The “CIA triad” is a widely used benchmark for evaluating information system security effectiveness
By Kim Fenrich, ABB Inc.
The control systems world is changing. Historically, process control systemswhich include all industrial control, process control, supervisory control and data acquisition (SCADA), distributed control (DCS) and industrial automation systems1were typically operated in an isolated or stand-alone environment and did not share information or communicate with other systems. These systems were normally comprised of proprietary hardware, software and protocols designed specifically to control and monitor sensitive processes. Since access to these control systems was greatly limited and knowledge of these protocols was confined to a small population, control system network (also known as process control networks or PCN’s) security efforts were minimal and focused primarily on physical measures.
Today, “security by obscurity” is no longer adequate. Because of the vast amounts of valuable information control systems contain and the need to make rapid, cost-driven decisions, stakeholders are demanding ready access to real-time plant information. This has led many previously stand-alone control systems to become part of the “always connected” world, where real-time data can be accessed by a variety of users via corporate networks or Internet technologies. This increased connectivity has also precipitated new threats along with a renewed focus on control system security.
Risks and Reality
Because of the vital roles control systems play, numerous government agencies, standards bodies, industry organizations and academic organizations have undertaken initiatives to increase the awareness of potential threats. The bulk of these programs, including the National Strategy to Secure Cyberspace, are intended to help establish security priorities, awareness and training programs and threat and vulnerability reduction programs. The message presented by these organizations is that externally initiated incidents are on the rise and facilities are almost certainly more vulnerable than their owner/operators believe.
While these programs have been successful in raising awareness on various levels, many statements being made by security vendors, consultants and government agencies appear to be overly alarmist.
Security incidents, defined as a violation of one or more security objectives, have and will continue to occur. While most organizations are reluctant to report security incidents for fear of embarrassment or financial repercussions, a small number of well-documented incidents have occurred over the past few years. One of the most notorious involves a disgruntled employee at an Australian sewage treatment facility who, through an Internet connection to the company’s control system, caused the release of thousands of gallons of raw sewage into local waterways. In 2006, confidential information (including incident response plans) were leaked from a Japanese power plant on two separate occasions through a virus-infested computer with peer-to-peer file sharing applications. These followed a similar incident at a different plant in 2005.
Some risk is faced by control systems, but how much? There is little information sharing about actual attacks and little conclusive statistical data is available. Consequently, it’s difficult to come up with a realistic picture of the risk posed to control systems today.
Security threats are defined as any circumstance or event with the potential to cause destruction, disclosure, modification of data and/or denial of service. The threats can come from both inside and outside a facility.
Internal threats come from two main sources:
- Accidental incidents caused when an unknowledgeable, untrained or careless employee performs an inadvertent action. Often, these incidents are abetted by complicated policies or procedures, improper authorization or password sharing.
- Intentional incidents caused by disgruntled, dishonest or unstable employees, contractors or guests with knowledge of the control system and authorized access.
External threats to control systems can be grouped three different ways.
- MalwareLike any information system, control systems are potentially vulnerable to viruses, worms, trojans and spyware. Although malware attacks are undirected (that is, they don’t specifically attack control systems), they can affect the system by obstructing communications, corrupting data, installing back doors and causing forced shutdowns.
- HackersBy turns revered and vilified, hackers are outsiders interested in probing, intruding or controlling a given system for the sheer challenge of it or for notoriety. Typically they do not act with overtly criminal intent.
- TerroristsThis threat distinguishes critical infrastructure systems from most other IT systems and is perhaps the most concerning for governments and organizations charged with maintaining critical infrastructure. Whether state-sponsored or independent, terrorists are distinguished by their intent to do harm to people. According to the National Security Agency, some foreign governments already have or are developing computer attack capabilities. Potential adversaries are developing knowledge of U.S. systems and methods to attack them.
While basically all computer systems are exposed to intrusion attempts, the potential consequences of such attempts are vastly different for different types of applications. For power plant control systems, a security incident can have severe consequences such as the endangerment of public safety, damage to the environment, loss of proprietary or confidential information, loss of production, damage to equipment and loss of public confidence. This makes assessing the consequences of an industrial cyber attack more than simply a case of assigning a financial value. Although there are obvious direct financial impacts (for example, loss of production or plant damage), other consequences such as damage to a company’s reputation can be far more significant. Even minor regulatory violations can affect a company’s reputation or jeopardize its license to operate.
Protection measures are necessary, but no single solution or technology fits the needs of all organizations or applications. The primary objective of any security program is to protect system confidentiality, integrity and availability. This modelknown as the “CIA triad”is a widely used benchmark for evaluating the effectiveness of information systems security.
“Confidentiality” refers to the assurance of data privacy. Only the intended authorized people or devices may access the data. “Integrity” refers to the assurance of data non-alteration. Data integrity is the certainty that the information has not been altered in transmission, from origin to reception. “Availability” is the assurance that data and resources are obtainable for people and devices who need it, when they need it.
IT Security Is Different
While modern control systems use many of the same technologies as IT systems and are beginning to resemble them, they also have many distinguishing characteristics. For instance, control systems have different performance and reliability requirements (for example, real-time response) and have longer system lifecycles. Table 1 (see page 46) summarizes the differences between IT and control systems.
While the primary security objectives are the same for each system, the CIA triad is reversed for control systems. Availability and fault tolerance are paramount because the process being controlled is continuous and can be unstable if not supervised. Integrity remains a necessity to ensure end-to-end data accuracy. Confidentialityexcept for the protection of proprietary product recipes and plant security datais of lower importance.
These differences pose multiple challenges. Many companies still assign responsibility for control system security to the IT department. However, most IT departments are generally unfamiliar with process reliability issues, performance requirements and protocols of industrial equipment. This can result in the implementation of policies and procedures that simply don’t work in the control system environment. In other companies, the IT and control system engineering staffs operate independently, with each performing similar functions. In this scenario, there is often little or no interaction between the two groups except where they meet at the plant network.
While it’s clear that control and IT systems require different policies and procedures, IT staffs have far more experience with cyber security measures and with knowing what does and does not work. They understand open systems management, firewalls and intrusion management. Control system staff are, therefore, well advised to work closely with plant IT staff and explain how control system requirements differ from other systems to implement a strategy that makes sense.
The Cost of Security
Like everything else, security comes with a cost. While manufacturing facilities can’t ignore the risks of security incidents, they also can’t afford infinite security measures. Having too much security can restrict access to information and data for authorized users and create unnecessary cost; having too little can put operating profits and people at risk. Since 100 percent security is not feasible, users should focus on critical areas and functions first and apply security measures based on the value of the data or application. As a rule of thumb, plants should apply security measures that are proportional in cost to the value of data, risk and probability associated with a security incident and the potential consequences of a security breach.
In some cases, misapplying technology results in significant overspending. Having skilled, properly trained personnel in place who follow defined practices and can carefully, effectively and efficiently apply technology can help minimize overspending.
Although no “silver bullet” exists for control systems, most can adequately be secured once the risks are understood. Establishing effective safeguards for control systems, the devices with which they interact and the networks on which they reside requires a multi-faceted, multi-level effort. That effort needs to focus not only on technology, but on people as well.
The human factor is the weakest link in any activity and security is no exception. Therefore, a key element in implementing and maintaining computer system security is establishing effective IT security policies and procedures. While many of the same policies used for securing corporate IT systems can be applied to control systems, policies and procedures should also:
- Ensure control system security practices align with business and operational needs.
- Define, document and manage formal policy and standards for process control system security.
- Establish training and awareness programs for control systems, IT and third-party personnel.
- Implement and enforce password policies for all personnel having control system access. These policies should be based on the principle of “least privilege.” Every application, user or subsystem should be restricted to the minimum number of rights necessary to fulfill its purpose.
- Include procedures for assessing and responding to security incidents and alerts, including how to respond to potential disasters.
- Include plans for regular audits of control system network security.
To make the security policy effective, it must be practical and enforceable and it must be possible to comply with the policy. The policy must not significantly affect productivity, be cost prohibitive or lack support. This is best accomplished by providing clear organizational responsibility and by including both management and system administrator personnel in the policy development process.
A fundamental principle that should be part of any network protection strategy is defense-in-depth, also known as the “onion approach”. This uses a security zone concept to secure both the network interior and exterior. The highest value target (typically the control system) sits in the innermost zone where the greatest level of isolation and security measures are applied. (See Figure 1, page 44).
The outer zones contain less valuable targets and are protected by security mechanisms such as firewalls, gateways, and proxiespreferably different types for each zonedesigned to detect and delay an attacker’s movement inside and around each zone. These devices should be configured to pass only data that is absolutely essential for day-to-day operations.
Over the past decade, numerous best practices have been developed by IT departments, control system personnel and industry organizations when deploying technical security measures or implementing procedural controls. When implemented as part of a defense-in-depth strategy, these best practices can provide a solid foundation for an effective security program. Best practices for securing the network boundary and outer network zones include:
- Securing remote and dial-up connections with virtual private networks (VPN’s)
- Installing firewalls and intrusion detection systems (IDS), with regular monitoring review of their logs
- Configuring firewalls and routers to block all inbound network traffic except that which is explicitly required to maintain day-to-day operations
- Regularly scanning all systems for viruses
- Adhering to defined security policies and procedures
- Deploying physical security measures to protect access by outsiders or local unauthorized access.
High security zones, such as the control system network, should be small and independent, form their own domain and follow the principle of least privilege. In addition, they should adhere to best practices such as, but not limited to:
- Prohibiting the use of Internet applications such as web-browsing, email and messenger.
- Hardening of all nodes in the system by disabling removable media, removing or disabling all unnecessary network connections, services and file shares. Ensure that all remaining functions have appropriate security settings.
- Installation of unauthorized software should be prohibited.
- Connection of portable computers should be restricted. If they must be connected, they should be carefully scanned for malicious software before connection.
- The system should be isolated from other zones through properly configured, hardened firewalls.
- All computers should be regularly scanned for viruses and kept up to date with relevant, vendor recommended security updates.
- Physical access to all computers, network equipment, controllers, I/O systems and power supplies, should be restricted.
- Security policies, procedures and practices should be continuously reviewed and strictly enforced.
The Vendor’s Role
Despite the perception that all vendors are behind in addressing security within their control systems, some are making progress. These vendors have acknowledged they have a responsibility to help users secure their systems and have begun “baking” security features into new products while developing partnerships to help expand their expertise and scope of supply. This same group has implemented programs and services such as security patch testing, antivirus software accreditation, secure default settings and security guidance and consulting. Solutions are now needed to help secure these vendors’ existing systems and reduce the amount of time and effort required to maintain plant floor security.
Securing a control system is not only about technology, it’s about people, relationships, processes and organizations. Only through effective collaboration between the IT department, control system engineers and system vendors can control systems be reliably secured. After all, who knows open systems management better than IT or control systems better then the vendor? Since security ultimately is the system owner’s responsibility, it’s important that users understand the risks, acknowledge the situation and implement a security program that meets the needs of the entire organization.
Author: Kim Fenrich is manager of project solutions within the technology group of ABB North America Power Generation. For the last five years he has specialized in control system network security as a member of ABB’s global security team.