Just when you thought it was 'safe to go in the water', along comes an expert on cyber security and proves you wrong. We take it for granted that the lights will come on, the faucet will deliver water, the corner service station will pump gas. Yet, how can you be sure? So much of our infrastructure is vulnerable, to error and to intentional attack.
Dr Joseph Weiss, a managing partner at Applied Control Solutions, is considered an expert in control systems cyber security. He is the closest thing you can get to a 'rocket scientist', in that he is a nuclear engineer with 30 years' experience in the commercial power industry. His work spans design, development, implementation, and analysis of industrial instrumentation and control systems, and he has reviewed the cyber security vulnerabilities of power plants, electric utility control centers, and water systems. His overview was presented before the Committee on Commerce, Science, and Transportation in the US Senate this month.
Weiss began with a historical view and some definitions. At the beginning of this decade, interconnecting control systems with other networked computing systems began to be viewed as a way to help lower costs and improve efficiency. Systems that could not share information were considered outdated. However, the cyber security risks of that interconnection were not yet fully appreciated.
Weiss defines cyber as referring to electronic communications between systems and/or individuals, and applies to any electronic device with serial or network connections.
He points out that Industrial Control Systems (ICS) are an integral part of the industrial infrastructure. Critical infrastructure protection is aimed at protecting and maintaining a safe, reliable supply of essentials, such as electric power, chemicals, water, and food. The safety and functionality of these systems must be protected against cyber vulnerabilities.
Traditionally, cyber security has been the responsibility of the IT department, while control system departments have focused only on equipment efficiency and reliability. IT security and ICS security have two different purposes: enterprise security protects the data residing on the servers from attack, whereas ICS security protects the facility's ability to operate safely, regardless of the state of the network.
Weiss describes a crude distinction between mainstream IT and control systems in that IT uses 'physics to manipulate data' while an ICS uses 'data to manipulate physics.' IT staff design extensive security checks and controls into their product. The ICS designers are more concerned with system failure, and try to make systems idiot proof, according to Weiss.
Traditional IT systems work within a triad model: Confidentiality, Integrity, Availability (CIA), in that order of importance. Rigorous end-user access controls and additional data encryption provide confidentiality for critical information. Traditional ICS, on the other hand, work with the reverse ordering, AIC: Availability first, then Integrity, then Confidentiality. A control system that stops responding is a failure even if no data leaked.
IT systems are consolidated and centralized for economies of scale, to lower operational costs. ICS, by necessity, are distributed systems that ensure the availability and reliability of the ICS and of the processes it controls. Remote access is often available directly from field devices, which reduces the effectiveness of firewalls at the central demilitarized zone (DMZ) and requires additional protection at remote locations.
Weiss warned that compromised ICS systems have led to serious problems, such as extensive cascading power outages and dangerous toxic chemical releases.
The end user of an IT system is usually a person, but the end user of an ICS is a computer or other highly intelligent control device. These differences lie at the root of the difficulty in securing an ICS appropriately. Newer ICS designs use advanced high-speed data networking technologies, so what was a single-vector problem, the host, has become a problem with as many vectors as there are smart field devices.
Using mainstream operating system environments such as Windows, UNIX, and Linux to run ICS applications makes them as vulnerable as IT systems. On the plus side, mainstream IT security solutions help secure modern ICS host computers and the PCs used as operator consoles.
Virtual Private Networks (VPN), for example, are used to secure communications to and from ICS networks. IT security relies on the strength of the encryption algorithm, while ICS security must also care about what goes into the VPN: an encrypted tunnel faithfully delivers whatever a compromised endpoint or middleware component puts into it. Dr Weiss told of one of the US Department of Energy's National Laboratories being hacked by manipulating widely used 'middleware' software running on current mainstream computer systems. By exploiting vulnerabilities in OPC (OLE for Process Control) code, an attacker can make the system appear to be working correctly even when it is not, and can thus display incorrect information on, or withhold correct information from, system operator consoles.
Furthermore, some mainstream IT security technologies interfere with the operation of ICS, according to Weiss. Components can freeze up when port scanning tools are run against them, and block encryption can slow control traffic enough to amount to a basic denial of service. IT tasks are judged by completion: the task is done when it is done, regardless of how long it takes. ICS tasks must be done 'now'; a delayed response is a failed response. You could say that IT tasks are goal oriented and ICS tasks are clock oriented.
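The middleware scenario above is worth seeing in code. The following is an added example written for this article, not code from Dr Weiss's testimony or from any OPC implementation: a constructed relay stands in for the middleware between a field device and the operator console, and a tampered version of it keeps replaying the last good value under fresh timestamps, so the console looks normal while the simulated tank level keeps rising. A VPN would not help here, because the false data is generated inside the trusted path. The detector flags two symptoms the console side can check without trusting the relay: a stream whose value is frozen while time advances, and disagreement with an independent reference such as a second sensor or a direct poll of the device. All process values, thresholds, and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Sample:
    t: float      # timestamp in seconds (constructed)
    value: float  # engineering value, here a tank level in percent (constructed)


def field_device_readings(n: int = 10, start: float = 80.0, rate: float = 1.5) -> List[Sample]:
    """Constructed process: the real tank level, rising `rate` units per second.
    In a plant this is what the field device actually measures."""
    return [Sample(t=float(i), value=start + rate * i) for i in range(n)]


def honest_relay(readings: List[Sample]) -> List[Sample]:
    """Middleware behaving correctly: the console sees what the field device reports."""
    return list(readings)


def compromised_relay(readings: List[Sample], freeze_after: int = 3) -> List[Sample]:
    """Hypothetical tampered middleware: after `freeze_after` samples it re-sends the
    last good value under fresh timestamps. The console sees a current-looking,
    plausible feed while the physical level keeps climbing."""
    out: List[Sample] = []
    for i, s in enumerate(readings):
        if i < freeze_after:
            out.append(s)
        else:
            out.append(Sample(t=s.t, value=readings[freeze_after - 1].value))
    return out


def frozen_value(samples: List[Sample], window: int = 4, eps: float = 1e-9) -> bool:
    """Staleness check: timestamps advance but the value does not change at all
    across the last `window` samples. A measurement with real process noise is
    never bit-identical over a window; a truly steady process can be, so
    `window` and `eps` must be tuned to the process, which is Weiss's point
    about understanding the process before applying a security control."""
    if len(samples) < window:
        return False
    tail = samples[-window:]
    timestamps_advance = all(b.t > a.t for a, b in zip(tail, tail[1:]))
    values_identical = all(abs(s.value - tail[0].value) <= eps for s in tail)
    return timestamps_advance and values_identical


def reference_mismatch(samples: List[Sample], reference: List[Sample], tol: float = 5.0) -> bool:
    """Cross-check against an independent path to the process (a redundant sensor
    or a direct poll of the device that bypasses the relay). Disagreement beyond
    `tol` on any of the last three samples means at least one path is wrong."""
    pairs = zip(samples[-3:], reference[-3:])
    return any(abs(a.value - b.value) > tol for a, b in pairs)


def check_console_feed(samples: List[Sample], reference: List[Sample]) -> List[str]:
    """Return the alerts raised for the feed shown on the operator console."""
    alerts: List[str] = []
    if frozen_value(samples):
        alerts.append("frozen_value")
    if reference_mismatch(samples, reference):
        alerts.append("reference_mismatch")
    return alerts


if __name__ == "__main__":
    truth = field_device_readings()
    print("honest relay:     ", check_console_feed(honest_relay(truth), truth))
    print("compromised relay:", check_console_feed(compromised_relay(truth), truth))
```

Run stand-alone, the honest relay produces no alerts and the tampered relay produces both. The independent reference is the expensive part in practice: it only helps if it really is a separate path to the process, not another consumer of the same relay.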
To enable proper security, Dr Weiss emphasised that it is necessary to understand the ICS and the processes it controls, and to evaluate the impact of a proposed security measure on those systems and processes before it is implemented, so that a 'good idea' does not go bad in production.
Dr Weiss warned that a common misconception concerns how widely knowledge about an ICS is available. He said that the ICS provided internationally are the same systems provided in North America, with the same architecture, the same default vendor passwords, and the same training. Some of the largest implementations of ICS originating in the United States are in the Middle East and China, and a number of North American control system suppliers have products developed in far-flung countries. These facts raise questions of national security. The second half of Dr Weiss's testimony details such concerns and is definitely food for thought.
PBS interview with Dr. Weiss
Accessing and addressing ICS cyber threats