Anyone integrating automation technologies these days is well aware of the pressure on the operators of industrial plants to increase productivity, reduce costs and share information in real-time across multiple industrial and enterprise systems. Adding to these business pressures is the growing fear of cyber attack as the world has become aware that the Stuxnet worm was specifically designed to disrupt an industrial process. Operators and engineers are under pressure to isolate automation systems, while at the same time management is asking for greater interconnectedness.
How can you help your company or clients deal with the conflicting requirements of more integration and more isolation? This white paper explains how the ‘zone and conduit’ model included in the ANSI/ISA-99 security standards provides a framework for helping deal with network security threats that arise from both the ‘push for productivity’ and the fear of the next ‘Son-of-Stuxnet’ worm.
Why the ‘Push for Productivity’ has degraded control network security
As corporate networks have converged with industrial control system (ICS) networks, there have been many integration projects where proprietary networks were replaced with commercial-off-the-shelf equipment using Ethernet-TCP/IP technology.
This shift in technology has greatly increased the complexity and ‘interconnectedness’ of control systems. As a result, they now have many of the same vulnerabilities that have plagued enterprise networks. In addition, the controllers in these networks are now subjected to new threat sources that they were never designed to handle.
The result has been a significant increase in the number of plant disruptions and shut-downs due to cyber security issues in the control networks.
The Repository for Industrial Security Incidents (RISI) is the world’s largest database of security incidents in control and scada systems. An analysis of the data from 1982 to 2010 found that the type of incidents affecting control systems breaks down as follows:
* 50% of incidents were accidental in nature.
* 30% of incidents were due to malware.
* 11% of incidents were due to external attackers.
* 9% of incidents were due to internal attackers.
In our study of the incidents included in the RISI database, we see problems arising from three common sources:
Proliferation of ‘soft’ targets
Supervisory control and data acquisition (scada) and ICS devices such as PLCs, DCS controllers, IEDs, and RTUs were designed with a focus on reliability and real-time I/O, not robust and secure networking. Many ICS devices will crash if they receive malformed network traffic or even high loads of correctly-formed data. Also, Windows PCs in these networks that run for months at a time without security patches or antivirus updates, are ever susceptible to new, or even outdated, malware.
Multiple points of entry
Even without a direct connection to the Internet, modern control systems are accessed by numerous external sources. All of them are potential sources of infection or attack and include:
* Remote maintenance and diagnostics connections.
* Historian and manufacturing execution systems (MES) servers shared with business users.
* Remote access modems.
* Serial connections.
* Wireless systems.
* Mobile laptops.
* USB devices.
* Data files (such as PDF documents or PLC project files).
These pathways are underestimated and poorly documented by the owners and operators of industrial systems. As the Stuxnet worm showed us in 2010, these pathways can be readily exploited by malware and other disruptive elements. Stuxnet used at least eight different propagation mechanisms, including USB drives, PLC project files and print servers to work its way into the victim’s control system.
Poor internal network segmentation
Control networks are now more complex than ever before, consisting of hundreds or even thousands of individual devices. Unfortunately the design of many of these networks has remained ‘flat’ with virtually no segmentation. As a result, problems that originate in one part of the network can quickly spread to other areas.
To learn the methods of ANSI/ISA-99 Zone and Conduit Security Model framework for network security improvements through integrated design, implementation, monitoring and continuous improvement, visit http://instrumentation.co.za/+C16783
| Tel: | +27 10 055 7300/1 |
| Email: | [email protected] |
| www: | www.extech.co.za |
| Articles: | More information and articles about Extech Safety Systems |
© Technews Publishing (Pty) Ltd | All Rights Reserved
printer friendly version