It used to be that security through obscurity was enough to protect automation systems from cyber-attacks. Who would really care about those industrial protocols anyway? We know from the famed Stuxnet and its derivatives that automation systems are now a prime target. There have been numerous documented intrusions to automation environments from those that would do and have done harm.
As an automation professional, what is one to do?
Clearly, education is the key. The first step to any solution is education, and keeping up that knowledge base. This isn’t a sprint to the finish. Dealing with Cyber-Security is a slow and steady marathon run. The primary place to begin this education is with our government and their ICS-CERT website, among others (see resources below).
Security will fall into several areas:
Education and Training – Create an awareness to the problem and equip personnel with the knowledge to do the right thing in prevention, detection and mitigation. Cyber-Security needs to become a part of your corporate DNA.
Design for security – In this fast paced world of technology, we often adopt new technology before fully understanding the ramifications. For example, we see VPNs as a way to co-mingle communications over the same wires. This brings the ability to use common networks for both automation and business purposes. But it also brings with it complexities that need to be managed – bandwidth allocations and potential major disruptions due to firmware updates or misconfigurations. Today, it is common practice to separate industrial networks from business networks. Wireless access points are making their way into our systems, often with poor configuration or default settings. The Power industry and other markets requiring Critical Infrastructure Protection (CIP) have strict rules with respect to securing their automation network.
Defense In Depth – (also known as Castle Approach) is a security concept in which multiple layers of security controls (defense) are placed throughout an automation system. Its intent is to provide redundancy in security in the event a security control fails or a vulnerability is exploited. These redundancies can cover aspects of personnel, procedural, technical and physical issues for the duration of the system’s life cycle.
Selecting the right products – The products you choose are as important as the architecture. In a defense in depth strategy you’ll want to manage access to your systems, first by enabling access to your network. Second, you’ll want to provide secure access to your applications. Third, you’ll want to be sure those applications can withstand the potential of malicious intent. This requires selecting products that you can rely upon, products that have been tested and recommended. Fortunately, the US government offers a vulnerability database of (tested) products. This database highlights products that have been tested, vulnerabilities that have been found, and the status of their corrections.
Industrial Control System Cyber Emergency Response Team – https://ics-cert.us-cert.gov/
Department of Homeland Security – https://www.dhs.gov/topic/cybersecurity
USA Cyber Emergency Response Team – https://www.us-cert.gov/
List of Industrial Cyber-Security Attacks – http://www.risidata.com/Database/event_date/desc
Industrial Safety and Security Source – http://www.isssource.com/
Software Developers – Top 25 Errors – https://buildsecurityin.us-cert.gov/
Product Vulnerability Database – https://ics-cert.us-cert.gov/advisories-by-vendor
The Stuxnet Story – http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
NERC CIP Compliance Standards – http://www.nerc.com/pa/CI/Comp/Pages/
Watch Cyber Attacks in Real-time – http://blog.ctf365.com/interactive-cyber-attack-map/