
Focus: Security threats

Ten Control System security threats

"THE Top 10 Vulnerabilities of Control Systems and their Associated Mitigations - 2006, is the third revision of the list," says Scott R. Mix, CISSP, manager of situation awareness & infrastructure security. "The document is maintained by the Control System Security Working Group (CSSWC) of NERC's Critical Infrastructure Protection Committee (CIPC), and is updated each year to reflect changes in vulnerabilities, as well as to document improved mitigation strategies," he says. It has grown from a simple listing of vulnerabilities in 2004, to include three levels of mitigations for each of the documented vulnerabilities.

Here are the 10, with advice from industry suppliers and consultants on the importance of each to overall system strength.

1. Inadequate policies, procedures, and culture governing control system security.

Security begins with a culture and mindset of all those involved. "There is a tendency to think of security in terms of a technical solution: firewalls, passwords, etc.," says Bob Huba, Delta V product manager for Emerson Process Management. "While those elements may cover 20% of the overall solution, common sense approaches to security implemented by plant personnel should make up the remaining 80%. To quote one industry practitioner, 'just stop doing dumb things.' Ask the question, 'Does your facility have a security policy?' It can be as simple as asking a stranger why he is in a control room, or making sure your users know not to bring in portable media from the outside to play music or install non-approved programs."

Kim Eenrich, project solutions manager, power generation, ABB Inc., observes, "Without an effective security policy that addresses procedures, mitigation strategies, and periodic training, all other security programs will be less successful. To be successful, security must be viewed as an ongoing process, not a one-time investment into firewalls, intrusion prevention or detection, encryption technologies, etc."

Operators believe, says Bryan Geraldo, lead principal, power and energy vertical, Symantec Consulting Services, that "control systems are relatively safe from opportunistic attacks or inadvertent disruption because they are 'indirectly' connected to the Internet, or composed of different software and hardware components, some of which have the vendors' own built-in security features." While most IT products have built-in security measures, such as passwords and encryption options, or basic firewall/filter-type mechanisms, Geraldo says, "many of these features are deactivated - or worse - left in default or incorrect configurations, which lends a false sense of security."

The general migration away from proprietary system architectures requires change, suggests Marilyn Guhr, senior marketing manager for lifecycle services, Honeywell Process Solutions. "As the control system environment moves to open systems," she says, "new policies and procedures are required and often control systems people are not aware of these requirements or they believe someone else is taking care of it. The IT organisations within their companies are very aware of these things but that awareness hasn't necessarily filtered down to the process control area."

Lack of knowledge produces errors. "Over and over I see mistakes occur on industrial sites that can completely invalidate the entire security effort," says Eric Byres, CEO, Byres Security. "For example, during one particular site audit I ran, network cables were discovered that circumvented the SCADA firewalls. The reason later given was that there was no risk analysis showing that the firewalls were important, nor was there a policy stating that bypassing them was unacceptable."

2. Inadequately designed networks with insufficient defence-in-depth.

Defence requires more than just a strong perimeter. "To secure a control system successfully requires taking a systematic and comprehensive approach," advises Todd Stauffer, PCS 7 marketing manager, Siemens Energy & Automation. "One of the most common (and dangerous) misunderstandings is that by simply installing a control system firewall, the system is protected. This is far from correct. Instead, a layered approach called defence-in-depth is recommended by security practitioners and agencies, such as the U.S. Dept. of Homeland Security. Defence-in-depth advocates the creation of a nested security architecture whereby the plant is divided into multiple secure and closed cells (zones). Each cell must have clearly defined and monitored access points to control access and communication in and out."

Control systems must have hierarchical levels of protection, says Kevin Staggs, global security architect, Honeywell Process Solutions. "The more critical the access, like controls and HMI, the deeper it needs to be defended. Control systems at a minimum should be firewalled off from the business network, and they should never be allowed to access the Internet. The IT realm understands how to use defence-in-depth networks, but that expertise hasn't necessarily been brought down to the control system level."

Byres says, "No IT department in its right mind would just install a firewall and then say 'we're secure.' IT departments install antivirus software, personal firewalls, automatic patches, etc., on every single server, desktop, and laptop, so that these computers are tough enough to defend themselves with or without the firewall. Yet in the SCADA and control systems world, companies install one firewall between the business network and the control network (if that) and completely ignore the security of mission critical devices like the PLC, RTU or DCS. The whole control security paradigm is 'crunchy on the outside and chewy in the middle' but that doesn't work. Like good safety design, a good security design has to offer layers of defence so that when one layer fails another will stand in its place. That means making every device on the control network secure enough that it can defend itself when the bad guys or bugs eventually get through the firewall. It isn't easy, but it can be done."


PACE June 2007 19


Security can have its downside, as Adam Stein, VP of marketing, Mu Security, cautions: "With SCADA-based control systems, defence-in-depth really only hardens the edges of the network. Users won't tolerate the kind of latency that internal defence mechanisms create in a system. When the operator sends a signal to close a valve or stop a dangerous process, he doesn't want to wait the extra time needed for that to get through multiple firewalls."

Emerson's Huba has seen the effects of mixed platforms common to most plants. "Many of today's control networks are made up of loosely integrated controllers from different companies, with a common HMI interface and common off the shelf hardware for communications. Most often these are engineered by system integrators on an ad hoc basis and security may or may not have been considered. As these systems proliferate, it is important that end-users insist that proper restrictions to the control network be engineered as part of the solution."

3. Remote access without appropriate access control.

"Controlling which persons and programs haveaccess to the control system is critical to maintainingsecurity," Stauffer advises. "In general, useraccounts should be set up to grant access and per-mission based on the defined role of the user (engi-neer, operator, maintenance technician, remoteview-only connection, etc.). This follows the princi-ple of minimal rights whereby users and computersare configured with the minimum set of access rightsnecessary to perform their role."

But denying any remote access hampers end-users' ability to work with control system vendors for remote services that could really be advantageous to them, including more "intellectual firepower" during a customer situation, says Guhr.

Bryan Singer, CISM, CISSP, principal consultant, industrial security, FluidIQs Inc., and chairman of ISA SP99, Manufacturing and Control Systems Security committee, says, "Terminal services, wireless networks, radio telemetry equipment, modems, and unsecured computers abound. Where electronic security is not feasible, we should have good physical security. This also extends into our ability to detect rogue or additional devices. Most networks are not managed or configured to stop unauthorised devices, so additional control systems, PCs, or even attackers' workstations can often be joined to the network and never detected."

4. Separate auditable administration mechanisms.

This includes system updates, user metrics, and the like that are not part of the control system implementation. "This vulnerability goes back to the people who are running the control systems," says Guhr. "Their core competencies may not be in the IT area and the vulnerabilities that are discovered in these systems are IT-related. You need a capability in place that indicates 'what's the latest thing you added to the system or what's changed since the last time you had a properly running system?' If something goes wrong, you need to know what's changed."

Stauffer seconds that advice: Since hackers are continuously working to find new vulnerabilities, he says, processes should monitor the control system continuously to ensure that its software is kept up-to-date.

Auditing systems and software doesn't always come naturally to process operators, and they may need to learn new techniques. "Most process control systems and related programs are designed with alarms and event generation capability, but they are process-focused," Singer explains. "It is very difficult to detect an attack or compromise from such logs, and computer forensic methods are also quite complicated on control devices. Some online auditing and monitoring solutions, such as intrusion detection systems, are woefully inadequate when dealing with controls protocols, and many times even if these systems and firewalls are in place, the logs are not monitored."
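One concrete way to answer Guhr's question, "what's changed since the last time you had a properly running system?", is a signed-off baseline of a control host's application directory that is diffed against the live state. The following is an added example, not code from the article or any vendor quoted in it; the directory layout, file names and contents are constructed for the demonstration.

```python
"""Added example (not from the PACE article): keep a known-good baseline of
a control host's application tree and report what has been added, removed
or modified since. All paths and file contents below are constructed."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def _sha256(path: str) -> str:
    """Hash one file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root, '/' separated) to its
    SHA-256. Taken once on a properly running system, this is the baseline;
    taken again later, it is the state to compare against."""
    result: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = _sha256(full)
    return result


def diff_snapshots(baseline: Dict[str, str],
                   current: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return added, removed, modified


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Build a constructed 'operator station' tree, baseline it, then simulate
    the drift the article describes: an unapproved program appears, a driver
    binary changes and a configuration file disappears."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "hmi/hmi_runtime.exe", b"HMI runtime (constructed)")
        _write(root, "hmi/config/tags.xml", b"<tags><tag name='FIC101'/></tags>")
        _write(root, "drivers/modbus.dll", b"modbus driver (constructed)")
        baseline = snapshot(root)

        # Drift since the baseline was signed off.
        _write(root, "drivers/modbus.dll", b"modbus driver (constructed) altered")
        _write(root, "media/player.exe", b"unapproved media player (constructed)")
        os.remove(os.path.join(root, "hmi/config/tags.xml"))
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
```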

5. Inadequately secured wireless communication.

"Wireless security isn't just a big issue for control systems, but for all uses, mainly because wireless is becoming so pervasive," says Staggs. "It's very easy to plug wireless in almost anywhere. But you have to be able to find the signals and know if someone has put in a rogue point.

"Before installing wireless, it's important to do acomplete assessment to identify the best areas forwireless use and ensure that leakage out of the plantis minimised. Wireless leakage occurs when youhave transmitters or wireless-enabled workers walk-ing around with tablet PCs or handheld devices.Those devices may be transmitting in an area out-side a plant."

Singer encourages studying wireless propagation: "On the wireless network side, technologies such as 802.11b and g are often in place, operating in the 2.4 GHz spectrum. Often they have been deployed without a suitable site survey to determine if coverage is adequate and to evaluate if spurious emissions are limited so that people external to the facility must work hard to find these networks."

Problems with open emission technologies fall into four basic areas, says Ken Steinberg, CEO of Savant Protection: unauthorised use, on-air interception, frequency interference, and unauthorised extension. "Security professionals need to make sure to cover all areas in order to remain secure and effective," he adds.

Hesh Kagan, Invensys director of technology and president of the Wireless Industrial Network Association (WINA), says dangers stem from a "poorly or incorrectly managed network, as well as poor underlying technology. An insecure network will often be a fragile network as well. The lack of robustness is as troublesome to operations as the lack of security is to IT."

Sometimes separation is the best approach, advises Symantec's Geraldo: "If possible, segment the wireless networks from the rest of the control network. Additionally, it is strongly advisable to secure wireless access methods to include requiring authentication and enforcing strict access controls for communications leading from the wireless network into the rest of the control network."

6. Use of a non-dedicated communications channel for command and control.

This would be the case with Internet-based SCADA. This vulnerability also could include inappropriate use of control system network bandwidth for non-control purposes, such as VoIP (voice over Internet).

"Many IT folks have bought the 'converged net-work' line and think it's OK," says Singer. "We haveseen cameras, VoIP, business systems processingpayroll, and a whole host of other issues, causedenial of service conditions on control networks. ITprofessionals t>-pically look at application perform-ance, and near real time for control is a foreignconcept. Taking 300-500 ms extra to receive e-mailor a Webpage is largely unnoticeable; 300-500 mil-liseconds for control messages or safety messages

(Continued on page 22)

The best value in vision.No matter how you look at it.High performance af low cosf!

• OEM friendly—compact, self-conlalned sensor for360° inspectioi.

• Powerf Jl performance at speeds up to 1500 partsper miiute,

• Easy to cost-justify for multiple applications andmanjtactjrirg lines.

Easiest sensor to set up.• Easy, point 5 click software for initial setip

common to all PresencePWS products.

• Remote TEACH allows simple pish-bjttoninspectioi changeoms on-the-linewithojt a PC.

Fuii 360* fixture-free inspection.

• Locates inspection detail regardlessof product orientation

• Perform latsei inspection,identification of parts, andassembly verification.

Dedicated to 100% qualityinsfiection.

• More than 15,000photoelectric, ultrasonicand vision productsavaiiabie now.

WWW. bannerenmnee ring. comMaeo

PACE June 2007 21

Focus: Security threats

iPD Vision Appliances

RittKJ' 2 cameras 2 camerasspeed 4x speed 4x

monc monoiNspect Sherlock 7

VA40 VA41i 4 cameras 6 camerasspeed 10x speed 25x

colour colourSherlock 7 Sherlock 7

VA50 VA511 cameras 2 cameras

colour colourSherlock 7 Sherlock 7

• Area/Line scan * Digital Input/Outpi• Opto-isolation « 60 fps

^ Ethernet / GigE • Firewire • USB2.(

Software = Sherlock 7 or iNspect

Exclusive Distributors inAustralia & New ZealandAdept Electronic Solutions

specialists in machine vision & image analysis^

Cameras

AcquisitionHardware

Quality Product.Expert Support.

a.e.s adeptelectronic solutions

[email protected]: 08 9242 5411Sydney: 02 9979 2599

(Continued from page 21)

could be disastrous. Often, what is an acceptablelevel of saturation or utilisation from an IT perspec-tive can spell disaster for controls."

Staggs warns that well-meaning individuals can make mistakes about infrastructure since "it costs quite a bit of money to add additional channels, and it's hard to add infrastructure wiring after the fact. But you really need to understand where the information is and where it needs to flow, and lay out your networks accordingly. Keep the control traffic off the business network and vice versa. Don't use the same channels. It's really a bad practice."

Using the control system for non-control communications, says Huba, "regardless of how much 'extra' bandwidth appears to be available, can only lead to problems getting the mission-critical control information distributed as quickly as possible."

7. Lack of easy tools to detect/report anomalous activity.

This includes inadequate or non-existent forensic and audit methods. "Developing a prevention approach to plant control systems will require a new approach to network security between the plant network layer and business/external systems. It's only logical that we implement the tightest layer of control on our systems as technically possible in order to maintain the continuity of our business," says Ernest Rakaczky, business development manager, control system security, Invensys.

The range of tools is extensive, adds Todd Nicholson, chief marketing officer, Verano Inc.: "Risk mitigation tools include perimeter protection (firewall, anti-virus, intrusion protection, content filtering, etc.), network intrusion detection (scanning the network for intrusions, rogue devices, changes in traffic levels, etc.), host intrusion detection (detecting file/process/socket changes, monitoring message queues, login failures, removable media insertion, abnormal exits, etc.), and performance monitoring.

"The utiique aspects of control system designsalso impact the requirements for cyber security riskmitigation. For Instance, control system cyber secur-ity soiutions must be totally passive, extract infor-mation from the actual control applications, moni-tor system performance, and operate effectively onolder systems/networks."

Inadequate methods are the problem, says Staggs. "The tools are available and are commonly deployed in business networks and IT networks, but they really are not understood or deployed on control systems. Right now, the control systems that are out there really don't have enough of the accounting security capabilities to provide forensic trails when things do go wrong."

Singer agrees, but isn't sure he likes what he sees: "There are some tools starting to emerge, but they often have the flavour of 'IT-related tools,' created by IT professionals, for IT professionals, and only for traditional IT systems, not necessarily for controls."
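Two of the passive detections Nicholson lists, scanning for rogue devices and watching host logs for login failures, are simple enough to run on a control network without touching the controllers, and they also address Singer's point under item 3 that unauthorised devices are "often joined to the network and never detected". The block below is an added example, not code from the article or from any product named in it; the asset inventory, the switch neighbour-table dump and the workstation log lines are all constructed.

```python
"""Added example (not from the PACE article): passive detections for a
control network. The inventory, ARP observations and log lines are
constructed; the formats are illustrative, not any specific product's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed asset inventory: MAC -> (inventoried IP, description).
INVENTORY: Dict[str, Tuple[str, str]] = {
    "00:1b:1b:aa:01:01": ("10.10.1.10", "PLC-1 (constructed)"),
    "00:1b:1b:aa:01:02": ("10.10.1.11", "PLC-2 (constructed)"),
    "00:50:56:bb:02:01": ("10.10.1.50", "HMI-A (constructed)"),
}

# Constructed neighbour/ARP table dump from the control-network switch.
ARP_OBSERVATIONS = """\
10.10.1.10 00:1b:1b:aa:01:01
10.10.1.11 00:1b:1b:aa:01:02
10.10.1.50 00:50:56:bb:02:01
10.10.1.77 3c:22:fb:cc:03:09
10.10.1.12 00:1b:1b:aa:01:02
"""

# Constructed authentication log from an engineering workstation (EWS-1).
HOST_LOG = """\
2007-06-01T02:14:01 EWS-1 auth: login failed user=eng1 src=10.10.1.77
2007-06-01T02:14:03 EWS-1 auth: login failed user=eng1 src=10.10.1.77
2007-06-01T02:14:04 EWS-1 auth: login failed user=eng1 src=10.10.1.77
2007-06-01T02:14:06 EWS-1 auth: login failed user=eng1 src=10.10.1.77
2007-06-01T02:14:09 EWS-1 auth: login ok user=eng1 src=10.10.1.77
2007-06-01T08:00:10 EWS-1 auth: login failed user=op2 src=10.10.1.50
2007-06-01T08:05:12 EWS-1 auth: login ok user=op2 src=10.10.1.50
"""

LOG_RE = re.compile(r"^(\S+) (\S+) auth: login (failed|ok) user=(\S+) src=(\S+)$")


def find_rogue_devices(arp_text: str,
                       inventory: Dict[str, Tuple[str, str]] = INVENTORY) -> List[str]:
    """Compare observed (IP, MAC) pairs with the inventory. Report MACs that
    are not inventoried at all, and inventoried MACs seen at an address other
    than the recorded one (re-addressing, re-wiring or spoofing to check)."""
    findings: List[str] = []
    for line in arp_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                      # skip headers / blank lines
        ip, mac = parts[0], parts[1].lower()
        if mac not in inventory:
            findings.append(f"UNKNOWN device {mac} at {ip}")
        elif inventory[mac][0] != ip:
            expected_ip, desc = inventory[mac]
            findings.append(f"{desc} ({mac}) seen at {ip}, expected {expected_ip}")
    return findings


def find_login_bursts(log_text: str, threshold: int = 3,
                      window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, str]]:
    """Return (user, src) pairs with at least `threshold` login failures
    inside any `window`-long interval: a process-focused alarm list will not
    show this, but the host log does."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, _host, outcome, user, src = m.groups()
        if outcome == "failed":
            failures[(user, src)].append(datetime.fromisoformat(ts))

    bursts = []
    for key, times in failures.items():
        times.sort()
        start = 0                         # sliding window over sorted times
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append(key)
                break
    return sorted(bursts)


if __name__ == "__main__":
    # In the constructed data the unknown device at 10.10.1.77 is also the
    # source of the failed-login burst against EWS-1.
    for f in find_rogue_devices(ARP_OBSERVATIONS):
        print("rogue:", f)
    for user, src in find_login_bursts(HOST_LOG):
        print(f"login burst: user={user} src={src}")
```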

8. Installation of inappropriate applications on critical host computers.

Most importantly, Stauffer says, the control system needs to safely and effectively control the process. "The only necessary applications are those that are directly involved with the control of the process. Additional software programs such as e-mail, games, and media players are not necessary and can make the system vulnerable. To harden the system, it is necessary to remove all unnecessary applications and to prevent new ones from being introduced. Unwanted programs or malware can be introduced any time data is exchanged with the world outside of the control system."


Guhr recalls, "A customer was experiencing slowdowns on certain operator stations and they couldn't figure out what was wrong. The 'problem' was tracked down to a TV hook-up on the operator station."

9. Inadequately scrutinised control system software.

"Some of the most common ways to compromisea system involve problems with poor coding prac-tices, such as using static buffers, or libraries thatclearly have vulnerabilities," Singer notes. "Often,developers rely on some sort of 'tool' to analysesource code once written, which means vulnerabili-ty detection is limited to the capabilities and patchlevel of the tool. Coding standards and writingsecure code are available disciplines today, andshould be followed. End-users, system integrators,and consultants should all insist upon rigorousapplication testing, viewing coding standards forvendors, etc."

Steinberg warns that some flaws will always remain: "There is no way to remove all of the code flaws from these systems, nor create all known good and bad test cases. The best way to mitigate the potential for problems is to minimise the application set complexity, perform a rigorous review of operating system and application code, and avoid interpreted solutions when possible. Depending upon cost and time, it also makes sense to generate two application sets using two different development teams to minimise the potential for injecting the same logic flaws."

10. Unauthenticated command and control data.

"Not all controllers out there today authenticate who's making the change and authorise that the change is allowed for that user through the controller," Staggs notes. "This security step on most control systems is performed at a layer in the control system above the controllers. This leaves the controllers vulnerable, and that's why defence-in-depth is absolutely required. You've got to make sure the controllers are deep down in the security infrastructure, with multiple layers of defence above them. If you're not doing that, then your controllers are basically wide open on the Web."

Steinberg stresses people management: "When it comes to authenticating command and control, the only choice that providers have is to augment the human aspect, specifically with respect to problem analysis, chain of command, and communication flow. Proper policy, practice, and procedure will buy time for older command infrastructures to be re-thought and replaced."
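What it looks like for the controller itself, rather than a layer above it, to "authenticate who's making the change and authorise that the change is allowed for that user" (item 10), combined with the role-based minimal rights Stauffer describes under item 3. This is an added example and not code from the article or any vendor in it; the message layout, the per-user keys, the role table and the setpoint limits are a constructed illustration, not any real control protocol.

```python
"""Added example (not from the PACE article): a controller that verifies a
per-user MAC on every command, rejects replays and stale messages, then
applies role-based minimal rights and engineering limits before acting.
Keys, roles, tags and limits are constructed for the demonstration."""
import hashlib
import hmac
import json
import time
from typing import Dict, List, Tuple

# Constructed per-user keys, provisioned out of band. A real deployment
# would hold these in a protected key store, never in source.
USER_KEYS: Dict[str, bytes] = {
    "op1": b"constructed-operator-key-1",
    "eng1": b"constructed-engineer-key-1",
    "view1": b"constructed-viewer-key-1",
}
ROLES = {"op1": "operator", "eng1": "engineer", "view1": "view_only"}
ALLOWED = {                       # minimal rights per role (constructed)
    "view_only": {"read"},
    "operator": {"read", "write_setpoint"},
    "engineer": {"read", "write_setpoint", "download_logic"},
}
SETPOINT_LIMITS = {"FIC101.SP": (0.0, 100.0)}   # enforced whatever the role


def _canonical(msg: dict) -> bytes:
    """Stable byte encoding of every field except the MAC itself."""
    body = {k: v for k, v in msg.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_command(user: str, op: str, tag: str, value: float,
                 nonce: str, ts: float) -> dict:
    """Client side: build a command and attach HMAC-SHA256 under the user's key."""
    msg = {"user": user, "op": op, "tag": tag, "value": value,
           "nonce": nonce, "ts": ts}
    msg["mac"] = hmac.new(USER_KEYS[user], _canonical(msg), hashlib.sha256).hexdigest()
    return msg


class Controller:
    """Controller side: nothing is acted on until the sender is authenticated
    and the operation is authorised for that sender's role."""

    def __init__(self, max_skew: float = 30.0):
        self.max_skew = max_skew
        self.seen_nonces = set()
        self.setpoints = {"FIC101.SP": 50.0}

    def handle(self, msg: dict, now: float = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        key = USER_KEYS.get(msg.get("user"))
        if key is None:
            return False, "unknown user"
        expected = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return False, "bad MAC"              # unsigned or tampered
        if abs(now - msg["ts"]) > self.max_skew:
            return False, "stale timestamp"
        if msg["nonce"] in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(msg["nonce"])
        role = ROLES[msg["user"]]
        if msg["op"] not in ALLOWED[role]:
            return False, f"{role} may not {msg['op']}"
        if msg["op"] == "write_setpoint":
            lo, hi = SETPOINT_LIMITS.get(msg["tag"], (float("-inf"), float("inf")))
            if not lo <= msg["value"] <= hi:
                return False, "setpoint out of range"
            self.setpoints[msg["tag"]] = msg["value"]
        return True, "ok"


def demo() -> Tuple[List[bool], float]:
    """Exercise accept, replay, tamper and role-denial paths on one controller."""
    ctrl = Controller()
    now = 1_180_000_000.0                        # constructed fixed clock
    cmd = sign_command("op1", "write_setpoint", "FIC101.SP", 60.0, "n1", now)
    results = [ctrl.handle(cmd, now)[0]]         # genuine operator write
    results.append(ctrl.handle(cmd, now)[0])     # same message again: replay
    results.append(ctrl.handle(dict(cmd, value=99.0), now)[0])  # tampered value
    viewer = sign_command("view1", "write_setpoint", "FIC101.SP", 70.0, "n2", now)
    results.append(ctrl.handle(viewer, now)[0])  # view-only role denied
    return results, ctrl.setpoints["FIC101.SP"]


if __name__ == "__main__":
    print(demo())
```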

The next step

There are mitigation strategies for all these vulnerabilities, and they range from software packages to changing corporate culture. Returning to the opening comment of vulnerability no. 1, remember that technical solutions only cover 20% of the issue. The other 80% involves common sense and changing people's behaviour. That is generally the larger challenge.

Peter Welander, Control Engineering
