Security for industrial IT systems

The control and automation industry, with its specific hardware and network protocols, has long been considered immune to the network attacks plaguing traditional IT. However, corporate demand for centralised data and remote control has created the need for increased connectivity, thus linking industrial control networks with off-the-shelf computers using standard operating systems and web applications.

The use of ethernet protocols and web technologies is opening the industrial networks to hacker attacks and virus infections. The same worms and viruses, vulnerabilities, Trojans and hacking tools that have infested the internet can now influence our manufacturing plants, distribution networks and critical infrastructure. As real-time computers used in industrial control have many different characteristics compared to traditional information processing systems used in business applications, a new approach will have to be taken.

There are two models of network architecture used in industrial IT depending on the geographic distribution of the operation and depending on the purpose of the network. Distributed Control Systems (DCS) are used to control large and complex plants, for example power plants, refineries, chemical plants, typically at a single site. SCADA is used to control more scattered assets where centralised data acquisition is as important as control. Distribution networks including water, gas and electricity typically use SCADA.

A DCS consists of a supervisory controller and one to several distributed controllers contained within the same processing plant. The supervisory controller runs on the control server and communicates to its subordinates by means of a peer-to-peer network. The supervisor sends set points to and seeks data from the controllers. The controllers control their process actuators based on requests from the supervisor and feedback from the process sensors. Many controllers use a local field bus to communicate with actuators and sensors, removing the need of point-to-point wiring between the controller and each device. There are several types of controllers used at the distributed control points of a DCS including machine controllers, programmable logic controllers (PLC), process controllers and single loop controllers depending on the application. Many of the controllers on a DCS can be directly accessed by a modem allowing remote diagnostics and servicing by vendors as well as plant engineers. Human Machine Interfaces (HMI) are present at different levels to allow direct intervention by plant operators.

A SCADA consists of a Central Monitoring System (CMS), located within the plant and one or more Remote Stations. The CMS, similar to the supervisory controller in a DCS, includes the Control Server and links to routers via a peer-to-peer network. The CMS collects and logs information gathered by the remote stations and reacts to events detected. A remote station consists of either a Remote Terminal Unit (RTU) or a PLC which controls actuators and sensors. Remote stations can be directly accessed by field operators using hand held devices to perform diagnostic and repair operations. The communication between remote stations and the CMS is performed using telephone line, cable, or radiofrequency.

SCADA systems are also used in some experimental facilities such as nuclear fusion. Earlier systems used to run on DOS, VMS and UNIX; in recent years most of the SCADA vendors have moved to Windows NT and some also to Linux.

Security threats

Many control engineers and plant managers believe that DCS, SCADA and PLC are safe because they require special knowledge that no hacker or terrorist would have. Unfortunately, this is plain delusion; while it is true that some SCADA systems are proprietary, all technical colleges and engineering schools are teaching PLC and DCS programming as part of their standard curriculum. Extensive technical details and free basic training modules are available on the internet for almost every equipment. Statistics show there is a growing hacker interest in control systems. Also, the move to open systems in process control has increased the vulnerability of those systems to worms and viruses.

The wake up call came from Australia: in 2001, using a laptop PC and a radio transmitter, a disgruntled ex-employee hacked into a sewage plant in Queensland, releasing raw sewage into local parks and waterways. The hacker was subsequently identified and prosecuted. This was the first well-published industrial cyber security attack; it took the control and automation world by surprise! Since then, more incidents have been reported and investigated. Studies on industrial cyber security reveal a tenfold increase in number of successful attacks on process control and SCADA systems since 2000.

In January 2003, the Slammer worm penetrated a computer network at Ohio's Davis-Besse nuclear power plant, disabling a safety monitoring system for several hours. Fortunately, the plant had been offline since February 2002, so the incident did not post a safety hazard. The worm penetrated the network though a contractor's T1 line, showing that internet viruses can affect networks that are not using the internet at all. The T1 line service provider was using a common server and network for various services, including the internet.

Despite official denial, some experts believe the big August 14 2003 power blackout in Eastern North America may have been worsened by a Blaster worm infection. Without directly affecting power generation and delivery systems, the virus would have jammed the alarm systems, thus delaying human intervention urgently needed to limit the chain-reaction that occurred. True or not, the scenario is plausible and should be considered as a learning experience.

The vulnerabilities

Why can't we apply the existing practices and technologies from IT security to the process and automation networks? The answers lay in several significant differences in technology, goals and cultures between the two worlds.

Firstly, there is a significant difference in design between the real time computer systems used in process control and the traditional information processing systems used in business applications. Process control systems are designed for efficiency, security and time-critical response while information processing systems are designed with the data integrity and performance in mind. Control systems tend to have limited computing resources available to perform security functions. There are still many old controllers running 8088, 286 and 386 processors out there. For such processors, data encryption could not be implemented without introducing serious timing issues.

Interfaces between machines and operators or supervisors (HMI), data historian systems and engineering workstations heavily rely on standard operating systems and applications (Windows NT, Linux, SQL Server, etc). These often are coded with a core based on business application, therefore vulnerable to common IT attacks and viruses. Because of the real-time characteristics of the control applications, end users are reluctant to apply new security patches and anti-virus updates. These updates were developed for traditional IT systems and no one can guarantee what will happen when applied to a control system. Some control system makers even advise their customers not to load particular patches.

Individual components of some control systems such as PLC and machine controllers have direct communication accesses by modem or handheld terminal. These entry points often bypass the firewall, therefore posing extra security vulnerabilities.

Finally, many IT security measures cannot be applied in a plant floor environment. For example, standard password lockout isn't acceptable for many HMI stations. Imagine what could happen if an operator panicked and misspelled his password three times during an emergency situation (a reactor meltdown for example) causing the HMI to lock him out.

The solutions

Vendors are becoming more aware of the need to strengthen the security of their products. Symantec and AREVA announced a partnership to provide a comprehensive security solution that includes products, services and best practices for SCADA systems in the electrical power industry. Similarly, ABB and IBM announced that they will jointly develop cooperative IT Security Consulting Services for Automation customers in all industries.

Some governments have also joined the party. In the US, the National Institute of Standards and Technology (NIST) created a working group of representatives from various industrial sectors and vendors of the Control and Process Industry. This group, called Process Control Security Requirements Forum (PCSRF) is developing security specifications and standards for control systems.

Awareness of Industrial IT systems vulnerabilities still has to increase and new tools should be developed. The IT world existing security technologies and practices should not be thrown out but modified and adapted to the industrial IT world. A better understanding between corporate IT and Industrial IT would certainly be a step in the right direction.

* Gerald has held a number of positions around the world, teaching and coaching field service engineers from various industries ranging from industrial electronics to telecommunications. Since moving to Australia in 1990, Gerald has specialised in writing technical documentation and training manuals.