Every second, every hour, every day and every month, security researchers around the world discover hundreds and thousands of new worms and viruses attacking the world’s computer systems. Usually, few in supervisory control and data acquisition (SCADA) and process control take notice. In early July 2010, however, a new type of computer worm was discovered that shocked experts in the industrial automation community. This one-of-a-kind worm, known as “Stuxnet”, was designed specifically to attack the Siemens WinCC, PCS7 and STEP7 control systems. Suddenly industrial control systems had moved from an accidental target to the centre of the bull’s-eye. Of course, in one sense this should be no surprise.
Stuxnet was not designed to immediately disrupt operations. Stuxnet infiltrated industrial plants on a USB memory stick, physically bypassing the firewall, and once deployed attacked a previously unknown vulnerability in the Windows operating system. It then sent detailed production information through the Internet to a set of servers in Malaysia. It also provided the attackers with the ability to remotely control the infected process and hide the existence of their changes to the system.
Research shows that, even without a cyber war, an estimated 400–500 cyber security incidents take place each year in Fortune 500 companies in the US alone, and in Europe it is probably worse. In the world of processing industries and automation infrastructures, the Repository of Industrial Security Incidents (RISI), which records cyber security incidents directly affecting SCADA and process control systems, shows the number of incidents increasing by approximately 20% a year over the last decade. The increase in cyber thefts and crimes has moved factory owners in the automation sector to search for security solutions that can protect their assets and prevent potentially significant monetary loss and brand erosion.
Cyber threats are primarily aimed at industrial control systems such as distributed control systems (DCS), programmable logic controllers (PLC), supervisory control and data acquisition (SCADA) systems and human machine interfaces (HMI) through loopholes which can range from unsecured remote access, to inadequate firewalls, to a lack of network segmentation.
Such threats are not a new phenomenon. However, a spate of high-profile attacks over the last decade has brought this issue to centre stage.
Flashback of Cyber Incidents in the Plant Automation Industry
Control systems include distributed control systems (DCS), programmable logic controllers (PLC), supervisory control and data acquisition (SCADA) systems, and related networked-computing systems. Control systems are designed and operated differently than mainstream IT business systems. Traditionally, the emphasis in securing business IT systems is to employ the best practices associated with the well-established “Confidentiality, Integrity, Availability” (CIA) triad model – in that order of importance.
Control systems can no longer rely on security through obscurity. Instead, they need the same protection against network attacks and vulnerabilities that have long plagued enterprise IT systems. Unfortunately, perfect security is unachievable and, even if it were, would be unaffordable. What is required therefore is network security that protects against external threats, while preventing problems that do materialise in one part of the system from spreading to other critical control systems. The solution is security zones.
Based on the ANSI/ISA 99 and (soon to be ratified) IEC 62443 standards, key automation and control devices should be grouped into zones that share common security level requirements. Any communication between these zones must then pass through a conduit, a path that regulates the flow of data between zones to allow them to communicate securely.
Defining the security level of each zone is not easy. At a minimum, ISA 99 requires three levels for security zones: high, medium and low. Each zone will require a security level target (SLT), based on a risk analysis of the plant, taking into account the consequences and likelihood of the range of possible threats.
Equipment in each zone will have a security level capability (SLC). If this is lower than the SLT value, a security technology or policy needs to be added to equalize them.
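The zone and conduit checks described above can be expressed as a small audit script. This is an added example, not part of the original article or of the ISA 99 text; the zone names, devices, flows and the protocol allow-list per conduit are constructed assumptions.

```python
# Assumed ordering of the three levels the text names.
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Constructed sample plant: zone -> security level target (SLT).
ZONE_SLT = {"safety": "high", "control": "medium", "enterprise": "low"}

# Constructed inventory: device -> (zone, security level capability, SLC).
DEVICES = {
    "sis-plc-1": ("safety", "medium"),
    "dcs-ctrl-1": ("control", "medium"),
    "hmi-1": ("control", "low"),
    "erp-srv": ("enterprise", "low"),
}

# Conduits: the only zone pairs allowed to talk, and over which protocols.
# Modelling "regulates the flow" as a protocol allow-list is an assumption.
CONDUITS = {
    frozenset({"control", "safety"}): {"modbus-tcp"},
    frozenset({"enterprise", "control"}): {"opc-ua"},
}

# Constructed observed flows: (source, destination, protocol).
FLOWS = [
    ("hmi-1", "dcs-ctrl-1", "modbus-tcp"),      # same zone
    ("dcs-ctrl-1", "sis-plc-1", "modbus-tcp"),  # approved conduit
    ("erp-srv", "sis-plc-1", "opc-ua"),         # no enterprise<->safety conduit
    ("erp-srv", "hmi-1", "smb"),                # conduit exists, protocol not allowed
]

def slc_gaps(devices, zone_slt):
    """Devices whose SLC is below their zone's SLT, as (name, slc, slt)."""
    return [(name, slc, zone_slt[zone]) for name, (zone, slc) in devices.items()
            if LEVELS[slc] < LEVELS[zone_slt[zone]]]

def conduit_violations(flows, devices, conduits):
    """Inter-zone flows that do not pass through an approved conduit."""
    bad = []
    for src, dst, proto in flows:
        pair = frozenset({devices[src][0], devices[dst][0]})
        if len(pair) == 1:
            continue  # intra-zone traffic does not cross a conduit
        if pair not in conduits:
            bad.append((src, dst, proto, "no conduit between zones"))
        elif proto not in conduits[pair]:
            bad.append((src, dst, proto, "protocol not allowed on conduit"))
    return bad

if __name__ == "__main__":
    print(slc_gaps(DEVICES, ZONE_SLT))
    print(conduit_violations(FLOWS, DEVICES, CONDUITS))
```

Each entry returned by `slc_gaps` marks equipment that needs an added security technology or policy to reach its zone's target; each entry from `conduit_violations` marks traffic that bypasses the zone model.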
The implications of cyber security and the need for a comprehensive security strategy are now being acknowledged by more sections of the industry. This is because the increased number of cyber attacks and the potential disruption they can cause have made security risks now very much part of operational risk. However, apart from uncertainty in the regulatory landscape, the main roadblock is the lack of a clear management policy on cybersecurity within organizations.
One reason that is used to explain this gap is the perception of low ROI on cybersecurity investments. However, it is becoming clearer that as cyber threats become more sophisticated, the impact of a cyber attack can be catastrophic for organizations, governments and the public.
Potential monetary losses for industry are considerable. In the case of critical infrastructure, non-compliance (with increasingly stringent regulation on security) is unlikely to remain an option.
In this context, organizations will be able to make the successful shift toward securing their operations by relying on industrial control solutions providers that treat security as core to their offerings. Of course, it is vital that organizations realize that this is a joint process where vendors and clients need to work together to achieve agreed objectives. That is why one of the critical success factors in raising the bar for cybersecurity in an organization is the level of trust it has in its solutions provider. After all, security is never a one-time project and the process of learning and adapting is ongoing.