Over the last few months, there has been much press coverage on the subject of viruses and worms that have been specifically aimed at the industrial control systems market. Just enter "Stuxnet" into your favorite search engine to marvel at the results.
The IT world has embraced security for many years, but the world of industrial systems is lagging behind by as much as 15 years in some sectors. However, it is not all gloom and doom and most of the major control systems vendors are incorporating AV, whitelisting products, firewalls, IDS/IPS and other security devices into their current and future products. However, the life of a system in the industrial world is long, with some sectors looking at installing a system that will last for 30 years or more, which no IT system would be expected to do.
The industrial control world can learn much from the IT security experts of today, and the following is a number of top tips that industrial controls engineers need to embrace.1. Security Awareness
The tailoring of IT security awareness programs for the industrial controls world can easily be done. There are specific challenges around control systems that will need to be addressed, such as ensuring that all devices, such as a USB thumb drive, are only installed after a thorough virus and malware check.
In addition, there are many control systems engineers who do not have a good IT knowledge due to their age and the fact that they have never really needed these skills. These people probably need more education on a continual basis than those who deal with IT on an everyday basis. The systems integrators and contractors used by your company should also not be ignored as these can often be unaware of current security best practices.
2. Risk Assessment
Each control system needs to be assessed to ascertain the risk that it poses to the organization. Without knowing where the major risks are, it is impossible to prioritize any risk mitigations, such as firewalls or IDS devices. Having a firewall segregating your control systems from your corporate network but leaving modems connected increases risk but also can give a false of security.
3. Legacy Systems
IACSs often have a long lifetime and it is common to see out of date operating systems in use around a plant, such as Windows NT and Windows 98. These have dual problems in that they cannot be patched, yet are still vulnerable to new exploits, and often are not compatible with AV. These devices should be isolated from other devices on the network using a firewall or VLANs.
Also, devices that have a built-in computer should not be forgotten. For example, analyzers are often essential to the industrial process but can be a weak point in your network.
The use of wireless around an industrial plant has become more and more prevalent over the last few years, even to the point where suppliers are offering tools to control your network from an iPhone or Blackberry. Any wireless network should be built using robust, secure devices, such as those designed around the ISA 100 protocol and also isolated wherever possible with a firewall. As wireless signals can be the subject of denial of service attacks, the use of wireless for control or safety critical functions needs very careful consideration.
5. Communicate and Collaborate
The world of IT and industrial computing is similar in many ways with the use of DHCP servers, Domain servers, routers, and VLANS. But the terms used are often different which can lead to many issues. There is no how-to manual for either side to learn the others terminology, and the only way is to communicate with each other. The trends in IT security today will be in the industrial world tomorrow, so it is essential to learn what the hot security topics are and, more importantly, how these can be applied to the industrial space. Collaborating with IT personnel on projects will become more and more essential as the two groups merge the technology.
The task of securing control systems cannot be left to one group. Everyone needs to be aware of the risks and participate in ensuring systems are more secure from vendors all the way through to end users. Any group along the way who neglects security will introduce a potential insecurity into the system that may be present for many years to come.
Graham Speake is a principal systems architect at industrial automation supplier Yokogawa Electric where he provides security advice to internal developers and customers. His specialties include industrial automation and process control security, penetration testing, network security, and network design.