Get Ready for Next Stuxnet

Wednesday, March 21, 2012 @ 05:03 PM gHale

By Nicholas Sheble
“I’ll know we’ve arrived when I drive into a chemical plant and there’s an ‘It’s been 1133 days since a cyber security incident at this plant’ sign out front along with the ‘It’s been 229 days since a lost-time accident’ sign that we usually see,” said Rick Kaun, manager of Honeywell’s Industrial IT Solutions.

This observation reflects the lack of gravity and paucity of attention management lends to the hacking of control systems and cyber intrusion by thieves and or saboteurs that grows daily. The situation is evolving in light of the Stuxnet-control-system hack in 2010.

RELATED STORIES
Duqu Still at Work
Duqu Report: Code is Old School
Stuxnet, Duqu Link Grows Stronger
Stuxnet to Duqu: The Waiting Begins
Duqu and Rumors of War
A New and Frightening Stuxnet

Kaun spoke during a webcast produced by the Department of Homeland Security, Honeywell, and ChemicalProcessing.com on the challenges of cyber security for the chemical industry, Cyber Security – How to Detect Security Gaps 15 March 2012.

Kaun’s assessment is, for today’s environment, it’s critical plants calculate and determine vulnerabilities, threats, and risks to their control systems and overall plant operations.

The application of information technology to control systems presents challenges that differ from IT in the corporate venue. They are:
1. There are higher accessibility requirements. Open technologies invite accessibility, and individuals and groups within the organization want their access to do their own jobs.
2. There is a tighter linkage between business and process information.
3. Tools are available to address a single issue or group of issues. There are standards and best practices that have grown up around specific areas like security, and industries like power.
4. Cyber threats come in many flavors – from those creating mischief (irritating) to those targeting specific industries with malicious intent (dangerous).
5. There is an increase in industry and government regulations and/or standards. The intentions of the groups generating these regulations/standards are positive; however, the time required to make progress can be long.
6. From a business perspective, most control systems drive to provide increased uptime, availability, and reliability.
7. There is a lack of IT expertise in the plant – with a view more to availability than confidentiality. As well, there are insufficient workers available in many organizations to manage a security program.

“We must realize we are in an environment of increased risk. We can view the risks by type – internal, external, targeted, and non-targeted,” Kaun said.

The most likely risk may be internal, non-targeted such as when an employee inadvertently brings a virus or worm into the control environment using a USB memory stick.

The worst situation is the external, targeted risk that makes flamboyant copy for the media and is certainly the most dangerous. Stuxnet, which attacked a specific brand of industrial control system proving that control systems are not immune to cyber attacks, is the perfect example.

Kaun outlined a three-step approach to securing one’s plant. He also provided a number of resources to assist in the pursuit of cyber security DHS and others have developed and made available to industry free. Click here to view the webinar. You’ll have to register to watch, but it is also gratis.

There is an associated white paper – Cyber Security Special Report – that makes good reading too.

Nicholas Sheble (nsheble@isssource.com) is an engineering writer and technical editor in Raleigh, NC.