March 28, 2024

You can't get there from here. Ya gotta be born there!
SECURITY SESSIONS

by William T. (Tim) Shaw, PhD, CISSP / CIEH / CPT

William T. (Tim) Shaw
PhD, CISSP / CIEH / CPT

In the past few months I have had the opportunity to meet with several different plant managers from different industry segments, ranging from refining and petrochemical to nuclear power generation, and in almost every case they were still struggling with how to go about establishing acceptable cyber security for their facilities. Depending on their industry they have regulatory pressures from NERC, DHS, NRC, DOT or some other agency or industry group. This late in the game I was surprised to see that anyone would still be trying to figure out how to start. Personally, I always like to start at the beginning and proceed to the end.

There has been a LOT of guidance published, by many experts and organizations, about all sorts of ways to approach cyber security. Yes, the majority of them are aimed at conventional business ‘IT’ cyber security, but a sufficient number have been oriented towards industrial automation and process automation systems. In many cases the real problem with getting started is the on-going warfare between corporate IT and the plant instrumentation and control (I&C) organization. In this column I have often spoken of the critical differences between ‘IT’ best practices and ‘I&C’ best practices and about how they often clash; mainly over the issue of safety. But forgetting those differences for the moment there are a set of generic activities that need to be performed in order to establish adequate cyber security for a plant facility. The ISA (International Society for Automation) has pretty good guidance about how to get a cyber security program up and rolling. The NRC has published ‘Regulatory Guide’ [RG 5.71] with a lot of similar guidance, although it is focused on protecting nuclear facilities and may be a bit much for other industry segments. But, it does contain a lot of good ideas and suggestions about how to move forward with setting up a program.

The starting point of any discussion about cyber security (or any kind of security) is the identification of the things you need to protect. You can choose to protect everything, but protection costs money and takes time and effort. You need to recognize that all assets are not created equal and that the consequences of a cyber attack on a PC in the accounting department are not the same as the consequences of a cyber attack on a DCS system controlling an explosive and unstable process. (But we don’t want to let that accounting PC provide a platform for launching an attack on that DCS system either!) You can also choose not to protect anything and live with the risk and potential consequences. Of course your insurance underwriters and board of directors might frown on that decision, and government regulations might take that option off the table. So it is probably a better business decision to make an inventory of computer-based automation systems and devices and then perform a consequence analysis to determine which ones you really can’t afford to have compromised.

Many people use a combination of con$equence$ and likelihood to determine if a given asset should be protected. [Ri$k = con$equence$ x likelihood.] The problem is that they have little or no data on which to base the likelihood value. Often the end result is that they determine that it is highly unlikely that an asset could be compromised and thus the risk is minimal even though the con$equence$ of compromise would be very serious. Personally, I like to use connectivity and complexity as the basis for establishing a likelihood factor. The more wired/wireless communication connections a critical system or digital device has with other systems and devices (both permanent and temporary) the greater the likelihood of an exploitable pathway of attack. If a system is truly ‘air gapped’ then SneakerNet (manual access) is the only pathway that has to be considered and attack likelihood is reduced. If a system is on an isolated and physically-secured (hard-wired) LAN segment with a few other systems/devices then attack likelihood is slightly greater. If a system is connected on a LAN or WAN with lots of other systems and maybe even with wireless connectivity then attack likelihood is much greater.

On the other hand, if a device cannot be easily field-reprogrammed – and I am not talking about configuration parameters and settings, I mean making software changes to the device in the field that add, modify, degrade or remove functionality (e.g. a smart transmitter or digital panel indicator) then it is of low complexity and again the likelihood of cyber attack is minimal. Whereas a computer system with a Linux/ Windows operating system and Ethernet-TCP/IP networking is of high complexity and far more susceptible to cyber attack because its software can easily be modified, even quite extensively, ‘in the field’. So it may be possible to make a better guesstimate of ‘likelihood’ by looking at complexity and available communication pathways when evaluating a critical system or digital device.

Today, any senior manager who believes that the ‘bad guys’ wouldn’t bother targeting their plant or systems is making a serious and potentially expensive mistake. Recent investigations have shown a pervasive pattern of system compromises across almost every industrial sector for the purpose of obtaining intellectual property, trade secrets and competitive information, as well as establishing a ‘back door’ in systems that can be used in the future to cause problems if that is deemed to be necessary. I won’t name names but this activity is being perpetrated by a major nation state and a couple of not-so-major ones. The days of security through obscurity are long gone. You really must take steps to protect your vital assets against cyber threats. Another reason for concern is that most industrial facilities have connections to their corporate network which has connections to the Internet. This so-called vertical integration provides a potential communication pathway from across the Internet potentially all the way down to the instruments and control elements, if your plant is now using the Ethernet-TCP/IP versions of some fieldbus or PLC data highway. Something to consider in your security planning is the creation of a DMZ (demilitarized zone) between the plant and the corporate WAN. Another thing to consider is the liberal use of internal firewalls to segment your various systems and sub-systems and to control and monitor the communications permitted between and among those systems and sub-systems.

Once you have identified the assets you need to protect (based on con$equence$ and likelihood), and the potential attack pathways that could be used for such an attack, the next step is to look at ways to block those attack pathways. This may involve using technical ‘controls’ such as firewalls and data diodes, or physical controls such as locked rooms and cabinets, or the use of administrative controls such as personnel training and policies and procedures. You probably will end up needing a judicious mix of all three. Don’t presume that the best solutions are always the high-tech ones. The application of security controls has a cost, and not just a one-time cost, there will be on-going support costs as well. These controls need to provide a good return on investment. Some of these controls will be aimed at defending against cyber attacks and making your systems less vulnerable. Some will be used to detect cyber attacks, whether successful or not. Others will be used to mitigate the impact of an attack that was partially to fully successful and to restore plant operations. I like to point out that attackers are constantly changing their methods and that it is therefore impossible to be 100 percent effective in providing cyber security. Thus the ability to detect that you have been (are being) attacked is as important as putting defenses in place to block attacks.

One of the ways in which industrial automation cyber security get more interesting and complicated than IT cyber security is the use of all kinds of ‘smart’ devices. In a large plant facility it is likely that you will find distributed controllers, remote terminal units (RTUs) and programmable logic controllers (PLCs) as well as smart transmitters, smart control elements, computer-based subsystems such as tank inventory systems, analytical and laboratory systems, emission monitoring systems, and even digital protective relays and motor control centers (MCC.) Most of these things will be foreign to an IT person, and just because they contain a microprocessor and stored programming doesn’t mean that they can be treated in the same manner as an actual ‘computer.’ You will need to identify any such systems/devices whose compromise would lead to unacceptable con$equence$ and consider how best to provide them with cyber security protections. Again, it may be that non-technical controls (such as physical protective means) can achieve the goal.

I want to point out that I keep talking about the ‘compromise’ of a critical system or device, not their failure or shutting them down. That is because in the cyber world it is usually more desirable to use a system or device of which you have gained control than it is to merely shut them down. When considering consequences you need to think about all of the possible ways in which a bad guy could mess with a critical system. I like to tell plant managers to think about what could happen if a smart, evil person took over their control room and started using the operator and engineering consoles to mess with the plant equipment and control strategies.

So now that you have identified the assets, you need to protect and select the controls and measures you will use to protect them. You can’t do everything at once and you may not be able to fund everything in one fiscal year’s budget. So you will need to prioritize and take care of the most critical assets first. Look for the security enhancements that give you the greatest reduction in risk and give them priority. You will also need to think about the on-going support of your cyber security. Many technical security mechanisms require periodic updating to keep current with new threats. Technology changes and what kept you safe last year may not be adequate this year. You are not making a one-shot commitment to cyber security; you are making it a business process and committing budget dollars and manpower to establish an on-going cyber security program.

You also need to keep in mind that untrained people can be the weakest link in your cyber security. Spear phishing attacks and malicious email and web sites are becoming the leading means for launching a cyber attack. Personnel need training in basic cyber security and social engineering methods in order to prevent them from inadvertently compromising your cyber security. There are many simple and inexpensive ways to keep personnel aware of the need for cyber security and sensitive to the threat. But that will have to be the subject matter for a future column.

About the Author

Dr. Shaw is a Certified Information Systems Security Professional (CISSP), a Certified Ethical Hacker (C|EH) a Certified Penetration Tester (CPT) and has been active in designing and installing industrial automation for more than 35 years. He is the author of Computer Control of BATCH Processes and CYBERSECURITY for SCADA Systems. Shaw is a prolific writer of papers and articles on a wide range of technical topics and has also contributed to several other books. Shaw has also developed, and is also an instructor for, a number of ISA courses. He is currently Principal & Senior Consultant for Cyber SECurity Consulting, a consultancy practice focused on industrial automation security and technologies. Inquiries, comments or questions regarding the contents of this column and/or other security-related topics can be emailed to timshaw4@verizon.net.