Building a Cyber Secure Plant
Despite what many automation professionals believe, the Stuxnet malware attacks on Siemens Simatic WinCC SCADA and PCS7 DCS systems that came to light this past July were not the first time industrial control systems have been targeted by hackers. A quick scan through the RISI database (Repository of Industrial Security Incidents) turns up several such attacks that have not garnered the same kind of attention earned by Stuxnet.
For example, with Venezuela devastated by a politically motivated general strike that lasted three months during the winter of 2002/2003, numerous acts of sabotage targeted the SCADA system responsible for loading oil tankers at a major marine terminal. In one such attack, PLC code was erased, causing an eight hour delay loading tankers. The lack of profile earned by incidents like this one isn’t surprising, says Eric Byers, security expert and CTO of Byres Security. People who have been hacked don’t exactly like to talk about it. After all, why would you want to give hackers more information than they already have?
Unlike the Venezuelan attacks, Stuxnet was not designed to immediately disrupt operations. Stuxnet infiltrated industrial plants on a USB memory stick, physically bypassing the firewall, and once deployed attacked a previously unknown vulnerability in the Windows operating system. It then sent detailed production information through the Internet to a set of servers in Malaysia. It also provided the attackers with the ability to remotely control the infected process and hide the existence of their changes to the system.
“This was what I call an Advanced Persistent Threat,” says Byres. “It was a stealth attack and wasn’t designed to instantly cause trouble. It was about long-term industrial espionage or system destruction. As long as the worm remained undetected, the attackers could steal information, halt production, compromise safety systems or even cause equipment to be damaged or people injured whenever they choose.”
Siemens and Microsoft responded rapidly to the Stuxnet threat and provided a patch to close the vulnerability the virus took advantage of, but any security expert will tell you it’s better to prevent a threat than to react to one. So how do you protect yourself from the next Stuxnet? Is it as simple as refusing to connect your production systems to the office servers that are, in turn, connected to the Internet? Some companies have taken this approach, completely isolating sensitive systems, but John Cusimano, Director of Security Services at Exida points out there are other and often better alternatives to this approach.
There has been a tremendous rush of technological innovation with industrial applications over the past decade or so as companies have come up with ways to use production data to optimize processes and increase efficiency and productivity. However, in the rush to extend and connect the office network to the shop floor security has not always been prioritised. This has created gaps through which threats can pass, but it doesn’t make sense to just separate those networks.
“In today’s competitive business environment, completely isolating control systems from business systems (e.g. MES and ERP) is often not an option if the manufacturer wishes to remain in business”, adds Cusimano. How can your ERP system make a delivery promise to a customer if it doesn’t know what’s happening on the shop floor? Secondly, it doesn’t actually work. “I know of one case where an employee connected two switches with a patch cable so he could connect to the Internet at night and play games. The company didn’t know anything about it. They didn’t know they had been compromised. In another case, a contractor established a connection so he could support the system he was installing without telling the client. It was completely innocent, but the company didn’t have any idea this rogue connection was violating security. I’ve even heard stories of people bringing in their own wireless router from home into the plant.”
“I liken that approach, what I call the Bastion Model, to the Maginot Line,” says Byres. The Maginot Line was a strip of fixed defensive fortifications built in Belgium after the end of the First World War. Allied politicians felt that such emplacements would serve as an effective defensive barrier against an invasion from Germany. “However, they were defending against a 20-year-old threat. Advanced German Panzers just drove around the Maginot Line, just like Stuxnet bypassed the corporate firewall in the plants it attacked.”
Says Cusimano, “Most of the places we have gone to there has not been a good separation between the control network and the office. However the good news is there are secure ways to establish that connection and generally speaking the changes required to be more secure are not that significant.”
Cusimano suggests people start with ISA-99, the International Standards Organization standard for Manufacturing and Control System Security.
“ISA-99 outlines almost everything you need to know to start implementing a best-practices-based cyber security program at your facility. It covers identifying risk to establishing business cases to writing policies and procedures; then gets into how to maintain a good level of security. From our perspective, if you are going to read one standard, read that one. It will also refer you to a number of other resources.”
Byres suggests a five-stage approach to ensuring your plant is cyber secure.
Start by getting upper management buy-in. You won’t accomplish anything without it. This can be more complicated than it should be, as cyber security is a little like pest control – sometimes it’s hard to get management on board unless you’ve already suffered from an ‘infestation.’
“Thinking back to the Bastion model and the Maginot Line, the French generals knew it was obsolete and that it wasn’t going to work,” said Byres. “They asked for a series of defensive lines to provide this defence-in-depth but the politicians said ‘No.’ As far as they were concerned the project was complete. And that’s what a lot of people are doing with cyber security firewalls. They are installing them and then deciding they are done. Hackers, Stuxnet, and other malware has proven them wrong. And in some cases this lesson has come with a great deal of expense.”
With management on board, you need to assess the current state of your control systems and your security policies and procedures. The first step is to perform an assessment to establish your benchmarks. If you don’t know where you are you won’t have a clue about how to get where you want to go. Cusimano calls this part of the process a control system security assessment or a security gap analysis.
“I just got back from South Africa where a client had a virus get into their control system and cause some real concern. We looked at their security policies, practices, how the system is laid out, designed, configured and gave them an assessment of where they are relative to best practices and against what the industry is doing in general. These kinds of analyses are very beneficial. They take less than a week and provide a benchmark of where they are in relation to where they may want to be. Where are the gaps and how can they close them?”
Having identified your gaps, close them. One of the key concepts in ISA-99 is to employ a defence-in-depth strategy in which the system is divided into zones with similar security requirements then deploy appropriate security measures to each of those zones so that even if a threat gets through the firewall it’s not going to run riot throughout the network.
Says Cusimano, “Generally speaking the effort required to close the gaps is not overwhelming for most places. Things can usually be done in a few months time. Changing the culture is actually the thing that requires the most effort.”
“Make security work for the user and not make the users work for security,” adds Byres. “Often there is too much complexity required. Passwords are a case in point. An overly complex password will end up on a post-it note stuck to the side of the machine. Unless we make it simple people won’t do it properly.”
Finally, circle back and make sure your systems are up to date and work with new upgrades. Every time a system is upgraded to the latest generation you have to revisit security to see if any vulnerabilities have been introduced. “Make sure you have the latest anti-virus technology because today’s security just might not cut it as the threats change and become more sophisticated.”
Sidebar: The 10 most common plant cyber-security mistakes
1. Assuming that someone else (like the IT department) is looking after the security of control systems. It often turns out that everyone thinks it’s someone else’s job. (Upper management is especially prone to the mistake.)
2. No risk analysis for cyber incidents. Without a proper risk analysis that looks at vulnerabilities and consequences of cyber events, companies can’t be sure they are spending their security dollars effectively.
3. A lack of policies and procedures to govern control system security. Security needs to be motivated from the top down by good corporate policies that are supported by upper management.
4. Assuming that IT security solutions will work on the plant floor. Security solutions need to fit the environment that they’re to be used in or they either will get ignored or bypassed. Many IT solution work well but some don’t; it’s important to recognize those that don’t work and come up with alternatives.
5. Addressing security on a piecemeal basis. For security to be effective, it has to be deployed in a coordinated fashion across the whole plant or organization.
6. Forgetting the human aspects of security. Good security starts with ensuring that staff, management and contractors understand and follow appropriate practices.
7. Designing control system networks without sufficient defense-in-depth architectures. Depending on a single firewall between business and control systems is asking for trouble — security needs to be layered to be effective.
8. Poor patch management for applications on the plant floor. Many companies have good patching systems for the operating system but then forget to patch the software applications (like HMIs), which typically are far more vulnerable to software bugs.
9. Either no tools to detect inappropriate activity on the control system or no procedure to ensure that the tools are used regularly. I see many firewalls in plants whose logs never have been checked. This is like installing a burglar alarm but not turning it on.
10. Allowing remote access to the control system without creating and enforcing an appropriate access control system. Need I say more?
*By Eric Byres. Originally published by ChemicalProcessing.com.Have an Inquiry for Siemens about this article? Click Here >>