September/October 2012
The Final Say

Securing industrial control systems

By Graham Speake

Over the last 10 years, more security solutions are available, and more industrial end users have implemented them to protect their businesses. Today, nearly all companies use an anti-virus product installed on their industrial control system (ICS), as well as having their ICS segregated from the business network and the Internet by a firewall.

However, the threats against businesses and ICSs, such as Stuxnet and Flame, are increasing and becoming more sophisticated. Thus, end users and the suppliers that serve them need to collaborate to ensure these threats are contained and thwarted.

The potential security risks posed to end users are not limited to new ICSs, but also to the myriad of existing ICSs currently in place, which often pose greater problems. These existing ICSs may be decades old, and often use older operating systems such as Microsoft Windows NT. Unfortunately, these older ICSs and their operating systems often cannot be updated or successfully secured because they are considered obsolete by the manufacturer and are thus no longer supported with bug fixes and patches.

Understanding what security measures will be needed in the short and medium term is critical in order to ensure budgets, people, and processes can be properly and adequately prepared. Every company needs to ensure the ICSs with the highest risk and highest potential impact are mitigated first. Implementing the easiest security solutions may give end users a higher confidence in terms of implementation, but in reality not reduce their security risk profile.

Initial security measures for any company include analyzing their ICS firewall and the interconnections to other networks including their own business network, the Internet, and third-party supplier networks. The type of links to be examined should include Ethernet connections, as well as modems and Virtual Private Networks. Analysis of ICSs frequently reveals multiple connections, at least some of which are not necessary. These multiple connections should be consolidated as much as possible to ensure all interconnections go through a properly installed and configured firewall.

The firewall can also be used to segment older, less secure ICSs. If these older legacy ICSs cannot be replaced, they should be isolated from newer ICSs as much as possible, such that communications among networks are limited in order to reduce the chance of infection. For some older ICSs, an industrial control system-specific firewall appliance can be used to provide a measure of protection.

ICSs deployed over the last 10 years will typically have had anti-virus software included. This software should be checked periodically to ensure the latest updates are in place and active. Regardless of the security measures deployed, end users need to authorize that safe applications are used throughout the ICS, typically with whitelisting software used in the system.

Whitelisting software only allows those applications that are labeled as safe and trusted to be executed. If a virus tries to execute a software program that isn't on the approved list, this unapproved access will be detected and denied execution rights. Whitelisting is a good security measure, but particular care must be applied to the master system that monitors and deploys the whitelisting application to all the other systems to make sure it is functioning properly and securely.

One of the biggest potential attack threats in an ICS is the use of USB flash drives, external hard drives, and CDs/DVDs. These storage devices are often employed by engineers to update ICSs or to physically transfer data. Simple preventative measures can reduce the risk from these devices. USB ports can be disabled, or inexpensive USB locks can be installed. CD and DVD drives can have their autorun features disabled in the operating system as a protective measure.

While a variety of hardware and software security measures can be deployed, they are only effective if the users of the ICSs understand their importance. This requires a workable set of security practices that have been communicated to the user community via regular training sessions. End users can inadvertently or accidentally circumvent or disable security, but this is less likely to happen when they know the purpose and the function of installed security measures and systems.

ABOUT THE AUTHOR

Graham Speake is the Principal Systems Architect at the Yokogawa IA Global Marketing Center. He has spent the last 15 years securing computer systems for IT and control systems. Graham has worked for major end users and vendors, giving him an all-round perspective on the cyber security and other issues facing the industry.