Breaking down industrial security

08 October 2014

Mark Daniels and Richard Piggin discuss the issues surrounding cyber security for Industrial control systems and look at different approaches to ensure the best protection for critical business enablers.

The definition of industrial security is broad and implies more than just Industrial Control Systems (ICS), SCADA or process control.  It also covers organisational security as a whole, whereas operational technology (OT) security focuses specifically on the control systems.

Organisational security has traditionally been split between physical and information assurance, and the two are not necessarily linked. Those responsible often have quite different backgrounds and perspectives. The organisation’s cyber focus is usually on IT security, and that approach is not wholly compatible with control systems.  Engineers may well have undertaken IT security training, yet it is unlikely they have had specialist training in securing their own domain.

Organisations have sought to optimise processes and reduce cost by following the trend of converging control systems, or operational technology (OT), onto common IT technologies such as TCP/IP networking, commodity operating systems and wireless.  However, this opportunity also carries an increased security risk, as formerly isolated control and safety systems are opened to the enterprise for business users and are potentially exposed to the Internet.  

At first glance securing ICS might look like a similar process to securing enterprise systems, albeit with the ICS probably running older operating systems on its servers and workstations. Look more closely, however, and the complexity manifests itself. The equipment performs real-time control of a physical process through a multitude of controllers, sensors and actuators, none of which IT would recognise as ‘endpoints’ or ‘hosts’.  Because unplanned downtime of such a complex system has an immediate financial impact, engineers are reluctant to make changes. Control systems may run for 20 years or more, lifecycles well beyond IT refresh cycles. 

The stakeholders for an ICS are diverse and obtaining common understanding and agreement is not straightforward.  They include plant operators, system engineers (who maintain the control systems), corporate IT, ‘customers’ in the enterprise who use data from the ICS and, of course, management.  In addition, there are stakeholders outside the enterprise itself, such as control systems vendors, system integrators, government (including regulators) and consumers.

It can be difficult to build a business case for ICS security.  Businesses can calculate the cost of lost production, and even short interruptions will often have a business impact far larger than the security budget required to avoid the loss.  However, the probability of such events is difficult to calculate in the absence of reliable data.  ICS security incidents are often not reported, publicly released figures are likely to be an undercount, and there is little compelling evidence in the public domain. 

Realising that cyber security events are almost inevitable, an organisation should increase systems resilience to adverse events, whether cyber or otherwise and reduce their potential business impact.  Appropriate planning and incident response will minimise disruption and facilitate a rapid return to business as usual.

For specific technical guidance on ICS and SCADA security in the UK, organisations are directed to the Centre for the Protection of National Infrastructure (CPNI) series of Good Practice Guides.  These provide a high-level approach to securing control systems, using the best of industry practices, which have been shown to be effective through research and evaluation.  It is recommended to use these in conjunction with the new IEC 62443 series of standards for industrial cyber security as appropriate.

The foundation of the CPNI good practice is three guiding principles:
1. Protect, detect and respond – It is important to be able to detect possible attacks and respond in an appropriate manner, in order to minimise the impacts.
2. Defence in depth – No single security measure itself is totally secure, as vulnerabilities and weaknesses could be identified at any point in time.  In order to reduce these risks, implementing multiple protection measures in series avoids single points of failure.
3. Technical, procedural and managerial protection measures – Technology is insufficient on its own to provide robust protection.  Appropriate procedural measures and managerial controls, such as change control, monitoring, review and compliance, enhance protection.

The CPNI Process Control security framework recognises that, although systems or some of their components are based upon common IT technologies, operational environments differ from corporate IT. When securing ICS specifically, there are five key security considerations, each with potential recommendations:

1. Remote access – It is often a requirement for an employee, or a third party, to access the control system or a particular machine from a network outside the production zone to assist with troubleshooting and maintenance. A good solution is to establish a secure zone that encapsulates every part of the system that needs to be connected to the outside world. 
Within that secure zone, operating system hardening, antivirus and firewalls should all be deployed. The solution can be enhanced by adding software security services that authenticate and control access to the configuration tools used across the remote connection. Risk can be further reduced by placing the remote access gateways within an industrial de-militarised zone (iDMZ), so that remote sessions terminate there rather than on the control network itself.

2. Unauthorised access – Controlling who has access to automation products, networks and control system equipment, dashboards and reports is critical in maintaining a secure enterprise.

A good solution is to establish rigorous policies and procedures to limit access to computers and other devices. This is best done by using passwords and by restricting physical access where possible. The solution can be further improved through the use of automation software that includes authentication capability and, ideally, integrates with Microsoft Active Directory, allowing access control to be deployed systematically across multiple functions.

3. Intellectual property (IP) protection – The proliferation of the Internet of Things and the thirst for harnessing big data have made IP theft easier to accomplish and harder to trace. For example, as a machine builder you might find a competitor starting to make machines similar to yours, or customers starting to make suspicious warranty claims. These are potential indicators that you have suffered IP theft. So, how do you protect yourself?
At the automation level, a good solution is to use a control system that can track changes to code and log activity: who did what, and when?
In addition, look for the ability to block access to specific code blocks and for source protection within the controller, preventing third parties from accessing the code that contains key intellectual property. 

4. Outside hacker – An outside attacker may be able to replace the firmware running in a controller with an unauthorised version, taking the machine down and out of production. 
A good way to minimise this risk is to use managed switches to segment the architecture with Virtual Local Area Networks (VLANs). A VLAN on its own only separates broadcast domains, so this approach should be improved by deploying Access Control Lists at the zone boundaries to block traffic that has no business crossing them. It can be strengthened further by implementing an iDMZ to limit direct exposure to ‘untrusted’ networks.
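The remote access and segmentation advice above (sections 1 and 4) amounts to a zone-and-conduit policy: traffic may only cross a zone boundary through an explicitly permitted conduit, and engineering access to controllers comes only from a gateway in the iDMZ. The following is an added example, not code from the article, Atkins or Rockwell Automation, that models such a policy and shows the difference between a flat network and the segmented design. The zone names, subnets, host addresses and port numbers (EtherNet/IP tcp/44818, Modbus tcp/502, RDP tcp/3389, SQL tcp/1433) are assumptions chosen for illustration, and the ACL rendering uses IOS-style syntax as an example of what the managed switch would enforce.

```python
"""Zone-and-conduit model of an industrial DMZ (iDMZ).

Added example; not code from the original article, Atkins or Rockwell
Automation. Zone names, subnets, hosts and ports are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption: one subnet (in practice one VLAN) per zone.
ZONES = {
    "enterprise": ip_network("10.1.0.0/16"),
    "idmz": ip_network("10.2.0.0/24"),
    "control": ip_network("192.168.10.0/24"),
}
JUMP_HOST = "10.2.0.10"         # remote-access gateway living in the iDMZ
HISTORIAN_MIRROR = "10.2.0.20"  # replicated historian that enterprise reads


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    src_host: Optional[str] = None  # None = any host in src_zone
    dst_host: Optional[str] = None  # None = any host in dst_zone


# Default deny: anything not listed here is dropped at the zone boundary.
CONDUITS = [
    Conduit("enterprise", "idmz", "tcp", 3389, dst_host=JUMP_HOST),
    Conduit("enterprise", "idmz", "tcp", 1433, dst_host=HISTORIAN_MIRROR),
    Conduit("idmz", "control", "tcp", 44818, src_host=JUMP_HOST),
    Conduit("idmz", "control", "tcp", 502, src_host=JUMP_HOST),
    Conduit("control", "idmz", "tcp", 1433, dst_host=HISTORIAN_MIRROR),
]


def zone_of(addr: str) -> str:
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "untrusted"  # everything else, including the Internet


def evaluate(flow: Flow, segmented: bool = True) -> tuple[bool, str]:
    """Decide a flow. segmented=False models the flat network that exists
    before VLANs, ACLs and an iDMZ are introduced: every zone reaches every other."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if sz == dz:
        return True, f"intra-zone {sz}"
    if not segmented:
        return True, "flat network: no zone boundary enforced"
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.proto, c.dport) != (sz, dz, flow.proto, flow.dport):
            continue
        if c.src_host not in (None, flow.src) or c.dst_host not in (None, flow.dst):
            continue
        return True, f"conduit {sz}->{dz} {c.proto}/{c.dport}"
    return False, f"default deny: no conduit {sz}->{dz} for {flow.proto}/{flow.dport}"


def _wild(net) -> str:
    # IOS ACLs take network + wildcard (inverted) mask
    return f"{net.network_address} {net.hostmask}"


def control_zone_acl(name: str = "CONTROL-IN") -> list[str]:
    """Render the conduits into the control zone as IOS-style extended ACL
    lines (illustrative syntax; adapt to the switch actually in use)."""
    lines = [f"ip access-list extended {name}"]
    for c in CONDUITS:
        if c.dst_zone != "control":
            continue
        src = f"host {c.src_host}" if c.src_host else _wild(ZONES[c.src_zone])
        dst = f"host {c.dst_host}" if c.dst_host else _wild(ZONES["control"])
        lines.append(f" permit {c.proto} {src} {dst} eq {c.dport}")
    lines.append(" deny ip any any log")  # log what the boundary drops: detect, not just protect
    return lines


if __name__ == "__main__":
    samples = [
        Flow("10.1.5.23", "192.168.10.40", 44818),  # enterprise PC straight to a PLC
        Flow("10.1.5.23", JUMP_HOST, 3389),         # enterprise PC to the jump host
        Flow(JUMP_HOST, "192.168.10.40", 44818),    # jump host to the PLC
        Flow("10.2.0.55", "192.168.10.40", 44818),  # some other iDMZ host to the PLC
        Flow("203.0.113.9", JUMP_HOST, 3389),       # Internet host to the jump host
    ]
    for f in samples:
        flat, _ = evaluate(f, segmented=False)
        seg, why = evaluate(f)
        print(f"{f.src:>13} -> {f.dst:<15} {f.proto}/{f.dport:<5} flat={flat!s:5} idmz={seg!s:5} {why}")
    print("\n".join(control_zone_acl()))
```

Running it shows the point of the iDMZ: the enterprise workstation reaches the PLC directly on the flat network but is denied once zones are enforced, and only the jump host, on the two controller protocols, is allowed into the control zone. The trailing `deny ... log` line is what gives the protect, detect and respond principle its detection: dropped boundary traffic is the first sign of someone probing for a path to the controllers.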

5. Unauthorised changes – A systems integrator visits a plant. The engineer plans to add new code to a specific part of line 6 but unintentionally connects to the wrong system and causes unexpected downtime. Nobody knows what happened, and the control system gets the blame.
To prevent this kind of occurrence, adopt the approach outlined above for the outside hacker. In addition, look for control systems that incorporate security services. The key capabilities are enforcing an authentication process when connecting to a controller, and tracking code changes made in the controller so that an incorrect modification can be identified and removed quickly and effectively.
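The change tracking asked for in sections 3 and 5 only pays off if someone reconciles the controller's audit trail against change control. The following is an added example, not code from the article, Atkins or Rockwell Automation, of that reconciliation. It assumes the controller or its engineering software records each download with the user, time, target controller and a hash of the downloaded program (an assumed log format), and that change control holds a list of approved work (who, which controller, which time window). The log lines, ticket, user names, controller names and hashes are all constructed for the example. The check flags any change without a matching approval, which includes the line 6 engineer who connected to the wrong controller, and names the last approved program to restore.

```python
"""Reconcile controller change audit records against change-control approvals.

Added example; not code from the original article, Atkins or Rockwell
Automation. Log format, names, ticket and hashes are constructed.
"""
from datetime import datetime
from typing import NamedTuple, Optional

# Constructed audit log (assumed format: ISO timestamp then key=value pairs).
SAMPLE_LOG = """\
2014-09-30T08:55:02Z user=jsmith controller=LINE6-PLC1 action=LOGIN
2014-09-30T09:02:11Z user=jsmith controller=LINE6-PLC1 action=DOWNLOAD hash=a1b2c3d4
2014-09-30T09:15:40Z user=jsmith controller=LINE4-PLC2 action=DOWNLOAD hash=a1b2c3d4
2014-09-30T13:47:05Z user=jsmith controller=LINE6-PLC1 action=ONLINE_EDIT hash=c0ffee12
2014-10-01T02:13:59Z user=admin controller=LINE6-PLC1 action=FIRMWARE_UPDATE hash=deadbe3f
"""

CHANGE_ACTIONS = {"DOWNLOAD", "ONLINE_EDIT", "FIRMWARE_UPDATE"}


class Event(NamedTuple):
    ts: datetime
    user: str
    controller: str
    action: str
    hash: str


class Approval(NamedTuple):
    ticket: str
    user: str
    controller: str
    start: datetime
    end: datetime


class Finding(NamedTuple):
    event: Event
    reason: str
    restore_hash: Optional[str]  # last approved program for that controller


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed change-control record: one ticket, for line 6 only, morning window.
APPROVALS = [
    Approval("CR-118", "jsmith", "LINE6-PLC1",
             ts("2014-09-30T08:00:00Z"), ts("2014-09-30T12:00:00Z")),
]
# Last known-good program hash per controller before the day started.
BASELINE = {"LINE6-PLC1": "0a0b0c0d", "LINE4-PLC2": "7f3a9c10"}


def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        events.append(Event(ts(stamp), f["user"], f["controller"], f["action"], f.get("hash", "-")))
    return events


def approval_for(ev: Event, approvals: list[Approval]) -> Optional[Approval]:
    for a in approvals:
        if a.user == ev.user and a.controller == ev.controller and a.start <= ev.ts <= a.end:
            return a
    return None


def explain(ev: Event, approvals: list[Approval]) -> str:
    """Say why no approval matched, distinguishing the wrong-target case."""
    same_target = [a for a in approvals if a.user == ev.user and a.controller == ev.controller]
    if same_target:
        return "outside approved window (" + ", ".join(a.ticket for a in same_target) + ")"
    in_window = [a for a in approvals if a.user == ev.user and a.start <= ev.ts <= a.end]
    if in_window:
        a = in_window[0]
        return f"wrong target: {a.ticket} approves {a.controller}, not {ev.controller}"
    return "no approval on record"


def audit(events, approvals, baseline) -> tuple[list[Finding], dict]:
    """Walk changes in time order. Approved changes advance the known-good
    hash; unapproved ones are reported with the hash to roll back to."""
    expected = dict(baseline)
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action not in CHANGE_ACTIONS:
            continue
        if approval_for(ev, approvals):
            expected[ev.controller] = ev.hash
            continue
        findings.append(Finding(ev, explain(ev, approvals), expected.get(ev.controller)))
    return findings, expected


if __name__ == "__main__":
    found, known_good = audit(parse_log(SAMPLE_LOG), APPROVALS, BASELINE)
    for f in found:
        e = f.event
        print(f"{e.ts:%Y-%m-%d %H:%M} {e.user:<7} {e.controller:<11} {e.action:<15} "
              f"{f.reason}; restore {f.restore_hash}")
    print("expected programs:", known_good)
```

The ordering matters: the 09:02 download to LINE6-PLC1 is approved and becomes the new known-good program, so when the same engineer's unapproved 13:47 online edit is flagged the recommended rollback is that approved program, not the stale morning baseline. The 09:15 download to LINE4-PLC2 is reported as a wrong target because the engineer did hold an approval in that window, just for a different controller. The overnight firmware update by an account with no approval at all is the outside hacker case from section 4 seen through the same log.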

Research undertaken by Atkins demonstrated that, even where the scope was ICS alone, remediation cut across the organisation and extended to third parties. A holistic methodology will provide a better understanding of overall organisational security risk by applying converged governance and risk management across all business assets and operations. A managed, holistic security programme will enable organisations to identify gaps in security and:
• Understand where gaps exist between security ‘layers’;
• Bridge the gap between the ‘hard’ side of security (technical/physical) and the  ‘soft’(information/policy/processes/people);
• Identify where security measures are being duplicated and are therefore wasteful;
• Ensure investment is in proportion to risk levels;
• Make security a strategic differentiator rather than a tax on the business;
• Target resources where they deliver maximum benefit for the organisation;
• Plan for incident response, business continuity and disaster recovery: when should such plans be invoked, who has which responsibilities, and who makes the decision?  These plans need to be kept up to date and exercised.

Combined with appropriate expertise, this approach will ensure better protection for critical business enablers.  
In collaboration with Rockwell Automation, Atkins has developed an ICS demonstrator to illustrate some of the issues involved in protecting control systems as used in three types of infrastructure - rail, power and water.

About the authors:
Mark Daniels is field business leader architecture & software for Rockwell Automation UK and Ireland. 
Richard Piggin is a security sector manager for engineering consultant, Atkins.

A definition of Industrial security… 
The portion of internal security which refers to the protection of industrial installations, resources, utilities, materials, and classified information essential to protection from loss or damage. (McGraw-Hill Dictionary of Scientific & Technical Terms, 6E, Copyright © 2003 by The McGraw-Hill Companies, Inc.)

A definition of Operational Technology Security…
Gartner defines OT in industrial areas as ‘hardware and software that detects or causes a change, through the direct monitoring and/or control of physical devices, processes and events.’
