Getting Started on ICS and SCADA Security (Part 1 of 2)
The furor over the Siemens vulnerabilities and the fear that Son-of-Stuxnet could be around the corner has raised awareness of the need for cyber security to be taken seriously by the process and critical infrastructure industries.
If you are a process control engineer, an IT professional in a company with an automation division, or a business manager responsible for safety or security, you may be wondering how your organization can get moving on more robust cyber security practices. This is the article to get you started.
Step 1 – Get a Security Risk Assessment Done
The ISA99.02.01 and IEC62443 cyber security standards state that your first step should be a Security Risk Assessment, a belief I share wholeheartedly. Unless you know the risks you are trying to mitigate, you are just throwing your money away by rushing to solutions.
Unfortunately, I see many companies do exactly that. A salesperson says “buy my security technology and all will be secure” and companies believe him or her. They throw money at a solution for what might be a minor risk, leaving far more serious risks unaddressed.
Now, we are vendors of security technology and obviously we don’t like to turn down sales! But, as a responsible professional in your organization, you should be advocating for taking a step back and doing the risk assessment work first.
Companies like exida do great work in this area and have sophisticated risk analysis tools and services available. Your investment in a Security Risk Assessment will provide a payback in terms of avoiding errors, highlighting priorities and providing a framework that facilitates discussions between groups.
Step 2 – Learn Industrial Cyber Security Fundamentals
While the Security Risk Assessment is in progress, it is a good idea to learn about industrial cyber security fundamentals.
A good place to start is the ANSI/ISA-99 Standards, which address the subject of cyber security for industrial automation and control systems. The standards describe the basic concepts and models related to cyber security, as well as the elements contained in a cyber security management system for use in the industrial automation and control systems environment. They also provide guidance on how to meet the requirements described for each element.
The ANSI/ISA99 standards provide the base documents for the ISO/IEC standards in industrial control security, known as IEC-62443. Over the next few years, these standards will become the core standards for SCADA and process control security worldwide.
Visit the ANSI ISA-99 Standards section of this website for more information. A handy presentation that summarizes the fundamentals of the standards is available at the end of this article.
Step 3 – Understanding the Unique Requirements of ICS and SCADA Cyber Security
Another part of your education process might be to work with your IT group to inform them why ICS and SCADA security approaches are different from traditional IT security approaches. A ton can be written on this, but a brief synopsis of key points is:
- Plant downtime has to be strictly avoided unless scheduled. Thus, technologies that require frequent rebooting of systems are not suitable.
- Industrial cyber security devices, such as firewall appliances, often need to be industrially hardened. That is, they need to be certified to work in extreme operating conditions.
- Plant systems are made by different vendors than typical IT vendors. ICS and SCADA cyber security technologies should be certified and approved by industrial automation vendors and standards groups.
- Ease of configuration and management of technologies is important as configuration errors can negate the protective value of a technology. Industrial cyber security products are often managed by controls engineers who are not firewall specialists. Thus, technology solutions need to be suitable for the skills of the people who operate and manage them.
- Depending on the vendor equipment and networking technologies being used in the plant, cyber security products might need to be effective in securing industrial protocols that do not exist in the enterprise world. Examples are the Modbus TCP and OPC Classic protocols.
- More and more industries are moving towards cyber security regulation. A current example is NERC CIP in the power industry. Thus, solutions are needed that meet and exceed relevant industry standards.
- A focused and ongoing effort for cyber security is “normal” for business and enterprise systems. Such effort is “new and unusual” for automation systems. Recognition of the different “state of nation” by the people responsible for the different systems can go a long way towards constructive teamwork.
Now, I know that getting the automation side of the house and the IT side of the house “playing together nicely” is a bit like the quest for the Holy Grail, but the fact is that cooperation is necessary. If you can lead or facilitate such cooperation, then you will be considered “part of the solution” rather than “part of the problem”.
In Part 2 of this article I will discuss the remaining steps to making your facility cybersecure.
Related Content to Download
"Building Intrinsically Secure Control and Safety Systems Using ANSI/ISA99 Security Standards for Improved Security and Reliability"
(overview presentation on the fundamentals of the ANSI/ISA-99 Standards)
"Effective OPC Security for Control Systems" (1.4 MB)
(even if you do not use OPC, this White Paper has a good discussion of Defense-in-Depth)
Practical SCADA Security Articles about using Security Zones:
- Controlling Stuxnet – No More Flat Networks PLEASE. Let's Embrace "Security Zones"
- Using Tofino Security to Control Stuxnet - New Application Note (includes a section and a diagram on dividing control networks into security zones)