Not your Father's Control System

It is no secret that control systems have changed dramatically over the last 25 years. While those changes have brought great rewards, they have also introduced fierce threats, like Stuxnet.

Sometimes, however, it’s helpful to step back and look at those changes from a distance. What types of things have changed? What were the drivers that caused the change to happen? Maybe (if we’re lucky) we can use the knowledge gained from this reflection to predict how control systems are likely to evolve in the next decade or so.

Personal computers did exist when I entered the working world, although they were the 8-bit variety at the time and ran long-forgotten operating systems such as CP/M. Computer networks were something most of us could find only in scientific journals, along with other cool but seemingly remote concepts like graphical user interfaces. The vast majority of sensor and control devices communicated to other systems only through interfaces such as RS-232, RS-485 or current loop. For most control system engineers, the idea of connecting these systems to the business network was out of the question. Why would you even want to do that?

But in the 1990’s Microsoft got Windows onto a stable 32-bit platform, and Ethernet took hold as a communications technology. This meant control system vendors could build their products on top of an inexpensive, high-performance platform, resulting in control systems that were not only very rich and capable in their own right, but could also interface with the enterprise data systems that were running the business. This sparked a revolution that is still happening today. Control systems evolved to use TCP/IP networks in the space of only a few years. PLC and sensor vendors rushed to retrofit Ethernet interfaces and TCP/IP onto their existing designs. Windows-based software applications like data historians, HMIs and MES systems attained levels of capability that would have seemed like science fiction only ten years earlier.

Huge productivity gains resulted from this technological revolution. In fact, for most industries the integration of business and control systems has become a competitive necessity. However, in adopting these technologies, we not only inherited all the advantages, but also the disadvantages. The complexity of control systems skyrocketed, so now there are more potential points of failure – even down to simple components like cables, switches, routers, and power supplies.

Of course, security is one area that this mix of openness and complexity has really affected control systems. For example, malware was never really an issue in control systems prior to the move to open systems. And prior to Stuxnet, most viruses didn’t care whether the PC they were infecting was part of an enterprise or a control network – both were infected indiscriminately. However the financial and safety consequences of a malware incident can be much more severe on the plant floor. There’s nothing too scary about re-booting an accounting workstation; re-starting a boiler or a paper machine is a whole different matter.

The cyber security incident data collected in the not-for-profit Repository for Industrial Security Incidents (RISI) database tells an interesting story. The earliest incident recorded in RISI occurred in 1982, over a quarter century ago. However, the period of continuous annual incidents (i.e. where there is no year without a reported incident) didn’t begin until 1994. The first year to see a significant increase in the frequency of cyber-security incidents was 1998. Then there is a striking increase in the annual incident rate starting in late 2001. In recent years, the rate of reported incidents is even higher, settling out at about 10 to 15 new incident reports per quarter.

At the risk of looking like complete fools in a few years’ time - let’s take the history of the last 20 years, and project it forward to 2030. What will our control systems look like then?

First of all, we know that we will have to deal with new types of threats. Stuxnet is a wake-up call on this topic – control system security will never be the same after the revelations of this past summer. Security solutions must, and will, adapt to address these new threats.

One other thing that is certain – the competitive pressures that drove the technological revolution are not going away, in fact the safe bet is they will only increase over time. Where are the new productivity gains going to come from? It’s hard to predict the path of innovation, but I feel pretty confident that significant productivity gains will not continue unless cyber security improvements (at least) catch up.

Finally, it’s fairly certain the complexity of our ICS and SCADA systems will not be decreasing either – a factor which tends to make improved security even tougher to achieve. We’re going to need a quantum leap in security capability to keep this party going…

So what might a next-generation security solution look like? We’ve been working for a couple of years now with several members of an organization called the Trusted Computing Group (TCG) on a promising initiative called Trusted Network Connect (TNC). TNC is a standards-based network access control (NAC) infrastructure. Since the TNC protocols are open and fully documented, equipment from multiple vendors can be combined to create sophisticated and highly flexible systems. One particular TNC standard that we find exciting is the Interface for Metadata Access Points (IF-MAP).

The range of systems that interface to TNC is already mind-boggling. Of course, it includes the expected devices like LDAP servers, firewalls, switches and VPN appliances. What is interesting are the things like access control systems that report where users are in a facility, wireless APs that can report the location of mobile assets, and data leakage sensors that can tell you if you have holes in your firewalls. These disparate systems talk to each other through an IF-MAP server, which acts like a clearing house for real-time event data. We’re working with several TCG members to adapt TNC to the requirements of ICS and SCADA networks, in the hope plant operators will have access to the same flexible and scalable solutions and maybe even manage security for both enterprise and ICS networks with the same set of tools.

Why is this important? Imagine you have a user connected to the control system from home via VPN, then the physical access control system reports he has badged into the building from the parking lot. What is he doing in two places at the same time? Using proprietary interfaces, integrating this information to drive security policy would be a challenge, but using TNC, it is pretty straight forward. In our case, we tested having the Tofino VPN break connections if there is a physical location violation. It really is cool.

If you have a chance to attend the ISSE security conference this week in Berlin, I’ll be presenting a paper called “SCADA and Control System Security: New Standards Protecting Old Technology” on behalf of TCG. It provides more info on TNC and the work we’re doing with other TCG members to implement it in SCADA and control networks.

How do you see ICS and SCADA networks evolving in the future? What do you think will need to be done to secure them? We’d love to hear back from you.

Related Links

Blog: Speak Up NOW on New IF-MAP Specs for ICS and SCADA Security