ICS, SCADA Boot Camp 2.0

Thursday, August 18, 2011 @ 06:08 PM gHale

Editor’s Note: This is the second in a two-part series on how to get started building a more robust ICS/SCADA security program. The full account is on Eric Byres’ blog.

By Eric Byres
Fears persist across the industry about where and when the next big cyber incident will occur. The strange thing is that small incidents can be just as damaging.

So, if you are a process control engineer, an IT professional in a company with an automation division, or a business manager responsible for safety or security, you may want to get the ball rolling in creating more robust cyber security practices.


This is where you can get started. Last time, we looked at the first steps toward improving ICS and SCADA security in your facility. They were:
Step 1 – Conducting a Security Risk Assessment,
Step 2 – Learning Industrial Cyber Security Fundamentals, and
Step 3 – Understanding the Unique Requirements of ICS and SCADA Cyber Security.

In this installment we will round out the other areas a user should look at.

Step four is a vulnerability analysis. Now that we understand the risks, what are the key vulnerabilities in our processes, equipment and software?

For example:
• Does my company need to worry about the Siemens PLC security flaws that were exposed in early August?
• If my HMIs or programming stations use Adobe Reader software, are all the copies in the plant patched for all the new vulnerabilities that can turn a PDF into a piece of malware?
• If a consultant shows up with an infected laptop, is there a process that will detect it before it is connected to a process network?
• Are there unsecured modems connected to programming stations on the plant for remote support?

This sort of analysis is the most complex portion of a security program. It requires:
1. An understanding of the actual plant network architecture,
2. A detailed inventory of data, equipment and software (assets),
3. A clear grasp of company policy/processes, and
4. A solid knowledge of the current security threats.

Vulnerability analysis tools such as Nessus can help, but an active scanner should be pointed at control equipment only after the potential risk to the plant floor has been assessed and judged negligible: many PLCs and embedded devices will hang or fault when probed with unexpected traffic, so scanning a test system, or scanning during a planned outage with the process in a safe state, is the usual practice. Making that judgement requires a person or people with solid ICS/SCADA security experience.

Another challenge with scanning tools is the amount of data collected can be large and difficult to sort in terms of priority. Modelling tools can help make sense of the information.

I need to stress that performing the Vulnerability Assessment before the Risk Assessment is complete is a bad idea. The Risk Assessment defines the priorities and focuses your effort once vulnerabilities are found. Do it the other way round and you are in danger of misallocating resources, chasing high-severity findings on low-consequence equipment while high-risk items go unaddressed.

Steps five and six involve the Security Architecture and Mitigation Strategy. This is where you start getting into the details and technologies. You will now design your security architecture and select specific security technologies and practices to achieve your security goals. The ISA99/IEC 62443 zone and conduit model is a great place to start: group assets with similar security requirements into zones, and permit communication between zones only over defined conduits that carry a known, limited set of protocols.
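As an added illustration of the zone and conduit idea (example code, not from the article or from ISA99), the following script models a small plant as four zones, declares the only protocol/port pairs permitted on each inter-zone conduit, and audits a list of observed flows against that model. The subnets, zone names, conduit rules and sample flows are all assumptions constructed for the example; in a real plant the conduit table is derived from the architecture produced in steps five and six and enforced by the industrial firewalls on each conduit.

```python
"""Zone/conduit audit over a constructed flow list (added example, not from the article)."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Zone membership by subnet.  Addresses are assumptions for this example.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz":        ipaddress.ip_network("10.1.0.0/24"),      # historian replica, patch server
    "control":    ipaddress.ip_network("192.168.10.0/24"),  # HMIs, engineering stations, PLCs
    "safety":     ipaddress.ip_network("192.168.20.0/24"),  # SIS logic solvers
}

# Conduits: the only (protocol, destination port) pairs permitted between two zones.
# A flow that is not listed here violates the architecture even if it "works" today.
CONDUITS: Dict[Tuple[str, str], Set[Tuple[str, int]]] = {
    ("enterprise", "dmz"): {("tcp", 443)},   # browse historian reports over HTTPS
    ("control", "dmz"):    {("tcp", 443)},   # historian pushes data out to the DMZ replica
    ("dmz", "control"):    {("tcp", 8530)},  # patch distribution into the control zone (assumed port)
    ("control", "safety"): {("tcp", 502)},   # Modbus/TCP polling of the SIS, nothing else
}

def zone_of(ip: str) -> Optional[str]:
    """Return the zone containing ip, or None if it is outside every defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def classify_flow(src: str, dst: str, proto: str, dport: int) -> str:
    """Verdict for one flow: intra-zone, on a permitted conduit, or a violation."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny: address outside any defined zone"
    if src_zone == dst_zone:
        return "allow: intra-zone"
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        return f"deny: no conduit {src_zone}->{dst_zone}"
    if (proto.lower(), dport) not in allowed:
        return f"deny: {proto.lower()}/{dport} not permitted on conduit {src_zone}->{dst_zone}"
    return f"allow: conduit {src_zone}->{dst_zone}"

Flow = Tuple[str, str, str, int]

def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return every flow whose verdict is a denial, with the reason."""
    violations = []
    for flow in flows:
        verdict = classify_flow(*flow)
        if verdict.startswith("deny"):
            violations.append((flow, verdict))
    return violations

# Constructed sample flows, e.g. as exported from a firewall log or a passive capture.
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.5.20",     "10.1.0.10",     "tcp", 443),   # office PC reading historian reports
    ("10.0.5.20",     "192.168.10.50", "tcp", 502),   # office PC talking Modbus straight to a PLC
    ("192.168.10.5",  "192.168.10.50", "tcp", 502),   # HMI polling a PLC inside the control zone
    ("192.168.10.5",  "192.168.20.10", "tcp", 502),   # HMI reading SIS status over the permitted conduit
    ("192.168.10.5",  "192.168.20.10", "tcp", 102),   # HMI using an engineering protocol against the SIS
    ("172.16.0.1",    "192.168.10.50", "tcp", 502),   # unknown address (rogue laptop, modem) hitting a PLC
]

if __name__ == "__main__":
    for flow, why in audit(SAMPLE_FLOWS):
        print(f"{flow[0]:>14} -> {flow[1]:<14} {flow[2]}/{flow[3]:<5} {why}")
```

Three of the six sample flows are flagged: the direct office-to-PLC Modbus session (no conduit exists between those zones), the engineering protocol aimed at the safety zone (the conduit permits only Modbus/TCP), and the flow from an address that belongs to no zone at all, which is exactly the consultant's-laptop or unsecured-modem case from the vulnerability analysis.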

As for security technologies, these might include:
• Patch management processes and products
• Anti-Virus policies and technologies
• Access control policies and technologies
• Industrial firewalls for SCADA/ICS traffic management
• VPN technologies to secure traffic over networks like the enterprise network or the Internet
• Security information and event management (SIEM) tools

This list can get long, but the above covers the main technologies currently used in modern SCADA and ICS systems. Again, prioritize by risk, which is a function of probability and consequence.

If your company uses Safety Instrumented Systems (SIS), you are operating a system whose failure has very nasty consequences. The SIS is likely a better place to start your security mitigation strategy than a data historian server. On the other hand, if your vulnerability analysis indicates your plants are filled with unpatched Windows NT computers, perhaps the probability of an incident is the driving factor. Only a proper risk analysis can guide this priority setting.
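To make the "risk is probability times consequence" point concrete, here is an added example (my own illustration, not code from the article) that ranks vulnerability findings by risk rather than by scanner severity. The consequence ratings per zone stand in for the output of the Step 1 risk assessment, the exposure and unsupported-OS flags stand in for the Step 4 inventory, and the four assets and findings are constructed for the example; the scoring formula is a simple ordinal model chosen for illustration, not a standard.

```python
"""Rank findings by risk = likelihood x consequence (added example, not from the article)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Consequence per zone comes out of the Step 1 risk assessment
# (5 = injury or major release, 1 = nuisance).  Assumed values for the example.
CONSEQUENCE: Dict[str, int] = {"safety": 5, "control": 4, "dmz": 2, "enterprise": 1}

@dataclass(frozen=True)
class Asset:
    name: str
    zone: str
    exposure: int          # 1 = isolated, 2 = reachable on the control LAN, 3 = modem/VPN/enterprise reachable
    unsupported_os: bool   # no vendor patches exist at all (e.g. Windows NT 4.0)

@dataclass(frozen=True)
class Finding:
    asset: str
    description: str
    severity: int          # 1..5 as reported by the scanner or vendor advisory

def likelihood(asset: Asset, finding: Finding) -> int:
    """Ordinal likelihood: scanner severity, raised by exposure and by an unpatchable platform."""
    score = finding.severity + (asset.exposure - 1)
    if asset.unsupported_os:
        score += 2   # nothing to patch, so the finding stays open indefinitely
    return score

def risk(asset: Asset, finding: Finding) -> int:
    """Risk as the article defines it: a function of probability and consequence."""
    return likelihood(asset, finding) * CONSEQUENCE[asset.zone]

def prioritize(assets: List[Asset], findings: List[Finding]) -> List[Tuple[str, str, int]]:
    """(asset, finding, risk) triples, highest risk first; ties broken by consequence."""
    by_name = {a.name: a for a in assets}
    ranked = [(by_name[f.asset].name, f.description, risk(by_name[f.asset], f)) for f in findings]
    ranked.sort(key=lambda r: (-r[2], -CONSEQUENCE[by_name[r[0]].zone]))
    return ranked

def by_severity_only(findings: List[Finding]) -> List[str]:
    """The order a raw scanner report would suggest, for comparison."""
    return [f.asset for f in sorted(findings, key=lambda f: -f.severity)]

# Constructed inventory and findings (not real equipment or advisories).
ASSETS = [
    Asset("HIST-01", "dmz",     exposure=3, unsupported_os=False),  # historian, browsed from the office
    Asset("SIS-01",  "safety",  exposure=2, unsupported_os=False),  # safety logic solver
    Asset("HMI-03",  "control", exposure=2, unsupported_os=True),   # Windows NT operator station
    Asset("ENG-02",  "control", exposure=3, unsupported_os=False),  # engineering station with a dial-in modem
]
FINDINGS = [
    Finding("HIST-01", "unpatched PDF reader, remote code execution via crafted document", severity=5),
    Finding("SIS-01",  "engineering port accepts unauthenticated logic download",           severity=4),
    Finding("HMI-03",  "unsupported operating system, no patches available",                severity=4),
    Finding("ENG-02",  "unsecured modem for vendor remote support",                          severity=3),
]

if __name__ == "__main__":
    print("scanner order :", by_severity_only(FINDINGS))
    for name, what, score in prioritize(ASSETS, FINDINGS):
        print(f"risk {score:>3}  {name:<8} {what}")
```

The scanner report alone would put the historian's severity-5 PDF reader finding first. Weighted by consequence it drops to last (risk 14), while the unpatchable Windows NT HMI (28) and the safety system's open engineering port (25) move to the top, which is the situation the paragraph above describes: whether the SIS or the NT machines come first depends on the numbers from the risk assessment, not on the scanner's severity column.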

While you are doing all this work, don’t forget to involve your vendors. First, demand secure products from them. Then ask for their hardening guidance and best-practice documents for the products you already run.

Always remember strategic assessment and planning is the way to go. While the steps described for “getting started” are not exactly “fast and easy” measures to take, they will lead to better cyber security and will avoid wasting resources on the wrong initiatives or technologies.

If it is not possible for you to drive this process for your organization, then apply these principles within your sphere of responsibility and influence, and be an advocate for a plant or organization level plan.

The bad guys are focusing on ICS and SCADA systems like never before. Make sure your facility does not lose production or create a safety incident by having a solid cyber security program in place.

Eric Byres is the chief technology officer at Byres Security. This is an excerpt from his blog, where the complete version is available.
