After the Stuxnet worm exploited a zero-day vulnerability in a popular industrial controller, it's clear that operators of large-scale infrastructure management systems need to work with the IT security community to better safeguard these critical systems.
Industrial Control Systems (ICS) are used by utility companies and manufacturers to manage critical infrastructures worldwide, including electric power plants, oil/gas operations, pipelines, mining operations and transportation. Today's security problems are like never before, which is why those working in ICS need help from those working in the IT security industry.
ICSs include Supervisory Control and Data Acquisition (SCADA), Distributed Control Systems (DCS), Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), Intelligent Electronic Devices (IED), field controllers, sensors, emission controls, building controls such as fire suppression, thermostats and elevator controls, and automated business and residential meters.
ICSs measure, control and provide the operator a view of the process. The operator view is often Windows-based and appears to be traditional business IT technology. However, the field devices that measure and control the process use proprietary operating systems and communication protocols and have their own unique characteristics. These field systems do not look like business IT systems and are technically and administratively different from IT systems. Even security policies are different: ISO-27001 applies to IT, but ICSs utilise ICS-specific policies such as those from the International Society for Automation (ISA). ICSs used to be isolated – out of sight, out of mind.
But that's all changing. ICSs are being upgraded with advanced communication capabilities and networked (including to the Internet) to improve process efficiency, productivity, regulatory compliance and safety.
These networks can be within a facility or even between facilities that are continents apart. When an ICS does not operate properly, the resulting problems can range in impact from minor to catastrophic, including deaths and physical destruction.
Until recently, ICS were not specifically targeted by hackers and were only impacted by the law of unintended consequences when these systems were connected to the Internet.
That changed last month with the Stuxnet worm. The worm was directed at a very popular process controller (Siemens Simatic Programmable Logic Controller) and exploited a zero-day vulnerability in the PLC's WINCC SQL database.
The exploit lay bare the disconnect between the IT and ICS communities. This particular PLC (as well as many other ICSs) burned the default passwords in software. The hackers exploited this design to get access to the database.
The nominal response would be to change the default password. However, because of the controller software, a change to the default password would shut down the PLC since the applications depend on that password.
Now what's needed is for the IT community to help the ICS community secure these thousands of devices, even though the default passwords cannot be changed.
It can be argued that the ICS community is about 10 years behind the IT community in securing systems. We need help to catch up. However, cultural issues between the IT and ICS communities make this difficult.
Unfortunately, there are competing technical and administrative requirements between IT and ICS systems as well as inter-departmental conflicts because of scarce dollars. The IT community understands security, but not the technical domain of these systems. Conversely, the ICS community understands the technical domain but not security. We need to get both sides working together.
Moreover, the Stuxnet worm should once and for all dispel the notion that ICSs are not susceptible to targeted cyber attacks. I've written a book, Protecting Industrial Controls Systems from Electronic Threats that details the specific differences between IT and ICS systems and provides approximately 20 actual ICS cyber incidents (there have been more than 170 ICS cyber incidents to date including four that have killed people).
We also need the forensics community working with us as there are minimal ICS cyber forensics capabilities. Most of the 170 ICS cyber incidents were not identified as cyber. The 10th Applied Control Solutions ICS Cyber Security Conference will be held September 20-23. This conference is focused exclusively on cyber security of ICSs. As an example of the need for ICS cyber forensics, two ICS engineers spoke at last year's conference. Each had multiple ICS cyber impacts - one actually shut down a major coal-fired power plant. However, in both cases, the logging was not capable of identifying who or when.
The bottom line is that we need help and soon. A major ICS cyber incident can cause mind-numbing consequences as can be seen from the recent BP oil spill.
Joe Weiss is managing partner at Applied Control Solutions and author of "Protecting Industrial Control Systems from Electronic Threats."