[ISN] Protecting Your Facility From Attack

From: InfoSec News (alerts@private)
Date: Mon Mar 05 2007 - 22:34:07 PST


By Peter Cleaveland
Technical Editor, PD&D
March 5, 2007

September 11, 2001 brought the vulnerability of the United States into 
sharp focus, yet it was not the first terrorist attack on our shores. 
The World Trade Center itself had been bombed in 1993, and home-grown 
terrorists had blown up the Murrah Federal Building in 1995. Then in 
June of 2004, the CBS News program 60 Minutes showed reporters walking 
unchallenged into facilities storing chlorine, anhydrous ammonia and 
boron trifluoride. The public began to realize that the casualty count 
from an attack on one of these could dwarf those of both Oklahoma City 
and 9/11.

Cyber attacks have also proliferated, many of them against SCADA 
(supervisory control and data acquisition) systems. In 2004 US-CERT, the 
United States Computer Emergency Readiness Team, stopped reporting 
statistics for attacks on SCADA systems, saying increased use of 
automated attack tools had made any such counts meaningless. Attacks 
from 1988 to 2003 totaled 319,992, with 137,529 counted in 2003 alone.

Where Are We Now?

It is difficult to obtain an accurate count of attacks on industrial 
facilities. Incidents are reported in the press from time to time, and 
there are databases listing attacks, but, says Marilyn Guhr, senior 
marketing manager in Honeywell's Lifecycle Services group, "We think that 
only about ten percent or so of the incidents, maybe less than that, 
ever get reported."

While the threat is real, U.S. companies have made substantial progress 
in bolstering their defenses. For example all member companies of the 
American Chemistry Council (ACC) are required, as a condition of 
membership, to comply with the ACC's Responsible Care Security Code of 
Management Practices, which begins with a thorough vulnerability 

The program, says Ted Cromwell, ACC's senior director of security and 
operations, was developed with the aid of Sandia Labs and the Center for 
Chemical Process Safety, and was put together through 
nationally-accredited programs. But there is a limit to what ACC can do. 
While its members have 85 percent of the nation's chemical production 
capacity, says Cromwell, there are another 15,000 to 20,000 sites 
outside ACC's purview that fall under the Department of Homeland 
Security's classification as chemical facilities. These could range from 
a local paint store to a warehouse full of solvents or pesticides.

The first step to security is to find out where you are: get an 
assessment done. Some control system vendors provide services that can 
be tailored to the individual plant. According to Henry Malo, 
SureService business development manager, Emerson Process Control, 
"Calling a third party organization such as us, that is familiar with the 
DCS, can quickly bring clarity as to where there are potential issues 
and where there are best practices." The service, he continues, "can 
document that and facilitate the company understanding their baseline of 
where they are, and the things they can do to mitigate risk."

Physical Attacks

The 60 Minutes report showed how easy it would be to walk through an 
unlocked gate or drive a truck through a fence to cause a large-scale 
chemical release, but the defenses against that vary. In Texas, says 
ACC's Cromwell, it may be half a mile from the gate to the actual process 
equipment, while in a crowded state like New Jersey there may be process 
equipment just 15 feet from the perimeter fence. In a lowland area with 
drainage ditches, it might be possible to configure those drainage 
ditches to block a bomb-laden truck, while in New Jersey, a mechanical 
arrangement or concrete barrier might be needed.

Attacks don't have to come from the outside. Just because someone wears a 
hard hat and shoes and goes in the contractors' entrance doesn't mean he 
belongs there. Employee screening, badges, and employees trained to step 
up and question people who don't seem to be in the right place can go a 
long way.

Cyber Attacks

Idaho National Laboratories likens cyber security to an arms race. Over 
time the attackers change, their techniques and motivations change and 
their knowledge and understanding changes. On the defender (your) side, 
new vulnerabilities are constantly discovered and the technologies of 
the defended systems, and the system knowledge, must change as well. 
Figure 1 is a graphic representation of the range of threats and of 
necessary responses.

The most obvious way to prevent an attack on a control system would seem 
to be to have no connection between the plant control network and the 
outside world. An air gap between the two leaves no path for intrusion. 
But a connection is usually necessary, either for remote monitoring, 
notifying plant personnel of upsets, or connecting to a remote 
maintenance or database service. If such a connection isn't provided 
intentionally it may appear by itself, as plant personnel install local 
modems or wireless links without the knowledge of the people in charge 
of plant security.

There are tools available to detect so-called rogue wireless LAN users, 
and they should be used on a regular basis. Any connection between the 
corporate network and the control network must be designed with care. At 
a minimum, there should be a firewall between the two, although a 
poorly-designed system may give the illusion of safety without providing 

Firewalls take a number of forms, both software-based and 
hardware-based. Software firewalls are available from firms like 
Symantec, and there is a firewall built into Windows XP. Hardware 
firewalls may be stand-alone units or be included in routers.

As pointed out in the Emerson Process Control white paper, "Best 
Practices for DeltaV Cyber-Security," "The firewall should be set up to 
allow only specific users to access the system and to block access 
through any ports not specifically needed to support the [control 
system] connections to the outside LAN. Specifically, port 80 for the 
Internet and all/any ports that would allow e-mail access must be closed 
or blocked."
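
The guidance quoted above can be checked mechanically against a rule list. The following is an added example, not code from the article or from the Emerson white paper; the rule format, the addresses, port 4840 as the "needed" port, and the choice of 25/110/143 as the e-mail ports are assumptions made for illustration.

```python
# Added example: audit a corporate-to-control firewall rule list against the
# white paper's guidance. Rule format and all sample values are constructed.

WEB_PORTS = {80}             # "port 80 for the Internet" (from the page)
MAIL_PORTS = {25, 110, 143}  # assumption: SMTP, POP3, IMAP as the e-mail ports

def audit(rules, needed_ports):
    """Return (rule index, finding) pairs for a first-match rule list."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "allow":
            continue
        port = r["dport"]
        if r["src"] == "any":
            findings.append((i, "allow rule not limited to specific sources"))
        if port == "any":
            findings.append((i, "allow rule opens every port"))
            continue
        if port in WEB_PORTS:
            findings.append((i, "port 80 (web) is open"))
        elif port in MAIL_PORTS:
            findings.append((i, f"e-mail port {port} is open"))
        elif port not in needed_ports:
            findings.append((i, f"port {port} is not needed by the control system"))
    # Anything not explicitly allowed must be blocked by a final catch-all deny.
    last = rules[-1] if rules else None
    if not last or (last["action"], last["src"], last["dport"]) != ("deny", "any", "any"):
        findings.append((len(rules), "no default-deny rule at the end"))
    return findings

# Constructed ruleset; 10.1.5.20 is a hypothetical historian client and
# 4840 a hypothetical port the control connection needs.
SAMPLE_RULES = [
    {"action": "allow", "src": "10.1.5.20", "dport": 4840},
    {"action": "allow", "src": "any",       "dport": 80},
    {"action": "allow", "src": "10.1.5.31", "dport": 25},
    {"action": "allow", "src": "10.1.5.20", "dport": 3389},
]

if __name__ == "__main__":
    for index, message in audit(SAMPLE_RULES, needed_ports={4840}):
        print(f"rule {index}: {message}")
```
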

Firewalls come in several flavors, according to NIST Publication 800-82 - 
Guide to Supervisory Control and Data Acquisition and Industrial 
Control Systems Security.

Packet filtering, the simplest, checks basic information in each packet 
against a set of rules. The application-proxy gateway examines packets at 
the application layer and filters traffic based on specific application 
rules, such as specified applications.

Additional security can be gained by establishing a so-called 
Demilitarized Zone (DMZ), a separate network segment that connects 
directly to the firewall. The DMZ can contain things like the data 
historian, the wireless access point, or remote and third party access 
systems. One way to do this is to run all connections through a 

Many security breaches are caused by sheer carelessness. "One of the 
biggest issues," says Bob Huba, senior product manager, DeltaV at Emerson 
Process Control, "is keeping users from bringing in portable media like 
floppy disks and memory sticks to download MP3s so they can listen to 
them, or download a game so they can play, and in the meantime infect 
your system."

Some facilities allow employees to connect laptops to the corporate LAN, 
but when disconnected and used elsewhere, such a laptop can become 
infected with malware, which is then introduced when the user 
re-connects to the LAN.

One might think that the security measures used by the company's IT 
department would be sufficient, but a control network and a corporate 
network are used differently, have different priorities, and are 
maintained differently, which means that normal IT security measures may 
not be applicable to the control network, and may actually degrade or 
disable it. "The IT department's priorities," says Huba, "are 
confidentiality, availability and integrity in that order. In our world, 
it's the opposite. Availability is most important, integrity is 
important, and confidentiality tends not to be a big issue."

Selling It To Management

Some corporate types resist spending anything that doesn't have an ROI 
attached. "If I'm a control systems manager, trying to put forward a 
project that will increase the security of my control systems," says 
Marty Edwards, industry liaison lead for control system security 
program, Idaho National Labs, "how do I put that into a business case or 
an ROI type of conversation that I can have with my upper management so 
I can secure budgetary funding?"

The answer, suggests Ric Kucharyson, senior marketing manager for 
Honeywell Process Solutions' Migrations and Expansion Solutions group, is 
to ask yourself one simple, yet important question: "What if this 
particular asset got hit at some level of criticality, and what would it 
cost if that damage did occur?"

Helping Hands

Perhaps the first place to look for assistance is the vendor of your 
plant's control system. Many control system vendors, including Invensys 
Process Systems, Emerson Process Control and Honeywell Process Solutions 
provide security services, beginning with vulnerability assessments and 
extending to match whatever type of program the plant may need.


Acknowledgements: Ted Cromwell, senior director of security and 
operations, American Chemistry Council; Bob Huba, senior product 
manager, DeltaV, and Henry Malo, SureService business development 
manager, both at Emerson Process Control; Ric Kucharyson, senior 
marketing manager for Honeywell Process Solutions' Migrations and 
Expansion Solutions Group; Marilyn Guhr, senior marketing manager in 
Honeywell's Lifecycle Services Group; Marty Edwards, industry liaison 
lead for control system security program at Idaho National Labs; and 
Ernie Rakaczky, program manager for cyber security and Doug Clifton, 
senior solutions architect, both of Invensys Process Systems.

Copyright 2007 Advantage Business Media. All rights reserved.
