http://manufacturing.net/article/CA6420702.html

By Peter Cleaveland
Technical Editor, PD&D
Manufacturing.Net
March 5, 2007

September 11, 2001 brought the vulnerability of the United States into sharp focus, yet it was not the first terrorist attack on our shores. The World Trade Center itself had been bombed in 1993, and home-grown terrorists had blown up the Murrah Federal Building in 1995. Then in June of 2004, the CBS News program 60 Minutes showed reporters walking unchallenged into facilities storing chlorine, anhydrous ammonia and boron trifluoride. The public began to realize that the casualty count from an attack on one of these could dwarf those of both Oklahoma City and 9/11.

Cyber attacks have also proliferated, many of them against SCADA (supervisory control and data acquisition) systems. In 2004 US-CERT, the United States Computer Emergency Readiness Team, stopped reporting statistics for attacks on SCADA systems, saying increased use of automated attack tools had made any such counts meaningless. Attacks from 1988 to 2003 totaled 319,992, with 137,529 counted in 2003 alone.

Where Are We Now?

It is difficult to obtain an accurate count of attacks on industrial facilities. Incidents are reported in the press from time to time, and there are databases listing attacks, but, says Marilyn Guhr, senior marketing manager in Honeywell's Lifecycle Services group, "We think that only about ten percent or so of the incidents, maybe less than that, ever get reported."

While the threat is real, U.S. companies have made substantial progress in bolstering their defenses. For example all member companies of the American Chemistry Council (ACC) are required, as a condition of membership, to comply with the ACC's Responsible Care Security Code of Management Practices, which begins with a thorough vulnerability assessment.
The program, says Ted Cromwell, ACC's senior director of security and operations, was developed with the aid of Sandia Labs and the Center for Chemical Process Safety, and was put together through nationally-accredited programs. But there is a limit to what ACC can do. While its members have 85 percent of the nation's chemical production capacity, says Cromwell, there are another 15,000 to 20,000 sites outside ACC's purview that fall under the Department of Homeland Security's classification as chemical facilities. These could range from a local paint store to a warehouse full of solvents or pesticides.

The first step to security is to find out where you are: get an assessment done. Some control system vendors provide services that can be tailored to the individual plant. According to Henry Malo, SureService business development manager, Emerson Process Control, "Calling a third party organization such as us, that is familiar with the DCS, can quickly bring clarity as to where there are potential issues and where there are best practices." "The service," he continues, "can document that and facilitate the company understanding their baseline of where they are, and the things they can do to mitigate risk."

Physical Attacks

The 60 Minutes report showed how easy it would be to walk through an unlocked gate or drive a truck through a fence to cause a large-scale chemical release, but the defenses against that vary. In Texas, says ACC's Cromwell, it may be half a mile from the gate to the actual process equipment, while in a crowded state like New Jersey there may be process equipment just 15 feet from the perimeter fence. In a lowland area with drainage ditches, it might be possible to configure those drainage ditches to block a bomb-laden truck, while in New Jersey, a mechanical arrangement or concrete barrier might be needed.

Attacks don't have to come from the outside.
Just because someone wears a hard hat and shoes and goes in the contractors' entrance doesn't mean he belongs there. Employee screening, badges, and employees trained to step up and question people who don't seem to be in the right place can go a long way.

Cyber Attacks

Idaho National Laboratories likens cyber security to an arms race. Over time the attackers change, their techniques and motivations change and their knowledge and understanding changes. On the defender (your) side, new vulnerabilities are constantly discovered and the technologies of the defended systems, and the system knowledge, must change as well. Figure 1 is a graphic representation of the range of threats and of necessary responses.

The most obvious way to prevent an attack on a control system would seem to be to have no connection between the plant control network and the outside world. An air gap between the two leaves no path for intrusion. But a connection is usually necessary, either for remote monitoring, notifying plant personnel of upsets, or connecting to a remote maintenance or database service. If such a connection isn't provided intentionally it may appear by itself, as plant personnel install local modems or wireless links without the knowledge of the people in charge of plant security. There are tools available to detect so-called rogue wireless LAN users, and they should be used on a regular basis.

Any connection between the corporate network and the control network must be designed with care. At a minimum, there should be a firewall between the two, although a poorly-designed system may give the illusion of safety without providing it. Firewalls take a number of forms, both software-based and hardware-based. Software firewalls are available from firms like Symantec, and there is a firewall built into Windows XP. Hardware firewalls may be stand-alone units or be included in routers.
As pointed out in the Emerson Process Control white paper, Best Practices for DeltaV Cyber-Security, "The firewall should be set up to allow only specific users to access the system and to block access through any ports not specifically needed to support the [control system] connections to the outside LAN. Specifically, port 80 for the Internet and all/any ports that would allow e-mail access must be closed or blocked."

Firewalls come in several flavors, according to NIST Publication 800-82 - Guide to Supervisory Control and Data Acquisition and Industrial Control Systems Security. Packet filtering, the simplest, checks basic information in each packet against a set of rules. The application-proxy gateway examines packets at the application layer and filters traffic based on specific application rules, such as specified applications.

Additional security can be gained by establishing a so-called Demilitarized Zone (DMZ), a separate network segment that connects directly to the firewall. The DMZ can contain things like the data historian, the wireless access point, or remote and third party access systems. One way to do this is to run all connections through a workstation.

Many security breaches are caused by sheer carelessness. "One of the biggest issues," says Bob Huba, senior product manager, DeltaV at Emerson Process Control, "is keeping users from bringing in portable media like floppy disks and memory sticks to download MP3s so they can listen to them, or download a game so they can play, and in the meantime infect your system." Some facilities allow employees to connect laptops to the corporate LAN, but when disconnected and used elsewhere, such a laptop can become infected with malware, which is then introduced when the user re-connects to the LAN.
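
Added example (not part of the article or the Emerson white paper): a short Python check of corporate-to-control firewall rules against the white paper guidance quoted above. The rule format, addresses and needed-port list are constructed assumptions, and "specific users" is approximated here as single source hosts.

```python
from ipaddress import ip_network

# Port 80 is named on the page; the others are the standard e-mail ports.
FORBIDDEN = {80: "HTTP", 25: "SMTP", 110: "POP3", 143: "IMAP",
             465: "SMTPS", 587: "mail submission", 993: "IMAPS", 995: "POP3S"}
NEEDED_PORTS = {4840}  # assumption: the one service this connection must carry

# Constructed rulesets, evaluated top-down (first match wins).
WEAK_RULES = [
    {"action": "allow", "src": "10.20.0.15/32", "dport": 4840},
    {"action": "allow", "src": "10.20.0.0/16", "dport": 80},
    {"action": "allow", "src": "0.0.0.0/0", "dport": 3389},
    {"action": "allow", "src": "10.20.0.22/32", "dport": "any"},
]
HARDENED_RULES = [
    {"action": "allow", "src": "10.20.0.15/32", "dport": 4840},
    {"action": "deny", "src": "0.0.0.0/0", "dport": "any"},
]

def audit(rules, needed_ports):
    """Return (rule index, finding) pairs for rules that break the guidance."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue
        # "Allow only specific users": the source must be one host, not a range.
        if ip_network(rule["src"]).num_addresses > 1:
            findings.append((i, "source is a range, not a specific host"))
        port = rule["dport"]
        if port == "any":
            findings.append((i, "opens every port"))
        elif port in FORBIDDEN:
            findings.append((i, f"port {port} ({FORBIDDEN[port]}) must be blocked"))
        elif port not in needed_ports:
            findings.append((i, f"port {port} is not on the needed list"))
    # Anything not explicitly allowed has to fall through to a final deny-all.
    last = rules[-1] if rules else None
    if not last or (last["action"], last["src"], last["dport"]) != ("deny", "0.0.0.0/0", "any"):
        findings.append((len(rules), "no final deny-all rule"))
    return findings

if __name__ == "__main__":
    for index, finding in audit(WEAK_RULES, NEEDED_PORTS):
        print(f"rule {index}: {finding}")
    print("hardened findings:", audit(HARDENED_RULES, NEEDED_PORTS))
```
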

One might think that the security measures used by the company's IT department would be sufficient, but a control network and a corporate network are used differently, have different priorities, and are maintained differently, which means that normal IT security measures may not be applicable to the control network, and may actually degrade or disable it. "The IT department's priorities," says Huba, "are confidentiality, availability and integrity in that order. In our world, it's the opposite. Availability is most important, integrity is important, and confidentiality tends not to be a big issue."

Selling It To Management

Some corporate types resist spending anything that doesn't have an ROI attached. "If I'm a control systems manager, trying to put forward a project that will increase the security of my control systems," says Marty Edwards, industry liaison lead for control system security program, Idaho National Labs, "how do I put that into a business case or an ROI type of conversation that I can have with my upper management so I can secure budgetary funding?" The answer, suggests Ric Kucharyson, senior marketing manager for Honeywell Process Solutions Migrations and Expansion Solutions group, is to ask yourself one simple, yet important question: "What if this particular asset got hit at some level of criticality, and what would it cost if that damage did occur?"

Helping Hands

Perhaps the first place to look for assistance is the vendor of your plant's control system. Many control system vendors, including Invensys Process Systems, Emerson Process Control and Honeywell Process Solutions provide security services, beginning with vulnerability assessments and extending to match whatever type of program the plant may need.

-=-

Acknowledgements: Ted Cromwell, senior director of security and operations, American Chemistry Council; Bob Huba, senior product manager, DeltaV, and Henry Malo, SureService business development manager, both at Emerson Process Control; Ric Kucharyson, senior marketing manager for Honeywell Process Solutions Migrations and Expansion Solutions Group; Marilyn Guhr, senior marketing manager in Honeywell's Lifecycle Services Group; Marty Edwards, industry liaison lead for control system security program at Idaho National Labs; and Ernie Rakaczky, program manager for cyber security and Doug Clifton, senior solutions architect, both of Invensys Process Systems.

Copyright 2007 Advantage Business Media. All rights reserved.