New SCADA Security Reality: Assume a Security Breach

Earlier this month I came across a great article called “The new paradigm for utility information security: assume your security system has already been breached” by Ernie Hayden of Verizon’s Global Energy & Utility Practice.  I highly recommend you read it, for the reasons I explain in this blog post.

 

In the article Hayden describes how the mindset of cyber security professionals is typically one of “The Fortress”, or what I refer to as “The Bastion Model”.  That is, an assumption that cyber threats are outside a perimeter and need to be blocked from entry by physical and technology barriers, such as secure premises and firewalls.

 A Case where "The Fortress" Failed

A classic example of this mentality and its limitations in the SCADA security field was shown by the Davis-Besse Nuclear Power Plant incident in 2003.  The plant was infected with the MS SQL 'Slammer' worm which caused a traffic overload on the site network. As a result, the Safety Parameter Display System (SPDS) was inaccessible for almost 5 hours, and the plant process computer was inaccessible for over 6 hours.

The incident investigation showed that a firewall was in place to isolate the control network from the enterprise network.  However, there was a T1 wide area network connection from a software consulting firm that entered the control network behind the firewall, bypassing all the access control policies enforced by the firewall. The worm initially infected the consultant's server and then was able to enter the Davis-Besse control network through this T1 line.

Certainly, the consultant does deserve part of the blame in this incident. But as I discussed in an earlier post, “#1 ICS and SCADA Security Myth: Protection by Air Gap," US Department of Homeland Security vulnerability assessments show an average of 11 direct connections between the control network and the enterprise network.

Thus, even if you catch Consultant A with his T1 link, you are almost certain to have missed Consultant B, Engineer C, Technician D and Supplier E, with their laptops, USB keys, CDs and serial modems. No matter how careful you are, the odds are that eventually something nasty will sneak through to your control network. At that point, you need to be prepared with something more than “Well we have a firewall…”

Bottom line: the Fortress approach to SCADA security is unlikely to be effective today.

Assume Security System Breach

In Hayden’s article he documents several major organizations that have moved beyond the pure Fortress approach to an “assume a security breach” approach, including the U.S. National Security Agency (NSA).  Now, this is quite a change and it is not easy to do.

At a recent automation vendor’s user conference, I noticed that many attendees had just made the realization that cyber security is a problem they need to address.  Their knowledge of what to do about this “new” issue was not very high, and reflects the state of the nation amongst many controls engineers.

For an organization to go from a low level of industrial cyber security practices, to the level of “assuming a security breach” is a very challenging journey.

My message to ICS and SCADA operators is this: you need to do two things about cyber security to make your plant safer and more reliable:

  1. Learn about and start implementing defense-in-depth strategies so you have a process to contain an infection or breach.  The ANSI/ISA-99 and IEC-62443 standards are a good place to start.
  2. Be a change agent in your organization.  Start the ball rolling to develop the 10 Key Practices that Hayden mentions for dealing with security system breaches.

Unfortunately, given the increase in ICS product vulnerability announcements over the last year, it is necessary to move forward on both basic and advanced cyber security initiatives at the same time.

Being organizationally ready for “assuming an infection” is not easy. However, it is a pragmatic strategy, one that takes both the realities of humans and modern control systems into consideration.  The challenge for the controls professional is to apply it in ways that are efficient.

In future articles, we will talk about ways to improve SCADA and ICS Security using techniques that are cost effective, simple and reliable.

Related Content to Download

PDF "Building Intrinsically Secure Control and Safety Systems Using ANSI/ISA99 Security Standards for Improved Security and Reliability"

Related Links

Tofinosecurity.com resources re: Cyber Security Standards

 

RSS Feed Subscribe to the "Practical SCADA Security" news feed

Comments

3

Very interesting blog post!
I've done a follow-up post about monitoring ICS network:
http://www.netresec.com/?page=Blog&month=2011-08&post=Monitor-those-Cont...

Are there any plans to introduce the ability to capture network traffic to disk in the Tofino FW?

Actually Tofino can do that now. We use it as a utility for both troubleshooting client networks and to send traffic traces to third party analysis tools. Call Scott if you want more details.

Very interesting!! The best way to ensure the security is to use a scada system that support UDP sender protocol and have separated nets with media converters or data diodes.
Take a look to this document. These are the most useful systems in nuclear power plants:
http://www.fileden.com/files/2012/8/24/3340288/MarketResearch.pdf

Add new comment