ICS security

These days, industrial network security is a top of mind concern for managers in industrial automation organizations. However, there isn’t a simple formula for applying it and many engineers either don’t know where to start or don’t know how to develop practical skills in this area.

Add on the challenge of trying to implement something new, while still getting the day job done ... and all in all it can be overwhelming.

Author Mike Miclot

Nobody likes the job of replacing a good team member when they retire. Yet, that is the job the manufacturing industry is faced with as a trusted component of the industrial application ecosystem steps down from active duty. That component is the Windows XP operating system (OS), a workhorse of a product that is pervasive in factories, energy facilities and many critical infrastructure systems around the world.

Author Mike Miclot

On the eve of April 8, Microsoft retired support for the Windows XP operating system (OS) – leaving millions of Windows XP users susceptible to accidental and deliberate security issues. Though the retirement had been long planned and with fair warning, industrial network users are just beginning to comprehend the ramifications.

You have likely never worried about the possibility of a high school geek doing some programming that affects your home water quality. Well, neither had I until I learnt that some municipal networks have no security between the network their schools use and the one that runs their water/wastewater facility.

One of the major differences between industrial networks and enterprise networks is that industrial networks are typically managed by engineers or technicians. Now engineers are experts at making good product, designing control loops and so on, but they are not IT security wizards. That's the reality, and it means that security products that "just work" reliably and safely with automation systems are going to be more effective in actually delivering security than products that don't.

Dale Peterson and I have been debating ICS security in our blog posts for over a year now. This January, we took our debate live at the S4x14 conference in Miami, Florida. While Dale refers to me as a SCADA Apologist, I believe I am more of a SCADA Realist.

Jeff Smith of American Axle & Manufacturing (AAM) is a guru in the world of industrial Ethernet networking and ICS Security. We were fortunate to have him speak again at the 2013 Belden Industrial Ethernet Infrastructure Design Seminar.

Today I am glad to be writing about a good news story. That story is that Belden's Eric Byres is being awarded the ISA (International Society of Automation) Excellence in Leadership award for his contributions to the automation industry in the area of industrial security.

This award must be particularly exciting for Eric because it is ISA's most prestigious award and is awarded by his peers, that is, members of ISA.

ISA President Terrence G. Ives remarked:

In a recent blog article – Chicken, Egg, and Chicken Omelette with Salsa – Dale Peterson is squawking like a rooster. Nothing new, but this time his message is scrambled. He once again referred to me as a SCADA Apologist, though this time he also labeled me the “salsa” that accompanies a chicken omelette.

Due to a “if it ain’t broke, don’t fix it” mentality, our industry has historically resisted, rather than embraced, emerging technology. Thankfully – and not a moment too soon – experts have started to take advantage of the technologies at their disposal in one key area: security.

One of the industries major oil and gas trade shows, the Offshore Technology Conference (OTC) was held last month. Belden and Tofino Security had a very busy booth there, as both safety and security were hot topics with attendees. It is good to see that security is finally making the list of corporate priorities.

Now when engineers look at security, a topic they should know about is Deep Packet Inspection (DPI) and why offshore networks need to use it if they want to be secure.

Improving the cyber security of industrial networks is a challenge you may be facing.

On the one hand your manufacturing processes probably use devices such as PLCs (programmable logic controllers) and DCS (distributed control systems) that were designed with a focus on reliability and safety rather than security. On the other hand your industrial networks are already, or soon will be, connected to your company’s enterprise networks and migrated to Ethernet.

Our last blog, contributed by Thomas Nuth, highlighted the fact that industrial cyber security is now being discussed by heads of state within the international community - the Executive Order – Improving Critical Infrastructure Cybersecurity signed by President Obama in February of this year being just one indication of the importance being attached to th

Three years ago, the concept of industrial cyber security became a popular discussion topic within the industrial networking community. Now the discussion has risen to the level of heads of state within the international community. The Executive Order – Improving Critical Infrastructure Cybersecurity signed by President Obama in February of this year is just one indication of the importance being attached to this issue.

In my last blog, I shared some secrets on how to successfully use patching in SCADA and control systems.

This week, I’ll look at the pros and cons of using compensating controls as an alternative to patching, and discuss the requirements for success.

If you have read my previous blogs on patching for control system security, you might think I am completely against patching. Guess what? I’m not against them!

In my last blog, I discussed the reasons why critical industrial infrastructure control systems are so vulnerable to attacks from security researchers and hackers, and explained why patching for such systems is not a workable solution.

As regular readers of this blog know, after Stuxnet, security researchers and hackers on the prowl for new targets to exploit shifted their efforts to critical industrial infrastructure.

Unfortunately, the Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) applications they are now focusing on are sitting ducks.

Last week I received am email (shown further down on this page) purporting to be from the US Internal Revenue Service (IRS).

Editor’s Note: This is an excerpt from ISSSource.

It wasn’t that long ago when cyber security seemed like a foreign language to those folks entrusted with running companies. It was not like they didn’t know about it, but it just was not top of mind.

Not anymore.

With cyber threats evolving to the point where they are affecting their companies and their customer’s companies, chief executives are taking a new look and approach to how they attack cyber security.