It used to be that security through obscurity was considered enough to protect automation systems from cyber-attacks: who would really care about those obscure industrial protocols anyway? We know from Stuxnet and its derivatives that automation systems are now a prime target, and there have been numerous documented intrusions into automation environments by those who would do, and have done, harm.
As an automation professional, what is one to do?
Clearly, education is the key. The first step to any solution is education, and keeping that knowledge base current. This isn’t a sprint to the finish; dealing with Cyber Security is a slow and steady marathon. The primary place to begin this education is with our government and its ICS-CERT website, among others (see resources below).
Security will fall into several areas:
Education and Training – Create an awareness of the problem and equip personnel with the foundational knowledge to do the right thing in prevention, detection and mitigation. Cyber Security needs to become a part of your corporate DNA.
Design for security – In this fast-paced world of technology, we often adopt new technology before fully understanding the ramifications. For example, we see VPNs as a way to carry automation and business communications over the same wires, which lets a common network serve both purposes. But sharing the wires also brings complexities that need to be managed: bandwidth allocation, and the potential for major disruptions from firmware updates or misconfigurations. Any such separation is logical, not physical, and one misconfigured device can collapse it. Today, it is common practice to separate industrial networks from business networks. Wireless access points are making their way into our systems, often with poor configuration or default settings (default credentials, open or weakly protected SSIDs) that must be changed before the device ever touches an automation network. The Power industry and other markets requiring Critical Infrastructure Protection (CIP) have strict rules with respect to securing their automation networks.
Defense In Depth – (also known as the Castle Approach) is a security concept in which multiple layers of security controls are placed throughout an automation system. Its intent is to provide redundancy: if one control fails or a vulnerability is exploited, another layer still stands between the attacker and the process. These layers span personnel, procedural, technical and physical controls, for the duration of the system’s life cycle.
Selecting the right products – The products you choose are as important as the architecture. In a defense in depth strategy you’ll want to manage access to your systems at three levels. First, control who and what can reach your network. Second, provide secure access to your applications. Third, be sure those applications can withstand malicious input even when the first two layers have been bypassed. This requires selecting products you can rely upon: products that have been tested, and whose vendors fix what is found. The US Government publishes a database of ICS product advisories (see resources below). It lists products for which vulnerabilities have been reported, what was found, and the status of their corrections. A product’s presence in that database is not by itself a mark of quality; what matters is whether the vendor responded with a fix, and how quickly.
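The segmentation advice above and the three access levels just described can be put together in a small, runnable model. The following is an added illustration, not code from this page or from any product it mentions; the zones, addresses, host names and Modbus/TCP frames are all constructed for the example. Layer one is a deny-by-default firewall between zones; layer two is an application-aware filter in front of the PLCs that only lets the historian issue Modbus read requests. The flat policy stands in for the weak setting (no segmentation), the segmented policy for the corrected one, and the same write request is run through both so you can see which layer stops it.

```python
"""Worked example of network segmentation plus defense in depth for an
automation network.  Added illustration only; every host, zone and frame
below is constructed for the example."""
import ipaddress
import struct
from dataclasses import dataclass

# Constructed zones: business LAN, a DMZ holding the historian / reporting
# server, and the control network where the PLCs live.
ZONES = {
    "business": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "control": ipaddress.ip_network("192.168.100.0/24"),
}
HISTORIAN = "10.2.0.10"  # the only host allowed to poll the PLCs


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Layer 1: zone-to-zone conduits enforced by the perimeter firewall.
FLAT_CONDUITS = None            # weak setting: flat network, everything reachable
SEGMENTED_CONDUITS = {          # corrected setting: deny by default, two conduits
    ("business", "dmz", 443),   # users browse reports on the DMZ server
    ("dmz", "control", 502),    # historian polls the PLCs over Modbus/TCP
}


def firewall_allows(conduits, flow: Flow) -> bool:
    if conduits is None:
        return True
    return (zone_of(flow.src), zone_of(flow.dst), flow.dport) in conduits


# Layer 2: application-aware filter in front of the PLCs.  Modbus function
# codes 1-4 are reads; 5, 6, 15, 16 write coils or registers.
READ_FUNCTIONS = {1, 2, 3, 4}


def parse_mbap(frame: bytes):
    """Return (unit_id, function_code) from a Modbus/TCP frame, None if malformed."""
    if len(frame) < 8:
        return None
    _tid, proto, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    # Protocol id must be 0; length counts every byte after the length field.
    if proto != 0 or length != len(frame) - 6:
        return None
    return unit, fc


def app_filter_allows(flow: Flow, frame: bytes) -> bool:
    """Only the historian may speak Modbus to the PLCs, and only reads."""
    if flow.dport != 502:
        return True  # not Modbus, nothing for this layer to inspect
    parsed = parse_mbap(frame)
    if parsed is None:
        return False  # malformed frames never reach a PLC
    _unit, fc = parsed
    return flow.src == HISTORIAN and fc in READ_FUNCTIONS


def evaluate(conduits, flow: Flow, frame: bytes) -> str:
    """Walk the layers in order; report the first layer that denies, else 'allow'."""
    if not firewall_allows(conduits, flow):
        return "denied: firewall"
    if not app_filter_allows(flow, frame):
        return "denied: app-filter"
    return "allow"


def modbus_frame(fc: int, payload: bytes, tid: int = 1, unit: int = 1) -> bytes:
    body = struct.pack(">BB", unit, fc) + payload
    return struct.pack(">HHH", tid, 0, len(body)) + body


# Constructed traffic: a read of 10 holding registers, and a setpoint write.
READ_HOLDING = modbus_frame(3, struct.pack(">HH", 0, 10))
WRITE_SETPOINT = modbus_frame(6, struct.pack(">HH", 40, 999))

if __name__ == "__main__":
    plc = "192.168.100.5"
    historian_read = Flow(HISTORIAN, plc, 502)
    historian_write = Flow(HISTORIAN, plc, 502)   # a compromised historian
    laptop_write = Flow("10.1.7.42", plc, 502)    # a business-LAN laptop
    for conduits, name in ((FLAT_CONDUITS, "flat"), (SEGMENTED_CONDUITS, "segmented")):
        print(name, "historian read  ->", evaluate(conduits, historian_read, READ_HOLDING))
        print(name, "historian write ->", evaluate(conduits, historian_write, WRITE_SETPOINT))
        print(name, "laptop write    ->", evaluate(conduits, laptop_write, WRITE_SETPOINT))
```

Under the segmented policy the laptop's write never leaves the business zone, and under the flat policy the application filter still catches it, which is the redundancy defense in depth is after. The last case is the one worth noticing: even the historian, which the firewall legitimately lets through, cannot write a setpoint, because the application layer allows only read function codes from it.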
The selection of a product like Dream Report, an industrial reporting and performance dashboard solution, will make your job of Cyber Security management much easier: it is listed in the ICS-CERT database and is current with today’s cyber security best practices. In addition, Dream Report works well with other cyber security products such as data diodes (hardware that physically allows data to flow in only one direction, for example out of the control network to a reporting server and never back), which may be leveraged to create even more secure environments.
Industrial Control System Cyber Emergency Response Team – https://ics-cert.us-cert.gov/
Department of Homeland Security – https://www.dhs.gov/topic/cybersecurity
USA Cyber Emergency Response Team – https://www.us-cert.gov/
List of Industrial Cyber Security Attacks – http://www.risidata.com/Database/event_date/desc
Industrial Safety and Security Source – http://www.isssource.com/
Software Developers – Top 25 Errors – https://buildsecurityin.us-cert.gov/
Product Vulnerability Database – https://ics-cert.us-cert.gov/advisories-by-vendor
The Stuxnet Story – http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
NERC CIP Compliance Standards – http://www.nerc.com/pa/CI/Comp/Pages/
Watch Cyber Attacks in Real-time – http://blog.ctf365.com/interactive-cyber-attack-map/