One of the very largest problems facing the automation professional is that the control systems in plants and the SCADA systems that tie together decentralized facilities such as power, oil, and gas pipelines and water distribution and wastewater collection systems were designed to be open, robust, and easily operated and repaired, but not necessarily secure. 1. The security problem For example, in August 2008, Dr. Nate Kube and Bryan Singer of Wurldtech demonstrated at the ACS Cyber Security Conference that a properly designed safety instrumented system that had received TÜV certification could very easily be hacked. The unidentified system failed unsafely in less than 26 seconds after the attack commenced. Note that "properly designed" meant that the controller was designed to be robust and safe and to operate properly. operating cyber-securely was not one of the design elements. For quite some time, Schweitzer Engineering Laboratories has had a utility on its website, www.selinc.com, that allowed SEL internet-enabled relays to be programmed via a Telnet client by any authorized user. Recently, several security researchers found and acted on exploits against Telnet; SEL has now taken the utility down to protect the users. It isn't the power industry alone that faces these issues, although the critical infrastructure in the power industry is certainly one of the largest targets. These cyber incidents have happened in many process industry verticals, whether they've been admitted to or not. History shows that it’s much more likely to be an internal accident or error that produces the problem. In 1999, an operator for the Olympic Pipeline Company in Bellingham, Washington, was installing a patch on his pipeline SCADA system. Unknown to him, the scan rate of the SCADA system slowed to the point where a leak alarm failed to reach the SCADA HMI until after the ignition of the leak and the deaths of three people as well as numerous injuries. This is a classic cyber accident. On January 26, 2000, the Hatch Nuclear Power Station experienced a cyber event. A Wonderware HMI workstation running on the plant local area network (LAN) was patched, experienced instability because of the patch, and rebooted. It was connected via a firewall directly into the OSI PI database that Hatch used as the plant historian. So was an Allen-Bradley PLC, which was caused to reboot. When it rebooted, it reinitialized all the valve positioners, and with all the valves closed the main feedwater pumps shut down, exactly as they were supposed to do, scramming the reactor. At Brown's Ferry Nuclear Station in August 2006, a broadcast storm apparently caused by the plant's IT department "pinging" the network in a standard network quality control procedure caused a similar PLC to fail, shutting off the feedwater pumps and … you guessed it, scramming the reactor. it’s troubling that Hatch and Brown's Ferry had similar incidents six years apart. Lest one conclude that this is all about the power industry and the oil and gas industry, there is the case of Maroochy Shire in Western Australia. From the official MITRE report of the incident, coauthored by Joe Weiss, here is what happened: Vitek Boden worked for Hunter Watertech, an Australian firm that installed a SCADA system for the Maroochy Shire Council in Queensland, Australia. Boden applied for a job with the Maroochy Shire Council. The Council decided not to hire him. Consequently, Boden decided to get even with both the Council and his former employer. He packed his car with stolen radio equipment attached to a (possibly stolen) computer. He drove around the area on at least 46 occasions from February 28 to April 23, 2000, issuing radio commands to the sewage equipment he (probably) helped install. Boden caused 800,000 liters of raw sewage to spill out into local parks, rivers, and even the grounds of a Hyatt Regency hotel. Boden coincidentally got caught when a policeman pulled him over for a traffic violation after one of his attacks. A judge sentenced him to two years in jail and ordered him to reimburse the Council for cleanup. There is evidence of more than 100 cyber incidents, whether intentional, malicious, or accidental, in the real time ACS database maintained by Joe Weiss. These include the Northeast power outage and the Florida power outage in 2008. it’s worth noting that neither event has been described as a cyber event by the owners of the power companies and transmission companies involved. 2. An Analysis of the Security needs of Industrial Automation Industrial automation systems (or industrial control systems, abbreviated ICS) are an integral part of the industrial infra structure supporting the nation's livelihood and economy. They aren't going away, and starting over from scratch isn't an option. UCSs are "systems of systems" and need to be operated in a safe, efficient, and secure manner. The sometimes competing goals of reliability and security are not just a North American issue, they are truly a global issue. A number of North American control system suppliers have development activities in countries with dubious credentials; for example, a major North American control system supplier has a major code-writing office in China, and a European RTU manufacturer uses code written in Iran. Though sharing basic constructs with enterprise IT business systems, ICSs are technically, administratively, and functionally different systems. Vulnerability disclosure philosophies are different and can have devastating consequences to critical infrastructure. A major concern is the dearth of an educated workforce; there are very few control system cyber security experts (probably fewer than 100) and currently no university curricula or ICS cyber security personnel certifications. Efforts to secure these critical systems are too diffuse and don’t specifically target the unique ICS aspects. The lack of ICS security expertise extends into the government arena, which has focused on repackaging IT solutions. The successful convergence of IT and ICS systems and organizations is expected to enable the promised secure productivity benefits with technologies such as the smart grid. However, the convergence of mainstream IT and ICS systems requires both mainstream and control system expertise, acknowledging the operating differences and accepting the similarities. one can view current ICS cyber security as being where mainstream IT security was 15 years ago; it’s in the formative stage and needs support to leapfrog the previous IT learning curve. Regulatory incentives and industry self-interest are necessary to create an atmosphere for adequately securing critical infrastructures. However, regulation will also be required. 3. Some Recommendations for Industrial Automation Security The following recommendations, taken from a report to the bipartisan commission producing position papers for the Obama administration, can provide steps to improve the security and reliability of these very critical systems, and most of them are adoptable by any process industry business unit:
Leverage appropriate IT technologies and best practices for securing workstations using commercial off-the-shelf (COTS) operating systems. Establish standard certification metrics for ICS processes, systems, personnel, and cyber security. Promote/mandate adoption of the NIST Risk Management Framework for all critical infrastructures, or at least the industrial infrastructure subset. Establish a global, nongovernmental Cyber Incident Response Team (CIRT) for control systems, staffed with control system expertise for vulnerability disclosure and information sharing. Establish a means for vetting ICS experts rather than using traditional security clearances. Provide regulation and incentives for cyber security of critical infrastructure industries. Establish, promote, and support an open demonstration facility dedicated to best practices for ICS systems. Include subject matter experts with control system experience at high-level cyber security planning sessions. Change the culture of manufacturing in critical industries so that security is considered as important as performance and safety. Develop guidelines similar to that of the Sarbanes-Oxley Act for adequately securing ICS environments. Like process safety, process security is itself a process and must become part of a culture of inherent safety and security. PREV. | NEXT Related Articles -- Top of Page -- Home |
Updated: Saturday, February 4, 2017 13:01 PST