Manufacturers and utilities that incorporate widely-available, low-cost internet protocol devices into their industrial control systems are at an increased risk for cyber-attacks. The National Institute of Standards and Technology (NIST), which is responsible for developing information security standards and guidelines to protect the nation’s critical infrastructures, recently published the Guide to Industrial Control Systems (ICS) Security, NIST Special Publication 800-82, Revision 2, released May 2015. This publication provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements.
Who’s at risk?
The industries that have incorporated widely available, low-cost internet protocol (IP) devices into their industrial controls systems include electric, water and wastewater, oil and natural gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing, e.g., automotive, aerospace, and durable goods. It is important to note that approximately 90% of the nation’s critical infrastructures are privately owned and operated, which makes ensuring their security from cyber-attacks vitally important.
What’s the issue?
Industrial control systems initially had little resemblance to traditional information technology (IT) systems because the ICS were isolated from the company’s network and ran proprietary control protocols using specialized hardware and software. Many ICS components were in physically-secured areas and the components were not connected to IT networks or systems. Widely available, low-cost Ethernet and internet protocol devices are now replacing proprietary solutions, which increases the possibility of cybersecurity vulnerabilities and incidents. As described by the Guide, as ICS adopt IT solutions to promote corporate business systems connectivity and remote access capabilities, they start to resemble internet-connected and wireless-accessible IT systems resulting in greater vulnerability to cyber-attacks.
Give me an example where an ICS was attacked.
Over a two-month period, a disgruntled applicant for employment used a radio transmitter to remotely break into the controls of a sewage treatment plant system in Australia, altering the operations of the pumping stations, and causing over 260,000 gallons of raw sewage to enter into nearby rivers and parks. In 2005, hackers used an internet worm infection to knock 13 of DaimlerChyrsler’s U.S. automobile manufacturing plants (in Illinois, Indiana, Wisconsin, Ohio, Delaware, and Michigan) offline for almost an hour. The ICS also required multiple and time-consuming restarts. This same worm and its variations caused computer outages at heavy equipment manufacturer Caterpillar, aircraft-manufacturer Boeing, and several large U.S. news organizations. In 2014, hackers disrupted the control systems of a blast furnace of a German steel mill preventing it from shutting down and resulting in massive damage. These are just a few examples of cyber-attacks to industrial control systems.
In 2007, the U.S. Department of Homeland Security staged how a cyber-attack could affect the power grid, a la Stuxnet, by demonstrating how a hacker could send instructions to a SCADA-operated generator to cause it to operate at such a high speed that it self-destructed. (You can watch the video as displayed by CNN here.)
Just recently, Reuters reported a story that the University of Cambridge Centre for Risk Studies and the Lloyd’s of London insurance market had outlined a scenario where a cyber-attack on the U.S. power grid could cost as much as $1 trillion and leave 93 million people without power. The same day, Newsweek reported a story that a German-owned Patriot Missile System stationed in Turkey was briefly taken over by hackers. So the threat of a cyber-attack to manufacturers and utilities is real and credible.
What information does the NIST Guide provide?
The Guide provides an overview of industrial control systems in comparison to IT systems. It discusses the process to perform ICS risk management and assessment. The Guide presents an overview of how to develop and deploy an ICS security program to mitigate the risk of cyber vulnerabilities, including advice on how to make a business case to upper management for funding an ICS security program. It provides recommendations for integrating security into network architectures, including an emphasis on network segregation practices. Finally, it gives a summary of the management, operational, and technical controls identified in other NIST guides and how those security controls apply to ICS. While the Guide is technical in nature, it provides the necessary background to understand the topics discussed. The intended audience includes senior management trying to understand the implications and consequences of ICS security as they justify and apply an ICS cybersecurity program to help mitigate impacts to business functionality.
What are some of the major security objectives discussed in the Guide?
Of the three Federal Information Security Modernization Act (FISMA)-defined security objectives, ICS security objectives typically follow the priority of availability (i.e., ensuring timely and reliable access to and use of information), integrity (i.e., guarding against improper information modification or destruction), followed by confidentiality (i.e., preserving authorized restrictions on information access and disclosure). The major security objectives include:
- Restricting logical access to the ICS network and network activity;
- Restricting physical access to the ICS network and devices;
- Protecting individual ICS components from exploitation;
- Restricting unauthorized modification of data;
- Detecting security events and incidents;
- Maintaining functionality during adverse conditions; and
- Restoring the system after an incident.
What steps can I take to protect my ICS?
Like all NIST publications, the Guide recommends applying a “defense-in-depth” strategy, which involves employing multiple layered security mechanisms so that the impact of a failure in any one mechanism is minimized. This includes the use of firewalls, the creation of demilitarized zones, and the use of intrusion detection capabilities along with effective security policies, training programs, incident response mechanisms, and physical security.
What does a defense-in-depth strategy mean for a typical ICS?
- Developing security policies, procedures, training, and education material that apply specifically to the ICS.
- Considering ICS security policies and procedures based on the Homeland Security Advisory System Threat Level, deploying increasingly heightened security postures as the Threat Level increases.
- Addressing security throughout the lifecycle of the ICS from architecture design to procurement to installation to maintenance to decommissioning.
- Implementing a network topology for the ICS that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
- Providing logical separation between the corporate and ICS networks (e.g., stateful inspection firewalls between the networks, unidirectional gateways).
- Employing a demilitarized zone network architecture (i.e., prevent direct traffic between the corporate and ICS networks).
- Ensuring that critical components are redundant and are on redundant networks.
- Designing critical systems for graceful degradation (fault tolerant) to prevent catastrophic cascading events.
- Disabling unused ports and services on ICS devices after testing to assure this will not impact ICS operation.
- Restricting physical access to the ICS network and devices.
- Restricting ICS user privileges to only those that are required to perform each person’s job (i.e., establishing role-based access control and configuring each role based on the principle of least privilege).
- Using separate authentication mechanisms and credentials for users of the ICS network and the corporate network (i.e., ICS network accounts do not use corporate network user accounts).
- Using modern technology, such as smart cards for Personal Identity Verification (PIV).
- Implementing securing controls such as intrusion detection software, antivirus software and file integrity checking software, where technically feasible, to prevent, deter, detect, and mitigate the introduction, exposure, and propagation of malicious software to, within, and from the ICS.
- Applying security techniques such as encryption and/or cryptographic hashes to ICS data storage and communications where determined appropriate.
- Expeditiously deploying security patches after testing all patches under field conditions on a test system if possible, before installation on the ICS.
- Tracking and monitoring audit trails on critical areas of the ICS.
- Employing reliable and secure network protocols and services where feasible.
Who should carry out the defense-in-depth strategy?
The Guide calls for a cross-functional cybersecurity team to carry out the defense-in-depth strategy. Members can share their varied domain knowledge and experience to evaluate and mitigate risk to the ICS. The Guide recommends that the cybersecurity team include a member of the organization’s IT staff, a control engineer, a control system operator, network and system security experts, a member of the physical security department, and members of management, including a member of the company’s risk management staff. The cybersecurity team should coordinate closely with site or facility management and the company’s Chief Information Officer (CIO) or Chief Security Officer (CSO). Finally, although not specified by the Guide, the company’s CEO, CFO, and Board will want to make sure that the company’s cybersecurity team is properly funded, trained, and operating on a continued basis.
A copy of the Guide is available here.
The author, Bill Wagner, JD, CPCU, CIPP/US, CIPP/G, is a member of the Sedona Conference Working Groups on Data Security and Privacy Liability, and Electronic Document Retention and Production. He also serves as a Steering Committee Member to DRI’s Government Enforcement and Corporate Compliance Committee.