Karl Williams, a Principal Consultant Security with IPS, explains why industrial control systems need to be protected from cyber threats and offers one approach to this.
Control systems have seen a great deal of change in recent times, including increasing connectivity and the use of open standards and protocols from a previously proprietary and often isolated environment. The use of off-the-shelf technology - which is driven by requirements for additional applications, analysis and operational visibility - combined with connectivity to business and other networks brings great benefits, such as interoperability and efficiency. But it also creates an on-going challenge for security.
The security threats and vulnerabilities we see today are wide-ranging, often complex, and are not always well understood, particularly in terms of what impact, if any, they may have on an individual system, part of a system or the production facility itself. Threats come from a range of internal sources such as removable media, as well as from external sources such as connections with other devices and networks. Threats can change quickly as new vulnerabilities emerge, meaning that control systems may find their normal operation impacted simply because they share, either directly or indirectly, a technology or connection. While this impact may not necessarily be immediately or directly disruptive to production, it may reduce efficiency and that, in itself, is undesirable. Without appropriate action, it may ultimately impact safety and lead to loss of production.
To meet these challenges IPS (Invensys Process Systems) has a dedicated team with specialist skills in security, controls systems, IT and networking. A cross-discipline skill set is vital to meet the needs of the industrial control systems environment we see today, with its increasing use of IT and networking technologies. The IPS security team works with clients and also internally within IPS to improve security in products while maintaining the required functionality.
The greatest threat today comes from doing nothing. By taking steps to assess, address and then understand and manage security by using effective systems, the level of security risk can be reduced and safe and reliable production maintained.
Meeting the challenges
At IPS we are involved in many security activities across the control systems industry. We are active participants in industry security standards groups and information-sharing activities, such as ISA S99 and the Process Control Systems Forum (PCSF), and IPS is a founding member of the ISA Security Compliance Institute (ISCI), as well as many other groups. These groups provide the opportunity for greater understanding, knowledge transfer and sharing of expertise and information. Many countries now have Critical National Infrastructure initiatives and IPS plays its part by working with Governments.
With such a wide diversity of control systems deployed from the most up-to-date to those that were installed some time ago, there is a need for security. The risk faced by the newest systems can be quite different to that faced by older (legacy) systems and, regardless of the system age, its security position needs to be understood and the most effective measures taken while allowing critical functions to be performed when required.
Understanding the most likely threats is vital to developing an approach that provides the necessary protection. Recently there has been a great deal of discussion about threat and vulnerability, and much of this has centred on hacking. The available information does not indicate that hacking activity poses the greatest threat - at least not today. A much more likely scenario is for a control system to be infected and impacted by some form of malicious code, be it a virus, worm or Trojan.
Security must be seen as a business enabler by providing measures that maintain system availability, and an effective vulnerability management process is a vital part in this. A newly discovered vulnerability needs to be assessed and a course of action determined, based on likelihood and impact.
Even when there is internal expertise within an organisation there is much to be gained from seeking external advice in developing and maintaining security. IPS has addressed one important element of the security challenge by partnering with Integralis, a leading global security management provider. Using Integralis' expertise and global view provides direct benefits to help with quickly changing threats and vulnerabilities.
Today, countering the threat of malicious code should be a priority. This threat is one that must be mitigated by using well proven defence methods as well as by separation of critical production assets. Internal measures should also be in place, covering policy, procedure, enforcement and, ultimately, incident management and recovery based on the worst-case scenario.
IPS has developed its security approach in line with industry best practice and its own specialist knowledge, based on the following principles:
- View security from both management and technical perspectives
- Ensure security is addressed from both an IT and control system perspective
- Design and develop multiple layers of network, system and application security
- Ensure industry, regulatory and international standards are taken into account
- Prevention is critical in plant control systems, supported by detection
IPS recommends a defence in depth approach to designing and implementing measures to mitigate security vulnerabilities and threats. The diagram below shows an example of a typical architecture used to address a range of security risks.
Each layer is evaluated for its criticality, then the corresponding risk is determined and appropriate security measures are applied. To proceed through each layer a security threat must compromise each security measure, both management (policies and procedures) and technical; this approach creates a more resilient architecture.
Moreover, this approach ensures that the most critical assets receive the greatest layers of protection, and a threat is more likely to trigger a timely response. This defence in depth strategy, when successfully implemented and managed, minimises the likelihood of a threat being successful and can also provide intrusion prevention. This approach is considered an effective and proactive security measure.
More secure products that include a host-based firewall, hardened workstations, anti-virus and vulnerability management contribute to lowering the risk of a security incident. While putting in place appropriate mitigation measures will improve security, the on-going management of security needs to take place for it to remain effective; security must not be viewed as a 'fit and forget' exercise.
A security program should meet the individual requirements of each system and implementation but, in general, the following should be considered:
- Security assessment
- Security policies, procedures and enforcement
- Protection with appropriate technology
- Security training for knowledge transfer
- Security management
1 - Security assessment
A security assessment is one of the first steps in developing an understanding of the security position. By analysing the current position, vulnerabilities and threats, an understanding of the real risk is gained, and this sets the requirements for a security program.
2 - Security policy, procedures and enforcement
Effective policy, procedures and enforcement (assessment/audit/monitoring) are crucial for safe and reliable system operation. The development of policy and supporting procedures should be user- and facility-specific and should therefore be carried out in close co-operation with system stakeholders to ensure the result is workable and effective. Management support at all levels in this area is vital to ensure success, while any corporate or business policy and procedure compliance requirements should be taken into consideration.
3 - Protection with technology
Technology plays an important part in an overall security approach. Firewalls are just one example of a technology that provides part of a defence in depth design and, when implemented and managed correctly, can mitigate security vulnerabilities and threats. But security is more than just a firewall.
The design and implementation of an architecture using a DMZ provides more secure access and control; further protection is provided by including additional features such as anti-virus and deep packet inspection for intrusion detection or prevention. The on-going management of firewalls and other devices should be carefully considered.
IPS currently provides its control system workstations pre-installed with anti-virus (AV) software and the effectiveness of AV must be maintained with regular updates; an out of date AV product gives no protection against new malicious code. A suitable update mechanism should be in place for systems both with and without network connectivity; this will give protection against malicious code that may enter the system from a network connection or be brought into a system by removable media such as USB drives or CD.
4 - Security training for knowledge transfer
Those who have access to a control system, either directly or indirectly, and frequently or just occasionally, require appropriate security training to ensure a low-risk production environment. This is an important element in ensuring that those who have any interaction with critical systems understand the impact that any of their actions may have. Training is also needed to enable those involved with control systems to understand the policy, procedures, enforcement and the wider security picture. In addition, training may be required for the more technical aspects, including firewalls, intrusion detection/prevention, anti-virus updates and so on.
5 - Security management
There are many activities that are covered by security management and the resources required for this need to be fully considered; it may mean a high level of commitment. Like safety programmes that are already in place, where safety is accepted as a way of life and is continuously monitored, validated and understood, security and its management would benefit from a similar approach.
While there are some security elements that may be rarely updated once in place - such as policy - there are other parts that will need more frequent or even continuous attention - such as AV updates, firewall management, access control, vulnerability management and enforcement. Each system will need to be assessed for its own needs based on its circumstances, but following a continuous life-cycle model of Assess, Design, Implement and Manage, with supporting elements in each phase, provides the flexibility needed for a low security risk environment.
For more information go to www.ips.invensys.com.