In early March the Security Incidents Organization (SIO), Sellersville, Pa., released its annual report on industrial control system (ICS) malware incidents. "This report shows the details of the continuing threats to manufacturing and infrastructure security around the world. As the Stuxnet malware showed in 2010, the threat continues and has become even more complicated and mature," says SIO executive director John Cusimano.
The emergence of the Stuxnet worm, which apparently targeted Siemens control systems at an Iranian nuclear-enrichment facility, certainly exposed serious knowledge gaps in how cyber security is implemented and maintained by process companies.
A new white paper, "How Stuxnet Spreads -- A Study of Infection Paths in Best Practice Systems," aims to help bridge those gaps. Published in late February, it's co-authored by a trio of cyber-security experts: Eric Byres, chief technology officer, Byres Security, Lantzville, BC; Andrew Ginter, chief technology officer, Abterra Technologies, Calgary, AB; and Joel Langill, chief security officer, SCADAhacker.com, Lantana, TX.
The authors describe a hypothetical industrial site that follows the high security architecture and best practices defined in vendor documents. They then show the ways the Stuxnet worm could make its way through the site's defenses to take control of the process and cause physical damage.
While speculation continues as to the creators of Stuxnet, the worm underscores that ICSs now are the target of sophisticated attacks, note the authors, who add that owners and operators must adjust their security programs accordingly. In particular, stress Byres, Ginter and Langill, security programs must:
• Consider all possible infection pathways and have strategies for mitigating those pathways rather than focusing on a single pathway such as USB keys;
• Recognize that no protective security posture is perfect and take steps to aggressively segment control networks to limit the consequences of an incursion;
• Install ICS-appropriate intrusion detection technologies to spot attacks and raise an alarm when equipment is compromised or at risk of compromise;
• Deploy, operate and maintain at maximum effectiveness ICS-appropriate security technologies and practices. These include firewalls, antivirus technology, patching systems and whitelisting designed for supervisory control and data acquisition (SCADA) and ICS, to make attacks by sophisticated malware much more difficult;
• Look beyond traditional network-layer firewalls to firewalls capable of deep packet inspection of key SCADA and ICS protocols;
• Focus on securing last-line-of-defense critical systems, particularly safety instrumented systems (SISs);
• Include security assessments and testing as part of the system-development and periodic maintenance processes, followed by correction of identified potential vulnerabilities, thereby decreasing the likelihood of a successful attack; and
• Work to improve the culture of industrial security among management and technical teams.
"These changes to improve defense-in-depth postures for industrial control systems are needed urgently. Waiting for the next worm may be too late," they say.
CHANGES NEEDED
Byres highlights two requirements in particular as being essential. The first is culture: "On the macro level you need upper management to really develop a security culture: enthusiastic engineers are not enough."
He points to the safety culture that has emerged in the chemical industry over the last 20 years as a model for how this could happen. "Security needs to follow along the same lines now: it must become a top-to-bottom culture with programs that are both technical and procedural. Nothing works unless this is in place first."
BP, Exxon and Shell in the oil and gas sectors and Dow and DuPont in chemicals exemplify how a safety culture can become a security culture, he says. "The management of these companies really understands the security challenge because they already have sophisticated risk-management cultures. So they have concepts in place that allow them to measure and predict risks far better than other companies."
Byres also cites the findings of a major oil company that recently compared the risks and consequences of a serious fire on an offshore oil platform with those of a cyber attack. It determined they were almost identical in terms of cost and loss of life. Yet, the company was spending $50 million/yr on platform fire suppression but only $1 million/yr on cyber security. "This spend was instantly increased. This is a level of risk sophistication that is lacking in many other companies."
Such a lack of sophistication was evident at a distributed control system (DCS) vendor's users' conference he attended shortly after Stuxnet appeared last June. While delighted to see operating company managers there treating malware as a serious problem, he was shocked that one proposed solution involved filling USB ports with silicone. "I realized how badly these people were missing the point. Use as much silicone as you like, it won't make any difference. The next attack will come via a PDF or some other source."
Byres' second priority is to firewall off mission-critical systems such as safety ones. "Remember that Stuxnet only had to attack one system because both control and safety were bundled together in the system it infected -- all the eggs were in one basket," he cautions.
Once the low-hanging fruit such as safety systems have been tackled, you must start to work back. "You need what I call multiple prongs: the people and their culture; then mission critical systems; then standards. The new ANSI/ISA-99 and IEC 62443 standards are concerned with dividing plants into different security zones, so that no worm gets a free rein."
STEPS TOWARD SOLUTIONS
Byres emphasizes that the white paper really focuses on problems rather than solutions. However, a number of papers on solutions currently are being developed.
The first concerns OPC and related protocols for open connectivity. With input from Matrikon (now part of Honeywell), Edmonton, AB, the paper will propose solutions to ensure that OPC gets through but a worm cannot, says Byres. It is due to be published this month.
The second paper involves work with an as-yet-unnamed software company to help operating companies better understand network traffic on the plant floor. "Most companies suffer from a lack of visibility about what is going on in their networks. If people had been watching the network that Stuxnet infected they would have seen all sorts of new traffic: pieces of equipment talking to each other that had never done so in the past, for example." This paper is due to appear in the spring.
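The visibility problem described above is one a plant can start on with nothing more than flow records from a span port or firewall log. The following is an added illustration, not code from the paper or from any vendor: it learns a baseline of which host pairs talk over which service during a quiet period, then flags every conversation in a later window that the baseline has never seen, distinguishing a brand-new peer pair (the "equipment talking to each other that had never done so" case) from a known pair using a new service. Host names, ports and the flow log itself are constructed for the example.

```python
"""Baseline-and-diff detector for new conversations on a control network.

Added illustration only; not code from the white paper or any vendor product.
Flow records are constructed below in a simple text format:
    <ISO timestamp> <src host> <dst host> <dst port> <proto>
ISO-8601 timestamps compare correctly as plain strings, which the code relies on.
"""
from collections import Counter

# Constructed sample: two quiet days, then a third day in which an engineering
# workstation and the HMI start reaching hosts over port 445 they never touched.
FLOW_LOG = """\
2011-02-01T08:00:01 hmi-01 plc-01 502 tcp
2011-02-01T08:00:02 hmi-01 plc-02 502 tcp
2011-02-01T08:05:00 eng-ws-01 plc-01 102 tcp
2011-02-01T09:00:00 historian-01 hmi-01 1433 tcp
2011-02-02T08:00:01 hmi-01 plc-01 502 tcp
2011-02-02T08:00:02 hmi-01 plc-02 502 tcp
2011-02-02T10:15:00 eng-ws-01 plc-02 102 tcp
2011-02-03T08:00:01 hmi-01 plc-01 502 tcp
2011-02-03T08:00:03 eng-ws-01 hmi-01 445 tcp
2011-02-03T08:00:04 eng-ws-01 historian-01 445 tcp
2011-02-03T08:01:00 hmi-01 eng-ws-02 445 tcp
2011-02-03T08:02:00 hmi-01 plc-02 502 tcp
2011-02-03T08:03:00 eng-ws-01 plc-01 502 tcp
"""


def parse_flows(text):
    """Turn the text log into (ts, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((ts, src, dst, int(dport), proto))
    return flows


def learn_baseline(flows, until):
    """Set of (src, dst, dport, proto) conversations observed before 'until'."""
    return {(s, d, p, pr) for ts, s, d, p, pr in flows if ts < until}


def detect_new_conversations(flows, baseline, since):
    """One alert per conversation first seen at or after 'since' that is not in the baseline."""
    known_pairs = {(s, d) for s, d, _, _ in baseline}
    alerts, reported = [], set()
    for ts, s, d, p, pr in flows:
        key = (s, d, p, pr)
        if ts < since or key in baseline or key in reported:
            continue
        reported.add(key)
        # A new service between hosts that already talk is worth a look;
        # a host reaching a peer it has never spoken to is the stronger signal.
        kind = "new service between known peers" if (s, d) in known_pairs else "new peer pair"
        alerts.append({"time": ts, "src": s, "dst": d, "dport": p, "proto": pr, "kind": kind})
    return alerts


def fan_out_by_source(alerts):
    """Count new conversations per source host; a sudden fan-out looks like scanning or spreading."""
    return Counter(a["src"] for a in alerts)


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    baseline = learn_baseline(flows, until="2011-02-03")
    for a in detect_new_conversations(flows, baseline, since="2011-02-03"):
        print(f"{a['time']} {a['src']} -> {a['dst']}:{a['dport']}/{a['proto']}  [{a['kind']}]")
    print(fan_out_by_source(detect_new_conversations(flows, baseline, since="2011-02-03")))
```

The baseline window must itself be trusted; learning it while an infection is already active would whitelist the attacker's traffic, so the quiet period should be chosen and reviewed by someone who knows the plant's normal communications.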
Also due out then is a third paper, on managing Modbus traffic. By creating deep-packet-inspection capabilities for firewalls that look inside Modbus messages, Byres says users will get very fine-grained control over exactly what they want a human/machine interface or workstation to be able to do over the network to a DCS, programmable logic controller (PLC) or safety instrumented system (SIS). He cites the new Honeywell Modbus read-only firewall for SIS (see www.tofinosecurity.com/article/honeywell-selects-tofino%E2%84%A2-modbus-read-only-firewall-secure-critical-safety-systems) as an example of this.
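To make concrete what a deep-packet-inspection firewall for a SCADA protocol (the point raised in the authors' list above and in the Modbus paper just described) actually decides on, here is an added example in Python. It is not code from the paper, from Byres Security or from Honeywell, and it makes no claim about how their product works; it is simply a minimal read-only policy for Modbus/TCP: parse the MBAP header and PDU of each request, allow only the four read function codes with quantities inside the protocol's limits, and drop writes, diagnostics and malformed frames. The sample frames are constructed here.

```python
"""Minimal Modbus/TCP deep-packet-inspection filter implementing a read-only policy.

Added illustration only; not code from the white paper or any firewall product.
A Modbus/TCP request is a 7-byte MBAP header (transaction id, protocol id = 0,
length, unit id) followed by the PDU (function code + data).  Sample frames are
constructed below with build_request().
"""
import struct
from dataclasses import dataclass

# Read function codes and the maximum quantity a single request may ask for.
READ_FUNCTIONS = {
    0x01: ("Read Coils", 2000),
    0x02: ("Read Discrete Inputs", 2000),
    0x03: ("Read Holding Registers", 125),
    0x04: ("Read Input Registers", 125),
}
# Anything that changes controller state is a write, including the combined read/write code.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request; raise ValueError on anything malformed."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The MBAP length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame ({len(frame) - 6})")
    return ModbusRequest(tid, uid, frame[MBAP_LEN], frame[MBAP_LEN + 1:])


def read_only_verdict(frame: bytes) -> tuple:
    """Return (allowed, reason) for one request frame under a read-only policy."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return False, f"DROP malformed frame: {exc}"
    fc = req.function_code
    if fc in READ_FUNCTIONS:
        name, max_qty = READ_FUNCTIONS[fc]
        if len(req.data) != 4:  # start address (2) + quantity (2)
            return False, f"DROP {name}: unexpected data length {len(req.data)}"
        start, qty = struct.unpack(">HH", req.data)
        if not 1 <= qty <= max_qty:
            return False, f"DROP {name}: quantity {qty} outside 1..{max_qty}"
        return True, f"ALLOW {name} unit={req.unit_id} start={start} qty={qty}"
    if fc in WRITE_FUNCTIONS:
        return False, f"DROP {WRITE_FUNCTIONS[fc]} (write) to unit {req.unit_id}"
    return False, f"DROP function code 0x{fc:02x} not on read-only allow list"


def build_request(tid: int, unit_id: int, fc: int, data: bytes) -> bytes:
    """Build a well-formed Modbus/TCP request frame (used here only to make samples)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


# Constructed sample traffic from an HMI or workstation toward a PLC or SIS.
SAMPLES = {
    "read_hr":          build_request(1, 1, 0x03, struct.pack(">HH", 0, 10)),
    "read_hr_too_many": build_request(2, 1, 0x03, struct.pack(">HH", 0, 200)),
    "write_single_reg": build_request(3, 1, 0x06, struct.pack(">HH", 40, 1)),
    "write_multi_regs": build_request(4, 1, 0x10, struct.pack(">HHB", 40, 2, 4) + b"\x00\x01\x00\x02"),
    "truncated":        build_request(5, 1, 0x03, struct.pack(">HH", 0, 10))[:9],
    "bad_length":       b"\x00\x06\x00\x00\x00\x20\x01\x03\x00\x00\x00\x0a",
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        allowed, reason = read_only_verdict(frame)
        print(f"{label:18} {reason}")
```

A real inline device would additionally track the TCP stream so that a request split across segments is reassembled before inspection, and would pin the allowed unit ids and register ranges per source host; the function-code and quantity checks above are the core of what "read-only" means on the wire.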
Meanwhile, Rick Kaun, Matrikon's manager, industrial security and compliance, warns of a future fraught with risk. "Stuxnet proves the concepts of: (1) targeted attacks, on (2) control systems using (3) zero day exploits [attacks on vulnerabilities unknown to the vendor, for which no patch yet exists]. Add to this the recent revelation of Chinese hackers infiltrating oil and gas companies and the release of Stuxnet code to the public and you have a whole heap of potential risk. A perfect storm is coming."
Like Byres, he believes cyber security must be treated as an everyday plant issue -- just like safety. "Security isn't about being bulletproof. It's about operating facilities in a safe and secure way. So security needs to have the same philosophy or culture as safety. Security is about how quickly you can detect, contain, recover and learn lessons from an incident."
The U.S. chemical industry is giving increased attention to security because of the Chemical Facility Anti-Terrorism Standards (CFATS). However, Kaun feels a lack of emphasis on cyber security in CFATS has led to an overly strong focus on managing physical security. "There are notable exceptions, but still many in the sector have focused almost 100% on physical security and have done little or nothing yet with cyber security."
Matrikon's cyber-security philosophy has three aspects: people, process and technology. "You must address all three to be secure -- and people is the toughest one to nail down," says Kaun.
To show how challenging this can be, he cites the example of a security firm that went back to check on how a client was implementing a new and very rigorous cyber-security program. The security firm left a selection of USB sticks containing hidden data mining tools around the client's parking lot, reception area and cafeteria. "Within a day the tools were on the network. It's human nature to pick a USB up and plug it in. So if a customer doesn't really get what it's trying to do -- and enforce it -- then it is dead in the water," he warns.
He also points out that if the authors of Stuxnet hadn't used a USB stick as a key method of distribution, the attack would likely have taken much longer to detect. Siemens' web-based Simatic security update still is advising against use of any USB sticks or other mobile data carriers (Figure 1).
Cyber threats are impacting how Matrikon does business. For example, the internal risk-assessment group at one major industrial client has called in the company to assess the cyber security of specific control systems and networks. Matrikon is doing this through a combination of interviews, document reviews, physical login/inspections and control penetration testing. Using a system of likelihood and impact findings, Matrikon then will be able to provide a priority list for remediation.
This sort of assessment also appears as a new trend within Matrikon's own cyber-security projects. The last three customers all have requested that Matrikon return to assess whether their new security measures have been implemented properly and are being run effectively. "People are much more concerned now to know that everything is working properly. And this is important because, for example, a customer might have left the firewall ports open to conduct a vibration analysis and forgotten how to lock them down again," he says.
For chemical operators overall, Kaun emphasizes two basic vulnerabilities that must be tackled to improve cyber security: awareness and enforcement.
BETTER STANDARDS
In early March, the International Society of Automation (ISA), Research Triangle Park, NC, announced that its ISA99 standards committee on industrial automation and control systems security has formed a group to conduct a gap analysis of the current ANSI/ISA99 standards with respect to the rapidly evolving threat landscape.
The purpose is to determine if companies following the ISA99 standards would have been protected from such sophisticated attacks and to identify needed changes, if any, to the standards being developed by the committee. A technical report summarizing the results of the group's analysis may come out by mid-2011.
Last November, the International Instrument Users' Association, The Hague, The Netherlands, launched Version 2 of its "Process Control Domain Security Requirements for Vendors," which it calls the first international standard that outlines a set of specific stipulations focusing on cyber-security best practices for suppliers of industrial automation and control systems.
Led by major companies such as BP, Dow, DuPont, Saudi Aramco and Shell, and joined by dozens of other end-users, leading vendors such as Invensys and multiple government agencies, the group spent two years developing and piloting the program that culminated in Version 2.
"Not only do the requirements provide current-state measures, they allow us to continue to improve and adapt to the ever-changing security landscape. From our perspective, this program is a major shift, not only focusing on tactics, but one that puts into place strategic elements that address operational change," says Ernie Rakaczky, portfolio program manager control systems -- cyber security for Invensys Operations Management, Dollard-des-Ormeaux, QC.
"This document provides the common language we need to communicate our expectations around security to our suppliers and the framework to work together to help improve the overall security posture for our critical systems," adds Peter Kwaspen, strategy and development manager, EMEA control and automation systems at Shell Projects & Technology, The Hague, The Netherlands.
"We've now come to a truly functional cyber-security standard based on the needs of end-users and it is now up to us, the end-user, to take advantage of this effort and insist that our vendors are certified," stresses Jos Menting, cyber-security advisor with GDF Suez Group, Paris.