I have said it before and I will say it again. There are simple steps that must be taken now to make your automation systems more resilient to the inevitable cyberattack.
Attackers have now breached the next bastion of the safety envelope of a plant environment and influenced the operation of a safety system. It is important to state upfront that in this case the system detected the fault and went to a failsafe state just as it is supposed to do. But it will not be very long until attackers successfully modify the logic in these systems to accomplish their nefarious objectives. When it comes to safety instrumented systems (SIS), the most important part of the cybersecurity puzzle is understanding and securing access to the system, both from a physical and a cyber perspective.
Ask yourself: who could potentially gain access to the system, for good or for evil?
The recent attack was intended to manipulate the safety system of an unidentified plant, and the attackers leveraged two significant access control weaknesses in the system. These are implementation or design weaknesses, not vulnerabilities in hardware or software components – so don’t expect the vendor to fix these; that is your job and your job alone!
- The physical key-switch on the SIS controller was left in the PROGRAM mode. I can’t say much more: if you leave the keys in the car, someone will steal it. Return controllers to RUN mode as soon as the configuration or logic change is complete, and regularly verify the key-switch position via walkdown.
- The attacker gained remote access to the SIS engineering workstation to deploy the attack tool. This means that the workstation was not only connected to the SIS controller network, but was also able to communicate with the outside world via another network. The SIS environment should be appropriately isolated and operate independently from the basic process control system (BPCS).
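As an added example (not the post's own code), here is a small audit script that checks both weaknesses above against constructed inventory records: controllers whose key-switch is still out of RUN after a change, and SIS engineering workstations that are dual-homed into another zone. The zone subnets, host names, timestamps and record layout are assumptions made for the example.

```python
"""Audit SIS access control against constructed inventory records (added example).
Flags controllers left in PROGRAM mode and dual-homed SIS engineering
workstations; zone subnets, host names and record layout are assumptions."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed IEC 62443-style zones, constructed for this example.
ZONES = {
    "sis": ip_network("10.10.50.0/24"),
    "bpcs": ip_network("10.10.40.0/24"),
    "plant_it": ip_network("10.20.0.0/16"),
}
# Constructed walkdown and asset-inventory records (not real plant data).
CONTROLLERS = [
    {"name": "SIS-CTRL-01", "keyswitch": "RUN", "last_change": "2018-01-05T08:00:00+00:00"},
    {"name": "SIS-CTRL-02", "keyswitch": "PROGRAM", "last_change": "2018-01-05T09:30:00+00:00"},
]
WORKSTATIONS = [
    {"name": "SIS-EWS-01", "interfaces": ["10.10.50.20"]},
    {"name": "SIS-EWS-02", "interfaces": ["10.10.50.21", "10.20.3.15"]},  # dual-homed
]

def zones_for(addresses):
    """Return the set of zone names the given interface addresses fall into."""
    return {z for a in addresses for z, net in ZONES.items() if ip_address(a) in net}

def controllers_in_program(controllers, now_iso, grace_hours=1):
    """Controllers still out of RUN longer than the grace period after a change."""
    now = datetime.fromisoformat(now_iso)
    grace = timedelta(hours=grace_hours)
    return [c["name"] for c in controllers
            if c["keyswitch"] != "RUN"
            and now - datetime.fromisoformat(c["last_change"]) > grace]

def dual_homed_workstations(workstations):
    """Workstations holding a SIS-zone address together with any other zone."""
    flagged = []
    for w in workstations:
        zones = zones_for(w["interfaces"])
        if "sis" in zones and len(zones) > 1:  # bridges SIS to another zone
            flagged.append(w["name"])
    return flagged

if __name__ == "__main__":
    print("Key-switch not in RUN:", controllers_in_program(CONTROLLERS, "2018-01-05T12:00:00+00:00"))
    print("Dual-homed SIS workstations:", dual_homed_workstations(WORKSTATIONS))
```

Feed it the walkdown log and interface inventory you already collect; a non-empty result from either function is a finding to act on that day, not a metric to trend.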
By leveraging the safety design principles articulated in international safety standards such as IEC 61508/IEC 61511/ISA84, automation engineers can make informed decisions about the appropriate methods to isolate the safety functions from the BPCS functions. They must also ensure that this separation exists in all phases of plant design, operation and maintenance. A common engineering system, or a SIS engineering workstation that is interconnected with the plant network, may violate these fundamental principles.
The cybersecurity standards created by ISA99, and now recognized globally as IEC 62443, lay out the process to safely segment and isolate key control system components through methods such as “zones and conduits.” Use the defense-in-depth principles from ICS-CERT and deploy unidirectional gateway devices where required.
Some vendors will maintain they have proven that their integration of the BPCS and SIS, especially at the engineering workstation, conforms to and is consistent with these safety and cybersecurity standards. I urge you to ask hard questions, such as: what if an attacker gains complete control of the engineering environment? How does the system ensure that unauthorized changes to SIS logic cannot be made?