Apr-2017

Control system security

A major cyber attack on a refinery is a clear and present danger. What lessons can be drawn from other sectors?

SINCLAIR KOELEMIJ
Honeywell Process Solutions


Article Summary

Since the 2010 attack on Iranian uranium enrichment facilities, the cyber security of industrial control systems has attracted significant attention and investment as companies have sought to improve their protection against cyber threats. Refining companies and other industrial businesses have revisited their approach to cyber security, which was until then focused on protecting systems against malware and hackers. An attack on the physical installation had been inconceivable.

Even so, the 2010 attack required considerable resources and skills to succeed.1 Several factors contributed to its complexity:
• It required stealth. Focused on damaging the centrifuge equipment, it needed to be done quietly to prevent early detection. To hide what was happening from the process operators, the feedback from the control system also had to be manipulated.
• It was targeted, aimed at one particular installation. It seems unlikely it was intended to infect other systems, since when it eventually did, the spread led to the attack being discovered and stopped.
• It bridged an air-gapped, isolated system – the control system for the installation. A method had to be developed to infect mobile computer equipment that was ultimately connected to the control system network for engineering and maintenance purposes.
• It required knowledge of the physical system. The attacker needed to know the variations in speed that would cause excessive wear of the centrifuge bearings, the exact structure of the physical installation, and the exact code running in the control equipment and the feedback from the sensors.

All this meant the attack required a substantial effort. For many, it therefore seemed such an attack was unlikely to occur against targets where no significant political motivation existed, since only nation states would have the resources, focus and motivation to undertake it.

Damaging a physical plant installation or removing it from service does not always require such a complex attack, however. There is a variety of ways to create damage through thermal, mechanical or hydraulic stress in a plant, or to cause physical systems to wear more quickly than anticipated. The operating window of the equipment is in large part determined by the data in the industrial control system. A determined attacker who successfully accesses the control system will therefore not have much difficulty causing a plant shutdown.

With the recent attacks on the steel industry (Germany, 2014), the power industry (Ukraine, 2015), and water treatment (US, 2016), an expanding range of business leaders are becoming aware of the risks. And while the refining community has thus far been spared a major attack, its leaders are looking across industry for best practice security approaches. The net result of this heightened awareness is that chief information security officers and chief security officers are slowly expanding their focus beyond corporate IT systems to ask critical questions of the automation systems, too.

This article explores the differences between information security and control system security, and it uses learnings drawn from the manufacturing and processing industries to inform refining decision makers.

While information security methodologies aim to secure the integrity and availability of the information in the control system, they do not analyse the consequences for the underlying physical system. This limits the ability of information security to predict and prevent attacks on the physical system.

The main focus of control system security, by contrast, is on identifying and analysing the different types of failure scenarios and designing security to withstand attacks that could cause these. Control system security develops scenarios for such smart attacks and identifies counter-measures against them. The article provides some examples and discusses ways to protect the system.

Background
Industrial control systems typically have three tiers:
• The physical system (production system)
• The production management system, including the distributed control system (DCS), supervisory control and data acquisition (SCADA) system and safety instrumented system (SIS)
• The operations management system (optimisation, quality management, environmental management, planning, and maintenance).

Operations management systems focus on the efficiency, effectiveness and quality of the manufacturing process. Production management systems focus on the manufacturing process itself – the automation of the production process. Finally, the physical system (production system) is composed of the various process units in the plant (such as the distillation column, boilers, furnaces, tanks and pipelines), including the sensors and actuators.

Figure 1 shows the high level structure, including the levels assigned by the ISA 95 standard.2 The focus of this article is on levels 0, 1 and 2, but some applications at level 3 can also impact the physical system, so it is not always possible to distinguish a clear boundary between control system security and information system security. Depending on the application, there may be an overlap between the two.

The security of the systems at the business management layer differs considerably from that of the control system. A frequently mentioned example is the difficulty of updating the control system or installing security patches for it. Stopping production for this is difficult to justify, and changes in general are seen as a risk to business continuity.3 This is why so many legacy systems are still active despite no longer having security patches available for them, with the result that they contain well-known vulnerabilities that can be exploited by attackers.

Another difference is that an automation system such as a DCS requires a stricter operational environment than the average computer system.

Real-time availability means every automation task in the system is guaranteed sufficient time to complete. This differs from a time-sharing environment, where tasks are allocated a specific time slot to complete their workload, over-runs are not allowed, and a task may ultimately fail to complete. In a real-time environment, overloading the system results in resource starvation. The environment is therefore more vulnerable to denial of service attacks than business management systems, which can cope with a very broad range of delays.

Finally, risk is different in an industrial control system. Consider the attack model developed by André Teixeira, Henrik Sandberg, Daniel Pérez, and Karl H. Johansson.4 Unlike cyber security for business management systems, which is focused on protecting data, they noted that cyber attacks on control systems have the potential to change the physical production process in different ways depending on the specific attack scenario. The attack space for a control system can be described by their model (see Figure 2).
 
The attack space for cyber physical systems has three dimensions:
• System knowledge: attacking the cyber physical part of the system requires an understanding of the production process, the various parameters, measured values, and actuators that can be used in the attack.
• Disclosure resources: an attack can also require knowledge of the real-time state information of the system, process values, limits and control parameters.
• Disruption resources: an attack requires the capability to disturb the system, perhaps by modifying an output setting, a control parameter, or disabling a system action.
Complex attacks, like the attack on the Iranian nuclear facility, use all three dimensions, but a simpler attack, such as replaying Modbus traffic to ‘freeze’ a process value, needs only two. An attack like the HAVEX attack5 used only one dimension – a Trojan horse for eavesdropping.
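A detection check for the replay scenario just described, written here as an added example (it is not from the article and not Honeywell's code). It assumes readings already decoded from Modbus registers into records of time, measured value and controller output, and works on constructed sample data; the signature it looks for is physical rather than protocol-level: a reported measurement that stops changing while the controller acting on it keeps moving.

```python
# Added example (not from the article): flag a 'frozen' process value of the
# kind a Modbus replay would produce. A control loop whose feedback is stale
# winds up its output, so a flat pv together with a moving cv is the signature
# used here. All sample data below is constructed, not captured from a plant.

def frozen_pv_windows(samples, window=6, pv_tol=1e-9, cv_swing=1.0):
    """Return (start_t, end_t) for each window in which pv is flat while cv swings.

    samples: list of dicts with keys 't' (time), 'pv' (measured value, e.g. a
    level read from a holding register) and 'cv' (controller output to a valve).
    pv_tol: largest pv range still treated as 'flat' (real sensors are noisy,
    so an exactly repeated value is itself suspicious).
    cv_swing: minimum cv range required; a steady process in manual mode also
    has a flat pv, and this condition keeps such windows from being reported.
    """
    alerts = []
    for i in range(len(samples) - window + 1):
        w = samples[i:i + window]
        pvs = [s["pv"] for s in w]
        cvs = [s["cv"] for s in w]
        if max(pvs) - min(pvs) <= pv_tol and max(cvs) - min(cvs) >= cv_swing:
            alerts.append((w[0]["t"], w[-1]["t"]))
    return alerts

def first_frozen_alert(samples, **kw):
    """Time at which the first frozen window starts, or None if none is found."""
    hits = frozen_pv_windows(samples, **kw)
    return hits[0][0] if hits else None

# Constructed telemetry: ten honest, noisy level readings with the valve holding
# steady, then ten readings in which the reported level is stuck at 52.3 while
# the controller output ramps because it no longer sees any effect.
HONEST = [{"t": t, "pv": pv, "cv": cv} for t, (pv, cv) in enumerate([
    (52.1, 45.0), (52.4, 44.8), (52.0, 45.1), (52.3, 45.0), (52.2, 44.9),
    (52.5, 45.2), (52.1, 45.0), (52.3, 44.7), (52.2, 45.1), (52.4, 45.0)])]
REPLAYED = [{"t": 10 + k, "pv": 52.3, "cv": cv} for k, cv in enumerate(
    [45.2, 46.1, 47.5, 49.0, 50.8, 52.9, 55.3, 58.0, 61.0, 64.3])]
SAMPLES = HONEST + REPLAYED

if __name__ == "__main__":
    for start, end in frozen_pv_windows(SAMPLES):
        print(f"frozen pv with moving cv between t={start} and t={end}")
```

The cv_swing condition is what keeps a genuinely quiet loop from raising an alert; tune window and pv_tol to the sensor's normal noise and scan rate.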
