
NGP&E. There has been a focus of media attention on security risks associated with control systems, including last year's video release by the Department of Homeland Security. Is there a credible threat against control systems or is this a case of media hype?
LS. While some of the media hype has been just that, there is a real threat to control systems operating today. Changes in the requirements placed on control systems to meet modern business needs expose them to greater risks than in the past. The use of commodity hardware and software to lower costs and ease maintenance burdens adds to this risk. In the past, an attacker had to go to some effort to learn about a specific control system. Commercial operating systems and common hardware platforms change this dynamic, giving an attacker the opportunity to refine their attacks with far less risk. The effect of these shifts can be seen in the rise of presentations on control system vulnerabilities at security conferences like BlackHat and DefCon. Researchers can experiment on control system technologies far more easily than ever before, and that means that the bad guys can too.
This isn't entirely negative; it means a greater number of security professionals can work towards improving the security of control systems. Vendors and asset owners that are open to working with independent groups can harness more diverse talents than they could hope to maintain in-house, leading to a significantly more secure range of products on the market.
NGP&E. As executives continue to be confronted with different types of security threats ranging from social engineering to powerful malware, what types of threats are considered to be most significant to control system operators today?
LS. Only in the last five years have groups begun to collect detailed information on the different types of threats affecting control systems. To some extent, the lack of information was due to a lower level of awareness regarding the security risks associated with control systems. Detection of attacks or reconnaissance was also very difficult due to the complex and proprietary system architectures, as well as a general lack of reliable and powerful detection systems. All of these factors are changing, providing an opportunity to build up knowledge.
The information gathered strongly indicates that the greatest risks stem from accidental or malicious acts by insiders, and attacks by remote attackers who have gained access to the control system network. Both of these threat vectors focus on the area within the security perimeter and avoid many of the standard defenses. This necessitates a different kind of approach to security, particularly that it can't be simply bought and installed. The type of security required to protect against these classes of threats is built through a combination of control system design and strong discipline by the owner-operators.
NGP&E. Even with the limited information regarding threats to control systems, there doesn't seem to have been a significant improvement in the overall security situation. Why aren't we seeing the type of rapid security buildup that was seen in the IT sector in the 1990s? Even large companies are credited with dramatic security improvements in a single product iteration.
LS. Control system design has changed dramatically since security became a more significant concern. Unlike many application vendors, control system users have much greater restrictions on the speed with which they can take on updates. A typical IT group will maintain a given operating system and server platform for roughly five years, after which it will be upgraded to a newer platform. Control systems typically upgrade, on average, every ten years, resulting in a far slower response to new technologies and requirements. Once a decision is made to upgrade a control system, the actual deployment can take up to two years in order to ensure that the transition is safe and stable. If an email server upgrade fails, a company can lose money, but a failure in the upgrade of a control system can result in the loss of overall production, their raison d’être, if you will; and most companies are inherently conservative in their approach as a result.
Also, the complexity of control systems contributes to the time needed to integrate advanced security technologies. To maintain compatibility with an increasingly legacy infrastructure, control systems encompass extensive codebases which can rival some operating systems. Take communications with end devices as an example: an IT software programmer can assume that they will use a standard protocol such as TCP/IP. A control system communicating with a field device must be able to adapt to use one of more than 500 individual protocols. That's a significant hurdle to overcome, though numerous groups are working on just that, including the DNP3 working group.
NGP&E. Now that threats are being identified, what is it going to take before control systems can once again be considered secure? Will the industry ever get back to when new control system vulnerabilities weren't being introduced every few weeks?
LS. It's important to note that the vendor has already dealt with most of the vulnerabilities being announced. Business requirements have evolved, introducing greater levels of complexity, and it’s unlikely that companies are going to require less real-time data.
Sun Tzu said that a key element in achieving victory was to know your enemy and to know yourself. The first road to regaining confidence in our ability to effectively mitigate and respond to security threats is to understand those threats. The control systems industry is well down this path and is continuing to learn. Effort is being directed at understanding how those threats interact with control systems – something which has received little attention in the past. Vendors and asset owners are looking inward at their own technologies and are beginning to actively test their systems in the face of malicious activity, rather than focusing only on functionality and stability. This shift is significant, as it requires entirely different skills and changes the dynamic of the quality assurance process, but it is critical.
NGP&E. Given the complexity of the systems we've talked about, just how much information really exists detailing the extent to which they're vulnerable? How much testing has really been done?
LS. The amount of information available varies from vendor to vendor. There isn't an industry-wide mandate to support a specific level of vulnerability testing or security testing against control systems, nor is there an easy way to establish something like that. It is a judgment call for each vendor as to how much security testing is considered enough.
Various efforts are working to help get a better overall idea, the most notable being the National SCADA Test Bed at the Idaho National Lab, run by the Department of Energy. They're taking the security expertise of their own cyber researchers and working with vendors to look at potential security risks in control system designs. Through this program, the US government can develop a body of knowledge about the state of security in the industry and pass sanitized data out to support new development. This type of effort is critical in that it provides smaller vendors who cannot support their own full-time security test teams with access to skilled experts. The guidance that comes from working with the National SCADA Test Bed has the potential to be the difference between a reasonably secure product and a technology that will place critical infrastructure at risk.
Beyond broad government programs, private audit companies are beginning to specialize in assessing control systems. Contracted by both asset-owners and vendors, they can bring strong skills and experience to the table to validate security objectives. Particularly for asset owners, private audit companies can give them the ability to test statements made by control system vendors to ensure that the security measures implemented behave as intended. This acts as a safety, helping to confirm that installation or configuration hasn't undermined the security built into a product.
NGP&E. What types of technologies and procedures are vendors putting into place to meet current threats and prepare for future ones? Is there a common thread or is it vendor-specific?
LS. Most vendors and asset owners seem to be on the track when it comes to putting defences in place. There are differences in terms of where energy is being spent between vendors, based on their perception of where they can get the best security for their investment. The shift towards commodity platforms and standard IT hardware has also led to the use of commodity security products. Many of the tools typically found in the enterprise IT arsenal are being tested and deployed in the control systems area as well. This comprises the first of today's defences – technological solutions.
There is also a strong move among vendors to develop best practices for security as it applies to each of their core products. These recommendations usually draw heavily on material prepared by government or academia, but are adapted to take advantage of the strengths of each product while mitigating any weaknesses specific to that vendor's tools. With applications as complex as control systems, it is important that vendors provide guidance to users as to how they can safely secure their environments.
Process and procedure is the third core focus today, and it largely falls on the end-user. No matter how advanced the technology and how thorough the documentation, there will be little benefit if it's not used correctly. End-users must commit to reading logs, hiring security analysts to review intrusion detection data, and developing procedures to ensure that their own employees as well as any contractors who are given access to the control system follow the recommended security procedures. Without a high level of discipline at the operational level, no control system can be considered secure.
NGP&E. With the defensive components of a security strategy coming together, what comes next? Is there an offensive component to control system security?
LS. As an industry, we still have a fair ways to go before we can claim to have a handle on defending control systems against threats. The threats are always evolving as well, making a statement like that only temporary. That being said, the control systems industry, along with IT, is looking towards the next generation of security technologies.
Technology is already moving from a passive defense to a more active defense, with Intrusion Prevention Systems and intelligent Network Access Prevention applications responding to threats far faster than a human analyst could. These technologies are generally not yet well enough understood for integration into control system environments, but they will be in time. Adopting new technologies for a high-uptime, critical infrastructure platform is always about risk. A new tool will only be integrated when the risk of adoption is outweighed by the risk of not having the benefits of the tool. Sometimes this is a rapid process; however, asset owners and control system vendors are cautious when a device can impact safe operations as many of these technologies can.
Looking towards the future, I think that there may be some scope for a 'response' capability. The form it takes could range from a rapid forensic response, tracking a potential attacker aggressively, to responding with a disabling attack of its own. When considering this type of behaviour, it is important to remember that more than technical issues are at stake. National and international laws also come into play, as do the risks of escalating an attack by responding. Using an overt response capability, an attacker could poke targets until they found one that responded offensively, thereby identifying itself as a high value asset. All of these factors must be carefully considered if a response-capability is to be investigated.
NGP&E. There are many successes and challenges affecting today’s control systems. In closing, what else is prominent to the upkeep of security in critical infrastructure around the world?
LS. A decade ago we wouldn't have been having this discussion. People weren't questioning the security of their national infrastructures and most vendors and asset owners had a very basic perception of the risks facing their installations. Since that time, this industry has demonstrated an amazing ability to respond to threats as they became apparent. New products were developed with security as a core objective. Technologies were tested and adopted, and extensive procedural and operational changes were put into place. This has been done without significantly impacting the safety and stability of the existing infrastructure, which was paramount.
This effort has only been the first stage, however, and the next decade will see the security of control systems continue to improve rapidly. The industry began this process with a small cadre of security experts and very basic security practices. Much time was spent expanding capabilities and it has only been in the last few years that the security groups within vendors and asset owners have been able to focus aggressively on reducing vulnerability and decreasing risk. This work will continue to pay off into the future, leading to a critical infrastructure base that is both secure and maintainable. Vendors and asset owners are committed to security and have ensured that it remains a top priority.
About the company
Telvent Energy is a provider of real-time IT solutions to better manage energy delivery efficiency. Telvent offers measurement, control systems and services that help manage critical infrastructures and data through highly available and secure solutions in three primary areas: electricity, oil and gas.