The systems most vulnerable to cyberattack aren’t those that house your bank records or credit card information. They’re the control systems for such critical facilities as power and water-treatment plants, oil refineries, and mass transit systems. So says cybersecurity expert Joseph Weiss, author of two IEEE Expert Now eLearning online tutorials on how to protect the systems: “Cyber Security of Industrial Control Systems” and “Cyber Security of Substation Control and Diagnostic Systems” An IEEE member, Weiss is the managing partner at Applied Control Solutions of Cupertino, Calif.
Industrial control systems monitor those mundane, yet critical, processes in nearly all industries. The systems perform real-time control and send data to a central computer (generally a supervisory control and data acquisition or distributed control system) that manages and displays the information. It’s all software-driven, of course, with the user interfaces, controllers, signal hardware, communications equipment, and networks designed to work together.
LOOKING FOR TROUBLE
For years, cyberhackers have given industrial systems a pass. Perhaps that’s because the bad guys have had their fun, and their hands full, targeting systems running Windows-based business applications. Consequently, cybersecurity measures have focused on protecting the computers that run those applications. The relative obscurity of industrial control systems has generally protected them, but not anymore, Weiss says. That’s because the systems are no longer isolated. Intentional and unintentional cyberincidents are bound to increase, according to Weiss, and protecting computers alone is not enough.
“We’re worried about protecting an organization’s mission to make and distribute their products,” he says. “If you are an electric utility and you can’t make, transmit, or distribute electricity for several months, what do you do? Likewise for petroleum companies that can’t pump oil or a pharmaceutical company that can’t manufacture medicines. These systems have to be absolutely safe and reliable.”
Those responsible for substations, refineries, and power plants are more concerned about their maintenance, availability, and safety, Weiss says; their job doesn’t include securing the systems against cyberattack, and they often have neither the budget nor the knowledge to do so. Authenticity (assuming that whatever or whoever is accessing a system has a right to be there) and system integrity (intruders cannot get in) are generally assumed, not assured. And confidentially requirements—which assure the information is accessible only to those authorized to have access—are often unknown or ignored.
“In general, the authentication is ‘check before operate,’ which prompts operators for a last check before issuing a control message, and assumes the data can be trusted. And a number of control systems aren’t authenticated at all,” Weiss says. “What’s even worse is that many control networks depend on outside sources—networks tied to networks tied to networks. These secondary networks cannot be trusted, as they are generally not secure.”
Weiss has documented more than 170 cyberincidents against industrial control systems worldwide. Most of them were unintentional. System operators might not have tested their equipment properly or might have instituted security policies unsuitable for control systems. Such accidentally inflicted incidents led to power outages in Florida and in the northeastern and southwestern United States, as well as the shutdown of several nuclear power plants.
Some events even led to deaths, such as the rupture and fire in 1999 at an Olympic Pipe Line Co. gasoline pipeline in Bellingham, Wash., that killed three people. A U.S. National Transportation Safety Board report indicated that a contributing factor was the company’s practice of performing database development work on the supervisory control and data acquisition system while the system was being used to operate the pipeline. That caused the system to become nonresponsive at a critical time.
“Part of the problem is that there are very good forensics to tell when something ‘normal’ happens—for example, to the voltage, the pressure, or the temperature,” Weiss points out, “but there are almost no forensics that deal with cyberincidents. This should be a scary thought to most people.”
A number of things can be done today to protect control systems, he says. The first involves governance. Senior management, including the chief executive and chief operating officers, must support the company’s security program. “If you don’t have senior management support, your program is dead on arrival,” Weiss warns.
A person or group responsible and held accountable for security must be identified, and the organization’s control system staff made aware of the team’s mission. The security program must undergo periodic review as well, Weiss says.
Policies involving IT systems and control systems should be consistent with each other, he adds. Two approaches can be taken. One produces an overarching set of policies and procedures dealing with the IT systems, with a subset covering the control systems. The other relies on a different set for each system. Either option can work, but Weiss cautions that if policies and procedures aren’t written down, “there’s a pretty good chance they aren’t going to be followed.”
Almost all organizations have awareness and training programs for their employees on computer security that cover, for example, passwords or identifying inappropriate Web sites. Such components should, of course, be part of security programs for control systems, but they also should include components unique to each system, as well as reflect industry standards and guidelines.
Vulnerability assessments must be performed regularly. Each such test is “simply a snapshot in time,” he says. “Whenever the system is modified, upgraded, tested, or reconfigured, the previous vulnerability assessment is no longer relevant, because the system is no longer the same system.”
Weiss points out that there is no silver bullet: “Cybersecurity is a living issue, because there is no single technology—be it a firewall, intrusion detection system, or other technology—that will adequately protect control systems.
“Instituting a change in corporate culture that emphasizes security is just as important as maintaining good operations and maintenance policies,” he says. “The security policies and procedures must be embedded in the minds of the people using the systems, because many believe the threat is still not real.”
Weiss covers the topic and more in his book, Protecting Industrial Control Systems from Electronic Threats, published this month by Momentum Press.