Industrial Control Systems Pattern
Legend: This pattern covers the use of Industrial Control Systems in a secure environment to prevent interruption to processes availability.
[Control refs to be updated once pattern defined]
The main security controls: A/V and software update on SCADA. Lock down controller to read only using password or hardware. Change control for system components: Lockdown O/S, add Checksum or verification code to the PLC that monitors back to the PC. Strong network controls, zone architecture, IDS/IPS for ethernet. Remove USB and Wireless. Physical security for PLC and Network. Place Step 7/HMI in secure zone in plant.
Description: There has been an increased interest in the security of Industrial Control Systems in recent years due to a number of high profile incidents (SoBig 2003, Sasser 2004, StuxNet 2010). The security threats continue to increase as these systems have moved from using stand-alone panel based controls with no communciation with the wider organisation or internet, through proprietary networks and operating systems where security was gained via obscurity of the design, to modern equipment using ethernet based on Commercial of the Shelf (COTS) operating systems and applications like Windows and STEP7, and connected to the wider organisation for management information and the internet for remote support.
The term “Industrial Control System” (ICS) refers to a broad set of control systems, which include: SCADA (Supervisory Control and Data Acquisition), DCS (Distributed Control System), PCS (Process Control System), EMS (Energy Management System), SIS (Safety Instrumented System). The primary architecture used for the control systems is 3 level:
- I/O components such as position and temperature sensors, stepper motors (drives), and control valves which are connected to...
- Controllers such as Programmable Logic Controllers (PLC) which run specific programs reacting to input conditions and providing output to drives or valves that operate part of the plant. These are networked via Ethernet or Serial comms such as Profibus to...
- The top level control system (SCADA, DCS etc) comprising Human Machine Interace (HMI), operator controls, instrumentation displays, data collection and storage
Primary control areas that must be considered are:
- Harden COTS operating systems and applications by changing default passwords, removing or disabling all unnecessary services or applications, configuring access controls to enforce least privilege, setting suitable audit policies.
- Make sure that systems run up to date A/V (ideally Host Based IDS including firewall), and that there is a vulnerability management process to identify critical security patches for operating systems and applications.
- Ensure there are mature security processes in place for password management especially for high privilege accounts. Use complex passwords to prevent dictionary based attacks. This is especially important where there are no lockout policies (e.g. controllers) or monitoring is weak.
- Ensure change management proceedures are in place for modification to the system.
- Implement logging and monitoring of the system using the propietary capabilities of the ICS. Consider adding Intrusion Detection Systems (IDS) to monitor network traffic, and Security Information and Event Management (SIEM) systems for log collection and monitoring depending on scale, complexity and criticality.
- Implement CRC checks or hashing alogorithms in controllers and monitor changes.
- Carefully protect the engineering system or console using physical and logical security controls.
- Prevent code stored in the controller from being overwritten- use passwords or read only switch if available to prevent new instructions from being downloaded.
- Physically secure the process network or communications bus, and use a firewall to logically secure the process network from the corporate network.
- Do not allow wireless or USB devices to be connected to the process computing environment unless specifically authorised.
You also need to ensure that you have regular backups of the systems available. In the event that a system is compromised it is important to be able to rapidly roll back to a known good state. Test the backups you are taking on spare equipment, and make sure you have the processes defined and correct contracts in place with your suppliers.
Assumptions: An attack on Industrial Control Systems allows real-world physical actions via the Internet and it is likely to be used increasingly by criminals and 'black hat' groups to impact operations for critical infrastructure and services. The knowledge and tools to attack will become rapidly available and commoditised via the internet. Financial motives will increase as there is significant potential for extortion demands if high value processes are interrupted.
This pattern assumes that industrial control systems will increasingly utilise standard networking technologies such as TCP/IP over Ethernet and be connected to the corporate network to provide management information on processes. Management and monitoring of systems will be increasingly provided by 3rd parties that supply equipment and supporting services.
This implies that the same security issues that affect general IT systems will increasingly impact process automation systems and therefore requires same level of development maturity to ensure that security requirements are fully specified and built into the systems.
Typical challenges: Lack of skilled personnel or service providers to specify security requirements, configure and manage systems. Legacy ICS equipment that cannot be secured.
It can be hard to differentiate system failures from behaviour under attack. Therefore it is important to identify monitoring options for the system to be secured and as far as possible establish a baseline of 'normal' behaviour. [More details on how you could do this]
Indications: Any commercial or government organisation operating industrial automation equipment- typical applications are process control for production lines, transport infrastructure, energy, emergency services, shipping, heathcare, water. This pattern should apply in the majority of cases given the cost of securing versus the cost of the equipment and impact from process downtime.
Contra-indications: Low impact if the automated process does not operate within specified tolerance levels. Very low availability requirements for processes. Certainty that system is isolated with strong logical and physical access controls. First generation panel based equipment that has no network connectivity or use of COTS software.
Resistance against threats: Infection by malicious code (Recent attacks have placed a shim around the DLL used on the SCADA PC to communicate to controllers). Compromise to integrity or availability of environment that disrupts industrial process or damages equipment.
New York Times article on Stuxnet
Siemens Automation and Control link
Profibus fieldbus controller information
OPC foundation- Open Connectivity for Industrial Automation
Symantec analysis of StuxNet infection process
Homeland Security Analysis on control system security
Example Control System Vulnerability report for Simatic WinCC from National Vulnerability Database (NVD)
HMK Direct Industrial automation security specialists
Related patterns: Any other OSA patterns that are relevant...TBC.
Classification: Industry sector: Manufacturing, Industrial Process Automation
Authors: James Pearce, Russell Wing
Reviewer(s): Tobias Christen
AC-03 Access Enforcement
AC-06 Least Privilege
AC-17 Remote Access
AC-18 Wireless Access Restrictions
AU-02 Auditable Events
CA-02 Security Assessments
CA-07 Continuous Monitoring
CM-02 Baseline Configuration
CM-03 Configuration Change Control
CM-05 Access Restrictions For Change
CM-07 Least Functionality
CP-02 Contingency Plan
CP-09 Information System Backup
CP-10 Information System Recovery And Reconstitution
IA-02 User Identification And Authentication
IA-03 Device Identification And Authentication
IR-02 Incident Response Training
IR-04 Incident Handling
IR-05 Incident Monitoring
IR-07 Incident Response Assistance
MA-02 Controlled Maintenance
MA-04 Remote Maintenance
PE-03 Physical Access Control
PE-04 Access Control For Transmission Medium
PE-06 Monitoring Physical Access
RA-03 Risk Assessment
RA-05 Vulnerability Scanning
SC-07 Boundary Protection
SC-08 Transmission Integrity
SC-09 Transmission Confidentiality
SC-23 Session Authenticity
SI-02 Flaw Remediation
SI-03 Malicious Code Protection
SI-05 Security Alerts And Advisories