Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Security Infrastructure

Are Industrial Control Systems Secure?

 Securing Industrial Control SystemsAre Industrial Control Systems Secure?

 Securing Industrial Control SystemsAre Industrial Control Systems Secure?

In July 2010, Stuxnet, the highly sophisticated designer-malware, targeted five organizations in Iran, spying on and subverting their uranium enrichment infrastructures. The malware targeted and destroyed supposedly secure equipment while evading detection for months.

This is just one of a number of recent cyber attacks that demonstrate the increasing vulnerability of hardened industrial control systems, called Supervisory Controls and Data Acquisition (SCADA) systems. These networks contain the computers and applications that perform the key functions in providing essential services and critical infrastructure which span manufacturing, power generation and refining plants, infrastructure and facility processes in water treatment plants, oil and gas pipelines, electrical power distribution and buildings, airports, ships and space stations.

By allowing the collection and analysis of data and control of such equipment as pumps and valves from remote locations, SCADA networks offer the benefits of performance, reliability and flexibility for mission critical processes. However, Stuxnet demonstrated the extent to which common industrial machines are vulnerable to the threat of electronic attacks. Consider a SCADA breach of a power supply and distribution plant—all business would be impacted and economies could suffer incalculable losses. Failure to adapt SCADA systems to the changing threats and vulnerabilities of the cyber world exposes companies and governments to the very real possibility of a catastrophic event.

Related Reading: The Increasing Importance of Securing The Smart Grid

Industrial Control Systems Operator

Historically, SCADA systems were kept separate from other corporate systems. Even though these networks may not have been effectively secured, they were traditionally difficult to break into because they were isolated for health and safety reasons.

More recently, however, major companies are driving their process control through ERP systems, which not only control their financial data, but link their suppliers and customers. Third parties are now being given direct access to SCADA networks via the Internet to manage them and/or to do diagnosis. These connections to the outside world create a massive challenge from a security perspective.

Other security challenges inherent to today’s SCADA networks include the following:

Ownership. Many wrongly believe that the IT department automatically looks after SCADA as well as enterprise security. This, in fact, is rarely the case. While IT departments may provide security for systems they understand – for example, Windows and SAP – the critical control systems that run the pipelines and refineries on a daily basis are largely foreign to them and have been traditionally managed by the engineering side of the business. These control systems have unusual, engineering-derived operating systems like VxWorks or RSLogix. This means that many of the proven IT security solutions will either not function correctly or, even worse, may interfere with SCADA operations.

Advertisement. Scroll to continue reading.

Exposure. SCADA architectures increasingly involve Commercial Off the Shelf (COTS) software, such as Win servers, TCP/IP protocols, and management tools, many with inherent vulnerabilities. Without clear ownership and responsibility, these products are frequently left unpatched and exposed.

Origin of Attacks. Many managers mistakenly assume that all cyber security problems arise from outside the company premises, generally from hackers. The assumption is that hackers attempt to attack SCADA systems through obvious pathways that can be managed by a single Bastion firewall between the business and SCADA networks. While the more infamous attacks have occurred from outside, the truth is that many problems originate from within the company and in these cases, the firewall affords little protection, leaving the networks exposed. Additionally, many organizations have had to break through the firewall to allow ERP systems to drive the process control by SCADA integration. Third parties connecting to ERP systems can then access SCADA networks.

Common Design Flaws. For many years, simply keeping the systems communicating posed a major challenge for SCADA engineers. The emergence of Ethernet, TCP/IP and Web technologies radically altered the equation. The result? The creation of “control networks” that act as common pathways for all industrial control communications. When a new control application needs a network to transport its data on, too often the answer means connecting it to the control network. Over the last few years, any clear understanding of exactly what devices are attached to most corporate networks, or what traffic is travelling over the network, have become impossible. This results in well-intentioned staff tapping into the control systems to add or access network traffic, causing an unreliable and insecure SCADA network.

The first step for organizations should be to assign responsibility for managing security around the SCADA process control environment. Whether that’s an extension of the Chief Security Officer’s responsibility or someone dedicated within the process control area, there has to be accountability for this area.

To ensure that its SCADA networks are brought under control, an organization needs to follow the standards spelled out by the American National Standards Institute. These are divided into three fundamental categories: Risk Analysis, Addressing Risk with Cyber Security Management System (CSMS) and Monitoring and Improving the CSMS. More specifically, the first category lays out the path a company needs to follow in order to both assess its current security situation and determine the security goals it wants to achieve. The second category outlines the processes needed to define security policy, security organization and security awareness in the company and provide recommendations for countermeasures to improve SCADA security. The final category describes those methods that make sure that a SCADA system not only stays in compliance with CSMS, but follows a continuous improvement program.

The benefits of these recommendations extend beyond the goal of reducing the possibility of an attack. By improving the corporate processes concerning SCADA systems and more effectively managing the actual traffic on the control systems networks, organizations can enhance overall system reliability, justifying the cost of the security program.

The time to take action is now. The effort needed to secure SCADA networks can’t wait any longer.

Related Reading: The Increasing Importance of Securing The Smart Grid

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Security Infrastructure

Security vendor consolidation is picking up steam with good reason. Everyone wants to improve security efficiency and effectiveness while paying for less.

Management & Strategy

Hundreds of companies are showcasing their products and services this week at the 2023 edition of the RSA Conference in San Francisco.

Cloud Security

The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning.

Security Infrastructure

Instead of deploying new point products, CISOs should consider sourcing technologies from vendors that develop products designed to work together as part of a...

Security Infrastructure

Comcast jumps into the enterprise cybersecurity business, betting that its internal security tools and inventions can find traction in an expanding marketplace.

Audits

The PCI Security Standards Council (SSC), the organization that oversees the Payment Card Industry Data Security Standard (PCI DSS), this week announced the release...

Security Infrastructure

XDR's fully loaded value to threat detection, investigation and response will only be realized when it is viewed as an architecture