1 May 2006
Look to Standards for Secure Plants
By Robert P. Evans
Cyber sabotage is a real danger with grave consequences. As the U.S. has become increasingly dependent on cyber-controlled manufacturing and control systems, it has also become more vulnerable to attacks on the infrastructure that supports these systems. That's where industry standards come in, offering organizations strategies to respond to weaknesses by identifying appropriate countermeasures, defining procedures for implementing electronically secure manufacturing and control systems and security practices, and increasing the security awareness among users.
The use of standards can help identify vulnerabilities in control systems and provide solutions to combat them. This effort should also include industry adoption of a cyber security policy that uses standards in nearly every step of a proactive cyber security process.
Most standards with security components are sector specific, such as those from the American Gas Association for the oil and gas sector, the North American Electric Reliability Council's Critical Infrastructure Protection for the electrical sector, and ISA-SP99 for the manufacturing sector.
Through the U.S. Department of Homeland Security's Control Systems Security Program, a team composed of four national laboratories (Idaho National Laboratory, Sandia National Laboratories, Argonne National Laboratory, and Pacific Northwest National Laboratory) compared several standards to each other and to the security requirements of critical components in control systems, revealing that not all standards are equal and that there is potential for improvement.
Control system vulnerabilities
Intelligent manufacturing equipment and increased connectivity to software have led manufacturers to seek control system protection. The probability of attack and an increase in threats are the results of enhanced external connectivity as well as skilled hackers and more frequent network intrusion.
Through electronic access to the control system, cyber terrorists can disable or disrupt facility operations, causing potential loss of production, environmental damage, loss of intellectual property, and unsafe working conditions, endangering facilities, public safety, and economic stability.
In the last few years, companies have provided access into facility control systems to allow sharing of operating information throughout the company. Control system cyber security becomes vital as control systems tie into other networks. Users of the system, not understanding the dangers of this openness, may unknowingly introduce vulnerabilities into the control system. Although vendors are now becoming aware of the potential for cyber attacks and are considering these risks in their new systems, legacy systems, which still comprise the vast majority of the systems in use, do not have the necessary safeguards and are vulnerable to attack.
Providing cyber security
We can reduce the likelihood and severity of cyber attacks, from inside and outside, by applying the security measures and safeguards from standards. A system's security is dependent on the information available to the organization responsible for that system. Organizations have a limited amount of information simply because their people have limited experience. To compensate for this limited experience, people with years of experience in different phases of a given area develop standards, so they have a wider view and understanding of the potential problems associated with that area. This combined experience can help identify risks through assessments of perimeters, interfaces, and electronic security performance.
The model of the proactive cyber security process comprises five basic steps: define architecture, perform risk assessment, identify and remove vulnerabilities, standardize policies, and provide training. Standards could see use in each step of the process.
To determine the security needs of a system, you need to define and understand the underlying architecture supporting the needed functions.
Securing a system should be a process you can change as threats get more sophisticated. It is not a matter of analyzing a system once and implementing a solution, but rather of continuing the analysis and the threat reduction. So you need to keep repeating the cyber security process to ensure standards continue to address near-term problems and technology as well as allow for potential future technology.
Implementing this cyclical process could mean you have to make changes or additions to your cyber control system. But standards can help you identify the steps you need to put these changes into practice. Some of these steps include: preparing specifications and procuring components; testing to verify proposed changes will not affect the operation of the control system while providing the necessary security upgrades; system backup considerations when installing the modifications; returning the system to operation; and developing recovery plans if a system undergoes attack.
About the Author
Robert P. Evans, Ph.D., is a member of the ISA-SP99 committee on control system security. He is Idaho National Laboratory's control system standards lead for the Department of Homeland Security's Control Systems Security Program and the Department of Energy's National SCADA Test Bed program in Idaho Falls, Idaho.


