The volumes of information written about cybersecurity can be mind-boggling. The subject has important implications for everyone, especially for those of us involved with industrial control systems and software-based automation of water, sewer and electric systems.
Legacy control systems have always been vulnerable because they weren’t designed with cyber attacks in mind. They were designed to perform specific, automated functions, such as regulating valve operations, and nothing else. But that was well before the onslaught of malware – that malicious software code intended to harm controllers or otherwise penetrate the automation infrastructure. The world has changed around us though and now municipal plant managers must respond — or must they?
Many of the municipal automation system managers we talk with are hoping that they don’t have to respond or that they have already responded adequately. Here, however, are some of the more common assumptions that may put them and their communities at risk.
We have the situation under control
Ask your IT managers or third-party computer service provider about Internet security and chances are good that they will tell you they have the situation under control. They are confident that their network is secure, that they are conforming to good cybersecurity practices like not leaving ports open that their firewall is strong and their VPN is secure. And they may be right, but because most of their computers connect also to the Internet, they would also agree that they can never know for sure that a virus wouldn’t slip through and cause damage, downtime or steal valuable information.
Likewise with your control systems, which are even more vulnerable because they haven’t had the benefit of protection technology focused directly on process controllers themselves. With all due respect to the hardworking IT folks who are doing all they can with what they have, though, if protection extended deeper into the control system electronics, their jobs would be much easier.
Our antivirus software is up to date. Why do I need anything more?
While anti-virus software and firewalls are all certainly valuable, the process controllers tucked into plant control panels or sitting at remote pump stations or tanks were designed at time when cyber security was not an issue. Those controllers typically have Ethernet or other communications ports, which must remain open to allow an HMI (human machine interface) to show the operating status of the equipment under control. New communication protocols allow for security encryption that protects a controller even while it is on an Ethernet network do complement virus protection software, but even there, the persistent hacker might find vulnerability.
We are too small to be a target
Plant managers in smaller cities usually react to the thought of adding or upgrading to more cyber secure controllers saying something like “Yeah I’m sure the cyber secure controllers would be nice, but is a small town like mine really vulnerable? I mean, nobody cares about Smallville, USA do they?”
If these folks looked at the number of malicious login attempts on the log files of their firewalls and servers, they might think differently. Foreign nationals and local hackers are hammering on networks of all sizes. They use port scanning equipment to find open ports and do damage or steal information wherever they can. It’s just a game to many of them but increasing connectivity between control networks and business systems is making everyone into sitting ducks. It’s not just New York and Los Angeles that are vulnerable; it is anyone interconnected by IP addresses.
The need for embedded control system cyber security
I believe that no matter whether you are a small town or a large metropolis, cybersecurity is something you should be taking seriously. Firewalls, cyber protection software, implementing good practices, keeping anti-virus software up to date and data encryption strategies are all necessary in today’s threat landscape, but they may not be sufficient to provide full protection to critical plant control systems.
Maximum cybersecurity protection is possible only when cybersecurity protection is embedded deeply into the control system electronics from birth. At least one new company in the automation industry has responded and is now offering such a system and I am sure more will soon follow. Any municipality considering adding new control technology would be wise to consider such an option.