Rome wasn’t built in a Day

I’m heading out to the SANS European SCADA and Process Control summit in Rome at the beginning of December and this has put me in a reflective mood. Rome is of course one of the most historic and best known cities in the world. The ‘Eternal City’ has survived the fall of a civilization, countless wars and other trials and tribulations.

What has this got to do with Industrial Control System (ICS) security? Well, there are a couple of things. Firstly, industrial control systems change a lot in their lifetimes. These are shorter than Rome’s but they commonly last 10-15 years (sometimes longer) and some components like RTUs and PLCs can last longer still. That’s a long time in business terms and also in the evolution of computer technology. Many systems in service today existed before the Internet was really a force to be reckoned with and certainly before web servers, wireless networks, mobile devices and virtualization were thought of in the same context as ICS. The security implications of these technologies just could not have been thought of when the systems were designed and installed. In fact many systems in service today were created in a simpler time when security wasn’t even thought of as an issue.

The other similarity with Rome is that Industrial Control Systems need to change by evolution more than revolution. If you thought of a better street plan for Rome you couldn’t just rip it up. Your typical ICS is the same. Some systems (e.g. for power plants) do have outages but many do not. Power transmission and distribution systems and many other systems don’t typically have outages, so enhancements to security have to be made to running systems. Even if there is an outage you might prefer to avoid trying to make changes at that time. Outages only happen for a good reason and usually everyone knows what the cost of a day’s lost production is. Better to work on a running plant when things are all going along smoothly.

Of course, Industrial Control Systems do actually get replaced at some point, so isn’t that the answer? Just build all the security you need into a state-of-the-art control system and your problems are over? Not quite. More and more control system vendors are incorporating security into their systems, but replacing systems is expensive. When the time comes to replace a system you should make sure it incorporates the features you need, but to my knowledge nobody has ever replaced a control system just to improve security. Even if you install a system with superb security features, you have to make sure those features are correctly configured when the system is delivered, when it is being commissioned and throughout the rest of its life. And even if the security is state of the art now, it won’t be in five to ten years’ time.

Worse, most ‘control systems’ are not single systems from a single vendor. A typical power station will have a main control system but will also have additional systems for handling raw materials, water treatment, turbine control etc. Often these will be different vintages from different vendors and they will not all necessarily be changed out at the same time. The connections between these systems need to be secured as does the all-important connection to the business network. This can be hard for a single vendor to do.

So what can you do? The key thing is to embrace ICS security as an on-going process just like most other things you do in business. You need to understand the challenges you face which you can do through internal audits or by getting an external assessment done. The resulting report will recommend a combination of training, technology, procedures and governance. The full list of recommendations may be daunting but a good assessment will prioritize the findings.

Going back six or seven years most ICS owners were in the same boat – they may or may not have had a firewall but if they did that was about it. Now there is a whole spectrum of maturity in this field but the coming years will see new threats and countermeasures. Internal and external security standards are becoming more significant and the need to demonstrate conformance will grow. Some technologies like application whitelisting will become more pervasive as well. As the complexity of security grows, managing it becomes a more critical part of the process – technology is useless if deployed incorrectly. The key thing is to understand the issues and make a start in a controlled, structured way – don’t expect this to be a one-off project.

In January I’ll take my direction from the Roman god Janus and look back at least as far as SANS, but looking forwards is always more interesting. Mobile devices, wireless and virtualization will surely be a part of the future but there will doubtless be other technologies and issues to discuss as well.
