The dynamics of information security in industrial control systems

5 10 2011

by Zeal P. Somani

Anyone who followed news last summer would agree that one of the biggest cyber-attacks in recent times to shock the information security community was the malware [i]“Stuxnet” that affected Siemens controls systems running on Microsoft Windows. It was first of its kind to target an industrial control system and compromise a PLC (Programmable Logic Controller)- a programmable device controlling different critical processes – pressure valves, water levels, temperature controls in an industrial environment. It exploited 4 zero-day Windows vulnerabilities. Hence a paradigm shift in information security in critical infrastructures can be concluded.

Risk Drivers

Briefly introducing- Industrial control systems (ICS) or SCADA(Supervisory Control And Data Acquisition) Systems are core to major critical infrastructures of within a country like Energy systems- nuclear/coal/renewable power plants, power grids, Oil/Gas- pipelines, rigs, extraction facilities,  Manufacturing and Production, Metals and mining. These systems have undergone a massive change in their design and the way they communicate in this past decade. To support real time needs of business and with the rise of eCommerce they are largely integrated with Enterprise IT systems e.g. the amount of oil extracted in is fed in real time to the marketing department in an Oil/Gas majors in exploration, production and marketing of crude oil. With the rise of modern IT and pervasive business needs, these systems are not spared from infected portable devices- USB, disk, hard drives etc. They are no longer sacrosanct so the concept of “security through obscurity” no longer applies.

C.I.A  vs  A.I.C-

One of the biggest challenges with ICS is that the CIA(Confidentiality, Integrity, Availability) triad gets inversed. Because the goals of these systems are to keep the critical process available for its uptime. Unfortunately very few IT and IT security folks understand this difference and hence end up failing to secure these systems. For e.g. a Penetration Test on an ICS is a not a good strategy of detective control. It can adversely hamper a critical system making it enter an infinite loop. A good strategy is to have a non –invasive identification and assessment of threats and the resulting risk posture.

Common Vulnerabilities and Attacks

Vulnerability Attack
Legacy Systems unable to integrate physical –logical secured architecture on applications. Systems vulnerable to Viruses, Worms, Malwares, Spywares from portable devices
Industrial Protocols lacking encryption and authentication Eavesdropping, Session Hijacking
Lack of proper segmentation and Defense in Depth Compromised perimeter firewall can leave the entire network compromises
Insecure Database and improperly configured Active Directory SQL injection attacks


Risk Mitigation Framework:

Here I have listed some of the common practices of a sample mitigation framework. This is not exhaustive and it depends on different cases within the industry.

Segmentation and Defense in Depth

One of the first steps is to [ii]segment the network adequately and have a multi layered secured architecture i.e. the SCADA systems polling data from plant is in secure zone 1; it pushes its data to a historian in secure zone 2- a DMZ and the enterprise users in secure zone 3 collect data from DMZ instead of directly connecting to control systems. There could also be a test or a buffer zone between the DMZ and zone 3 to test any software update, patch, new configurations before sending them to live data. In each zone we employ a “defense” mechanism isolated from other zone. This defense could be a technology- e.g. firewall, IPS/IDS(Intrusion Prevention/Detection Systems) or a process

Application White Listing:

Up till now, we focused on black listing the rogue application and programs like viruses and worms. But another approach is to white list i.e. systems runs the programs and applications “whitelisted” for that particular system. This works best for legacy systems and systems which are isolated and remote

Periodic Audits:

Regular audits checks – automated on a tool or manual can prevent many threats from exploiting. These audits are based on industry standards like NERC(North American Electric Reliability Corporation) CIP(Critical Infrastructure Protection) for US grid operators.

[i] “Stuxnet: Fact vs Theory” by Elinor Mils

[ii] “Building a Better Bunker:Securing Energy Control Systems Against Terrorists and Cyberwarriors” –A SANS white paper written by Jonathan Pollet




One response

23 03 2013
The Increasing Threat to Industrial Control Systems/Supervisory Control and Data Acquisition Systems | cmu95752

[…] Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition Systems (SCADA) here and again here in November 2012.  Recently, ICS-CERT has released several bulletins that have […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: