Process Control Network

BACKGROUND

Process Control Network Security is Prevention of intentional or unintentional interference with the proper operation of industrial automation and control systems through the use of computers, networks, operating systems, applications and other programmable configurable components of the system. Sometimes it is also called by:

  • SCADA Security
  • Control System Security
  • Industrial Automation and Control System Security
  • Control System Cyber Security
  • Industrial Network Security
  • Electronic Security for Industrial Automation and Control Systems

Process Control Systems are more vulnerable today than they have ever been. There are several reasons for this including:

  • Heavy use of Commercial Off-the Shelf Technology (COTS) such as MS Windows, SQL, and Ethernet
    • Means that process control systems are now vulnerable to the same viruses, worms and trojans that affect the office world, where traditional IT security practices are used. Goals of Office System use are different from Control System so can’t just apply traditional IT Security practices without adapting them
  • Increasingly Connected to the Internet (via Business networks)
    • No longer is the defense “We are not connected to the internet” valid –  most process control systems are connected to their business systems, which are in turn connected to the internet. Means that (legacy) process control systems are now being subjected to stresses they were not designed for
  • Hackers are increasing their knowledge of control systems
    • “Security by Obscurity” is no longer a valid strategy – It used to be that folks could be protected because no-one outside of the controls community understood the proprietary communication infrastructure
  • Increasing demands for Remote Access and 24/7 access to data (less personnel to run operation)
    • Means more external connections to control system

ACTUAL INCIDENTS RELATED TO CONTROL SYSTEM SECURITY

According to data in the Repository for Industrial Security Incidents (RISI) database approximately 35% of industrial control system security incidents were initiated through remote access. Supporting this finding is RISI survey results that indicate nearly 65% of facilities allow remote access to their control systems. These findings and many more were published in the 2011 Annual Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems.

RISI is an industry-wide repository for collecting, analyzing, and sharing information regarding cyber security incidents that directly affect industrial control and supervisory control and data acquisition (SCADA) systems

    • Stuxnex
      • First malware specifically targeting industrial control systems
      • First discovered in June 2010 (in circulation since June 2009)
      • Has the ability reprogram Siemens S7 PLCs
      • Infects Siemens SIMATIC software running on Win PCs
      • Uses SIMATIC software to read S7 PLC memory and overwrite FB with its own code (hidden)
      • Spreads via USB memory sticks, local networks and Step 7 project files
      • Approximately 17 cases reported on SIMATIC systems
    • August 2012, Virus Attack in Gulf Oil

    • October 2006

STANDARD

The boards such as ISA, API, IEC and NIST have a lot of efforts to develop standard such as following:

  • International Society for Automation (ISA)
    ISA99, Industrial Automation and Control System (IACS) Security
  • American Petroleum Institute (API)
    API 1164, Pipeline SCADA Security
  • International Electrotechnical Commission (IEC)
    IEC 62443 series of standards (equivalent to ISA 99)
  • National Institute for Standards and Technology (NIST)
    SP800-82 Guide to Industrial Control Systems (ICS) Security

SECURITY OBJECTIVES

Information security has traditionally focused on achieving three objectives, confidentiality, integrity, and availability, which are often abbreviated by the acronym “CIA.” An information technology security strategy for typical “back office” or business systems may place the primary focus on confidentiality and the necessary access controls needed to achieve it. Integrity might fall to the second priority, with availability as the lowest.

In the industrial automation and control systems environment, the general priority of these objectives is often different. Security in these systems is primarily concerned with maintaining the availability of all system components. There are inherent risks associated with industrial machinery that is controlled, monitored, or otherwise affected by industrial automation and control systems. Therefore, integrity is often second in importance. Usually confidentiality is of lesser importance, because often the data is raw in form and must be analyzed within context to have any value.

SECURITY LIFECYCLE

Following figure depicts the security lifecycle to establish robust and secured Process Control Network

ANSI/ISA S99.02.01-2009 explains how to establishing an Industrial Automation Control System Security Program as following figure:

WHAT WE CAN DO TO HELP YOU?

We provide

  • Process Control Network Security Assessment and implement obvious fixes
  • Follow-up with an ICS security vulnerability analysis (risk assessment) for a complete identification of vulnerabilities and recommendations for corrective action
  • Implement an ICS security management program that is integrated with existing company management systems for security, safety, quality, etc
  • Consultancy services to meet the standards (such as ISA-99 and API-1164)
  • PCN Security Training

We have expertise from System Engineer and Process Control Network Security Engineer which are highly capable and synergize to provide complete solution in PCN Security