Opinion: IT Needs to Help Secure Industrial Control Systems
After the Stuxnet worm exploited a zero-day vulnerability in a popular industrial controller, it's clear that operators of large-scale infrastructure management systems need to work with the IT security community to better safeguard these critical systems.
Fri, August 13, 2010
Network World — After the Stuxnet worm exploited a zero-day vulnerability in a popular industrial controller, it's clear that operators of large-scale infrastructure management systems need to work with the IT security community to better safeguard these critical systems.
Industrial Control Systems (ICS) are used by utility companies and manufacturers to manage critical infrastructures worldwide, including electric power plants, oil/gas operations, pipelines, mining operations and transportation. Today's security problems are like never before— which is why those working in ICS need help from those working in the IT security industry.
ICSs include Supervisory Control and Data Acquisition (SCADA); Distributed Control Systems (DCS); Programmable Logic Controllers (PLC); Remote Terminal Units (RTU); Intelligent Electronic Devices (IED); field controllers; sensors; emission controls; building controls such as fire suppression, thermostats and elevator controls; and automated business and residential meters.
ICSs measure, control and provide the operator a view of the process. The operator view is often Windows-based and appears to be traditional business IT technology. However, the field devices that measure and control the process use proprietary operating systems and communication protocols and have their own unique characteristics. These field systems do not look like business IT systems and are technically and administratively different from IT systems. Even security policies are different: ISO-27001 applies to IT, but ICSs utilize ICS-specific policies such as those from the International Society for Automation (ISA). ICSs used to be isolated – out of sight, out of mind.
But that's all changing. ICSs are being upgraded with advanced communication capabilities and networked (including to the Internet) to improve process efficiency, productivity, regulatory compliance and safety.
These networks can be within a facility or even between facilities that are continents apart. When an ICS does not operate properly, the resulting problems can range in impact from minor to catastrophic, including deaths and physical destruction.
Until recently, ICS were not specifically targeted by hackers and were only impacted by the law of unintended consequences when these systems were connected to the Internet.
That changed last month with the Stuxnet worm. The worm was directed at a very popular process controller (Siemens Simatic Programmable Logic Controller) and exploited a zero-day vulnerability in the PLC's WINCC SQL database.
The exploit lay bare the disconnect between the IT and ICS communities. This particular PLC (as well as many other ICSs) burned the default passwords in software. The hackers exploited this design to get access to the database.
The nominal response would be to change the default password. However, because of the controller software, a change to the default password would shut down the PLC since the applications depend on that password.