Until now, most industrial control systems (ICSs) were designed mainly for high reliability, safety, and the maximum uptime. While the industry has been focusing for decades on fulfilling these requirements, digital security was historically almost not considered at all. In the 1990s some governmental agencies started examining cyber security for critical infrastructures such as electrical power distribution. These efforts were still confidential. Now with the emergence of Stuxnet and the numerous publications it has triggered, cyber attacks against industrial control and automation systems are a key concern to all stakeholders.
ICS systems at Risk
We admit from the outset that a discussion of all ICS structures susceptible to a security attack would deserve an entire article. It is difficult indeed to limit our discussion to a few important ICSs, but that is what we must do. So for this article we will consider three different types of an ICS.
- Programmable logic controllers (PLCs), which are widely used for manufacturing process automation or control of subsystems. PLCs are often connected as part of a wider infrastructure.
- Supervisory control and data acquisition (SCADA) systems, which monitor and control geographically distributed, critical infrastructures such as water distribution or electrical power distribution systems.
- Distributed control systems (DCSs), which control industrial processes such as chemical manufacturing and power generation; they generally comprise several automated subsystems.
Implementations of these systems can, and will, differ greatly depending on the ultimate industrial application. Some systems will be physically concentrated, limited to a well-defined manufacturing facility, or spread over a very wide geographical area. Nonetheless, all these systems operate under specific performance expectations or, for our discussion, constraints. For instance, a SCADA system must have an extremely high level of uptime, ideally “five 9s” or “six 9s” (“five 9s” means 99.999% availability, which is equivalent to about 5 minutes of downtime per year).For other industrial control and automation systems, the most critical performance constraints might be extremely fast reaction times.
So, ICSs can be similar, yet vastly different. Added to this, we see two trends today. ICSs are becoming more and more connected; and they are using more standard off-the-shelf components like workstations that rely on standard software such as Microsoft Windows O/S or communication over IP. These trends created new vulnerabilities to cyber attacks.
IT Technologies in an Industrial Environment—Not Always a Perfect Fit
ICSs are also now incorporating technologies used in IT, but the ICSs must still operate within their specific performance objectives or constraints. There is an important, immediate consequence of this technology convergence: some threats to standard IT components now also apply to ICSs. However, because of their different performance objectives and working environments, the security remedies used in the IT world are not necessarily applicable to ICSs. Before we go into a deep dive for the specifics, let’s take a simple example.
A SCADA system is monitoring the pressure of cooling water in an industrial installation and is expected to raise an alarm when a loss of pressure is detected. In this potential emergency situation, we want
the operator to take immediate action.
Consider now an operator’s response in a classic IT infrastructure. After some minutes of inactivity the IT workstation has probably locked itself; the operator must type his password to login and, usually after three unsuccessful attempts, the workstation would lock again. Now the IT operator needs to contact an administrator to get the password reset. Time is passing. A similar, reiterative procedure would be devastating in an industrial setting. With an ICS in this emergency, we want an operator to act immediately; any hesitation is a critical loss of time. So this is an example of a very standard IT procedure that is not
applicable, even detrimental to an ICS.