Print this article

Comment

01 October 2002

Get control system security inside the standards

By Ellen Fussell

How concerned is your plant with cybersecurity for your operational control system? If you're not worried, you should be, said Joe Weiss, control system and cybersecurity expert at KEMA Consulting in Cupertino, Calif.

In a testimony he presented to the U.S. House of Representatives this past July, Weiss explained the need for government funding in developing cybersecurity for control systems. Among the needs listed were standards to address security in an information sharing environment. "Most of our standards are industry specific. Security is not industry specific," Weiss said.

The big push is to develop requirements for securing control systems, as well as to develop new technology. In the meantime, Weiss is plugging away with the National Institute of Standards and Technology and Idaho National Engineering Labs to help establish test beds for cybersecurity.

Here's the problem, Weiss said in his testimony: Regulatory agencies and governments are taking "dramatic steps . . . to ensure security against physical attacks and . . . securing the Internet and networking systems for traditional IT business systems."

Yet operational control systems — distributed control systems, programmable logic controllers, and supervisory control and data acquisition systems (SCADA) — aren't getting the same attention. And these systems constitute the "backbone of the global industrial infrastructure."

WHERE'S THE THREAT?

"Whether security breaches come from organized terrorist attacks, hackers, or even unintentional break-ins," the consequences can be devastating, causing malfunctions and shutdowns, Weiss said. "Cyberattacks on control systems can be targeted at specific systems or subsystems and can target multiple locations simultaneously from a remote location," he said. "Electronic attacks can even impact restoration efforts by manipulating procedures or dynamically changing equipment conditions."

To detect any kind of intrusion in these control systems, Weiss said, "there needs to be a vehicle such as a firewall or intrusion detection system. In general, industrial facilities don't have firewalls or intrusion detection, so it's not possible to know if there has been an intrusion. Additionally, control systems do not have a capability to log electronic intrusion attempts."

One example of such an intrusion is in Australia, where a disgruntled employee hacked into a wastewater SCADA system, Weiss said. Officials nabbed the employee after his forty-sixth time dumping sewage. He used wireless technology to hack into the wastewater SCADA system. In effect, "he spoofed the system, enabling the intruder to get access to control a valve," Weiss said. "The bottom line is, the controls industry knows control systems, and the security industry knows security. A control system cannot simply have existing security technology backfit without potential significant performance degradation."

Weiss said the government has allocated approximately $800 million for cybersecurity technology education and research and development. However, this funding is devoted to traditional information technology applications. "The industrial community needs to have some of that funding devoted to developing control system applications," he said.

And if that doesn't happen? The worst-case scenario is that our systems are vulnerable. "You can close a valve and shut a plant down or cause an explosion," Weiss said. "Open a breaker and shut down electricity. You close a valve and cause great distress in a refinery-with releases-like what happened in Australia."

WHERE DO WE GO FROM HERE?

"We need to address standards. We have to catch up and be there so that end users have something to specify, and vendors have a means of designing to," Weiss said. Right now there's discussion on developing security standards and incorporating security into existing standards. An end user needs to be able to point to a document and ask a vendor to develop those control systems to meet those specific requirements, Weiss said. Whatever standard he uses, he needs to include security issues as well. "Rather than having discussion at the industry level, they should be at the technology level," he added.

Weiss is now heading up a task force within the Institute of Electrical and Electronics Engineers to address standards issues, and a group is also forming under the guidance of Keith Unger of Entegreat Inc. in Birmingham, Ala., as part of an ISA Standards and Practices Board request.

The federal energy regulatory commission issued a notice of public rule requiring a minimum level of cybersecurity to participate in the grid, where companies generate and close electricity, Weiss said. "That's the first real push to mandate and force something to happen because you'll have the force of federal law. And I imagine that oil and gas will follow and probably chemicals," he said. "Others will have to make a business decision because they're not mandated by the federal government. The FDA might get in the loop, too." IT