Why IT Security And SCADA/Manufacturing Security Are Different
By Eric Byres, CTO, Tofino Security, A Belden Brand
The Times, They are A’changing
Industrial SCADA, ICS and manufacturing systems once ran on proprietary networks, used proprietary equipment, and were isolated from business networks and the internet. Life was simpler for both the IT manager and the plant manager.
Then, in the late 1990s, industrial networks began to migrate from proprietary systems to commercial off-the-shelf technology like Ethernet, TCP/IP, and Windows. Business drivers led to the convergence of company networks and industrial technologies, which rendered many control systems accessible through non-SCADA networks. And companies began reducing network deployment and management costs through shared hardware, backbones, and network support resources.
The Perfect Storm
Industrial security is clearly a game with the advantage going to the attacker: millions of decades-old systems that were never designed to be secure, increasing connectivity of SCADA and ICS, and a growing library of free tools and techniques to attack ICS products.
A successful attack on an industrial network could mean production losses, significant safety or environmental issues, or the theft of intellectual property, including information obtained from the enterprise network. Indeed, the industrial network could be the simplest backdoor to your enterprise network.
The Times, They are A’changing
It’s evident that there’s no simple solution to securing industrial control systems. The process is going to take a lot of time and effort, as well as some very careful planning.
Recognizing That Industrial Risks and Objectives Are Different
When starting on the path to secure an ICS system, it is important to understand that the risks faced by these systems can be considerably different from those of an IT system. This means very different strategies and technologies may be needed.
As an example, consider the security goals of the IT security manager versus the plant manager. The IT security manager typically sees data protection as paramount (don’t let those credit card numbers be stolen). The resulting strategy is to focus on confidentiality and the access controls needed to achieve it.
In contrast, the plant or utility manager focuses on human and plant safety first, followed by the reliability of the production. Few electrical utility customers will care if their electrical consumption data is stolen, but turn the lights out for 10 minutes and there is hell to pay.
As a result, security in ICS is first and foremost concerned with maintaining integrity and availability. Technologies that get wide usage in the IT world (such as encryption) may be viewed as counterproductive on the plant floor, as they can make troubleshooting network issues more complex, thus reducing overall system availability.
These differences in goals translate into huge differences in acceptable security practice. For example, using standard password lockout procedures just isn't acceptable for most operator stations in plant control rooms. The default needs to be access for the operator, not lockout, which is the opposite of the IT assumption. Imagine the impact if, during a chemical reactor emergency, the operator panics and incorrectly enters his password, causing the console to lock. Password lockout is considered good policy for protecting IT servers but certainly isn’t going to work in the control room of the average chemical facility.
Since industrial networks are often required to run 24/7/365 and withstand hazardous environments, many IT security policies are never deployed; operational necessities and safety regulations overrule them. Even traditional IT security strategies, such as patching, are often impossible due to conflicting industry-specific regulations.
Finally, control systems have unusual operating systems and applications (such as VxWorks and RSLogix). These products differ significantly from typical IT operating systems and applications. This means that many of the tried-and-true IT security solutions will not function correctly or, assuming they do run, will interfere with the process systems. At the most basic level, the result is that security solutions we take for granted, such as antivirus protection for critical equipment, just don’t exist. There simply aren’t any AV products that run on PLCs.
Don’t Throw the Baby Out With the Bathwater
This isn’t to say that IT security solutions are bad for industrial systems. In fact, studies at major oil companies have shown that 90 percent of all IT security policies work well for ICS. The answer lies in clearly understanding how operational assumptions and needs differ from those of the IT world and then modifying the IT security practices to use them properly in the ICS world. This takes close cooperation and teamwork from both IT and ICS personnel, rather than blind dependence on IT security procedures and technologies.
Focus on the Crown Jewels
Another key technique is not to try to apply a blanket solution across your entire ICS. Every control system has one or more assets that would seriously impact production, safety, or the environment if successfully attacked. Your control engineers know what really matters to the operation. If those assets are aggressively protected, the chance of a truly serious cyber incident is significantly reduced. To successfully locate and secure these critical control assets, IT and engineering teams need to work together. Once you locate them, use technologies that are designed for ICS. For example, distributed firewalls that are specifically designed to interpret SCADA protocols can be placed in front of the most critical PLCs to protect them from either accidental or malicious program modifications.
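The kind of check a protocol-aware firewall in front of a PLC performs, as an added example that is not from the original article or any vendor's product. It assumes Modbus/TCP as the SCADA protocol (the article names none); the source addresses, the write policy and the sample frames are constructed for illustration.

```python
import struct

READ_ONLY = {0x01, 0x02, 0x03, 0x04}              # read coils/inputs/registers
WRITES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}     # change coils or registers
# Hypothetical policy: only this constructed engineering-workstation address may write.
WRITE_ALLOWED_SOURCES = {"10.0.5.20"}


def build_frame(transaction_id, unit_id, pdu):
    """Build a Modbus/TCP frame: 7-byte MBAP header followed by the PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def inspect_frame(src_ip, frame):
    """Return (verdict, reason) for one request; anything not understood is dropped."""
    if len(frame) < 8 or len(frame) > 260:
        return "DROP", "frame size outside Modbus/TCP limits"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return "DROP", "protocol id is not Modbus"
    # The length field counts the unit id plus the PDU; a mismatch means malformed.
    if length != len(frame) - 6:
        return "DROP", "length field does not match frame size"
    function_code = frame[7]
    if function_code in READ_ONLY:
        return "ALLOW", "read-only function code"
    if function_code in WRITES:
        if src_ip in WRITE_ALLOWED_SOURCES:
            return "ALLOW", "write from authorized source"
        return "DROP", "write from unauthorized source"
    return "DROP", "function code not on allowlist"


# Constructed sample requests (not captured traffic).
READ_REQ = build_frame(1, 1, bytes([0x03]) + struct.pack(">HH", 0, 10))
WRITE_REQ = build_frame(2, 1, bytes([0x06]) + struct.pack(">HH", 1, 0x1234))

if __name__ == "__main__":
    for src, frame in [("10.0.1.50", READ_REQ), ("10.0.1.50", WRITE_REQ),
                       ("10.0.5.20", WRITE_REQ), ("10.0.1.50", READ_REQ[:-1])]:
        print(src, frame.hex(), *inspect_frame(src, frame))
```

Operator stations keep their read access under this policy, while register writes are accepted only from the designated engineering workstation and malformed frames fail closed.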
Whether your organization is a critical infrastructure provider or your enterprise has one or more industrial networks, securing these systems has never been more important. Regardless of the pain points involved, investing in industrial security is not only responsible, but also necessary for any mission-critical application. The profitability, reliability and safety of both your company and customers depend on it.