Security teams need to recognize how their processes can impact engineering, Cosman (right) says. Too many times cyber decisions will institute information-related protections, when what's needed is to protect the availability and integrity of a critical machine system.
As with all business-critical systems, Cosman advises that operators assess their assets and apply traditional risk metrics to their cyber operations: Threat times vulnerability times consequences equals risk. That should show organizations where to prioritize their risk management efforts.
Thanks to Stuxnet, people understand that control systems run on computers and are susceptible to threats, he says. Now they need to fully understand the consequences of system failure or malicious manipulation.
“I once explained to an industry peer that there are some chemical processes that operate at pressures of tens of thousands of pounds per square inch, so the consequences of a serious plant upset can be quite dramatic.” Cosman says. “The peer said, ‘Well, if our control systems have problems, we'll just be up to our knees in ketchup.' ”
This is not far-fetched, given that Stuxnet was able to change control processes and hide its system interferences from Iranian controller operators.
“These systems are expensive to replace and insecure by design,” says Dale Peterson, president of Digital Bond, a Sunrise, Fla.-based consulting firm that performs security assessments and supports SCADA operators. “GE, Rockwell, Snyder, Siemens…If attackers can get onto these devices, they can own them, stop pipelines from working, ruin a food batch or make things blow up.”
Think of monitoring from the SCADA operator networks all the way out to the smart meters, adds Walt Sikora, VP of security solutions at Industrial Defender, a Foxborough · Mass.-based provider of automation system management.. “It's a huge challenge for these organizations, especially since many of these devices don't even have logging capability.”
SCADA: On the lookout
The production and distribution of electricity, or the smart grid, is in jeopardy. In September, Telvent Canada, which provides infrastructure management systems for utilities, reported that its firewalls had been breached and its smart grid meshing technologies had been stolen. From there, it's only a matter of time before customers using this technology become a target.
Since speedy replacement with newer SCADA systems containing logging and authentication is not practical, one has to keep its control networks segmented, monitor what one can, and deploy controls all the way to substations and the endpoints plugging into the control networks, says James Collinge, product line manager for HP Enterprise Security.
“When it comes to SCADA and other control systems, the key priorities are reliability and uptime,” he says. “So SCADA operators need to look at their own systems, set their security policies and implement controls that are specific to their networks.”