8/12/2019 SCADA Security: What Is an Industrial Control System?

SCADA Security: What Is an Industrial Control System?

Tyson Macaulay and Bryan L. Singer

Process control system (PCS), distributed control system (DCS), and supervisory control and data acquisition (SCADA) are names frequently applied to the systems that control, monitor, and manage large production systems. The systems are often in critical infrastructure industries, such as electric power generators, transportation systems, dams, chemical facilities, petrochemical operations, pipelines, and others, giving the security of PCS, DCS, and SCADA systems elevated importance in the increasingly networked world we live in.

SCADA especially is a term that has fairly recently been deprecated. In 2002 the International Society of Automation (ISA) started work on security standards for what it called industrial automation and control systems (IACS), under the aegis of its 99 standard. IACS included SCADA services and reflected the wider and broader industrial infrastructures that were based on IP and interfaced with IT systems. IACS was further shortened in 2006 when the Department of Homeland Security (DHS) published Mitigations for Vulnerabilities Found in Control System (CS) Networks. Finally, in 2008, the National Institute of Standards and Technology applied the current compromise name, industrial control systems (ICS), in its landmark publication of NIST 800-82: Guide to Industrial Control System Security.

In this chapter we distinguish between PCS, DCS, and SCADA systems as a matter of formal detail, but for the most part we intend all three systems when using the term industrial control systems (ICS). As a preliminary summary, ICS gathers information from a variety of endpoint devices about the current status of a production process, which may be fully or partially automated. Historians, typical IT systems within process control environments, gather information concerning the production process. PCS, DCS, SCADA, and so forth, read values and interact based upon automated logic, alarms and events requiring operator interaction, or report automated system state changes.

A process control system allows operators to make control decisions, which might then be relayed upstream, downstream, or to parallel processes for execution by the same system. These systems could be within the four walls of one building, or could be spread throughout a potentially massive geographical region (in the case of items such as pipelines, power distribution, and water and wastewater management). For example, an ICS might gather information from endpoint devices that allow operators to assess that a leak may have opened in a pipeline. The system aggregates this information at a central site, which contains intelligence and analytics alerting a control station and operators that the leak has occurred. Operators then carry out necessary analysis to determine if and how the leak may impact operations, safety, and regulations (environmental, health, and safety).

ICS displays the information gathered from endpoint devices in a logical and organized fashion, and keeps a history of the parameters received from the endpoint device. If the leak under investigation required that pressure in the pipeline be reduced or even that the pipeline be shut down, then these operational instructions may be issued from the control station through the ICS. Another possibility is that the ICS is intended for monitoring but not active intervention, in which case the operators would dispatch maintenance teams according to the coordinates provided by the process control system.

This example starts to reveal the fact that control systems can be relatively simple or incredibly complex. More often than not, the systems are more complex than is readily apparent on the surface, which in part distinguishes them from IT systems. For instance, where the traditional IT space deals with a fairly limited set of operating systems, communications protocols, and Open System Interconnection (OSI) model layer 1 (physical) and layer 2 (data link) device vendors (as illustrated in Figure 1.3), a typical process environment can represent hundreds of devices from different vendors with different specifications, protocols, and physical deployment requirements.


    http://www.infosectoday.com/Articles/SCADA_Security.htm?utm

    10/9/2013


Figure 1.3. OSI layers versus TCP model. (From Gilbert Held, A Practical Guide to Content Delivery Networks, Auerbach, New York, 2006.)

Systems may be solely intended for the purpose of collecting, displaying, and archiving information from endpoint devices. For instance, urban traffic flow information from various intersections around a large city is used for both day-to-day governance and long-term urban planning. Alternately, ICS in a nuclear power plant or a municipal water system may have the ability to apply either automatic, semiautomatic, or operator-controlled changes. It is important to note at this point that ICS are not necessarily the same as safety systems, and in some cases are completely distinct. More on the difference between ICS and safety systems will follow in this section.

Is Industrial Control System Security Different Than Regular IT Security?

Comparing techniques, tools, and terminology, ICS security is not entirely different from current IT security. There are differences, however. These differences largely center around the following principles:

Almost all ICS security failures have physical consequences, impacts that are frequently more severe and immediate.

ICS security issues often manifest initially as traditional maintenance failures or other nuisance trips and process stoppages, making them difficult to diagnose and remedy. Anomalies are more prevalent.

ICS security can be more difficult to manage: old systems that can't be patched or upgraded, no luxury of development and test environments, massively dispersed assets with mandatory requirements for frequent remote access, and conventional protections such as antivirus or firewall that may not be able to be utilized.

Cyber threats to an ICS include myriad additional threat vectors, including non-typical network protocols, commands that cannot be blocked due to safety or production issues (alarm and event traffic, for example), and otherwise valid communications used by an attacker in invalid ways.

What is more, most legacy and even many contemporary ICS assets were not planned and budgeted with IT-like security as part of cost of goods calculations; therefore the business margins simply do not support additional security, especially in regulated industries where tariffs are approved by regulators. Many of these industries are already heavily regulated, and operators are naturally reluctant to add any additional complexity into a process if it complicates compliance. Given that convergence between IT and ICS networks is a relatively new discipline, ICS security as a domain has much it may productively learn from the far more mature, larger IT security domain.

Threat and risk assessment and management are far more developed in the IT domain, as are the language and tools for addressing threats and risks in a systematic fashion using standardized terminology. Conversely, off-the-shelf IT security controls and safeguards are not ready to be applied wholesale to ICS: there needs to be a reconciliation and understanding of the potential for kinetic impact and lasting physical damage to product quality, operations assets, and potentially irrecoverable downstream and upstream impacts to customers, partners, and suppliers.

Last, because of overlapping but not necessarily apparent impacts shared between IT and ICS, people may be reluctant to take action. For instance, if an industry has explicit safety regulations to apply and has built to these mandatory safety standards, then security may not even be on the table! It can take a lot in some cases to convince someone that a security issue is not addressed by a safety design that has been accepted by a regulator.

What Has Changed in ICS That Raises New Concerns?

ICS technology has been evolving since the earliest systems for remote monitoring and controlling of industrial processes were put in place in the 1960s. Prior to this period, manual operator observations and intervention were the norm, aided by networks of pipes with gauges that allowed very simple forms of process monitoring. (Think of the steam pressure gauge on a boiler, which might be available on the bridge of a ship.) The advent of transistors and modern electronics made the process control systems as we know them today possible, allowing industrial processes to be made both more efficient and more pervasive.

Of course, ICS also improved the ability to detect and respond to dangerous situations, and thereby mitigate some of the risks associated with massively scaling up industrial production processes in order to gain economies of scale. As we will discuss soon, while ICSs are not safety systems, they allow processes to be managed with a significantly greater degree of assurance than could be attained by applying pre-ICS techniques, such as manual observations by larger staffs of industrial workers.

As might be expected with any new technology, in the earlier days of ICS there were many different suppliers, each with a proprietary technology. Standards for process control communication did not exist at the birth of the process control market, so each vendor tended to develop the necessary technology to connect remote endpoint devices to the networks and transport the data to central data historians and management consoles. Gradually, the ICS market consolidated through attrition, mergers, and acquisitions to the point we are at today, with perhaps half a dozen dominant process control vendors from an original field of probably hundreds.


In addition to market consolidation, a wide variety of new requirements have emerged for process control systems relative to their initial foundations. For instance, the period in which ICS has been evolving has paralleled the evolution of business information systems, which moved from carbon paper and dictation to e-mail and Internet commerce during the same period. Similarly, a host of new regulatory requirements, from financial reporting to environmental monitoring, have come into effect while process control systems evolved. These factors mean that process control systems had an increasing need to interface with other information and reporting systems in the business.

Recent industrial history has demonstrated that the life cycle of a control system is now between 15 and 30 years. As little as even 15 years ago, network and software security was not a top priority in the control systems environment, and ICS networks were not using the same underlying protocols as the other business networks within organizations. Recall that 15 years ago technologies such as Novell and Banyan dominated the LAN market, while IEEE 802.3 Ethernet was just evolving. Internet protocol was available, but typically only as a fiddly third-party software extension.

The IT and ICS networks were conventionally and technically isolated. Control systems were stand-alone assets not connected to business networks or the outside world except perhaps for very slow modems that would be used for remote management and maintenance. Competition among process control vendors and a drive for simpler to manage networks and cost savings have driven ICS from highly proprietary, custom-built, stand-alone systems to those that use commercial off-the-shelf (COTS) hardware and software components.

With the convergence of ICS onto the same IP and operating system platforms as other generic business tools and applications comes increased risk. In the last 6 months of 2010, Symantec stated in its Internet security threat report [10] that it "recorded more vulnerabilities in 2010 than in any previous year since starting this report. Furthermore, the new vendors affected by a vulnerability rose to 1,914, a 161% increase over the prior year."

The Symantec evidence makes it plain that malicious code and cyber threats continue to grow as the Internet expands and penetrates further and further into both business and personal applications, but how does this translate to threat levels related to ICS assets?

Some analysts estimated that 10% of all IP-enabled devices in existence today are ICS devices. [11] This number of connected devices (versus people via PCs and laptops) is expected to grow dramatically with a compound growth rate of 30% from 2012 to 2020, reaching as many as 7 billion devices by that time and completely outnumbering people-oriented connections. [12]

Much of this connectivity will be through wireless cellular technology, but also through more traditional Ethernet LANs; but all of it will be IP-based and especially IPv6 (see the last chapter for a discussion of IPv6). Connected devices are all around us, yet their profiles and exposure to IP-based threats are hardly known relative to the discussion and effort associated with IT controls and safeguards. Granted, any IT controls and safeguards can be directly applied to ICS, but the way they are applied is always based on a risk calculation, and ICS risks are distinct from IT risks, as discussed previously.

More encouraging is that awareness of ICS security has risen dramatically in the last few years. The U.S. Department of Homeland Security recognizes the importance of ICS security education and awareness and offers funding for industrial control security research and tools for managing and even procuring secure process control systems. For instance, DHS has published the cyber security procurement language document as a means to help asset owners integrate security into their control system's security life cycle. There is also the Idaho National Labs Recommended Practices Commission, and the Control Systems Security Program (CSSP) at the U.S. Computer Emergency Readiness Team (US-CERT [13]).

About the Author

From Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS by Tyson Macaulay and Bryan L. Singer, ISBN 978-1-4398-0196-3. New York: Auerbach Publications, 2012.
