Just how secure are US industrial control systems? It seems the answer is a resounding "Not very."
There are several reasons. Joe Weiss, an industrial control system expert, wrote in a recent Control Global blog post that the IT security industry tries to deliver industrial control security by adapting its existing products, which suggests that the industry has little understanding of the technology it is attempting to secure. He stresses that, before IT vendors deploy technology at the real-time control layer, they need substantial domain experience: actual control system experience at the type of industrial facility or environment they are selling into.
ICS security is different. It's not a matter of installing systems that work fine in an office or corporate facility. A routine IT check such as an active port or vulnerability scan, harmless to a desktop, can hang or shut down a controller outright, because many PLCs and RTUs have fragile network stacks that were never designed to handle unexpected traffic. If you are in charge of implementing such a system, choose someone who has hands-on experience within your industry first and is a technology guru a close second.
For a recent Trend Micro whitepaper on critical infrastructure dangers, Kyle Wilhoit connected two dummy control systems and a real one to the Internet to see whether they would be attacked and how long it would take. Want to guess? The first attack came within eighteen hours.
Here's what was used:
- A honeypot architecture emulating several commonly deployed industrial control/SCADA devices
- A mix of high- and low-interaction honeypots that mimicked the setup of a water pressure station in a small town
- Honeypots deliberately seeded with common vulnerabilities and misconfigurations
Over 28 days, the three devices were attacked 39 times. Thirty-five percent of the attacks came from IP addresses in China and 19 percent from the US (source-IP geolocation, which tells you where the traffic entered from, not who was behind it). Twelve were unique targeted attacks, and 13 were repeat attacks by the same actors over multiple days.
The attacks included modifying settings to change water pressure and stop water flow. Some involved sending administrators emails with malicious attachments that could take over a commonly used controller.
Some of these attackers were bent on specifically attacking and controlling the system, but several seemed to have no particular goal beyond the "because it's there" mentality.
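To make the honeypot setup above concrete, here is an added example, written for this page and not code from the Trend Micro study or from any named honeypot project: a minimal low-interaction Modbus/TCP honeypot in Python. It emulates a controller's holding registers, answers reads and writes with protocol-correct responses so that a scanner believes it is talking to a real device, and logs every request, flagging the write functions that correspond to the "change water pressure" and "stop water flow" modifications reported above. The register layout (register 0 = pressure setpoint in kPa, register 1 = pump enable flag), the default port 5020 and the peer addresses in the comments are assumptions made for the example.

```python
"""Low-interaction Modbus/TCP honeypot (added example; register layout is assumed)."""
import socket
import struct
import threading
from datetime import datetime, timezone

# Assumed layout for the emulated water pressure station (not from the Trend Micro
# study): register 0 = pressure setpoint in kPa, register 1 = pump enable, 2-9 unused.
DEFAULT_REGISTERS = [350, 1] + [0] * 8

# Function codes that change process state; these are the ones worth alerting on.
WRITE_FUNCTIONS = {5: "write_single_coil", 6: "write_single_register",
                   15: "write_multiple_coils", 16: "write_multiple_registers"}
ILLEGAL_FUNCTION, ILLEGAL_ADDRESS, ILLEGAL_VALUE = 1, 2, 3


def _adu(txn, unit, pdu):
    """Prepend the MBAP header: transaction id, protocol 0, length (unit + PDU), unit id."""
    return struct.pack(">HHHB", txn, 0, len(pdu) + 1, unit) + pdu


def _error(txn, unit, func, code, event, reason):
    """Modbus exception response: function code with the high bit set, then the code."""
    event["error"] = reason
    return _adu(txn, unit, struct.pack(">BB", func | 0x80, code)), event


def handle_modbus_request(frame, registers=None, peer="unknown"):
    """Parse one Modbus/TCP ADU against an in-memory register map.

    Returns (response bytes or None, event dict). The event is the honeypot's log
    record: peer, unit, function, and for writes the old and new register values.
    """
    if registers is None:
        registers = DEFAULT_REGISTERS
    event = {"time": datetime.now(timezone.utc).isoformat(), "peer": peer}
    if len(frame) < 8:
        event["error"] = "short frame"
        return None, event
    txn, proto, length, unit, func = struct.unpack(">HHHBB", frame[:8])
    data = frame[8:6 + length]
    event.update(unit=unit, function=func, is_write=func in WRITE_FUNCTIONS)
    if proto != 0:
        event["error"] = "not modbus (protocol id %d)" % proto
        return None, event
    if func == 3 and len(data) >= 4:  # read holding registers
        addr, qty = struct.unpack(">HH", data[:4])
        if not 1 <= qty <= 125 or addr + qty > len(registers):
            return _error(txn, unit, func, ILLEGAL_ADDRESS, event, "illegal address")
        vals = registers[addr:addr + qty]
        pdu = struct.pack(">BB", func, 2 * qty) + struct.pack(">%dH" % qty, *vals)
        event.update(addr=addr, qty=qty)
    elif func == 6 and len(data) >= 4:  # write single holding register
        addr, value = struct.unpack(">HH", data[:4])
        if addr >= len(registers):
            return _error(txn, unit, func, ILLEGAL_ADDRESS, event, "illegal address")
        event.update(addr=addr, old=registers[addr], new=value)
        registers[addr] = value
        pdu = struct.pack(">BHH", func, addr, value)  # the response echoes the request
    elif func == 16 and len(data) >= 5:  # write multiple holding registers
        addr, qty, count = struct.unpack(">HHB", data[:5])
        if count != 2 * qty or len(data) < 5 + count:
            return _error(txn, unit, func, ILLEGAL_VALUE, event, "illegal value")
        if not 1 <= qty <= 123 or addr + qty > len(registers):
            return _error(txn, unit, func, ILLEGAL_ADDRESS, event, "illegal address")
        vals = list(struct.unpack(">%dH" % qty, data[5:5 + count]))
        event.update(addr=addr, old=registers[addr:addr + qty], new=vals)
        registers[addr:addr + qty] = vals
        pdu = struct.pack(">BHH", func, addr, qty)
    else:  # anything else: answer like a real device would, and log the probe
        return _error(txn, unit, func, ILLEGAL_FUNCTION, event,
                      "illegal function or truncated request")
    return _adu(txn, unit, pdu), event


def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def _session(conn, peer, registers, log):
    """Read whole ADUs (6-byte MBAP header, then `length` bytes) until the client leaves."""
    with conn:
        while True:
            header = _recv_exact(conn, 6)
            if header is None:
                return
            body = _recv_exact(conn, struct.unpack(">H", header[4:6])[0])
            if body is None:
                return
            response, event = handle_modbus_request(header + body, registers, peer)
            log(event)
            if response is None:
                return  # drop the connection on non-Modbus input
            conn.sendall(response)


def serve(host="0.0.0.0", port=5020, log=print):
    """Accept clients; the real Modbus port is 502, which needs root to bind."""
    registers = list(DEFAULT_REGISTERS)  # shared across sessions, like a real device
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    while True:
        conn, (peer, _) = srv.accept()
        threading.Thread(target=_session, args=(conn, peer, registers, log),
                         daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it on an isolated host that you are prepared to have probed, feed the logged events to whatever collector you use, and alert on `is_write`: a single FC 6 that moves register 0 from 350 to 900 is exactly the "modified settings" pattern the study describes, while bursts of `illegal function` events are the fingerprint of a scanner walking the function-code space. Two design choices matter for believability: exception responses use the real Modbus codes, and writes actually change the register map, so an attacker who reads back the value sees the change stick.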
Siemens has announced that it will deliver managed services for defense-in-depth control security. Responding to the Stuxnet worm of a few years ago, Siemens has been innovative in the ICS security arena and was the first company to advise users to rely on air gaps. In this strategy, a secure network is physically isolated from insecure networks, such as the Internet or the corporate LAN, so that computers on either side of the gap have no network path to one another. The caveat to keep in mind is that an air gap blocks only the network: Stuxnet itself crossed air gaps on infected USB drives, so removable media, vendor laptops and remote-maintenance links need the same scrutiny as the perimeter.
Now Siemens is taking its expertise to the street by creating a managed service with three layers of defense-in-depth support:
- Industrial security services
- Security management
- Products and systems
The service has not been rolled out yet, but it will cover assessment and analysis, implementation, operation, and management. Watching the offerings evolve will be interesting.
Who else is involved? The US Department of Homeland Security runs a Control Systems Security Program with an Industrial Control Systems Joint Working Group (ICSJWG) to mitigate risk to the country's industrial control systems and to share information. The group concentrates not only on the obvious water systems and pipelines, but also on private asset owners and operators of industrial control systems.
So far, there are six subgroups specifically addressing cybersecurity challenges within this large and complex community.
- International Subgroup: This group handles international collaboration and information sharing, incident response, and the challenges involved in sharing sensitive information between governments.
- R&D Subgroup: It identifies current and future needs, priorities, and desired areas of research.
- Roadmap to Secure Industrial Control Systems Subgroup: This group maintains a Cross-Sector Roadmap for cyber risk management within control system environments and coordinates the roadmap's use.
- Vendor Subgroup: Members of this group identify ways to improve information sharing.
- Workforce Development Subgroup: It identifies security curricula and recommends enhanced or new ones. It also evaluates certification programs and works to develop an outreach plan for the workforce.
- Standards Subgroup: This group identifies security standards, assesses and evaluates a relevant set of baseline control systems standard requirements, and updates and maintains a catalogue of timely and practical control systems cybersecurity requirements for use by standards development organizations.
I know that, in the interest of your own system's security, you can't disclose much, but please share what steps are necessary from a theoretical point of view, or your experiences in whatever way you are free to. This is a critical subject that should be front and center, not buried on page 30 with the obituaries.