Protecting Critical Process Control Systems
From the Editors of CIOSC
How vulnerable are today's computerized control systems to cyber attack? According to the General Accounting Office, in a report released in March 2004, "there has been a growing recognition that control systems are now vulnerable to cyber attacks from numerous sources, including hostile governments, terrorist groups, disgruntled employees, and other malicious intruders." This article will look first at the key risks to power and energy companies' control systems, and then at a number of practices that can enhance their overall cyber security posture.
Today's challenges
The most important requirements for process control systems are availability and reliability -- after all, these systems are responsible for maintaining critical infrastructure. Process control systems have been achieving high levels of reliability for some time now. But with deregulation, the implementation of revenue-enabling business initiatives (such as Web enablement), and cost-savings initiatives (such as the transition to open systems and networks), the requirements for maintaining reliability have evolved. Once-isolated networks containing specialized applications, servers, and protocols are now being connected to other networks, companies, and often indirectly to the Internet.
Four main factors have contributed to the escalation of risk to control systems: the adoption of standardized technologies with known vulnerabilities, the connectivity of control systems to other networks, insecure remote connections, and the widespread availability of technical information about control systems.
Increasingly, organizations have been transitioning from proprietary systems to less expensive, standardized technologies such as Microsoft's Windows, Unix-like operating systems, and the common networking protocols used by the Internet. These widely used, standardized technologies have commonly known vulnerabilities, and sophisticated exploitation tools are widely available and relatively easy to use.
Vulnerabilities in control systems and communications protocols are exacerbated by insecure connections. Often organizations don't realize what types of connections they have, the level of security risks they pose, and how to secure them. Power and energy companies may think that their process control network is "physically" separated from the rest of the world because they have installed a firewall. But while a firewall is an important first step, it typically doesn't protect against application-level exploits (and a recent study shows that these attacks account for more than 70 percent of all exploits). Also, firewalls typically do not protect the ICCP (Inter-Control Center Communication Protocol) connections widely used in control centers.
Often there are open access links -- dial-up modems to equipment and data -- for remote diagnostics, maintenance, and examination of system status. If such links are not protected with authentication or encryption, the risk increases that hackers could use these insecure connections to break into remotely controlled systems.
Case study
As mentioned above, control systems and networks use specific protocols and applications. They also have specific requirements that are different from other industries. For example, a 5-second delay caused by an "off-the-shelf" technology may disrupt real-time data flow and have disastrous consequences. Such a delay may be caused by a security application that adds processor cycles -- cycles that would be perfectly acceptable in other industries. Additionally, custom protocols and applications require special security measures, such as customized configurations and products.
Applying untested and non-validated security measures may not address the security need and, even worse, may disrupt availability. To appreciate the impact that insufficient security measures may have, consider the circumstances surrounding one worm outbreak.
The Nuclear Regulatory Commission confirmed that in January 2003, the Microsoft SQL Server worm -- otherwise known as Slammer -- infected a private computer network at the Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly 5 hours. In addition, the plant's process computer failed, and it took about 6 hours for it to become available again. Slammer reportedly also affected communications on the control networks of at least five other utilities by propagating so quickly that control system traffic was blocked.
Securing the enterprise
Today most power and energy companies are taking a piecemeal approach to cyber security. What does that mean? It means that different factions within the enterprise are "doing their own thing" without knowledge of what other factions are working on. As a result, these independent projects fall short of addressing security-related business problems. That can be wasteful as well as ineffective. Meanwhile, the real risks remain unknown.
Increasingly, industry analysts have recognized that utilities need to move from a "point-product" approach to an enterprise security process. That process entails not only antivirus and firewalls, but also a comprehensive enterprise security management program that can address all key areas of security-related business problems -- and that can pay for itself in the process.
A comprehensive security management program addresses technologies, personnel, and processes. For power and energy companies, that means being prepared to answer four key questions: Am I at risk? Am I in compliance? Am I prepared? Am I working as a team?
Even companies with a full set of protection products in place -- such as antivirus, firewall, and intrusion detection -- may not be in a position to answer those questions. Why? Because merely deploying security protection technologies on a departmental basis won't provide the answers. All that is gained with that type of approach to information security is additional complexity and more unknowns. The August 2003 blackout brought a backlash of new concerns and requirements. For power and energy companies, it comes down to this: information security must be tightly connected to business practices. So let's look at those four questions in that light:
- Be aware of risks. This means mapping vulnerabilities and assets and measuring risk. It also means protecting critical SCADA systems. And it requires advance warning and prioritization of impending cyber threats.
- Comply with stricter regulations. This means having policies in place for complying with the NERC standard for cyber security, plans to address the Sarbanes-Oxley Act, and an awareness of Coast Guard regulations.
- Report immediately and effectively. The NERC cyber security standard requires all electric market and grid participants to report security incidents to the Electricity Sector -- Information Sharing and Analysis Center (ES-ISAC). Doing so requires effective monitoring, perimeter protection, and incident handling.
- Plan across the board. In most cases, utilities require a deliberate cross-functional effort to address business-level risks. This requires several groups to work outside of their traditional boundaries, meaning that the IT group, the regulatory group, the risk management group, the network owners, the operations group, physical security, and IT security owners must combine forces.
Conclusion
The days when power and energy companies could take a fragmented, departmental approach to protect their control systems and other information assets are over. Today, as business initiatives spell the end of isolated networks and new regulations are profoundly affecting risk management, information security must be tightly connected to business practices. That's why a comprehensive security management program -- one that is capable of providing honest answers to those four key questions -- is the best way for power and energy companies to secure their control systems in today's challenging threat environment.