With businesses' needs to get plant and factory systems seamlessly connected, we are facing new and very real threats to our security – and to our safety. Brian Tinham examines the issues
Anywhere that has a control or automation system in a manufacturing environment needs to undertake a risk assessment for potential cyber attacks as a matter of urgency. As hitherto softer business and personal targets become better protected, while industrial systems perversely move onto more mainstream communication and operating systems without adequate protection, the number of incidents is rising. Serious accidents, not just lost production and embarrassment, are waiting to happen.
This is a big issue, and all the more worrying because on the one hand, there are few guidelines or standard systems to deal with the threat, and on the other, ignorance and denial are widespread. "It's a very big concern," warns Justin Lowe, principal consultant in PA Consulting's IT and security management practice, who has been monitoring the situation closely. "A lot of equipment is now networked, and some of that is now vulnerable to attack. It's going to have to be fairly big budget stuff over the next year or so."
So what's this about? And why the big scare now? At the close of last year, one of the first ever global reports into industrial cyber security, 'The myths and facts behind cyber security risks for industrial control systems', produced jointly by security experts at the British Columbia Institute of Technology (BCIT) and PA, revealed a 10-fold increase in successful attacks on process control and SCADA (supervisory control and data acquisition) systems since 2001. Additionally, it showed that many of the attacked systems were responsible for running critical services such as electricity, oil and gas production, nuclear power, water, transportation and communications.
Then in March this year, data security specialist Symantec – which has over 20,000 sensors monitoring network activity in more than 180 countries, covering some 120 million client, server and gateway systems – issued its Internet security threat report, with comprehensive data on growing attacks specifically on the power, energy and utilities industries. We're not talking trivial. But note, viruses, worms and the like do not discriminate between large, high profile plants and much smaller ones: the risk is universal.
These findings may shock many in the plant management and engineering community. Industrial process control and automation systems have traditionally been seen as immune to external attack because they were based on proprietary technologies, networks and hardware, and anyway isolated from other IT systems. But all that has now changed, and any complacency is misplaced: the moves to open computing standards, alongside web and wireless connections into plant systems – albeit for good commercial reasons that have to do with agility, customer service and cost cutting – are opening the back door to hackers.
Best industry estimates indicate that today between 100 and 500 unreported industrial cyber attacks occur every year. And that can only get worse as hackers target process control and SCADA systems. A recent hacker conference included a demonstration on how to attack a water utility control system.
Why can't manufacturers simply use commercially available security software, firewalls, intrusion detection and the rest – the likes of Norton and McAfee? Well, to an extent they can – but there are very important limits. As PA's Lowe says: "Many of the tools in mainstream IT are applicable, but you need to be very careful. You don't want default disk scanning for anti-virus, for example, to take down part of your control or safety systems."
Be afraid, be very afraid?
But that's not the real killer. Lowe again: "Security patches from Microsoft every month can't be applied without [IT] vendors accrediting them for their systems. But the fact is there's little or no service for that. And if it takes six to nine months to get accreditation while a virus can be launched and infecting your systems within a couple of days, we've got a real problem."
That's the nub of it: hackers that access Microsoft patches are in a great position to reverse engineer malware against the vulnerability revealed – and all the while you don't have your control system vendor's validation, you're wide open to them. "Until 18 months ago, almost all of the control system vendors were effectively saying 'This equipment is for installation in isolated environments only'. Now there's a shift, and Honeywell is doing a lot and Aveva is working with Symantec. But most of the control and SCADA system vendors seem to be doing nothing to help at all."
So what are the automation system companies doing? Bob Huba, marketing manager at process systems developer Emerson, asserts that the cyber risk is only relevant to its flagship DeltaV since it's the firm's only process management system founded on Microsoft technologies – XP and Ethernet, running on a PC. Older systems, like Fisher Provox and Rosemount System 3, he describes as "not germane to the cyber security issue… Provox workstations don't run on PCs; they're proprietary systems and a lot of the older systems aren't connected to the outside world."
A moot point that. If they are linked externally, you need to make a judgement: how determined do you think the outside world is to attack your legacy control systems? But that said, Emerson's immediate concern is rightly mainstream systems, and Huba says it has validated Symantec security systems. "We support all the Microsoft hot fixes: we look at the patches and see which apply to us and immediately test and apply those. How long that takes depends on what's involved – typically it's a few days, but it could take longer."
If that's not enough, Huba says plant managers have a problem – they're either into second guessing hacker mentality and enforcing roles and policies, or they don't connect to the outside world. "If someone is funded and has the time and determination, no matter what you do, you will be hacked."
Meanwhile, Kevin Staggs, control systems solutions planner for Honeywell, says: "We qualify two virus protection systems for our Experion NTPS [formerly TPS], and those are McAfee and Norton. Microsoft monthly hot fixes have to be deployed immediately. Right now we deliver validation in 14 days against Microsoft's 10 days. It's not as good as it needs to be. We want to do better than a day or two. We have to get hot fixes done before the expedite date."
Does that mean plants are potentially unprotected during that time? Yes and no. "With our 'defence in depth' strategy and the lock-down model we provide, and properly implemented interfaces in the demilitarised zone, users have strong perimeter security," Staggs reminds us. "Beyond that, the business side can deploy its fixes before they're deployed in the control systems, which also makes it that much harder for worms and viruses to get in. With proper security strategies, that's the best you're going to get."
The bigger picture
Just so; draw a deep breath. Defence in depth, to Honeywell, means a range of measures starting with delivering security directly in its network – with Level One peer-to-peer control devices, Level Two for supervisory control, and Level Three for the WAN. "There is no visibility between Level One and Level Three," says Staggs, so there's the first defence. "All the rest of our systems are proprietary," he explains. Does that mean they're inviolable? "Nothing is," he says, "But those systems would be very much harder to get to."
And beyond that: "We require the use of Cisco routers and we provide configuration guidance – how they should be using the equipment to get properly protected. Next, we lock down the file system and the registry based on pre-configured groups that are role-based – operators, supervisors, engineers, administrators. Also, we provide configuration for the Windows domain server. Also, we provide scripts that assign down to the groups.
"We also provide a very comprehensive service for our systems and for others – a cyber perimeter security measure." That's best practice guidance for security in terms of physical access, roles, policies, passwords and so on. "We've been doing this since 1997 but quietly. Now that there's more awareness, we've introduced the service publicly.
"Ultimately, it's the responsibility of the user to run safe and secure plant. Everyone in the equipment supply chain needs to give them the tools to do that."
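The layered model Staggs describes (control devices at Level One, supervisory control at Level Two, the WAN at Level Three, with no visibility between One and Three, and workstations locked down by role-based groups) can be written down as a policy and checked against a proposed set of network flows. The following is an added example, not Honeywell's code or anything from the article; the level numbering follows the text, while the role-to-permission table, the flow labels and the sample rule set are constructed for illustration.

```python
"""Zone-model check for a three-level control network (added example).

Rule from the text: Level 1 (control devices) and Level 3 (WAN/business)
never see each other, so a flow may only stay within a level or cross to
an adjacent one. Everything below beyond that rule is an assumption.
"""
from dataclasses import dataclass

LEVELS = {1: "control devices", 2: "supervisory control", 3: "WAN/business"}


@dataclass(frozen=True)
class Flow:
    src_level: int
    dst_level: int
    service: str  # constructed label for the proposed connection


def flow_allowed(flow: Flow) -> bool:
    """Allow a flow only within a level or between adjacent levels."""
    if flow.src_level not in LEVELS or flow.dst_level not in LEVELS:
        return False  # unknown zone: deny by default
    return abs(flow.src_level - flow.dst_level) <= 1


def audit_flows(flows):
    """Return every proposed flow that violates the zone model."""
    return [f for f in flows if not flow_allowed(f)]


# Assumed role matrix (illustrative, not a vendor configuration): what each
# lockdown group may do on a supervisory workstation. Nobody gets the desktop.
ROLE_PERMISSIONS = {
    "operator": {"view_process", "acknowledge_alarm", "change_setpoint"},
    "supervisor": {"view_process", "acknowledge_alarm", "change_setpoint", "view_trends"},
    "engineer": {"view_process", "view_trends", "edit_configuration"},
    "administrator": {"view_process", "manage_accounts", "apply_patch"},
}


def role_allowed(role: str, action: str) -> bool:
    """Deny anything not explicitly granted to the role (unknown roles get nothing)."""
    return action in ROLE_PERMISSIONS.get(role, set())


# Constructed sample rule set, as a plant might propose it for review.
SAMPLE_FLOWS = [
    Flow(1, 2, "controller-to-hmi"),
    Flow(2, 3, "historian-replication"),
    Flow(3, 1, "remote-controller-access"),  # skips Level 2: must be refused
    Flow(2, 2, "hmi-to-hmi"),
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"VIOLATION: {f.service} L{f.src_level}->L{f.dst_level}")
    print("operator may edit configuration:", role_allowed("operator", "edit_configuration"))
```

Running the script flags only `remote-controller-access`, the one flow that would give the WAN a direct path to control devices; the role check shows an operator refused `edit_configuration`, which is the point of separating operator, engineer and administrator groups.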
What about Emerson? DeltaV too has password protection plus restricted access for recognised roles like operators and engineers – effectively NT lockdown, also meaning no access to the Windows desktop. Beyond this internal human security, it too is architected to run on a separate, isolated private control network. And the significance of that, as Huba puts it, is: "Users have no ability to assign network addresses; you can't mingle this with the plant or business LANs." Emerson doesn't allow connection to its control system LAN other than through one of its workstations. "We don't connect through a Cisco switch or router, for example," he says, "although people can still set that up," he concedes.
Which brings us to common sense and managing risk holistically. Consider increasingly popular remote access to SCADA systems, for example: "We approach this by distinguishing between data access and system access," says Huba. "You don't want to grant system access to remote users – certainly not configuration or control of plant. So we move data off the DeltaV infrastructure, replicate what's required on the other side of the firewall, and let them access that." There's your answer to much of the plant to business connectivity problem: maintain system LAN separation and mirror subsets of data on a read-only basis, with enforced roles and policies.
What about engineering and troubleshooting? "IT might like to do all that remotely via a VPN, and there are plenty of tools to do it: we use something like Terminal Services. But then you need to protect that with limits, roles and enforced policies." And there is one very big difference between making that stick versus attempting to do so in the general Internet world. "This isn't about allowing anonymous users onto web pages: we are managing named users coming in, and then they are only allowed to do what their roles permit."
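The remote-access pattern Huba describes (keep the control LAN separate, replicate a read-only subset of data to the business side of the firewall, and let only named users with defined roles read it) is shown below as an added example. It is not Emerson's DeltaV code or anything from the article; the tag names, the export whitelist, the user accounts and the role tables are all constructed for illustration.

```python
"""Read-only data mirror behind the firewall, with named-user access (added example).

Pattern from the text: the live tag database stays on the isolated control
network; a replication step copies only a whitelisted subset outward; remote
users are named accounts whose roles permit data access only, never system
access (no writes, no configuration). Every decision is written to an audit
trail so access can be reviewed later.
"""
import copy
from datetime import datetime, timezone

# Constructed live tag database on the control network.
CONTROL_TAGS = {
    "FIC101.PV": 42.7,     # flow process value
    "FIC101.SP": 45.0,     # flow setpoint: control-relevant, stays inside
    "TIC202.PV": 181.3,    # temperature process value
    "ESD.BYPASS": False,   # safety-system state: never exported
}

# Only these tags may leave the control network (assumed whitelist).
EXPORT_WHITELIST = {"FIC101.PV", "TIC202.PV"}


def replicate(control_tags, whitelist):
    """Build the outward mirror: a deep copy of the whitelisted subset only,
    so nothing done to the mirror can reach the live tag database."""
    return {k: copy.deepcopy(v) for k, v in control_tags.items() if k in whitelist}


# Named remote users and their roles (constructed).
USERS = {"jsmith": "commercial", "apatel": "engineer"}

# Which mirrored tags each role may see. Actions are not role-dependent here:
# the mirror answers "read" and nothing else, whatever the caller's role.
ROLE_VISIBLE_TAGS = {
    "commercial": {"FIC101.PV"},
    "engineer": {"FIC101.PV", "TIC202.PV"},
}
MIRROR_ACTIONS = {"read"}


class DmzDataAccess:
    def __init__(self, mirror):
        self.mirror = mirror
        self.audit = []  # (timestamp, user, action, tag, allowed)

    def request(self, user, action, tag):
        """Return (allowed, value). Denies unknown users, any non-read action,
        tags outside the user's role, and tags that were never mirrored."""
        role = USERS.get(user)
        allowed = (
            role is not None
            and action in MIRROR_ACTIONS
            and tag in ROLE_VISIBLE_TAGS.get(role, set())
            and tag in self.mirror
        )
        self.audit.append((datetime.now(timezone.utc).isoformat(), user, action, tag, allowed))
        return (True, self.mirror[tag]) if allowed else (False, None)


if __name__ == "__main__":
    dmz = DmzDataAccess(replicate(CONTROL_TAGS, EXPORT_WHITELIST))
    print(dmz.request("jsmith", "read", "FIC101.PV"))    # (True, 42.7)
    print(dmz.request("apatel", "write", "FIC101.PV"))   # (False, None): no system access
    print(dmz.request("apatel", "read", "ESD.BYPASS"))   # (False, None): never mirrored
    for entry in dmz.audit:
        print(entry)
```

The setpoint and the safety-system bypass flag never appear in the mirror at all, so a compromised business-side account cannot even discover them; the engineer's write attempt is refused because the mirror offers data access only, which is the distinction Huba draws between data access and system access.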
From then on, we're back to basic stuff: "A lot of this is common sense and managing the users," says Huba. He, for example, recommends "just saying no," even to plant managers and engineers, so that only operators are allowed to touch control consoles that are necessarily left open for quick response. He also recommends keeping quiet about what you're doing – keeping your head below the proverbial parapet so you don't attract attention.
So what should manufacturers do? King's Lynn-based pharmaceutical dispenser manufacturer Bespak has an ethanol extraction plant for purifying its rubber components, and David Scott, the firm's IS director, is only too aware that a successful attack could be devastating. He also talks of a new plant in Milton Keynes with automated systems running in a clean room environment to make Pfizer's inhaled insulin dispensers. If hackers got into the systems, not only would there be production losses, but also concerns over batch traceability and audit trails that could cause major write-offs.
Action plan
"We've put SAP and our barcode system behind a firewall, but you can only do so much. You have to open your systems to do some things. We only have two IP addresses now. We've been audited by KPMG for penetration and they say we're low risk, but it's holding us back technologically. Our commercial users want WiFi access from coffee shops, for example, but we're saying 'hold on guys, we're operating in a validated industry here; we need to do some work and get proper controls'."
PA's Lowe suggests companies first do a detailed risk assessment, and his company offers a seven-point plan. "Some of that can be done at low cost with some network redesign, firewalls, anti-virus systems and also physical security," he says. "But there is no silver bullet, no single suite of protective systems… No two systems are alike: manufacturers have got to work with multiple vendors to create a suite of tools that respond to the different threats and their systems and criticality."
Note his mention of 'physical security'. Cyber attacks are real, but it's important to put them in context, understand the scope and recognise that there are IT and non-IT risks, and shades of both. As Emerson's Huba says: "You have to look at cyber security in the same way as you look at the rest of security and safety – and then there's a lot of steps you can take."
Scott sums it up: "We need to get audited to see if we're vulnerable or not. Over the last 18 months we have been infected by two worms, which have disrupted the company to some extent but not stopped production. As an industry, we have got to spend money to protect ourselves."