March/April 2011

ISA99 examines standards' strength against Stuxnet-like attacks

By Ellen Fussell Policastro

If you have been following news on the threats to control systems and how to prevent them, you are probably familiar with Stuxnet, a sophisticated computer worm first revealed in the summer of 2010. It is the first known malware written specifically to compromise a control system and sabotage an industrial process. Stuxnet's capabilities are seeing more coverage in the press these days, and some of these capabilities may migrate into new threats. Going forward, automation systems must be able to detect advanced Stuxnet-like threats and either block them or recover from them.

In response to these threats, the ISA99 standards committee on Industrial Automation and Control Systems Security has formed a task group to conduct a gap analysis of the current ANSI/ISA-99 series of standards. The purpose is to determine if companies following the ISA-99 standards would have been protected from such sophisticated attacks and to identify needed changes, if any, to standards the ISA99 committee is developing.

"The ISA-99 series of standards and technical reports is rooted in a set of principles and concepts for industrial systems security that have been vetted over a period of several years," said ISA99 co-chairman Eric Cosman, engineering solutions consultant at Michigan Operations in Midland, Mich. "It is important to remain consistent with these principles while responding to a rapidly changing threat environment. This is how we achieve standards that can stand the test of time."

The new task group intends to produce a technical report summarizing the results of its analysis by mid-2011.

Stuxnet threat

"Stuxnet used the same approach as the man-in-the-middle (MITM) attack that's been around since 2002," said Joe Weiss, executive consultant at Applied Control Solutions LLC in Cupertino, Calif. "It took control of the operator screens, preventing the operator from knowing that not only was the PLC compromised, but the process was being compromised, and he didn't see it."

"The MITM type of attack was demonstrated back in 2004 by the U.S. Department of Homeland Security's Control Systems Security Program, whereby a MITM attack using a classic flaw in IP networking is combined with an application level attack using the control system's own communications protocol," said Bryan Singer, principal investigator of industrial security at Kenexis Security Corporation in Helena, Ala., and co-chair of ISA99.

"It is this type of attack that we have long since been most concerned about," Singer said. "Most of the attacks and compromises of control systems to date are comprised primarily of ancillary impact to the control system or non-targeted attacks that resulted in nuisance trips. It is the combination of these three factors that presents the most opportunity for a serious and long-lasting impact to control systems. What is even more unique about Stuxnet is that it appears to be a comprehensive malware framework with many nuances to it that are still being understood today. I don't think we've seen the last of Stuxnet, and we certainly have seen a new playing field for malware writers opened up."

"Every new worm, virus or hack is an evolution on a previous one," said ISA99 member Eric Byres, chief technology officer at Byres Security Inc., in British Columbia, Canada. "The bad guys learn from their successes and mistakes so they can build scarier, more effective attacks," he said.

"The ICS community also has to learn from the past, or we will be left far behind in the malware arms race," Byres said. "Stuxnet gives us the perfect opportunity to learn how the ANSI/ISA-99 standards will stand up to the advanced persistent threats that will appear in the future and how the standards can be improved."

ISA99 key ingredient

The ANSI/ISA-99 standards address the vital issue of cybersecurity for industrial automation and control systems. The standards describe the basic concepts and models related to cybersecurity, as well as the elements contained in a cybersecurity management system for use in the industrial automation and control systems environment. They also provide guidance on how to meet the requirements described for each element.

The ANSI/ISA-99 standards form the base documents for the IEC 62443 series of industrial automation (sometimes generically labeled "SCADA," or supervisory control and data acquisition) security standards. Over the next few years, these standards will become core international standards for protecting critical industrial infrastructures that directly impact human safety, health, and the environment. They might be extended to other areas of application, even broader than those generically labeled "SCADA." Based on this, it is essential that industrial companies following the IEC 62443 standards know they will be able to stop the next Stuxnet. The work of the new ISA99 task group will have a significant impact on ensuring automation facilities are secure in the future.

The new task group, designated ISA99 WG5 TG2, is open to all cybersecurity subject matter experts. Interested parties should contact Eric Byres (eric@byressecurity.com). Cybersecurity experts interested in joining the ISA99 committee are asked to visit http://isa99.isa.org and contact Charley Robinson (crobinson@isa.org).

ABOUT THE AUTHOR

Ellen Fussell Policastro (efussell@isa.org) is an ISA Standards administrator.