Control system security
From Wikipedia, the free encyclopedia
Control system security, or industrial control system (ICS) cybersecurity, is the prevention of (intentional or unintentional) interference with the proper operation of industrial automation and control systems. These control systems manage essential services including electricity, petroleum production, water, transportation, manufacturing, and communications. They rely on computers, networks, operating systems, applications, and programmable controllers, each of which could contain security vulnerabilities. The 2010 discovery of the Stuxnet worm demonstrated the vulnerability of these systems to cyber incidents.[1] The United States and other governments have passed cyber-security regulations requiring enhanced protection for control systems operating critical infrastructure.
The term industrial control system (ICS)[2] is the most widely recognized and is considered the standard term used to describe control system security. Under industrial control systems there are numerous subgroups. These include SCADA (Supervisory Control and Data Acquisition), DCS (Distributed Control System), and PLC (Programmable Logic Controller) environments.[2][3] The same systems may also be referred to as automation and control systems (ACS),[2] a broader term that is frequently used in the context of engineering and manufacturing.
Development of Control System Security
In the past, industrial control systems (ICS) were kept separate from external networks and used vendor-produced hardware and software. This setup was referred to as an air gap, and it produced a false sense of security, as people believed that the systems were safe from external attacks. As technology progressed, companies started using Ethernet, TCP/IP, and commercial off-the-shelf (COTS) hardware. This connected the control systems, called operational technology (OT), to corporate IT networks, which led to shared security risks.[2]
The 2010 Stuxnet attack was the turning point.[4] Stuxnet was a powerful computer worm that infected Programmable Logic Controllers (PLCs) used in industrial machines. It targeted Iran's nuclear program by secretly changing how the machines were operating and displayed fake normal readings on the screens that were being monitored. This resulted in substantial physical damage and no one noticed it immediately.[3] The attack was monumental and showed that malware was not limited to only stealing data, and could also destroy equipment.
Subgroups of Control Systems
Industrial control systems (ICS) are made up of several subsections that work cohesively. Each group is designated with a specific role; however, they all rely on each other to operate and maintain security. The main categories include Supervisory Control and Data Acquisition (SCADA), Distributed Control Systems (DCS), Programmable Logic Controllers (PLC), and Networked Control Systems (NCS).[2]
Supervisory Control and Data Acquisition (SCADA)
SCADA systems are designed to monitor and control processes on a large scale. This includes processes that are spread over wide geographic areas, such as electric power grids, oil pipelines, or water distribution networks. They gather data in real time from devices such as Remote Terminal Units (RTUs) and PLCs. They then send this information to a central control center where operators can analyze system performance and manage it accordingly. Because SCADA systems rely on continuous communications between remote sites and central servers, they are especially susceptible to cyber threats.
Distributed Control Systems (DCS)
DCSs are used in industrial facilities such as refineries, power plants, and manufacturing sites. Their function is to manage continuous processing from a single location. Multiple controllers are placed throughout the plant and communicate with each other to keep operations running efficiently. These controllers automatically adjust variables such as temperature, pressure, and flow rate so that production stays within safe limits while running at optimal speed. Because all of these controllers are connected through a network, operators can oversee and manage the entire process from a central room. DCSs are often integrated with corporate networks to share data and monitor performance. However, this integration also creates more risk and requires network segmentation to be properly maintained.[3]
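The segmentation requirement described above can be checked against observed traffic. The following is an added example, not part of the original article: it audits flow records against a list of permitted conduits between zones. The zone names, subnets, allowed conduits and sample flows are all constructed assumptions.

```python
import ipaddress

# Constructed zones (assumed addressing, not from the article).
ZONES = {
    "corporate_it": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("10.30.0.0/24"),
}

# Assumed policy: the only permitted conduits, as
# (source zone, destination zone, destination port).
ALLOWED = {
    ("control", "dmz", 443),       # control network pushes data to a DMZ server
    ("corporate_it", "dmz", 443),  # corporate users read that data from the DMZ
}

def zone_of(addr):
    """Map an IP address to its zone name, or 'unknown' if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def audit(flows):
    """Return flows that cross a zone boundary outside an allowed conduit."""
    violations = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz and sz != "unknown":
            continue  # traffic inside one known zone is out of scope here
        if (sz, dz, port) not in ALLOWED:
            violations.append((src, dst, port, f"{sz}->{dz}"))
    return violations

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.30.0.5", "10.30.0.9", 502),      # controller to controller, same zone
    ("10.30.0.5", "10.20.0.10", 443),     # control -> DMZ, permitted conduit
    ("10.10.4.7", "10.20.0.10", 443),     # corporate -> DMZ, permitted conduit
    ("10.10.4.7", "10.30.0.5", 502),      # corporate directly into control zone
    ("198.51.100.8", "10.30.0.5", 3389),  # unzoned address into control zone
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("segmentation violation:", v)
```

Only the last two sample flows are reported, because they reach the control zone without passing through a permitted conduit.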
Programmable Logic Controllers (PLC)
PLCs are specialized industrial computers that control machinery in real time. This includes pumps, valves, conveyor belts, and robotic systems.[2] They begin by reading input data from sensors. They then execute programmed logic based on the data received. Lastly, they produce and send output commands to devices on the plant floor. This process helps industrial systems operate at ideal speeds while maintaining accuracy. Because PLCs have a direct connection to the controls of the physical operations, a cyberattack that targets them can have immediate and dire consequences. If compromised and directed to carry out false commands, a PLC could damage equipment, stop production, or create safety hazards.[2]
Networked Control Systems (NCS)
NCSs are a more recent development, still in the early stages. They use both wired and wireless networks to connect sensors, controllers, and actuators across multiple systems and facilities.[5] This structure makes communication between devices flexible, scalable, and overall more efficient. However, it can also increase the risk of timing delays, opportunities for data manipulation, and synchronization failures from cyberattacks.[5] Research on the topic is ongoing and focuses on developing secure communication protocols and control algorithms that keep systems stable and reliable even if parts of the network are compromised.[5]
SCADA, DCS, PLC, and NCS join together to form a layered architecture that is the backbone of current industrial automation. PLCs control machines and equipment in real time, DCSs coordinate the processes that are occurring within a single plant, SCADA systems monitor and control operations over large regions,[2] and NCSs help these systems communicate with one another efficiently.[5]
Risks
Insecurity of, or vulnerabilities inherent in, automation and control systems (ACS) can lead to severe consequences in categories such as safety, loss of life, personal injury, environmental impact, lost production, equipment damage, information theft, and company image.
Guidance to assess, evaluate and mitigate these potential risks is provided through the application of many governmental, regulatory and industry documents and global standards, addressed below.
Vulnerability of automation and control systems
Automation and Control Systems (ACS) have become far more vulnerable to security incidents due to the following trends.
- Increasing use of Commercial Off-the-Shelf (COTS) technology and protocols. Integration of technology such as MS Windows, SQL, and Ethernet means that these systems may now have the same or similar vulnerabilities as common IT systems.
- Enterprise integration (using plant, corporate and even public networks) means that these (legacy) systems may now be subjected to stresses that they were not designed for.
- Demand for Remote Access - 24x7 access for engineering, operations or technical support increases the attack surface, possibly leading to more insecure or rogue connections.
- Increased awareness and understanding of industrial systems - As more and more people become aware of these systems, the strategy of Security Through Obscurity is no longer viable.
- Although the cyber threats and attack strategies on automation systems are changing rapidly, regulation of industrial control systems for security is rare and is a slow-moving process. The United States, for example, only does so for the nuclear power and the chemical industries.[6]
Government efforts
The U.S. Government Computer Emergency Readiness Team (US-CERT) originally instituted a control systems security program (CSSP), now the National Cybersecurity and Communications Integration Center (NCCIC) Industrial Control Systems, which has made available a large set of free National Institute of Standards and Technology (NIST) standards documents regarding control system security.[7] The U.S. Government Joint Capability Technology Demonstration (JCTD) known as MOSAICS (More Situational Awareness for Industrial Control Systems) is the initial demonstration of cybersecurity defensive capability for critical infrastructure control systems.[8] MOSAICS addresses the Department of Defense (DOD) operational need for cyber defense capabilities to defend from cyber attack the critical infrastructure control systems, such as power, water and wastewater, and safety controls, that affect the physical environment.[9] The MOSAICS JCTD prototype will be shared with commercial industry through Industry Days for further research and development, an approach intended to lead to innovative, game-changing capabilities for cybersecurity for critical infrastructure control systems.[10]
Automation and Control System Cybersecurity Standards
The international standard for cybersecurity of automation and control systems is the IEC 62443. In addition, multiple national organizations such as the NIST and NERC in the USA released guidelines and requirements for cybersecurity in control systems.
IEC 62443
The IEC 62443 cybersecurity standards define processes, techniques and requirements for Industrial Automation and Control Systems (IACS). The IEC 62443 standards and technical reports are organized into four general categories called General, Policies and Procedures, System, Component, Profiles and Evaluation.
- The first category includes foundational information such as concepts, models and terminology.
- The second category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
- The third category includes work products that describe system design guidance and requirements for the secure integration of control systems. Core in this is the zone and conduit design model.
- The fourth category includes work products that describe the specific product development and technical requirements of control system products.
- The fifth category provides profiles for industry-specific cybersecurity requirements according to IEC 62443-1-5.
- The sixth category defines assessment methodologies that ensure that assessment results are consistent and reproducible.
NERC
The most widely recognized and latest NERC security standard is NERC 1300, which is a modification/update of NERC 1200. The latest version of NERC 1300 is called CIP-002-3 through CIP-009-3, with CIP referring to Critical Infrastructure Protection. These standards are used to secure bulk electric systems although NERC has created standards within other areas. The bulk electric system standards also provide network security administration while still supporting best-practice industry processes.
NIST
Although it is not a standard, the NIST Cybersecurity Framework (NIST CSF) provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes. It is intended to help private sector organizations that provide critical infrastructure with guidance on how to protect it.[11]
NIST Special Publication 800-82 Rev. 2 "Guide to Industrial Control System (ICS) Security" describes how to secure multiple types of Industrial Control Systems against cyber attacks while considering the performance, reliability, and safety requirements specific to ICS.[12]
Control system security certifications
Certifications for control system security have been established by several global Certification Bodies. Most of the schemes are based on the IEC 62443 and describe test methods, surveillance audit policy, public documentation policies, and other specific aspects of their program.