Implementing security for industrial automation and control systems requires the identification of areas that have to be protected and the threats to which they might be exposed. The areas that require protection can be viewed from both the macro and micro level. For example, at the macro level, entities such as power plants, pipelines, refineries, communication networks, water treatment plants and transportation systems can be considered targets. At the micro level, subsystems, such as controllers, networks, databases, human-machine interfaces, transducers, smart meters and programmable logic controllers (PLCs) are potentially vulnerable to various types of threats.
Threats to both the macro and micro components include such sources as social engineering, malicious code, equipment failure, user errors, system intrusion, blackmail, sabotage, hacking, system bugs, unauthorized access, and other exploitations of vulnerabilities.
A good example of one type of threat realized is Stuxnet. Stuxnet is a worm that was designed to change control outputs on specific PLCs and conceal its existence from control room observers. It is of such complexity that it is probably the product of a team of programmers working for many months to develop, debug, and test it. The sophistication of Stuxnet leads many to believe it is the product of one or more nations working together. Specifically, Stuxnet infects Windows PCs and modifies WinCC databases, which provide process visualization HMI functions. Stuxnet was introduced into computer systems through flash drives and was designed to manipulate output bits on Siemens SIMATIC STEP 7 PLCs in order to disrupt the operation of centrifuges at the Iranian Natanz uranium enrichment facility.
From the information known about Stuxnet, it is not a great leap to imagine it being targeted at elements of a nation’s critical infrastructure, particularly the Smart Grid, in addition to refineries, chemical plants and pipelines. There are a number of guidelines aimed at mitigating the effects of various threats against industrial control systems. One such document is NIST Special Publication 800-82, Guide to Industrial Control Systems Security. Topics in this publication include:
- Maintaining functionality during adverse conditions. This involves designing the industrial control system (ICS) so that each critical component has a redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS or other networks, or does not cause another problem elsewhere, such as a cascading event.
- Protecting individual ICS components from exploitation. This includes deploying security patches in as expeditious a manner as possible, after testing them under field conditions; disabling all unused ports and services; restricting ICS user privileges to only those that are required for each person’s role; tracking and monitoring audit trails; and using security controls such as antivirus software and file integrity checking software where technically feasible to prevent, deter, detect and mitigate malware.
- Restoring the system after an incident. Incidents are inevitable, and an incident response plan is essential. A major characteristic of a good security program is how quickly a system can be recovered after an incident has occurred.
- Restricting logical access to the ICS network and network activity. This includes using a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, and having separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
- Restricting physical access to the ICS network and devices. Unauthorized physical access to components could cause serious disruption of industrial control system functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards.
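The file integrity checking recommended for protecting individual ICS components comes down to a baseline of cryptographic hashes that is re-checked periodically. The following Python script is an added example, not code from the post or from NIST SP 800-82; it baselines a constructed, hypothetical HMI project folder, simulates three kinds of change (an edited configuration file, a deleted database, an unexpected new binary) and reports each one:

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_with_baseline(root, baseline):
    """Re-hash the tree and report what changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Constructed scenario: baseline a hypothetical HMI project folder, then alter it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hmi").mkdir()
        (root / "hmi" / "project.cfg").write_text("tags=100\n")
        (root / "hmi" / "alarms.db").write_bytes(b"\x00" * 64)
        baseline = build_baseline(root)

        # Simulated changes an operator would want flagged: a config edit,
        # a deleted database and a binary that was never part of the project.
        (root / "hmi" / "project.cfg").write_text("tags=100\noverride=1\n")
        (root / "hmi" / "alarms.db").unlink()
        (root / "hmi" / "unexpected.dll").write_bytes(b"MZ")
        return compare_with_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline must be stored somewhere the monitored host cannot rewrite (a read-only share or a signed file on a separate management station), otherwise anything that can alter the monitored files can also alter the baseline to match.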
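The DMZ architecture described under restricting logical access is easiest to reason about as a default-deny policy between named zones, with the invariant that no rule ever joins the corporate and control zones directly. The Python below is an added example, not code from the post or from NIST SP 800-82; the zone address ranges, the rules and the flow records are all constructed for illustration. It evaluates individual flows against the policy, audits a small set of constructed flow records, and checks a rule set for any rule that would bypass the DMZ:

```python
import ipaddress

# Constructed zone addressing for illustration only.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("10.30.0.0/24"),
}

# Explicit allow-list of inter-zone flows: (source zone, destination zone, TCP port).
# Anything not listed is denied, so corporate hosts can reach the DMZ historian
# but never a controller directly.
RULES = frozenset({
    ("corporate", "dmz", 443),   # corporate users browse the historian's web front end
    ("dmz", "control", 4840),    # DMZ collector reads process data from the control zone
})


def zone_of(address):
    """Return the zone name an address belongs to, or None if it is in no known zone."""
    ip = ipaddress.ip_address(address)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def is_allowed(src, dst, port, rules=RULES):
    """Default-deny boundary policy: only listed inter-zone flows pass."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False           # unknown address space is never trusted
    if src_zone == dst_zone:
        return True            # intra-zone traffic is outside this boundary policy
    return (src_zone, dst_zone, port) in rules


def find_direct_paths(rules):
    """Return rules that would let corporate and control talk without passing the DMZ."""
    return sorted(r for r in rules if {r[0], r[1]} == {"corporate", "control"})


def audit(flow_lines, rules=RULES):
    """Evaluate constructed 'src dst port' records; return those the policy would deny."""
    denied = []
    for line in flow_lines:
        src, dst, port = line.split()
        if not is_allowed(src, dst, int(port), rules):
            denied.append(line)
    return denied


# Constructed flow records, one per line, in the form "src dst port".
SAMPLE_FLOWS = [
    "10.10.5.5 10.20.0.10 443",    # corporate workstation -> DMZ historian: allowed
    "10.20.0.10 10.30.0.7 4840",   # DMZ collector -> controller: allowed
    "10.10.5.5 10.30.0.7 502",     # corporate workstation -> controller: denied
    "192.168.1.1 10.30.0.7 4840",  # unknown address -> controller: denied
]

if __name__ == "__main__":
    print("denied flows:", audit(SAMPLE_FLOWS))
    print("DMZ bypass rules:", find_direct_paths(RULES))
```

`find_direct_paths` is the check worth running every time the rule set changes: a single "temporary" corporate-to-control rule is enough to turn the DMZ into decoration, and it is far cheaper to catch in a rule review than in a firewall log after the fact.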
The formal security controls used to protect an ICS can be categorized in three areas: management, operational and technical controls. Below is a list of controls. Can you match the category for each control? The answers will be reviewed and discussed in Part 2 of this blog post on implementing security for industrial automation systems.
- Access control
- Audit and accountability
- Awareness and training
- Identification and authentication
- Personnel security
- Physical and environmental protection
- Risk assessment
- Security assessments
Ronald L. Krutz has more than 30 years of experience in industrial automation and control systems, distributed computing systems, computer architectures, information assurance methodologies and information security training. Dr. Krutz has co-authored 15 books in the area of cybersecurity, authored the book, Securing SCADA Systems, and three textbooks on microcomputer system design, computer interfacing and computer architecture. He holds seven patents in the area of digital systems, and has published more than 30 technical papers.