Invensys Process Systems
The use of “off the shelf” technology, driven by requirements for additional applications, analysis and operational visibility and combined with connectivity to business and other networks, brings great benefits, such as interoperability and efficiency, but also creates an on-going challenge for security.
The security threats and vulnerabilities we see today are wide ranging, often complex, and not always well understood, particularly the impact, if any, they may have on an individual system, part of a system, or the production facility itself.
Threats come from a range of internal sources such as removable media, as well as from external sources such as connections with other devices and networks. Threats can change quickly as new vulnerabilities emerge, meaning that control systems may find their normal operation impacted simply because they share, either directly or indirectly, a technology or connection.
While this impact may not necessarily be immediately or directly disruptive to production, it may reduce efficiency, which in itself is undesirable, and without appropriate action it may ultimately impact safety and lead to loss of production.
A cross-discipline skill set is vital to meet the needs of the industrial control systems environment we see today, with its increasing use of IT and networking technologies. IPS has a dedicated team with specialist skills in security, control systems, IT and networking that works with clients and also internally within IPS to improve security in products.
The greatest threat today comes from doing nothing. By taking steps to assess, address and then understand and manage security by using effective solutions, the level of security risk can be reduced and safe and reliable production maintained.
THREAT AND VULNERABILITY
With such a wide diversity of control systems deployed, from the most up to date to those that were installed some time ago, there is a need for security. The risk faced by the newest systems can be quite different to that faced by older (legacy) systems. Regardless of a system's age, its security position needs to be understood and the most effective measures taken, while allowing critical functions to be performed when required.
Understanding the most likely threats is vital to developing an approach that provides the necessary protection. Recently there has been a great deal of discussion about threat and vulnerability, and much of this has centred on hacking. The available information does not indicate that hacking activity poses the greatest threat, at least not today.
A much more likely scenario is for a control system to be infected and impacted by some form of malicious code, be it a virus, worm or Trojan.
Security must be seen as a business enabler, providing measures that maintain system availability, and an effective vulnerability management process is a vital part of this. A newly discovered vulnerability needs to be assessed and a course of action determined based on likelihood and impact.
Today, countering the threat of malicious code should be a priority. This threat must be mitigated by using well proven defence in depth and by separation of critical production assets, but also with internal measures covering policy, procedure and enforcement, and ultimately by incident management and recovery based on a worst case scenario.
IPS has developed its security approach in line with industry best practice and its own specialist knowledge, based on the following principles:
• View security from both management and technical perspectives
• Ensure security is addressed from both an IT and Control System perspective
• Design and develop multiple layers of network, system and application security
• Ensure industry, regulatory and international standards are taken into account
• Prevention is critical in plant Control Systems, supported by detection
LAYERED SECURITY – DEFENCE IN DEPTH
IPS recommends a “defence in depth” approach to designing and implementing measures to mitigate security vulnerabilities and threats.
Each layer is evaluated for its criticality and corresponding risk, and appropriate security measures are applied. To proceed through each layer, a security threat must compromise each security measure, both management (policies and procedures) and technical; this approach creates a more resilient architecture.
This approach ensures that the most critical assets receive the greatest layers of protection. A threat is more likely to trigger a timely response using this approach. This defence in depth strategy, when successfully implemented and managed, minimises the likelihood of a threat being successful and can provide intrusion prevention. This approach is considered an effective and proactive security measure.
More secure products that include a host-based firewall, hardening of workstations, anti-virus and vulnerability management all contribute to lowering the risk of a security incident. While putting in place appropriate mitigation measures will improve security, the on-going management of security needs to take place for it to remain effective; security must not be fit and forget.
A security program should meet the individual requirements of each system and implementation, but in general the following should be considered:
• Security Assessment
• Security policies, procedures and enforcement
• Protection with appropriate technology
• Security training for knowledge transfer
• Security management
A security assessment is one of the first steps in developing an understanding of the security position. Analysing the current position, vulnerabilities and threats gives an understanding of the real risk, which sets the requirements for a security program.
Effective policy, procedures and enforcement are crucial for safe and reliable system operation.
The development of policy and supporting procedures should be user and facility specific and should therefore be developed in close co-operation with system stakeholders to ensure the result is workable and effective.
Management support at all levels in this area is vital to ensure success, while any corporate or business policy and procedure compliance requirements should be taken into consideration.
PROTECTION WITH TECHNOLOGY
Technology plays an important part in an overall security approach. Firewalls are just one example of a technology that provides part of a defence-in-depth design and when implemented and managed correctly can mitigate security vulnerabilities and threats, but security is more than just a firewall.
The design and implementation of an architecture using a DMZ provides more secure access and control, and including additional features such as anti-virus and deep packet inspection for intrusion detection or prevention gives further protection. The on-going management of firewalls and other devices should be carefully considered.
IPS currently provides its control system workstations pre-installed with anti-virus (AV) software. The effectiveness of AV must be maintained with regular updates; an out of date AV product gives no protection against new malicious code.
A suitable update mechanism should be in place for systems both with and without network connectivity; this will give protection against malicious code that may enter the system from a network connection or be brought into a system by removable media such as USB drives or CD.
TRAINING FOR KNOWLEDGE TRANSFER
Those who have access to a Control System, either directly or indirectly, frequently or just occasionally, require appropriate security training to ensure a low risk production environment.
This is an important element in ensuring that those who have any interaction with critical systems understand the impact that any of their actions may have.
Training is also needed to enable those involved with control systems to understand the policy, procedures, enforcement and the wider security picture. In addition, training may be required for the more technical aspects, including firewalls, Intrusion Detection/Prevention, AV updates and so on.
There are many activities that come under security management and the resources required for this need to be fully considered; it may mean a high level of commitment.
Like safety programs that are already in place, where safety is accepted as a way of life and is continuously being monitored, validated and understood, security and its management would benefit from a similar approach.
While there are some security elements that may be rarely updated once in place such as policy, there are other parts that will need more frequent or even continuous attention such as AV updates, firewall management, access control, vulnerability management, enforcement, and so on.
Each system will need to be assessed for its own needs based on its circumstances, but following a continuous life-cycle model of Assess, Design, Implement and Manage, with supporting elements in each phase, provides the flexibility needed for a low security risk environment.