Under recent economic conditions, it is understandable that a control-system cyber-security audit is not the top priority for many plant operators. Fewer staff due to layoffs and deferred maintenance can present a clear, tangible threat to operations. Too often, “the imaginary hacker,” discussed in many papers and blogs, is considered a non-credible threat. No matter how many blogs, magazine articles and white papers are written, a real credible threat to a refinery or petrochemical facility from some vague person or organization seems “imaginary” to those controlling plant budgets.
Stuxnet—The structure of cyber-attacks.
Some believed that control-system cyber-security threats would be clearly credible after the 2010 Stuxnet incident. Stuxnet is rogue software; it was created to penetrate and breach Siemens programmable logic controllers (PLCs) in Iran. The rogue software actually infiltrated the system. Stuxnet reached the controllers and modified the programmed control logic. This code was very specific and targeted nuclear-fuel processing. The allegations are that a well-financed organization was responsible for the attack. I recall first reading about this event and thinking “this is no real problem for anyone not making nuclear fuel.” The real threat to the hydrocarbon processing industry (HPI) is negligible.
Later, I learned that the Stuxnet code was completely reverse engineered and, more importantly, posted on hacker websites. Now, these techniques, created with all that engineering effort and funding, were available to every individual or organization that had a web browser. The true problem is that this software/code can now provide “evil groups” the tools to facilitate attacks on any manufacturer’s control/automation products for any application—not just nuclear-fuel processing. All HPI facilities are vulnerable, and it is time to worry.
Control systems—The new market for ‘security researchers.’
Again, control-system cyber-attack risk levels have increased. I read articles describing how many individuals, and even companies, are working to discover the vulnerabilities present in industrial controllers. Since Stuxnet, these researchers have realized that there is a whole new category of potential customers. Some researchers publish, and even present, this information at hackers’ conferences. Others contact the compromised controller manufacturer and offer to sell the vulnerability information. If no sale is made, then they publish and/or present it to the world. In conversations with my IT friends, I understand that this is a normal practice in the personal computer/server world. Finding the attack points within systems is the latest path to fame and glory in the hacker community. Something about this business model is most unethical.
All this news means that the industrial control community is now a target. Gone are the days of flying below the radar of the imaginary hacker. Although the Repository of Industrial Security Incidents (www.risi.org) has recorded hundreds of incidents, few were caused by deliberate malicious hackers. It’s too bad that things have changed. Today, tremendous volumes of information are being published addressing how to cause trouble in process control/automation systems.
Fortunately, a number of very practical defense techniques have also been published. The ISA SP99 zone and conduit concepts, combined with a systems-level audit, are a simple and effective technique that provides some protection. Some control-system vendors are upgrading their software to meet requirements of the ISA Security Compliance Institute for embedded systems. That will provide more layers of protection.
Although we have much to learn about cyber-security protection, I believe that some protection is a whole lot better than none. I am reminded about an old story. Two hikers were out in the woods when they suddenly encountered a grizzly bear. The bear spots them and rises up on its hind legs and roars. The first hiker yelled, “I’m sure glad I wore my running shoes today.” The second hiker replied, “It doesn’t matter what kind of shoes you’re wearing; you are not going to outrun that bear.” “I don’t have to outrun the bear, I just have to outrun YOU,” the first hiker answers back.
I can imagine a hacker trolling the Internet looking for vulnerable control systems. Systems that are easier to hack are the most likely targets. So, I am thinking that the basic, cost-effective cyber-security measures are good prevention options, at least for now. The best policy is to “outrun” other control systems and, hopefully, avoid being cyber attacked.