Cyber defence: A layered strategy to secure your control systems
By Jonathan Gross
By Jonathan Gross
On July 14, Siemens reported that its Simatic WinCC PCS7 control system had become the latest victim of a high-profile cyber attack. The Trojan worm – known as Stuxnet – targets Siemens’ PCS7 control systems through certain vulnerabilities in Microsoft Windows operating systems. The worm spreads through mobile data carriers, such as USB sticks and networks. Once Windows becomes infected, the worm launches malware that searches for the WinCC software. If found, the virus then tries to steal industrial trade secrets from the infected host with the intent to deliver those secrets to the hackers via the Internet. This vulnerability exists in all Windows versions back to and including Windows 2000.
Process manufacturing, utility and infrastructure organizations using the Siemens PCS7 control systems are all potential Stuxnet targets. Though the virus is detectable and exposure is preventable, Symantec Corp – a software security vendor – reports a staggering number of infections. According to a company representative, as of August 4, some 90,000 to 100,000 computers had already been compromised. Perhaps more troubling is the fact that Stuxnet is a global issue. According to Symantec, its "latest count puts the number of infected countries at 115," with Iran, India and Indonesia having the highest number of infected computers.
Trade secret theft isn’t the only purpose of industrial automation and control systems (IACS) targeted attacks. Expropriation of process control is another – and arguably more dangerous – purpose. In these types of attacks, a hacker tries to obtain control of systems that, among other things, regulate equipment pressures, flows, currents, voltage, switches and safety alarms. By taking control of these systems, a hacker could theoretically alter oil and gas flows, water processing, and chemical and nuclear plant operations. These types of cyber attacks – which are not unprecedented – have the potential to cause catastrophic damage to health, compromise safety and destroy the environment. In 2003, for example, a hacker used the so-called Slammer worm to disable safety monitoring systems at the Davis-Besse nuclear facility in Ohio. Luckily, no one was harmed.
IACS security threats continue to grow, thanks to a shift to wireless technology over the last 15 years. From the 1960s until the mid-1990s, IACS architecture was largely delivered across closed-loop, LAN-based networks. These systems were cut off from the rest of the enterprise and the world-at-large. As a result, IACS faced limited outside threats. As of the mid-1990s, however, enterprises started using wireless, Ethernet, TCP/IP and web-based technologies, and began integrating IACS into enterprise-wide ERP systems. These changes helped organizations achieve business efficiencies, including those relating to administrative centralization, cost and convenience (think remote access).
Organizations are quickly learning, however, that IACS ubiquity comes at a cost. Companies now have to protect themselves against significant and pervasive risks with which they generally have very little experience. For most, cyber security issues require urgent attention. The learning curve is steep. Further complicating matters is the fact that the IACS security management industry is itself emerging from its infancy, though it is growing up quickly.
The International Society of Automation (ISA) Security Compliance Institute – a non-profit global institute made up of suppliers, customers and professionals – has undertaken the responsibility to develop universal compliance standards for IACS. When complete, these standards will be collectively housed in the ISA99 brand. To date, ISA99 has completed and published two standards. The first standard defines relevant concepts, terminologies and models. The second standard provides organizations with a step-by-step methodology to develop a customized security action plan, or in ISA’s terminology, a cyber security management system (CSMS). The second standard explains the following:
• How to identify, analyse and classify cyber security risks;
• How to develop awareness of security issues;
• How to develop appropriate security policies;
• How to select and implement appropriate security counter-measures; and
• How to review CSMS performance and improve on that performance.
Future ISA99 standards are intended to apply to the entire IACS ecosystem, including: hardware and software, electronic sensors, monitoring systems, diagnostic systems, human machine interfaces (HMIs), programmable logic controllers (PLCs), remote terminal units (RTUs) and networks.
Organizations, though, should not wait for the ISA to publish its complete library of standards. Rather, they are well advised to start developing and implementing an IACS security strategy according to the ISA99 second standard.
A layered approach
Brian Ahern, president and CEO of automation system security vendor Industrial Defender, recommends a layered, "defence-in-depth" approach to cyber security.
"Defence-in-depth presumes that no single mode of security mitigation is impenetrable or sufficient, and that a security solution must be comprised of several layers of mitigation technology that address prevention, detection and response to various attack types," Ahern explains.
The layered approach can be thought of as a series of concentric circles, all protecting the control system, which resides at the epicenter. These concentric circles are mutually reinforcing, adding robustness to the security structure. The first series of layers are preventive in nature. They are intended to deny entry to security threats. Firewalls, virus detection and remote access authentication form part of the outermost preventive perimeter. The next preventive layer defends individual system components, including servers, HMIs, PLCs, RTUs and computers. Ahern advocates a whitelisting approach, which "permits only a predetermined list of authorized applications to launch on each automation system computer. By ensuring that only approved, trusted applications can execute, the whitelisting application automatically blocks all unauthorized applications, including unknown malware and rogue applications installed by users."
The next series of layers includes detection and monitoring controls. At the detection layer, sensors and collectors gather performance and security event information. For example, sensors are capable of detecting unauthorized wireless access via laptops or other devices. They also gather key data relating to traffic patterns, failed login attempts and password usage. A further layer includes alert controls, which notify and log suspicious traffic activities. Finally, executive dashboards present real-time and/or batch analytics according to pre-defined security rules.
Ahern recommends a centralized approach to the administration of detection and monitoring controls as follows: "These technologies must be unified under an integrated monitor and response discipline, providing overall security situation awareness, including the ability to correlate and associate events and responses in different areas of the systems environment."
The last series of security layers relates to event response. The point at which a response is required depends on the nature of the threat. In some cases, active responses will be required when threats are identified at the first line of preventive defence. In other cases, detection may not occur until all preventive layers have been breached, in which case rapid override actions may be required.
The best defence
Effective, sustainable automation system security for IACS requires a mutually reinforcing and supportive defensive corps made up of prevention, detection, monitoring and response controls. Organizations are well advised to base their specific security-related decisions on a strategic plan developed in accordance with the second ISA99 standard. This will help organizations develop and implement security controls that adequately reflect their unique security and business needs. As greater numbers of organizations implement appropriate security strategies, a further outer defence ring will emerge – on the macro inter-organizational level.
Jonathan Gross is vice-president of Pemeco, Inc., a consulting firm specializing in ERP implementation. He can be reached at firstname.lastname@example.org.