HACKERS see control systems, with their lack of firewalls and other defences, as relatively soft targets. Utilities across the world are hit by an estimated 100 to 500 hacker attacks and malicious worms every year at each plant, disrupting the ability of companies to control critical manufacturing plants, with potentially devastating consequences.
The number of attacks will accelerate sharply as more manufacturers link their plant control systems to the corporate network, the Internet or wireless networks.
An Australian hacker was sentenced to two years imprisonment in 2001 after his attack on sewage control computers at a Brisbane council led to the release of one million litres of raw sewage into the grounds of the Hyatt Regency Resort.
The former employee, who worked for the company that installed the computers, launched the attack in revenge after being turned down for a job at the council. He used a laptop, a two-way radio and hacking programs to break into the sewage control computers and reprogram the pumps. In addition to this attack where he was finally caught, he was also found guilty of 46 other counts of computer hacking.
THE process computer in a US nuclear power station was put out of action by an infection of the SQL Slammer worm in 2002.
The worm infected the Davis-Besse nuclear power plant, overloading the site network, and preventing the computers in the plant from communicating with each other. The attack disrupted the plant’s safety parameter display systems, which were unavailable for nearly five hours, and the process computer, which was unusable for more than six hours.
An investigation revealed that the worm entered through a network link that managed to bypass the firewall. Engineering staff were unaware of the existence of a security patch that could have prevented the incident.
The main concern lies in the fact that more and more manufacturers are replacing specialist control systems with networked, online (often Windows, Linux or Unix based) devices. Control devices, which can be accessed online over the Internet, through wireless links, internal communication networks or dedicated telephone lines, leave plants much more vulnerable to electronic attack.
Manufacturers and control systems suppliers have not been as quick to develop technologies such as firewalls, anti-virus systems and intrusion detection systems as other parts of the IT industry, because until now the risks for control systems have been less clear.
IT and process control networks
BUSINESSES operating in the process manufacturing, energy and utility markets typically utilise two types of computer networks - a network that supports enterprise information systems functions and a network that controls operations in real time. This second type of network is referred to as a technical information system (or real-time control system) and is used by SCADA, DCS or MES applications.
In the past, these two networks were isolated from each other and used different equipment, operating systems and communication protocols.
While this is still true to some extent, the control network has adopted IT technologies because of the cost advantages. Also, companies have realised that valuable information is contained in their SCADA, DCS or MES systems and so have integrated the two networks to make the detailed operational data accessible throughout the corporation.
So, if IT is responsible for computer security and control systems are interconnected with enterprise systems, utilising much the same technology, should not IT determine what security equipment is installed on the control system too? Unfortunately, the answer is not obvious.
Operations staff and plant engineers also have an interest in the security of control networks. They are responsible for the reliability, availability, safety and integrity of the manufacturing process. Their facilities are the ones producing products and earning revenues, so their concerns, priorities and knowledge must also be considered when determining security options.
The focus for IT in planning security can be summarised as CIA - standing for Confidentiality, Integrity and Availability. For enterprise systems the priorities are:
Confidentiality: information on the server must be protected from loss or disclosure at all times.
Integrity: maintenance of accuracy and validity of the company’s information assets.
Availability: an outage of a web server, email server of desktop PC can be tolerated for short periods of time. Some applications are routinely taken out of service in off-peak hours for maintenance or back-up purposes.
For real-time systems the priorities, however, are reversed:
Availability: the process being controlled is often continuous in nature and may be unstable if not supervised. It may involve potentially dangerous high current or high pressure conditions. Batch processes can run for many days and are often extremely valuable. The top priority for the control system is therefore availability.
Integrity: most information in a control system is gathered automatically from sensors and is transitory in nature. Data will be replaced by another measurement on the next scan. The key requirement is to ensure its accuracy and validity as it travels from the sensor to the control computer and back out to an actuator. In SCADA systems, this may include transmission over slow speed serial links.
Confidentiality: in general, information in a control system is not considered proprietary. There are exceptions, such as a recipe for a patented process or defence related industries such as aerospace or marine.
The biggest difference between enterprise systems and control systems is that control systems are directly connected to process equipment. A security breach can have severe consequences including loss of revenue, environmental damage, blackouts and threats to human safety. For this reason, it is imperative that operations staff and IT security experts coordinate with each other to protect the control network. Both groups need to communicate and make an effort to understand both the similarities and differences between their two worlds.
The IT view
IT security staff get involved with control system security either because they are consulted by operations or because they learn that a plant is planning to install a control system security product. In either case, the first reaction is to look at the problem as an extension of the enterprise security problem.
Due to the scale and complexity of the many networks they manage, IT departments select a few vendors, qualify their products and then apply them as corporate standards. They do not have the time or resources to consider unique circumstances.
IT tends to look at control computers as yet another computer and is often surprised when investigating further. Treating the two types of systems as equivalent can lead to unexpected and perhaps even catastrophic results. For example, initiating a port scan on a control network can have the same impact as a denial-of-service (DOS) attack.
Installing the latest patch to fix a security hole may cause the control application to fail and force a line to shut down. Applying a patch may also force a password timeout, and policies may prevent the control system from properly responding to signals from its control device.
Once control systems are tested and commissioned, there is a high level of reluctance amongst engineers to change anything in the configuration in case it causes the system to malfunction. Control software that operates continuously in a real-time environment places more stress on the operating system and requires more extensive testing then other types of software.
As a result, control system vendors may not support every release of the operating system.
Out of fear for damages to production of goods, vendors have also been reluctant to allow customers to apply patches to control systems without accreditation testing. In other words, suppliers do not support patching and anti-virus systems.
In this kind of environment, even simple IT expectations such as having all computers updated with the latest patches within a few days of a vulnerability being discovered are difficult or impossible to comply with.
Anti-virus scanning is another example. Running Anti-virus software slows down a computer. If the impact causes interference with control system functionality or slows down display call up times on HMI stations, it will not be tolerated.
The next surprise for IT is that there are various strange devices hooked to the control network. Whether they are PLCs, RTUs or distributed controllers - they are not the type of equipment typically found on the enterprise network. They may run unusual operating systems, utilise unique communication protocols, have limited computing resources and perhaps have unknown vulnerabilities.
The newer devices all use TCP/IP communication stacks and often support telnet, FTP, login shells and web servers. Passwords, where used, are often set to factory defaults.
It is at this point that IT people begin to wonder how they can secure this type of environment and whether they should isolate it from the enterprise network.
The control view
FROM an operations perspective, security is a subset of the larger problem of maintaining the availability and integrity of the control system - in simple terms, keeping the network equipment, control computers and control software operating at peak efficiency.
Operations have limited staff and budget to meet this goal. While security is an increasingly important issue, the solution needs to fit into the broader context of maintaining the availability and reliability of the control system.
Adding Intrusion Detection Software (IDS) to the control network, for example, is becoming an accepted part of a defence in-depth strategy. But IDS sensors that produce an excess of incident logs will swamp operations technical staff.
If the data from the control network is sent to IT or a managed service provider, they will not have the understanding about the real-time network in order to know how to respond. They have neither the skills nor the authority to intervene on the control network. All they can do is refer the incident back to operations.
Fortunately, control networks tend to be smaller and more stable than enterprise networks. A control system intrusion sensor can be configured to detect the known, good traffic and signal an alarm on anything else.
Enterprise level intrusion sensors operate in a larger and more dynamic environment, making their policy rules more complex to administer. On the control network, it is possible to baseline normal network traffic and generate alerts only when anomalies occur. The operations technical staff can then deal with them.
Since mission-critical control systems are directly connected to process equipment, they need to be protected from internal as well as external threats. Knowledgeable insiders have been responsible for the majority of reported cyber-incidents impacting control systems. But as the control and enterprise networks are becoming interconnected, even unintentional or accidental acts can threaten operations.
Ideally, operations would like to instrument the control network, its computers and the control applications software with a variety of metrics. Tracking performance of computers, monitoring critical files, checking DCS or SCADA log files and detecting host intrusion attempts are all indicators of the overall health and security of the control system. Monitoring this information 24/7, consolidating it with network intrusion incident alarms and alerting operations technical staff only when significant events occur is the best way to deal with the evolving cyber security threat.
Adding these sensors, especially in legacy control systems, requires careful design so that they consume minimal CPU and network bandwidth to avoid disrupting time-critical operations. Yet they are essential to monitoring and detecting the state of the network - otherwise, how do you know if you are being attacked?
Security solutions designed for the enterprise have no knowledge of the control systems or the protocols they use. They can be applied down to the level of network equipment, like switches or routers, but are blind to the rest of the control systems.
So, when IT implements a standard security approach - say a firewall or corporate IDS sensor - operations are often unhappy with the result. Typically, operations are not given administrative access to the security equipment, so they cannot control its response to threat conditions.
Yet they are accountable for the reliability, availability, safety and integrity of the plant.
Many organisations have not made a conscious decision about who owns security of operational systems. Either no one wants the responsibility, or both operations and IT claim ownership of it.
Neither approach is efficient or effective. Given the specialised nature and potentially severe consequences of a breach, ultimate responsibility for security of operational systems must reside at a senior level in the company.
IT and operations need to jointly define a demarcation boundary between the enterprise network and the mission-critical control network. This will protect the enterprise network from vulnerabilities in the control devises without requiring the imposition of strict IT security policies that are inappropriate for control networks.
On the control network side of the boundary, operations should be given the freedom and budget to select the security products most appropriate to their needs.
The Instrumentation, Systems and Automation Society (ISA) is drafting a security standard specifically for manufacturing and control systems that take a holistic approach to health, integrity and security at the control network, control computer and control applications levels.
Different vendors are rapidly developing software that is designed to protect a control network. One technology being used is Host Intrusion and Prevention Software (HIPS), which restrict an application from performing unfamiliar tasks.
Software is installed which guards the application according to fixed rules and policies. If the system is about to execute an unfamiliar task, the software will notify the operator / administrator through an administrator’s access point (called a console) with a message, which can then be acknowledged, approved or terminated by an authorised person.
Ideally, the interface between the enterprise security zone and control system security zone should be a gateway device that under normal conditions allows real-time information to be exchanged to meet business needs. But when the threat level increases, operations need to have a simple method of restricting traffic or completely locking down the control system.
This needs to be pre-planned and defined by operations to ensure the availability of the control system under various threat conditions. Thus, operations require administrative control over the gateway device.
Finally, it is important that IT and control system engineers establish a dialogue about security issues. Security is an on-going process because threats and vulnerabilities are constantly evolving.
* Commentary by Hans Damman, director, ATS International BV