SCADA Cyber Security: An International Issue
Three years ago, the concept of industrial cyber security became a popular discussion topic within the industrial networking community. Now the discussion has risen to the level of heads of state within the international community. The Executive Order – Improving Critical Infrastructure Cybersecurity signed by President Obama in February of this year is just one indication of the importance being attached to this issue.
What’s also interesting is the change in focus of this discussion topic. The key question has changed from an interested “Why do we need to secure our industrial network?” to a frantic “How do we do it?”
Obama’s Executive Order on Cybersecurity: A Sign of the Times? Image Credit: Mashable
US intelligence chiefs have said that cyber-attacks have replaced terrorism as the primary security threat. And they are taking these threats very seriously. For example, on March 12th, 2013, US General Keith Alexander testified to Congress regarding an announcement made by the Pentagon Cyber Command. This announcement outlined a plan to create 13 teams, by the fall of 2015, charged with the national defense against large-scale cyber-attacks that could knock out domestic electric power infrastructures.
Transportation, Energy and Manufacturing Industries Are Paying the Price
So who are the cyber-attackers targeting?
To answer this question, we can refer to the Mandiant Report, an annual report compiled from hundreds of advanced threat investigations, which aims to reveal:
“...evolving trends, case studies and best practices gained from Mandiant observations to targeted attacks in the last year.”
According to the Mandiant Report released in February 2013, transportation, energy and manufacturing are in the top ten most targeted industries for cyber-attacks. If there was any debate about it before, industrial cyber security is now without a doubt an international security topic.
The costs of these cyber-attacks are staggering - and difficult to estimate.
For example, the 2012 Cost of Cyber Crime Study from the Ponemon Institute put the cost of cyber-attacks within the USA at $8.9 billion in 2012. However, according to the Foreign Policy National Security Newsletter, “more recent estimates have put the cost of theft as high as $338 billion per year”. Frankly, we think the second number is high, but the fact remains: poor security is getting expensive. And a large portion of this total loss is incurred within the industrial automation and energy sectors.
Attention Hackers - Only 416 days to Access the System Prior to Detection!
Built for reliability and stability rather than security, industrial infrastructure networks have long been easy targets for malware attacks. City and regional infrastructures depend on reliable access to energy and sound transportation systems. In a very real sense, all infrastructures are built upon the industrial infrastructure base. The concept of the ‘network of everything’ that futurists and city-planning commissions have spoken about optimistically for years has arrived.
But they forgot one thing: industrial security.
According to Mandiant, 416 days is the median number of days that advanced attackers have access to networks before they are detected. Yes, you read that correctly. 416 days! A lot of damage can be done in 416 days.
This much is certain then: many current cyber threats are as yet undiscovered and unknown.
Industrial infrastructures are growing in size and complexity. And it’s all too clear that traditional enterprise IT solutions have not been successful at safeguarding them from cyber-attack. They do not provide the deep-packet inspection capability that is best practice in the field, nor do they emphasize segmenting the network into protected zones. As well, they tend to focus on preventing loss of confidential information, rather than what really matters in the industrial world: reliability and integrity of the system.
Many cyber threats are ‘hidden dangers’, lying undiscovered and unknown. Image Credit: The Allstate Blog
In the process automation sector alone, we typically find six to eight auxiliary networks outside of the central distributed control system (DCS). These auxiliaries can include the Safety Instrumented System (SIS), Sequence of Events (SOE), Analysis Management Data Acquisition Systems (AMDAS), Plant Information Management Systems (PIMS), Vibration Monitoring Systems, Position Location Systems, Alarm Management Systems, Fire and Gas Systems, and Building Automation Systems. As well, most companies now have some form of remote support for each of these systems.
The reach and scope of industrial IT networking has increased mobility, efficiency and operational safety. However, without proper security considerations, these growing networks only increase the vulnerability to cyber threats.
How Can We Secure SCADA and Industrial Control Networks?
It’s evident that there’s no simple solution to securing our critical infrastructure. It’s going to take time and careful planning. A combination of best practices, utilizing technologies designed for industrial security, and focused effort is the only way to mitigate the risk of attacks on industrial systems.
It is important that staff are familiar with industrial security standards. We recommend the ISA/IEC 62443 (formerly ISA-99) standard. Major oil and gas and chemical companies such as Exxon, Dow and DuPont are using it, and we have repeatedly seen its strategies used successfully in the field.
Particular industries also have their own standards – the North American power industry’s NERC CIP, for example.
At Tofino Security, we have developed, in partnership with exida, our own best practice for ensuring good security. To read the details about this process, download the "7 Steps to ICS and SCADA Security" white paper.
Use Network Technologies Designed for Industry
Look for technology solutions that are designed specifically for the plant floor, rather than for standard IT systems. Seek robust technologies that integrate with industrial network management systems. Deploy firewalls that secure industrial protocols, and practice Defense in Depth with zone-level security.
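The difference between port-based filtering and deep-packet inspection with zone-level policy, as an added example (not code from the article or from any vendor product). It assumes Modbus/TCP as the industrial protocol, which the article does not name; the ENG zone and the policy table are hypothetical, while PIMS and DCS are the systems listed earlier.

```python
import struct

# Hypothetical zone/conduit policy (an assumption for illustration):
# (source zone, destination zone) -> Modbus function codes allowed through.
READ_ONLY = {0x01, 0x02, 0x03, 0x04}   # read coils / inputs / registers
WRITES = {0x05, 0x06, 0x0F, 0x10}      # write single/multiple coils / registers
POLICY = {
    ("PIMS", "DCS"): READ_ONLY,            # plant information system may only read
    ("ENG", "DCS"): READ_ONLY | WRITES,    # engineering workstation may also write
}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header and function code; raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not Modbus")
    if length != len(frame) - 6:   # length counts the unit id plus the PDU
        raise ValueError("MBAP length does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[7]}

def inspect(src_zone: str, dst_zone: str, dst_port: int, frame: bytes):
    """Return (verdict, reason). A port-only firewall stops after the first check."""
    if dst_port != 502:
        return "DROP", "not the Modbus/TCP port"
    allowed = POLICY.get((src_zone, dst_zone))
    if allowed is None:
        return "DROP", "no conduit between zones"
    try:
        pdu = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "DROP", str(exc)
    if pdu["function"] not in allowed:
        return "DROP", f"function 0x{pdu['function']:02x} not allowed"
    return "ALLOW", "ok"

# Constructed sample frames (not captured traffic).
READ_HOLDING = bytes.fromhex("000100000006010300000002")  # read 2 holding registers
WRITE_SINGLE = bytes.fromhex("00020000000601060001002a")  # write register 1 = 42

if __name__ == "__main__":
    for zone in ("PIMS", "ENG", "OFFICE"):
        for name, frame in (("read", READ_HOLDING), ("write", WRITE_SINGLE)):
            print(zone, name, inspect(zone, "DCS", 502, frame))
```

Both sample frames target TCP port 502, so a port-based rule treats them identically; only the function-code check separates a read from a write.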
Collaboration and Teamwork
Last but not least, let’s not forget the importance of teamwork. IT and engineering teams must collaborate to ensure that best practices are in place and that innovative advances to security are developed and deployed.
Regardless of whether your organization is a critical infrastructure provider, or whether your enterprise has one or many industrial networks, securing your networks has never been more important.
In 2013, do you think enough emphasis is being placed on the importance of industrial cyber security? Are we making any significant progress in tackling this issue? What else needs to be done? I look forward to hearing from you.
Thomas Nuth, BA and MBA
Thomas is responsible for market analysis and valuation for Belden's global INET business.
Practical SCADA Security thanks Thomas for this article.
Ed Note: Tofino Security is part of the Hirschmann industrial networking solutions group within Belden.
Related Content to Download
- White Paper: "7 Steps to ICS and SCADA Security"
- Automation.com, Webpage: Cyber Attacks on Industrial Systems Increasing Rapidly
- National Vulnerability Database (NVD), Webpage: Database search page
- Blog: SCADA Security Basics: Why are PLCs so Insecure?
- Blog: S4 Security Symposium Takeaway: Time for a Revolution