ICS, SCADA Security Boot Camp

Thursday, August 11, 2011 @ 05:08 PM gHale

Editor’s Note: This is part I of a two-part series on how to get started toward a more secure SCADA security package. The full account appears on Eric Byres’ blog.

By Eric Byres
The furor over the Siemens vulnerabilities, and the fear that a son of Stuxnet could be just around the corner, has made end users far more aware that they need to take cyber security seriously.

If you are a process control engineer, an IT professional in a company with an automation division, or a business manager responsible for safety or security, you may be wondering how your organization can get moving on more robust cyber security practices. This is where you can get started.


Step 1 in the process is to get a security risk assessment done. The ANSI/ISA-99.02.01 and IEC 62443 cyber security standards state your first step should be a Security Risk Assessment. Unless you know which risks you are trying to mitigate, you are throwing your money away by rushing to solutions.

Unfortunately, I see many companies do exactly that. A salesperson says “buy my security technology and all will be secure” and companies believe him or her. They throw money at a solution for what might be a minor risk, leaving far more serious risks unaddressed.

Now, my company is a vendor of security technology and obviously we don’t like to turn down sales. But, as a responsible professional in your organization, you should be advocating for taking a step back and doing risk assessment work first.

Companies like exida do great work in this area and have sophisticated risk analysis tools and services available. Your investment in a Security Risk Assessment will provide a payback in terms of avoiding errors, highlighting priorities and providing a framework that facilitates discussions between groups.

The second step is to learn industrial cyber security fundamentals. This does not have to wait: it can run in parallel with the Security Risk Assessment.

A good place to start is the ANSI/ISA-99 Standards which address the subject of cyber security for industrial automation and control systems. The standards describe the basic concepts and models related to cyber security, as well as the elements contained in a cyber security management system for use in the industrial automation and control systems environment. They also provide guidance on how to meet the requirements described for each element.

The ANSI/ISA-99 standards provide the base documents for the IEC standards in industrial control security, known as IEC 62443. Over the next few years, these standards will become the core standards for SCADA and process control security worldwide.


The third step is understanding the unique requirements of ICS and SCADA cyber security. Another part of your education process might be to work with your IT group to inform them why ICS and SCADA security approaches are different from traditional IT security approaches. A ton of information is out there, but a brief synopsis of key points:

• Plant downtime has to be strictly avoided unless scheduled. Thus, technologies that require frequent rebooting of systems are not suitable.
• Industrial cyber security devices, such as firewall appliances, often need to be industrially hardened. That is, be certified to work in extreme operating conditions.
• Plant systems are made by different vendors than typical IT vendors. ICS and SCADA cyber security technologies should be certified and approved by industrial automation vendors and standards groups.
• Ease of configuration and management of technologies is important as configuration errors can negate the protective value of a technology. Industrial cyber security products are often managed by controls engineers who are not firewall specialists. Thus, technology solutions need to be suitable for the skills of the people who operate and manage them.
• Depending on the vendor equipment and networking technologies being used in the plant, cyber security products might need to be effective in securing industrial protocols that do not exist in the enterprise world. Examples are the Modbus TCP and OPC Classic protocols.
• More and more industries are moving toward cyber security regulation. A current example is NERC CIP in the power industry. Thus solutions are needed that meet and exceed relevant industry standards.
• A focused and ongoing effort for cyber security is “normal” for business and enterprise systems. Such effort is “new and unusual” for automation systems. Recognition of the different “state of nation” by the people responsible for the different systems can go a long way toward constructive teamwork.
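The point in the list above about industrial protocols is the one most often misunderstood by an IT firewall team: an enterprise firewall sees Modbus/TCP as "TCP port 502, allow or deny", while a control engineer needs to say "the HMI may read, only the engineering station may write, and nobody may touch registers outside this range". The following is an added illustration, not code from the original article or from any Byres Security product, of what that kind of protocol-aware inspection looks like. The MBAP header layout, the function codes and the per-request quantity limits come from the Modbus Application Protocol specification; the host addresses, the policy table and the sample frames are constructed for the example.

```python
"""Protocol-aware inspection of Modbus/TCP requests (added example, not vendor code)."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Public function codes from the Modbus Application Protocol specification.
READ_COILS, READ_DISCRETE_INPUTS = 0x01, 0x02
READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS = 0x03, 0x04
WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER = 0x05, 0x06
WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS = 0x0F, 0x10

READ_CODES = {READ_COILS, READ_DISCRETE_INPUTS, READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS}
WRITE_CODES = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}

# Per-request ceilings from the spec; anything larger is malformed or hostile, not a typo.
MAX_QUANTITY = {READ_COILS: 2000, READ_DISCRETE_INPUTS: 2000,
                READ_HOLDING_REGISTERS: 125, READ_INPUT_REGISTERS: 125,
                WRITE_MULTIPLE_COILS: 1968, WRITE_MULTIPLE_REGISTERS: 123}


class MalformedFrame(ValueError):
    """The frame violates the MBAP/PDU layout; an industrial firewall should drop it."""


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: Optional[int]   # None for codes we do not decode (diagnostics etc.)
    quantity: Optional[int]


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and just enough PDU to make a policy decision."""
    if len(frame) < 8:
        raise MalformedFrame("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise MalformedFrame(f"protocol id {proto} is not Modbus (0)")
    if length != len(frame) - 6:            # MBAP length counts unit id + PDU
        raise MalformedFrame(f"MBAP length {length} but {len(frame) - 6} bytes follow")
    fc, pdu = frame[7], frame[8:]
    start = qty = None
    if fc in READ_CODES or fc in (WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS):
        if len(pdu) < 4:
            raise MalformedFrame(f"function {fc:#04x} needs start address and quantity")
        start, qty = struct.unpack(">HH", pdu[:4])
    elif fc in (WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER):
        if len(pdu) < 4:
            raise MalformedFrame(f"function {fc:#04x} needs address and value")
        start, qty = struct.unpack(">H", pdu[:2])[0], 1
    return ModbusRequest(tid, unit, fc, start, qty)


@dataclass(frozen=True)
class Rule:
    allow_write: bool
    address_range: range            # register/coil addresses this host may touch


# Constructed policy (hypothetical addresses): the HMI is read-only across the whole map,
# the engineering workstation may write, but only to registers 0-99.
POLICY: Dict[str, Rule] = {
    "10.1.1.20": Rule(allow_write=False, address_range=range(0, 65536)),
    "10.1.1.5": Rule(allow_write=True, address_range=range(0, 100)),
}


def inspect(src_ip: str, frame: bytes, policy: Dict[str, Rule] = POLICY) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one Modbus/TCP request from src_ip."""
    rule = policy.get(src_ip)
    if rule is None:
        return "deny", f"no rule for {src_ip}"          # default deny, as for any firewall
    try:
        req = parse_modbus_tcp(frame)
    except MalformedFrame as exc:
        return "deny", f"malformed: {exc}"
    fc = req.function_code
    if fc not in READ_CODES | WRITE_CODES:
        # Diagnostics, file transfer and vendor-specific codes can reprogram or reset a PLC.
        return "deny", f"function {fc:#04x} not permitted on this path"
    if fc in WRITE_CODES and not rule.allow_write:
        return "deny", f"write function {fc:#04x} from read-only host {src_ip}"
    if not 1 <= req.quantity <= MAX_QUANTITY.get(fc, 1):
        return "deny", f"quantity {req.quantity} outside spec limit for {fc:#04x}"
    last = req.start_address + req.quantity - 1
    if req.start_address not in rule.address_range or last not in rule.address_range:
        return "deny", f"addresses {req.start_address}-{last} outside permitted range"
    return "allow", f"function {fc:#04x} addresses {req.start_address}-{last}"


# Constructed frames: MBAP (transaction id, protocol id 0, length, unit id) then the PDU.
HMI_READ      = bytes.fromhex("0001 0000 0006 01 03 0000 000a")  # FC3, 10 registers from 0
EWS_WRITE     = bytes.fromhex("0002 0000 0006 01 06 0010 00ff")  # FC6, register 16 := 0xff
EWS_WRITE_FAR = bytes.fromhex("0003 0000 0006 01 06 0200 0001")  # FC6, register 512
HUGE_READ     = bytes.fromhex("0004 0000 0006 01 03 0000 00c8")  # FC3, 200 registers (> 125)
BAD_LENGTH    = bytes.fromhex("0005 0000 00ff 01 03 0000 000a")  # MBAP length field lies
DIAGNOSTIC    = bytes.fromhex("0006 0000 0006 01 08 0000 0000")  # FC8 diagnostics

if __name__ == "__main__":
    for src, frame in [("10.1.1.20", HMI_READ), ("10.1.1.20", EWS_WRITE), ("10.1.1.5", EWS_WRITE),
                       ("10.1.1.5", EWS_WRITE_FAR), ("10.1.1.20", HUGE_READ),
                       ("10.1.1.20", BAD_LENGTH), ("10.1.1.5", DIAGNOSTIC), ("192.168.7.9", HMI_READ)]:
        print(src, frame[7:8].hex(), *inspect(src, frame))
```

Two design choices worth noting. First, the default is deny: a host not in the table gets nothing, and a function code the policy does not explicitly understand gets nothing, because the dangerous codes (diagnostics, program upload, vendor extensions) are exactly the ones a generic port-502 rule would wave through. Second, a malformed frame is a deny, not a pass-through: an appliance that forwards what it cannot parse is not inspecting anything. A real appliance would also track the TCP session and check responses, but the request-side checks above are the core of what a "Modbus-aware" firewall adds over an enterprise one.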

Now, I know getting the automation side and the IT folks “playing together nicely” is a bit like the quest for the Holy Grail, but the fact is cooperation is necessary. If you can lead or facilitate such cooperation, then you will be a “part of the solution” rather than “part of the problem”.

Next: Part 2 discusses the remaining steps to making your facility cyber secure. Eric Byres is chief technology officer at Byres Security.
