1 September 2005
Collaboration key to securing control systems.
By Ellen Fussell Policastro
"Security is a problem that almost everyone wants to solve, but very few want to spend their resources to deal with the arcane issues," said Dick Oyen, consulting R&D engineer at ABB Inc. in Wickliffe, Ohio.
"The process operator is more enthusiastic to treat water or to make steel, and security is yet another distraction," Oyen said. It may be a distraction today, but like it or not, control system security is a growing reality. "The cost of a single security breach in a large manufacturing enterprise can run into the millions or tens of millions of dollars or more, depending on the type of industry and the breach of security," said Rashesh Mody, Wonderware's chief technology officer. "A security breach can affect batch systems, creating loss of control of those systems, resulting in dangerous or deadly situations or environmental disaster," he said.
In manufacturing plants where unplanned downtime could mean the difference between profit and loss, a single virus can stop production if manufacturers don't protect their systems. "This could result in days of reformatting and rebuilding the automation network if the plant is using conventional automation systems," Mody said. In such a case, "we'd want to very quickly get an enterprise running again, perhaps even within the same day due to the power of single-point deployment of applications and objects."
Security experts said collaboration among users, suppliers, and government agencies is the key to alleviating the reticence, apathy, and monetary issues that hold up a control system security solution.
One good launching pad for collaboration is research on security problems and solutions; it's also an area where government can directly contribute, Oyen said. "When disaster strikes, it's wonderful to have been prepared. To date, the disaster has been economic and rarely something that provides pictures on the front page of the evening paper. Because of this growing problem, we're taking measures to put industry in a better position to deal with a blatant public attack when it comes. But of course, it won't be big news unless the preparations are inadequate."
Standards organizations and forums inspire collaboration. ISA-SP99, the committee working on the control system security standard, and the Process Control Systems Forum (PCSF) provide "a collaborative environment for various control system security bodies to work together, including users, suppliers, government, industry bodies, and standards bodies," said Kevin Staggs, control systems solution planner at Honeywell Process Solutions in Phoenix.
While ISA develops standards and guidelines, PCSF allows groups to coalesce and address problems. "It's a venue for companies to get together and identify needs and form working groups and to address those needs," said Joe Weiss, executive consultant with KEMA Inc. in Cupertino, Calif. Weiss and other control system security gurus are putting together an international standards coordination meeting; PCSF is sponsoring the meeting, and ISA will be one of the major players, he said.
While standards committees and forums are a good way to join in the fight, each group has a role to play, and they need to understand what those roles are, said Eric Cosman, engineering solutions architect at Dow Chemical Co. in Midland, Mich. "Sometimes we get into trouble and confuse roles of suppliers and end users." End users' first responsibility is to share their best practices "to the extent they can without losing proprietary information," Cosman said. "Most of these best practices apply across sectors, but they need to be willing to share what they've done and what works. There's a lot of sensitivity about sharing incident information. But we do share best practices and information on what we've done to prevent incidents."
Advocacy is another end-user responsibility, Cosman said. "We've done this quite a bit in the chemical industry. We nudge suppliers and technology providers to take this topic more seriously. We ultimately are the ones who buy this technology, so we should use our influence to advocate with suppliers. We need to bring some balance to the hyperbole that occurs sometimes in discussions about security. We need to promote the concept that security isn't something you can ignore, but we shouldn't say the sky is falling either."
Riding on the concept of competitive advantage allows some suppliers to avoid the issue of addressing security, Cosman said. "Suppliers owe it to their stakeholders to state clearly what they believe is competitive advantage and what isn't. Sometimes it's easier to avoid the issue than to sit down and think about it," he said.
Future of legacy systems
Legacy systems are really important "because the bulk of the systems in use are legacy systems and will be for a long time," Weiss said. And legacy systems generally have few spare computing resources to devote to security. "So whatever you do to secure them has to be something that won't impact their performance, and that's probably going to take quite a bit of effort from vendors as well as end users."
It could be difficult and sometimes impossible to go back and retrofit legacy systems to build security into them, said Staggs. "As a result, the best steps to take are to build a strong security perimeter around the system," he said. "Future developments should have security built into them so there are layers of defense in the control system at every level of control. This includes a perimeter defense around the control system also."
Legacy systems, especially control systems using proprietary networks and software, are much less vulnerable than legacy systems based on Ethernet and more open protocols and software, said Bob Huba, DeltaV marketing manager at Emerson Process Management in Austin, Tex. "Retrofitting a legacy system for security is expensive both for the vendor to develop the security capability for the legacy systems and for a user to install the built-in security capabilities," he said. The most cost-effective and least intrusive way to secure legacy systems is by "either staying disconnected from the plant LANs or aggressively employing off-the-shelf edge security devices such as firewalls and intrusion detection systems to prevent access by unauthorized users."
Expense is an issue, but it doesn't have to be, Weiss said. "You can't afford to replace control systems every time there's a new bug. What do you do when you've got 10,000 sensors? You need appropriate policies and procedures and risk assessment to determine what makes economic sense. Maybe some are so critical you have to do something. But all ten thousand won't be."
Conventional wisdom says putting barriers around control systems or external controls protection is the best way "because there's a lot of discussion and debate that the technical detail techniques people are proposing won't work in legacy systems; they don't have the capability to support them," said Cosman. "And that's true. If you can't put newer techniques in older systems, which will be with us for years, then the only option left is a barrier to protect it."
But people who own these systems need to understand their limitations, Cosman said. "One place we can get into trouble with security is trying to do more advanced types of communication and information sharing with systems that don't have the capability of putting state-of-the-art security measures in. If you have a control system, and you want to connect it to external systems for information exchange, and the system can't protect itself, you might want to reconsider or replace the control system in order to do it securely."
What about covert break-ins from the inside? Cosman said those are harder to detect and alarm on in legacy systems. "One of the measures there is to just audit," he said.
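The two measures discussed above, a perimeter that only admits authorized users (Huba) and auditing access to catch insiders the perimeter cannot stop (Cosman), both reduce in practice to checking controller access records against a written policy. The following is an added example of that check, not code from the article or from any of the vendors quoted; the log format, the controller names, the 10.10.5.0/24 engineering subnet, the approved account names and the failure threshold are all constructed for the illustration.

```python
"""Audit controller access logs against a perimeter and account allowlist.

Added example. The log format, hosts, addresses and policy values below are
constructed placeholders, not taken from the article or any vendor product.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical policy: only the engineering-workstation subnet may reach
# controllers, and only through the named engineering accounts.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.5.0/24")]
ALLOWED_USERS = {"eng1", "eng2"}
FAILURE_THRESHOLD = 3  # a success after this many failures is flagged

# Constructed log lines in a simple "timestamp src user dst result" form.
SAMPLE_LOG = """\
2005-09-01T08:02:11 10.10.5.21 eng1 plc-01 success
2005-09-01T08:05:40 10.10.5.22 eng2 plc-02 success
2005-09-01T11:17:03 192.168.40.9 eng1 plc-01 success
2005-09-01T22:40:01 10.10.5.30 admin plc-03 failure
2005-09-01T22:40:09 10.10.5.30 admin plc-03 failure
2005-09-01T22:40:15 10.10.5.30 admin plc-03 failure
2005-09-01T22:40:22 10.10.5.30 admin plc-03 success
"""


@dataclass
class Finding:
    line_no: int
    reason: str


def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, src, user, dst, result = line.split()
    return ts, ipaddress.ip_address(src), user, dst, result


def audit(log_text):
    """Return one Finding per policy violation, in log order.

    Three checks: source address outside the allowlist (perimeter bypass),
    account not on the approved list, and a success that follows a run of
    failures from the same source/account/controller (guessing indicator).
    """
    findings = []
    failures = defaultdict(int)  # (src, user, dst) -> consecutive failures
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        ts, src, user, dst, result = parse_line(line)
        if not any(src in net for net in ALLOWED_SOURCES):
            findings.append(Finding(n, f"source {src} outside control-network allowlist"))
        if user not in ALLOWED_USERS:
            findings.append(Finding(n, f"account {user!r} not an approved engineering account"))
        key = (src, user, dst)
        if result == "failure":
            failures[key] += 1
        else:
            if failures[key] >= FAILURE_THRESHOLD:
                findings.append(Finding(n, f"success after {failures[key]} failures from {src} as {user!r}"))
            failures[key] = 0
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}")
```

On the constructed sample the audit flags line 3 (an address outside the engineering subnet reaching plc-01, which is what the perimeter should have blocked) and lines 4 to 7 (an unapproved account that succeeds on its fourth attempt, the kind of insider activity only the audit trail reveals). The same structure extends to a real log by replacing the parser and the two allowlists with the site's own.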
A standard thing
Industry-developed standards are key because they provide a common architecture, language, and approach to security. "And when adopted, standards can serve as a form of peer pressure on non-compliant players in the industry," said Staggs. They are also important because they give people a basis for what to accept, Weiss said. "A vendor will give you his standard, and that may not meet the accepted level. It's like getting a UL stamp. If it has a UL stamp, I'm comfortable it's met minimum electric code requirements. But if I get it from a vendor and it doesn't have a UL stamp on it, they can make claims, but I don't know if it's met minimum standards."
Of course the industry needs a benchmark to measure the security robustness of its systems. It needs to know what tests and what results define a secure system, said Huba. At the same time, you don't buy a secure system; you have to create it, he said. "Standards aren't just for the equipment and system vendor but for the user to develop security policies and procedures to set up and maintain their system security," he said. "A security standard should require all vendors be capable of changing default user passwords prior to system commissioning. Vendors can provide the capabilities and tools to create a secure system, but it is up to the customer or user to be sure they use the tools."
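Huba's point that the vendor supplies the capability but the user must actually use it is easiest to enforce as a gate in the commissioning procedure: no device goes live while any account still carries a factory default. The following is an added example of such a gate, not code from the article or from any vendor; the device models, the factory-default table, the fingerprinting scheme and the inventory are constructed placeholders.

```python
"""Pre-commissioning credential check for control-system devices.

Added example. Device models, the factory-default table and the inventory are
constructed placeholders; a real check would load the site's own lists.
"""
import hashlib
from dataclasses import dataclass

# Constructed table of factory-default (username, password) pairs per model.
FACTORY_DEFAULTS = {
    "plc-model-x": [("admin", "admin"), ("operator", "operator")],
    "hmi-model-y": [("admin", ""), ("service", "service123")],
}


def credential_hash(username, password):
    """Fingerprint a credential so the inventory never stores plaintext.

    Keyed with the username so the same password on two accounts does not
    yield the same fingerprint. This is a commissioning fingerprint, not a
    password-storage scheme.
    """
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


@dataclass
class Device:
    name: str
    model: str
    username: str
    credential: str  # fingerprint produced by credential_hash


@dataclass
class CheckResult:
    device: str
    issue: str


def check_device(dev):
    """Return the list of reasons this device must not be commissioned yet."""
    issues = []
    for user, pw in FACTORY_DEFAULTS.get(dev.model, []):
        if dev.username == user and dev.credential == credential_hash(user, pw):
            issues.append(CheckResult(dev.name, f"factory default credential for {user!r} still active"))
    if dev.credential == credential_hash(dev.username, ""):
        issues.append(CheckResult(dev.name, "blank password"))
    if dev.credential == credential_hash(dev.username, dev.username):
        issues.append(CheckResult(dev.name, "password equals username"))
    if dev.model not in FACTORY_DEFAULTS:
        issues.append(CheckResult(dev.name, f"no default list for model {dev.model!r}; review manually"))
    return issues


def commissioning_gate(inventory):
    """Return (ready, findings); ready is False while any device fails."""
    findings = [i for dev in inventory for i in check_device(dev)]
    return (len(findings) == 0, findings)


# Constructed inventory: two devices still on defaults, one changed, one of
# a model with no known default list.
INVENTORY = [
    Device("PLC-01", "plc-model-x", "admin", credential_hash("admin", "admin")),
    Device("PLC-02", "plc-model-x", "admin", credential_hash("admin", "Xk9!site-unique")),
    Device("HMI-01", "hmi-model-y", "admin", credential_hash("admin", "")),
    Device("RTU-07", "rtu-model-z", "admin", credential_hash("admin", "changed-locally")),
]


if __name__ == "__main__":
    ready, findings = commissioning_gate(INVENTORY)
    print("ready to commission:", ready)
    for f in findings:
        print(f"  {f.device}: {f.issue}")
```

The gate refuses the constructed inventory because PLC-01 and HMI-01 are still on factory defaults and RTU-07 is a model the default table does not cover, which is itself a finding: a device whose defaults are unknown has not been shown to be changed. Only once every device is clean does `commissioning_gate` return ready.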
Writing industry standards is vital to the overall society, and "it's the only way we can ensure we bring everyone to the proper level of security in the shortest time," said William Cotter, senior instrument specialist at 3M Co. in St. Paul, Minn. "I'd like to think some brilliant people will create some wonderful solutions, but that would rely too much on serendipity," he said. "You cannot build a business case on luck. Industry standards will make sure we cover all the details and processes we can, and all the pieces we buy will work together. Otherwise we'll have chaos trying to get all of the systems to work together, and this would lead people to turn off the protections just to get things working."
Build a business case
Collaboration is only one of the tools experts say will help win the case for control system security. Building a business case for taking action before an incident occurs is also imperative, they said.
"To be able to do an economic tradeoff between security and other operational and maintenance needs, you need an economic basis to say, 'Do I upgrade my vibration monitoring system, or do I do a vulnerability assessment, or put in a firewall?'" said Joe Weiss, executive consultant with KEMA Inc. in Cupertino, Calif. "To do that, you need a quantitative business case to say, 'What's it worth to me?' So you can make a prudent decision on what to do, not only if you should spend, but how much to spend."
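Weiss's two arguments, that not all 10,000 sensors can justify mitigation and that a decision needs a quantitative answer to "what's it worth to me?", are usually worked through with the standard risk-quantification formulas: annualized loss expectancy (ALE, the loss per incident times the expected incidents per year) and return on security investment (ROSI, the loss a control avoids relative to what it costs). The following is an added example applying them to rank candidate controls under a fixed budget; it is not from the article or from KEMA, and the portfolio, loss figures, rates and costs are constructed placeholders.

```python
"""Rank candidate control-system security investments by ROSI.

Added example. ALE and ROSI are standard risk-quantification formulas; the
portfolio below and every dollar figure in it are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass
class Candidate:
    name: str
    loss_per_incident: float   # single loss expectancy (SLE), dollars
    incidents_per_year: float  # annual rate of occurrence (ARO), unmitigated
    mitigation_cost: float     # annualized cost of the proposed control
    risk_reduction: float      # fraction of ALE the control removes (0..1)


def annual_loss(c):
    """Annualized loss expectancy: ALE = SLE * ARO."""
    return c.loss_per_incident * c.incidents_per_year


def rosi(c):
    """Return on security investment: (avoided loss - cost) / cost."""
    avoided = annual_loss(c) * c.risk_reduction
    return (avoided - c.mitigation_cost) / c.mitigation_cost


def prioritise(candidates, budget):
    """Greedy selection: fund the highest-ROSI controls first while the
    budget lasts. Controls whose ROSI is not positive are never funded,
    whatever the budget; that is the 'all ten thousand won't be' case.
    Returns (funded names in funding order, budget left over)."""
    funded, remaining = [], budget
    for c in sorted(candidates, key=rosi, reverse=True):
        if rosi(c) <= 0:
            break  # everything after this point is also non-positive
        if c.mitigation_cost <= remaining:
            funded.append(c.name)
            remaining -= c.mitigation_cost
    return funded, remaining


# Constructed portfolio of four candidate controls.
PORTFOLIO = [
    # ALE 100k, avoids 80k for 40k: ROSI 1.0
    Candidate("dcs-perimeter-firewall", 2_000_000, 0.05, 40_000, 0.8),
    # ALE 100k, avoids 60k for 25k: ROSI 1.4
    Candidate("historian-vulnerability-assessment", 500_000, 0.2, 25_000, 0.6),
    # ALE 5k, avoids 4.5k for 300k: ROSI negative, never funded
    Candidate("legacy-sensor-fleet-replacement", 50_000, 0.1, 300_000, 0.9),
    # ALE 100k, avoids 50k for 15k: ROSI 2.33
    Candidate("remote-access-hardening", 1_000_000, 0.1, 15_000, 0.5),
]


if __name__ == "__main__":
    for c in sorted(PORTFOLIO, key=rosi, reverse=True):
        print(f"{c.name:40s} ALE={annual_loss(c):>10,.0f} ROSI={rosi(c):6.2f}")
    funded, left = prioritise(PORTFOLIO, 50_000)
    print("fund:", funded, "unspent:", left)
```

With a 50,000 budget the greedy pass funds remote-access hardening and the historian assessment, skips the firewall because the remaining 10,000 cannot cover it, and stops at the sensor-fleet replacement because its ROSI is negative at any budget. The inputs are the hard part: the ARO and risk-reduction figures are exactly the "actual histories with economic numbers" Weiss says the industry lacks, which is why the case histories he is collecting matter more than the arithmetic.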
"We need to look at safety as a model and address security much like we would safety," said Eric Cosman, engineering solutions architect at Dow Chemical Co. in Midland, Mich. "We know now you can make a business case for safety before you hurt somebody. Doing this proactively will cost less and be less disruptive than trying to respond after an incident."
Weiss is developing case histories of companies whose control systems have been affected by cyber incidents. In several cases, the companies did not implement security mitigations because there was no business case to justify the funding. "Hopefully, this will help provide support to obtain funding to prevent cyber events and their associated direct and indirect impacts," Weiss said. What the industry does now is speculate about potential losses after an attack and shutdown. "But people don't believe that will happen because control system cyber events are rarely made public and certainly not with economic impacts. So you need actual histories with economic numbers."
Without a business case people are reticent to spend money, Weiss said. "If it's mandated, you don't have to worry about a business case. Government hearings are occurring right now on this issue. If you're regulated, and you're told you can't operate without this, you'll put it in."
"Since I work for a for-profit company, we have to have a business case to justify why we spend money," said William Cotter, senior instrument specialist at 3M Co. in St. Paul, Minn. "The main reason to do the work before a disaster is to make anything that might have happened a non-disaster. Of course, this will make it impossible to prove that the work was worth it. However, the cost of not doing anything seems very expensive."