Control Systems (DCS/SCADA/PLC/SIS) are part of the critical infrastructure of any large industrial facility. Disruptions in these systems can therefore cause undesirable incidents that may not only affect the concerned industrial plant, but also impact people and the environment adversely. Hence cybersecurity of these systems should be the concern of all stakeholders associated with these systems. Note that similar systems exist outside of your typical industrial plant or facility too, such as SCADA systems for municipal water supply and sewage networks or for electric supply grids, railway signalling systems and so on. Hence it may not be in the purview of just companies, at some places it may even involve the government and other bodies such as municipal authorities.
However in Abhisam's conversations with a few of these stakeholders (engineering managers, plant managers, control system engineers, safety professionals et al), we realized that there are quite a few myths out there about Industrial Cybersecurity. This is an attempt to dispel some of those. (These are not the only ones, but these are the most common ones)
You can either watch the video below that explains these myths briefly, or go ahead and read the entire Industrial Cyber security White paper below.
Myth 1: My Control system (DCS/SCADA/PLC/SIS) is not connected to the internet, so I need not bother about Cybersecurity
Nothing could be further from the truth. This is because it is not necessary for your industrial control system, to be directly connected to the internet in order to be vulnerable. For example, Stuxnet, the infamous malware that affected a lot of Siemens make control systems, was spread mainly via USB flash drives and not through the internet. The Polish Lodtz tram network was hacked into by a bright teenager who had modified his TV remote (!), to change track points and caused a couple of trams to derail. Luckily there were reportedly no fatalities in that case.Note that the signalling system was NOT connected to the internet. The Maroochy wastewater SCADA (in Australia), was hacked into directly via a wireless device that was used to configure the system. It was not via the Internet.
One more way of getting malicious software into the system is via a PLC configurator or an engineering PC/notebook, that is directly connected to your industrial controller. Most user industries these days outsource the maintenance as well as the design and engineering part of these systems to automation vendors or their system integrators, who typically directly connect their configuration computer to the controller. If this computer has a malware targeted towards your system, it is a guaranteed way to get easily infected. It is thought that a few infections of Stuxnet happened this way. Another way is if your System is connected in some way to your company’s Business System, for reporting or other purposes. If the design of the system is not proper, then the malware that has gotten into your business system can sneak into your Control System very easily. These are just some of the ways that malicious code can find its way into an Industrial Control System.
Do you check the devices that are connected by contractors, vendors or system integrators to your control system as shown above?
You may also have to implement perimeter level security to limit access to Control Rooms, Marshalling panels and racks, even wireless instruments, that may be close to the outer perimeter. This is especially important during shutdowns, or plant startups and commissioning activities, when a large number of outsiders such as contractors and vendors are required to regularly be physically present in the plant.
Myth 2: Industrial Control System Cybersecurity is the same as any IT cybersecurity, so it is the IT department’s baby.
IT cybersecurity that is referred to here, typically deals with business systems, such as ERP, Inventory, Accounting, Reporting and other such systems. The characteristics of these systems are completely different from those of Control Systems. Even a second’s difference in response time from a Control System could be unacceptable, whereas a slower ERP system could be at worst an irritant. Even the way vulnerability testing is done, differs. A mere enumeration of the network or use of a port scanning tool will not cause any harm to a business IT system, but it may well crash a Control System. Same is the case with patches and updates. The GUI software is from control system vendors, whose update cycle is less frequent that those from IT OS vendors. The latest OS patch may simply not be useful at best, or at worst, actually shut down your Control System!
Myth 3: Cybersecurity attacks cannot cause physical harm to plants/people/environment
Not true. For example in the case of the incident of the Maroochy Shire wastewater treatment plant in Queensland, Australia a disgruntled ex-employee of a contractor could access the SCADA remotely and cause millions of liters of sewage water to contaminate creeks, parks and even a five star hotel’s premises, causing extensive damage and cleanup. In the Lodtz tram case, there were two incidents of trams getting derailed and bumping into each other, but luckily nobody got hurt or injured.
There have been other incidents as well, however victims rarely make a noise about it, as these may point to lapses and individuals and organizations responsible for them may be questioned or punished. Also they do not want to give ideas to potential malicious agents. So the fact that you do not hear about it, does not mean that incidents do not happen, not all of them get reported and the ones that do, have a low profile.
Really speaking, the fact that these incidents can do damage in the real, physical world is what should be worrisome. For example, if there are some incidents of breach of customer data, or passwords to banking systems getting hacked- the worst thing that can happen is the loss of money (which may be compensated by the authorities or insurance companies or the banks themselves) but if industrial systems get attacked one can have real consequences which can be really bad such as toxic releases, or damage to infrastructure. Do not get me wrong here, I certainly would not want to lose my money due to such an incident. I do not intend to say that other business IT or banking/financial IT related cybersecurity is less important, my intention is only to highlight that industrial cybersecurity incidents have the potential to cause real physical and environmental disasters and damage that may not be easily mitigated, once it occurs.
Myth 4: All I need to do to ensure cybersecurity for my Control System to install a firewall and antivirus software
Installation of a firewall at the front of the Control System network and antivirus software (typically on the Operator Stations or Engineering Stations that may be Windows or Unix based) is a necessary but not sufficient condition to secure your system. For example, the most recent Havex RAT malware (with closely related versions that have been called by other exotic names such as Dragonfly, Energetic Bear and others) were spread by an infection in the Control System vendor’s websites! These websites (that were used by the customers to download the latest versions of the SCADA software) were themselves compromised and the customer’s control systems ended up downloading and installing these compromised versions in the customer’s systems. There was no way that a Firewall or standard Antivirus software could have prevented it. This is because presumably the vendor’s website, as well as the software, must have been whitelisted and hence downloads from this website could happen unhindered, without causing any suspicion.
Myth 5: Bah! If the problem is getting bad, I will simply hire somebody to fix it for me.
Not so easy. IT Cybersecurity is a discrete skillset by itself and Control System knowledge is another discrete skillset. There are very few people out there, who know both domains well. See a rough sketch above that explains this problem.
Therefore building up expertise and knowledge inhouse (via appropriate training) should be a priority. You should start educating your IT sys admins about Control Systems and your Control Systems personnel about IT security. This knowledge need not be expert level knowledge, but it should be at least enough to secure your Control Systems from the most basic attacks. Also, it will be helpful to have this knowledge of cybersecurity aspects, when you start writing that new specification for the new Control System that you intend to buy for the next project.
Note: The original version of this white paper was published by Abhisam on LinkedIn's Pulse network. Authorship & Rights of both is with Abhisam.
We value your Privacy. We do not reveal your data to third parties.
Our HAZOP e-learning course is the only course on the market that covers everything including Computer HAZOP (CHAZOP). Get it today, to get certified!