1 July 2005

Cyber security meets plant politics

Don't neglect your control system.

By Joseph M. Weiss

Control systems are the backbone and mission-critical components of global industrial infrastructures: electric power, oil and gas, chemical, pharmaceutical, water, paper, metal refining, auto manufacturing, transportation, and food processing. As these systems have moved from closed, proprietary platforms to open, standards-based ones, that openness has come at a cost: cyber vulnerability. Proprietary systems share in those vulnerabilities as well; we have either ignored them or assumed they fall into the category of security by obscurity.

A relatively small number of vendors sell control systems to nearly every country in the world. The wide geographical distribution of this relatively small global market, compounded with the growing threat of intentional and unintentional cyber incidents, means that a weakness in one widely deployed product could have widespread impact on the reliable operation of control systems.

In theory and practice

Security studies by the U.S. Department of Energy (DOE) and by commercial security consultants, including KEMA, have demonstrated the cyber vulnerabilities of control systems. More than 60 real-world cases have been identified (though not publicly documented) in which electronic means impacted the reliable operation of control systems. The expectation had been that a cyber event involving a control system would be obvious and publicly known. That assumption has turned out to be wrong.

Companies whose control systems have been impacted by cyber events are unwilling to publicly acknowledge the intrusions or their impacts. Cyber events have occurred in control systems for electric power transmission, distribution, and generation (fossil, gas turbine, and nuclear), and in control systems for water, oil and gas, chemical, paper, and agri-businesses.

As industry and governments become more aware of and active in control system security, we can hope that Internet monitoring organizations will recognize and analyze related incidents in collaboration with vendors, and promulgate the results to infrastructure owners and operators. As the risk environment continues to evolve, the security community can no longer afford to focus solely on enterprise business applications; incident analysis must now include control systems and the associated impact on critical infrastructures.

Risk environment

Control systems could offer some of the most attractive targets to malicious actors: they contain critical data and are often the least electronically protected assets. They have been designed to specific reliability and availability requirements, but not to specific cyber security requirements. Adapting cyber security to those requirements is another challenge, and one we must meet.

If malicious actors gained access to these systems, they would have access to data critical to the operation of the system. A knowledgeable attacker could also modify the data used for operational decisions, the programs that control critical industrial equipment, or the data reported to control centers. The impact could be destructive.

Such attacks could drive equipment beyond its design and safety limits and potentially result in damage, premature system shutdown, and interference with safety system operations; or they could immobilize control equipment outright. Consequences could include endangerment of public health and safety, environmental damage, or significant financial impact from loss of power production, transmission, or distribution.

Control system researchers at the DOE's national laboratories have gone so far as to demonstrate the feasibility of cyber attacks on control systems similar to those installed at electric power generation facilities. Using tools readily available on the Internet, researchers bypassed the protection features of firewalls and took direct control of substation LANs, changing settings and creating new outputs that could incapacitate or even damage power plant equipment.

Control systems are susceptible to attack because they were not designed to meet cyber threats. As control systems move from traditional closed networks into highly interconnected, heterogeneous networks containing both standardized and legacy technology, the threat environment has changed. In these heterogeneous networks we cannot directly apply security technologies designed for common business IT systems to control systems and still provide adequate protection. Control systems were designed to operational requirements for reliability and availability, so the integration of security into those systems must account for these requirements, which can differ drastically from those of business IT systems.

Most control systems in use perform specific tasks and have only limited processing power and memory. Consequently, they lack the computing resources needed to run the authorization, authentication, encryption, intrusion detection, and filtering capabilities of modern security technology. To date, these constraints preclude the use of technologies such as National Institute of Standards and Technology (NIST)-approved block encryption and public key infrastructure (PKI) without seriously degrading control system performance: these technologies are too resource-intensive for many legacy controllers and may actually cause the systems to fail as they attempt to keep up with the demands on their limited resources. Although modern control systems are built on standard operating systems, those operating systems are typically customized to support control applications. Vendor-provided software patches may therefore be incompatible with the customized version of the operating system, or difficult to apply without interrupting service.
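As an added illustration (not from the article, and not a recommendation of the author or of KEMA), the following Python script makes the two preceding points concrete using Modbus/TCP, a common control-system protocol the article does not name. It builds a genuine Write Single Register command, shows that an on-path party can rewrite the setpoint with nothing in the frame revealing the change, and then appends a hypothetical per-frame HMAC tag under a pre-shared key as one mitigation that is far lighter than block encryption or a PKI handshake. The key, unit id, register address and setpoint values are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Modbus/TCP "Write Single Register" (function code 0x06).
# Frame layout (big-endian): MBAP header = transaction id (2), protocol id (2, always 0),
# length (2) = bytes that follow = unit id + PDU, unit id (1); PDU = function code (1),
# register address (2), register value (2). There is no authentication field anywhere.

def build_write_register(transaction_id: int, unit_id: int, address: int, value: int) -> bytes:
    """Encode a Modbus/TCP Write Single Register request (12 bytes)."""
    pdu = struct.pack(">BHH", 0x06, address, value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_write_register(frame: bytes) -> dict:
    """Decode the request the way a slave device would; it has no way to reject a forgery."""
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    fc, address, value = struct.unpack(">BHH", frame[7:12])
    if pid != 0 or length != len(frame) - 6 or fc != 0x06:
        raise ValueError("malformed frame")
    return {"transaction_id": tid, "unit_id": unit, "address": address, "value": value}


def tamper_value(frame: bytes, new_value: int) -> bytes:
    """On-path rewrite of the register value: bytes 10..11 are the value field."""
    return frame[:10] + struct.pack(">H", new_value)


# Hypothetical lightweight integrity check (an assumption for this example, not the
# article's recommendation): an HMAC-SHA256 tag, truncated to 16 bytes, over the whole
# frame under a pre-shared key. One hash per frame is cheap enough for a small controller.
TAG_LEN = 16


def protect(frame: bytes, key: bytes) -> bytes:
    tag = hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]
    return frame + tag


def verify_and_strip(protected: bytes, key: bytes) -> Optional[bytes]:
    """Return the bare frame if the tag verifies, else None (constant-time compare)."""
    frame, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    expected = hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return frame


def demo():
    """Constructed scenario: setpoint 350 written to register 0x0010 of unit 17."""
    key = b"constructed-demo-key-not-for-real-use"
    legit = build_write_register(1, 17, 0x0010, 350)

    # Unprotected: the forged setpoint 900 parses as a perfectly valid command.
    accepted_value = parse_write_register(tamper_value(legit, 900))["value"]

    # Protected: the genuine frame verifies, the forged one is rejected.
    protected = protect(legit, key)
    forged = tamper_value(protected[:-TAG_LEN], 900) + protected[-TAG_LEN:]
    return accepted_value, verify_and_strip(protected, key) is not None, verify_and_strip(forged, key)


if __name__ == "__main__":
    print(demo())
```

The tag addresses modification only: a captured, correctly tagged frame can still be replayed later, so a real deployment would also have to bind the tag to a sequence number or the transaction id, and key distribution to every field device remains the hard part that the article's resource constraints make difficult.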

Industry activities

Several governments and private organizations, as well as industry associations, have developed cyber security courses, guidelines, and standards aimed at promoting awareness of control system vulnerabilities and mitigation measures.

Traditional control system vendors are usually not supplying secure control systems, and customers (utilities) are not requesting them. This may be due in part to vendors seeing no market demand for security because customers are not asking for it. Another factor is the long lifecycle of control systems and the perception that "if it isn't broken, don't fix it." This gap between vendors and customers is compounded by the lack of security specifications, which in turn may reflect the absence of a government mandate for control system security. ISA's SP99 Committee and the NIST-established Process Controls Security Requirements Forum (PCSRF) are working to define a common set of information security requirements for control systems that users and vendors alike can reference, and several groups are developing standards that increase the security of control systems.

Economic hurdles

Justifying security investments is not unique to industrial operations; every organization questions the return on investment of security spending. For enterprise business applications, cyber incident statistics, such as those tracked by CERT/CC, are readily available, as is the associated economic impact.

However, economic justification for industrial security, including electric power, is difficult. Operational managers must make economic trade-offs between O&M expenditures and control system cyber security mitigation. A quantitative business case documenting the impacts of actual cyber incidents could help others develop an economic justification for industrial security. Consequently, a study is in progress to develop representative case histories of companies in which cyber intrusions have impacted control systems, some of them at power plants.

Results to date include the following: companies are reticent to report control system cyber security incidents; incidents incur expenses even when power is not interrupted; penetration testing and vulnerability scanning of live control systems is itself an issue, because conventional IT scanning has significantly degraded control system workstations (see the confirmed impacts below); and most of the cases could have been prevented, or at least substantially mitigated, by adequate security policies and procedures.

Although quite a few hurdles impede control system security, continued collaboration among industry, standards organizations, vendors, and governments will advance security for these systems and bring it to customers. Education, standards, and guidelines for control systems will lead to enhanced security and sustained reliability for the industry as a whole, and to enhanced economic viability and public safety.

Behind the Byline

Joseph M. Weiss is an executive consultant at KEMA, Inc. in Cupertino, Calif.

Recommendations cited

As a result of the 14 August 2003 Northeast Blackout, the U.S.-Canada Power System Outage Task Force issued a report with 46 recommendations, 13 of which specifically address cyber security. At least three of the recommendations go beyond the current NERC Standard 1200 and even the Permanent Standard intended to replace it.

  • Recommendation 33: Develop and deploy IT management procedures
    "... vendors should ensure that system upgrades, service packs, and bug fixes are made available to grid operators in a timely manner." Although this recommendation is not reflected in the Permanent Standard, industry is working to address it under the leadership of NERC.
  • Recommendation 37: Improve IT forensic and diagnostic capabilities
    "... and make certain that IT support personnel, who support EMS automation systems, are trained in using appropriate tools for diagnostic and forensic analysis and remediation." Again, this is an area that will benefit from further work as the recommendation is addressed, and it will help bridge the gap between IT and operational personnel.
  • Recommendation 39: Develop capability to detect wireless and remote wireline intrusion and surveillance
    "Both the public and private sector should promote the development of the capability to reasonably detect intrusion and surveillance of wireless and remote wireline access points and transmissions. ... should also conduct periodic reviews to ensure that their base is in compliance with existing wireless and remote wireline access rules and policies."

We can interpret this recommendation to include network communications and telecommunications, which the Permanent Standard does not currently address; work on this recommendation could strengthen the ties between the telecommunications and electric power industries.

Confirmed damage from documented cyber impacts

  • Discharge of millions of liters of sewage due to intentionally and remotely opened valves
  • Loss of megawatts from opening of circuit breakers
  • Loss of generation from tampering with boiler control settings
  • Loss of SCADA function from outside hacking
  • Significant performance degradation of control system workstations from traditional IT scanning
  • Shutdown of industrial facilities resulting in loss of production

To date, none of the enterprise incident statistics cited above takes into consideration control systems, their environments, or their requirements. With the industry's move toward off-the-shelf hardware, software, operating systems, and networking technologies, control systems are at greater risk of unintended consequences from traditional Internet worms and viruses.