
Industrial Control Systems: A Primer for the Rest of Us

Abstract

In the current turbulent landscape of cybersecurity for industrial control systems (ICS), system owners struggle to protect systems that were never intended to be interconnected. This white paper presents a balanced, informed primer for cybersecurity practitioners, C-level executives and vendors. It scopes the threat environment, presents similarities and discusses special considerations for ICS to provide an overview of the concepts and issues related to these systems.

www.isaca.org/cyber Industrial Control Systems: A Primer for the Rest of Us

INTRODUCTION

The current landscape for cybersecurity of industrial control systems (ICS) is best described as turbulent, as system owners struggle to protect systems that were never intended to be interconnected. The systems have long existed in many industrial and manufacturing settings, but were traditionally isolated. Technological advances and convergence with traditional information and communications technology (ICT) necessitate unparalleled security for the critical services they provide. Headline stories such as those about Stuxnet, Duqu and Flame revealed certain fallibilities surrounding ICS and serve as constant reminders for vigilance about vulnerabilities and attack vectors. ICS security incidents have become more frequent and attack vectors have expanded in the brief period since Stuxnet’s 2010 discovery by antivirus vendor VirusBlokAda.1

Stuxnet caught many off-guard and created a tremendous demand for engineering expertise.2 Thirty minutes of searching in one’s favorite browser makes it clear that disagreement between ICS and IT cybersecurity camps is as plentiful as malware traversing the Internet. Despite high-profile incidents, governmental involvement and an increase in information sharing, barriers still exist today. These barriers hinder significant advances in ICS cybersecurity, especially in converged environments.

This white paper was researched and written to present a balanced, informed primer for cybersecurity practitioners, C-level executives and vendors alike. It scopes the threat environment, presents similarities and, where appropriate, discusses special considerations for ICS. Significant effort was made to limit use of the word “differences” when discussing cybersecurity considerations for an ICS vs. a traditional IT infrastructure. This decision not to focus on the dissimilar levels of maturity between the two arises from the recognition that it was not that long ago that modern-day IT networks were new themselves; the first dot-com top-level domain was registered on 15 March 1985, a mere three decades ago.3

Cybersecurity professionals across the globe, regardless of industry, are in the daunting position of consistently having to play defense. Research reveals massive quantities of educational material and discussion in the form of blogs, books, standards and publications—not unlike the mountain of knowledge surrounding IT. Many dedicated individuals selflessly contribute to tasks aimed at advancing the security posture of critical infrastructure. Is it enough? No. Even modern IT networks that employ the most sophisticated of controls are compromised. Is all the media attention afforded to breaches and vulnerabilities just hype? Doubtful, yet media coverage can excite emotions already known to influence consumer behavior.4

Budgets are continually manipulated to accomplish more with less. It was not too long ago that businesses struggled to spend money just to introduce technology, yet in 2015 global cybersecurity spending is forecast to exceed US $79 billion.5 Technology has undoubtedly positively affected business earnings. Similarly, many are getting rich in what could be described as an arms race to fight a losing battle.

1 Kaspersky, Eugene; “The Man Who Found Stuxnet—Sergey Ulasen in the Spotlight,” Nota Bene, 2 November 2011, http://eugene.kaspersky.com/2011/11/02/the-man-who-found-stuxnet-sergey-ulasen-in-the-spotlight/
2 Roberts, Paul; “Security Firms Scramble for SCADA Talent after Stuxnet,” Threatpost, 8 October 2010, http://threatpost.com/security-firms-scramble-scada-talent-after-stuxnet-100710/74562
3 Abell, John C.; “March 15, 1985: Dot-com Revolution Starts With a Whimper,” Wired, 15 March 2010, www.wired.com/2010/03/0315-symbolics-first-dotcom/
4 Murray, Peter Noel; “How Emotions Influence What We Buy,” Psychology Today, 26 February 2013, www.psychologytoday.com/blog/inside-the-consumer-mind/201302/how-emotions-influence-what-we-buy
5 Kovacs, Eduard; “Global Cybersecurity Spending to Reach $76.9 Billion in 2015: Gartner,” SecurityWeek, 25 August 2014, www.securityweek.com/global-cybersecurity-spending-reach-769-billion-2015-gartner

© 2015 ISACA. All Rights Reserved. 2 Industrial Control Systems: A Primer for the Rest of Us

Defining Industrial Control Systems

The term “industrial control system,” hereafter noted as ICS (the same acronym is traditionally used for the singular “system” and the plural “systems”), is understood to be those systems that reside in industrial and manufacturing environments, i.e., electricity, water and energy production. However, ICS encompass far more. It was not until the early 21st century that attempts were made to standardize language and terms such as process control systems (PCS), distributed control systems (DCS), and supervisory control and data acquisition (SCADA) systems. Before that, the terms were used interchangeably.6 Occasionally, one may find references to industrial or industrial automation and control systems (IACS), especially in older articles.

In 2008, the US National Institute of Standards and Technology (NIST) released Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security, which defined ICS as “a general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as skid-mounted Programmable Logic Controllers (PLC) often found in the industrial sectors and critical infrastructures.”7

The European Union Agency for Network and Information Security (ENISA) describes ICS as those systems “used to control industrial processes such as manufacturing, product handling, production, and distribution.”8

Comprehending the breadth of systems inferred by ICS requires looking past both definitions, especially by those who live or work outside the US or are unfamiliar with the subject matter. Within the US, the term “industrial sector” encompasses manufacturing, agriculture, mining and construction.9 Dr. Michael Chipley’s definition may be more descriptive of the array of systems that can fall under the ICS title: “… physical equipment oriented technologies and systems that deal with the actual running of plants and equipment, include devices that ensure physical system integrity and meet technical constraints, and are event-driven and frequently real-time software applications or devices with embedded software.”10 This elaboration supports the proper characterization of ICS to include building automation systems (BAS) that may otherwise be overlooked by those unfamiliar with types of DCS. BAS “monitor and control the environment in commercial, industrial, and institutional facilities.”11

Definitions can unnecessarily constrain thinking, reinforcing the importance of embracing the categorization of ICS as an operational technology (OT), which Gartner defines as “hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.”12 Information technology (IT), on the other hand, is defined as “the hardware, software, communication and other facilities used to input, store, process, transmit and output data in whatever form.”13 This high-level distinction may be core to the varying thoughts with regard to securing the two.

6 Macaulay, Tyson; Bryan L. Singer; Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS, CRC Press, USA, 2012
7 Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, USA, 2011
8 Pauna, Adrian; Konstantinos Moulinos; Matina Lakka; Dr. John May; Dr. Theo Tryfonas; Can we learn from SCADA security incidents?, ENISA, 9 October 2013, http://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/-industrial-control-systems/can-we-learn-from-scada-security-incidents
9 TeachMeFinance.com, www.teachmefinance.com/Scientific_Terms/Industrial_sector.html
10 Chipley, Michael; “Cybersecurity,” Whole Building Design Guide, 23 October 2014, www.wbdg.org/resources/cybersecurity.php
11 “Understanding Building Automation and Control Systems,” KMC Controls, www.kmccontrols.com/products/Understanding_Building_Automation_and_Control_Systems.aspx
12 IT Glossary, Gartner, www.gartner.com/it-glossary/operational-technology-ot
13 Glossary, ISACA, www.isaca.org/glossary


Demystifying the ICS

Architecture

An ICS contains multiple components that span two broad categories: control and network. Components may appear in multiple systems or may be unique to just one type. The major components in both categories are listed and defined in figure 1. These definitions are from NIST Special Publication 800-82, a source document that is broadly accepted within the industry.

FIGURE 1 ICS Components14

Term: Definition

Control Components

Control server: The control server hosts the DCS or PLC supervisory control software that communicates with lower-level control devices. It accesses subordinate control modules over an ICS network.

SCADA server or master terminal unit (MTU): This is a device that acts as the master in a SCADA system. Remote terminal units and PLC devices (described below) located at remote field sites usually act as slaves.

Remote terminal unit (RTU): Also called a remote telemetry unit, an RTU is a special-purpose data acquisition and control unit designed to support SCADA remote stations. It is a field device often equipped with wireless radio interfaces to support remote situations where wire-based communications are unavailable.

Programmable logic controller (PLC): PLCs are small industrial computers originally designed to perform the logic functions executed by electrical hardware (relays, switches and mechanical timer/counters). They have evolved into controllers with the capability of controlling complex processes and they are used substantially in SCADA and DCS systems. Other controllers used at the field level are process controllers and RTUs; they provide the same control as PLCs, but are designed for specific control applications. In SCADA environments, PLCs are often used as field devices because they are more economical, versatile, flexible and configurable than special-purpose RTUs. Sometimes PLCs are implemented as field devices to serve as RTUs; in this case, the PLC is often referred to as an RTU.

14 Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, USA, 2011


Intelligent electronic device (IED): An IED is a “smart” sensor/actuator containing the intelligence required to acquire data, communicate to other devices, and perform local processing and control. It could combine an analog input sensor, analog output, low-level control capabilities, a communication system, and program memory in one device. The use of IEDs in SCADA systems and DCS allows for automatic control at the local level.

Human-machine interface (HMI): An HMI is software and hardware that allow human operators to monitor the state of a process under control, modify control settings to change the control objective, and manually override automatic control operations in the event of an emergency. It also allows a control engineer or operator to configure set points or control algorithms and parameters in the controller. The HMI displays process status information, historical information, reports and other information to operators, administrators, managers, business partners and other authorized users. The location, platform and interface may vary a great deal. For example, an HMI could be a dedicated platform in the control center, a laptop on a wireless local area network (LAN) or a browser on any system connected to the Internet.

Data historian: The data historian is a centralized database for logging all process information within an ICS. Information stored in this database can be accessed to support various analyses, from statistical to enterprise level planning.

Input/output (IO) server: The IO server is a control component responsible for collecting, buffering and providing access to process information from control subcomponents such as PLCs, RTUs and IEDs. An IO server can reside on the control server or on a separate platform. IO servers are also used for interfacing third-party control components, such as an HMI and a control server.

Network Components

Fieldbus network: The fieldbus network links sensors and other devices to a PLC or other controller. Use of fieldbus technologies eliminates the need for point-to-point wiring between the controller and each device. The devices communicate with the fieldbus controller using a variety of protocols. The messages sent between the sensors and the controller uniquely identify each of the sensors.

Control network: The control network connects the supervisory control level to lower-level control modules.

Communications router: A router is a communications device that transfers messages between two networks. Common uses for routers include connecting a LAN to a wide area network (WAN), and connecting MTUs and RTUs to a long-distance network medium for SCADA communication.

The following three network components are not included in figure 1, as their definitions are undoubtedly well known to readers of this publication. However, their use in ICS may not be quite so familiar, so examples follow:

• Firewalls are useful in managing ICS network segregation strategies.

• Modems are often used in SCADA systems to enable long-distance serial communications between MTUs and remote field devices. They are also used in SCADA systems, DCS and PLCs for gaining remote access for operational and maintenance functions such as entering commands or modifying parameters, and for diagnostic purposes.


• An example of the role of a remote access point is using a personal digital assistant (PDA) to access data over a LAN through a wireless access point, and using a laptop and modem connection to remotely access an ICS system.

Simply stated, ICS perform monitoring and control functions, depending on the specific implementation. Typical ICS implementations exist in the form of DCS or SCADA systems, but hybrids, containing elements of both, are found. A typical system contains multiple control loops, HMIs, and remote diagnostics and maintenance tools that have been built using network protocols on layered network architectures. The control loops can be “interdependent,” in that variables determined in one loop can set off another, different loop. Supervisory-level loops and lower-level loops, whose cycle times can range from fractions of a second to minutes, operate continuously over the duration of a process. The basic operation of an ICS is illustrated in figure 2.
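The firewall, modem and remote access point bullets above describe paths between the business network, the control network and field devices. As an added example that is not part of the ISACA paper, the following Python script checks a list of observed flows against a segregation policy of that kind and reports the ones a segregation firewall should have blocked. The zones, addresses, ports, the choice of Modbus/TCP (port 502) as the field protocol and the rule table are all constructed assumptions.

```python
"""Network segregation audit for an ICS: business, control and field zones.
Added example, not from the ISACA paper or NIST SP 800-82; every zone,
address, port and rule below is an assumption made for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed zones. The control zone holds control servers, HMIs, the historian
# and the IO server; the field zone holds PLCs and RTUs.
ZONES = {
    "business": ipaddress.ip_network("10.1.0.0/16"),
    "control": ipaddress.ip_network("10.2.0.0/24"),
    "field": ipaddress.ip_network("10.3.0.0/24"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the known zones
    (a dial-in modem, a guest laptop) is treated as 'external'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


# Assumed rule table: (src zone, dst zone, proto, dport, verdict, reason).
# Evaluated top down, first match wins; None matches any value; a flow that
# matches no rule is denied (default deny).
RULES: List[Tuple[str, Optional[str], Optional[str], Optional[int], str, str]] = [
    ("business", "control", "tcp", 443, "allow", "read-only historian reports"),
    ("control", "field", "tcp", 502, "allow", "control servers poll PLCs (Modbus/TCP assumed)"),
    ("business", "field", None, None, "deny", "business hosts never talk to field devices"),
    ("external", None, None, None, "deny", "remote access must land on a managed gateway"),
]


def verdict(flow: Flow) -> Tuple[str, str]:
    """Return (action, reason) for one flow under RULES with default deny."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for rs, rd, rp, rport, action, reason in RULES:
        if rs != src_zone or rd not in (None, dst_zone):
            continue
        if rp is not None and rp != flow.proto:
            continue
        if rport is not None and rport != flow.dport:
            continue
        return action, reason
    return "deny", f"no rule for {src_zone} -> {dst_zone} {flow.proto}/{flow.dport}"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return the flows the segregation firewall should block, with reasons."""
    findings = []
    for f in flows:
        action, reason = verdict(f)
        if action == "deny":
            findings.append((f, reason))
    return findings


# Constructed sample flows, as a firewall log or passive tap might report them.
SAMPLE_FLOWS = [
    Flow("10.1.5.20", "10.2.0.10", "tcp", 443),     # office PC reading historian reports
    Flow("10.2.0.5", "10.3.0.40", "tcp", 502),      # control server polling a PLC
    Flow("10.1.5.20", "10.3.0.40", "tcp", 502),     # office PC talking Modbus to a PLC
    Flow("10.1.5.20", "10.2.0.10", "tcp", 3389),    # office PC remote desktop to the historian
    Flow("198.51.100.7", "10.3.0.41", "tcp", 502),  # dial-in laptop reaching an RTU directly
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Run against the constructed sample, the audit flags three of the five flows: the office PC reaching a PLC, the office PC opening remote desktop to the historian (no rule, so default deny), and the dial-in laptop reaching an RTU without passing through a managed gateway. The same shape works for real exports once the zones and rule table are replaced with the site's own.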

FIGURE 2 Basic Operation of ICS

[Figure 2 diagram: a controller receives set points, control algorithms, parameter constraints and process data; it sends manipulated variables to the process and receives controlled variables back; the process has inputs and outputs and is subject to disturbances.]

Source: Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, USA, 2013, figure 2.1. Reprinted courtesy of the National Institute of Standards and Technology, US Department of Commerce. Not copyrightable in the United States.


The key components of the operation of an ICS are defined in figure 3, again with thanks to NIST Special Publication 800-82.

FIGURE 3 Key Components of Operation of ICS15

Term: Definition

Control loop: The control loop consists of sensors for measurement, controller hardware such as PLCs, actuators such as control valves, breakers, switches and motors, and the communication of variables. Controlled variables are transmitted to the controller from the sensors. The controller interprets the signals and generates corresponding manipulated variables, based on set points, which it transmits to the actuators. Process changes from disturbances result in new sensor signals, identifying the state of the process, to again be transmitted to the controller.

Human-machine interface (HMI): Operators and engineers use HMIs to monitor and configure set points, control algorithms, and adjust and establish parameters in the controller. The HMI also displays process status information and historical information.

Remote diagnostics and maintenance utilities: Diagnostics and maintenance utilities are used to prevent, identify and recover from abnormal operation or failures.
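To make the loop in figures 2 and 3 concrete, here is an added Python simulation that is not part of the ISACA paper or of NIST SP 800-82. It wires a sensor reading into a controller, clamps the manipulated variable to parameter constraints, drives a process, and injects a disturbance part way through; it also shows the HMI-facing step of changing a set point being validated against a safe range before the controller accepts it. The tank process, the gains, the safe set point range and the actuator limits are all assumed values chosen for the example.

```python
"""Closed-loop simulation of the ICS control loop (sensor, controller,
actuator, process, disturbance) from figures 2 and 3.
Added example: the tank process, PI gains, set point range and actuator
limits are assumptions, not taken from the ISACA paper or NIST SP 800-82."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Controller:
    """Stand-in for a PLC control algorithm: a PI controller whose output
    (the manipulated variable) is clamped to parameter constraints."""
    set_point: float
    sp_min: float = 0.0       # assumed safe range an HMI may configure
    sp_max: float = 8.0
    kp: float = 0.8           # assumed proportional gain
    ki: float = 0.2           # assumed integral gain
    mv_min: float = 0.0       # assumed actuator limits (valve closed / fully open)
    mv_max: float = 10.0
    integral: float = field(default=0.0, init=False)

    def update_set_point(self, new_sp: float) -> None:
        """HMI/operator request: accept only set points inside the safe range,
        so a bad or tampered request cannot push the process out of bounds."""
        if not (self.sp_min <= new_sp <= self.sp_max):
            raise ValueError(f"set point {new_sp} outside [{self.sp_min}, {self.sp_max}]")
        self.set_point = new_sp

    def step(self, controlled_variable: float, dt: float) -> float:
        """Take the sensor value and return the manipulated variable."""
        error = self.set_point - controlled_variable
        self.integral += error * dt
        mv = self.kp * error + self.ki * self.integral
        if mv > self.mv_max or mv < self.mv_min:
            self.integral -= error * dt   # anti-windup: do not integrate while saturated
            mv = min(max(mv, self.mv_min), self.mv_max)
        return mv


@dataclass
class TankProcess:
    """Constructed process: a tank whose level rises with valve inflow (the
    manipulated variable) and falls with a fixed outflow plus any disturbance."""
    level: float = 0.0
    outflow: float = 3.0

    def step(self, inflow: float, disturbance: float, dt: float) -> float:
        self.level = max(0.0, self.level + (inflow - self.outflow - disturbance) * dt)
        return self.level


def run_loop(set_point: float, steps: int, dt: float = 0.1,
             disturbance_from: Optional[int] = None,
             disturbance: float = 0.0) -> List[Tuple[float, float]]:
    """Run the loop for `steps` cycles. Returns one (controlled variable,
    manipulated variable) pair per cycle, sampled at the start of the cycle."""
    ctrl = Controller(set_point=0.0)
    ctrl.update_set_point(set_point)        # the HMI configures the set point
    proc = TankProcess()
    history: List[Tuple[float, float]] = []
    for i in range(steps):
        cv = proc.level                                # sensor reading
        mv = ctrl.step(cv, dt)                         # controller output
        d = disturbance if disturbance_from is not None and i >= disturbance_from else 0.0
        proc.step(mv, d, dt)                           # actuator acts on the process
        history.append((cv, mv))
    return history


if __name__ == "__main__":
    hist = run_loop(5.0, 600, disturbance_from=300, disturbance=1.0)
    for i in (0, 100, 299, 310, 599):
        print(f"cycle {i:3d}: level={hist[i][0]:.3f} valve={hist[i][1]:.3f}")
```

With these values the level settles at the set point of 5.0 well before cycle 300, dips when the extra outflow starts, and the integral term brings it back to 5.0 by the end of the run while the valve command never leaves its 0 to 10 range. Calling update_set_point with a value outside the safe range raises rather than changing the controller, which is the kind of local constraint the "parameter constraints" input in figure 2 represents.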

No discussion of ICS would be complete without at least a basic understanding of the following ICS types and configurations. NIST Special Publication 800-82 is the source of these brief descriptions.

15 Stouffer, Keith; Joe Falco; Karen Scarfone;Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, USA, 2013


Distributed Control Systems (DCS)

DCS control industrial processes within the same geographic location and are integrated as a control architecture containing a supervisory level of control overseeing multiple, integrated subsystems that are responsible for controlling the details of a localized process. DCS are used extensively in process-based industries. They distribute control components, unlike SCADA systems, which are centralized. In many modern systems, the DCS are interfaced with the corporate network to give business operations a view of production. An example DCS implementation is shown in figure 4.

FIGURE 4 Example of DCS Implementation

Source: Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, USA, 2013, figure 2.7. Reprinted courtesy of the National Institute of Standards and Technology, US Department of Commerce. Not copyrightable in the United States.


Supervisory Control and Data Acquisition (SCADA) Systems

SCADA systems consist of both hardware and software and are highly distributed systems used to control geographically dispersed assets where centralized data acquisition and control are critical to system operation. They integrate data acquisition systems with data transmission systems and HMI software to provide a centralized monitoring and control system for numerous process inputs and outputs. SCADA systems are designed to collect field information and transfer it to a central computer facility so that an operator can centrally monitor or control an entire system in real time. Control of any individual system, operation or task can be automatic or can be accomplished through operator commands, dependent on system sophistication and setup. They are usually designed to be fault-tolerant systems with significant redundancy built into the system architecture. A SCADA system general layout is depicted in figure 5.

FIGURE 5 SCADA System General Layout

Source: Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, USA, 2013, figure 2.2. Reprinted courtesy of the National Institute of Standards and Technology, US Department of Commerce. Not copyrightable in the United States.


Programmable Logic Controllers (PLC)

PLCs are computer-based solid-state devices that control industrial equipment and processes. While PLCs are used throughout SCADA and DCS systems, they are often the primary components in smaller control system configurations used to provide operational control of discrete processes such as automobile assembly lines and power plant soot blower controls. PLCs are used extensively in almost all industrial processes. Figure 6 illustrates an example of a PLC control system implementation.

FIGURE 6 Example PLC Control System Implementation

Source: Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, USA, 2013, figure 2.8. Reprinted courtesy of the National Institute of Standards and Technology, US Department of Commerce. Not copyrightable in the United States.


Are ICS really that dissimilar from IT?

The short answer is yes and no. It is true that performance requirements, protocols, network architecture and priorities of the cybersecurity triad (confidentiality, integrity, availability) do not align, but there are other aspects that reveal more similarities than may be obvious at first glance. The linchpin may be a major cultural difference. Those who work with ICS are operational people; they understand the purpose and processes of the systems and know the systems down to the device level. They have to, because lives are often at stake. On the other hand, many IT professionals have a focus that is system- or task-specific. This compartmentalization is reinforced by many operating system (OS) and software certifications.

The following section takes a deeper look at, and sometimes challenges, some of the differences that have been defined between the two technologies.16 The intention is not to discount any efforts to distinguish between the two disciplines, but rather to provide additional context where possible to explore similarities or explain distinctions.

• Access to components—Regardless of technology, components may or may not be difficult to access. Due to the unique roles that ICS often serve, authorized technicians are often needed to diagnose, repair and/or replace components. This is prevalent in SCADA systems and BAS. The same can be said for backhaul and even backbone trunks laid underground.

• Availability—Little can be disputed about the importance of ICS availability. ICS are designed to monitor and respond to abnormal conditions and unavailability may jeopardize life, safety, and often expensive equipment and/or processing plants. (No reports of death from a system reboot were found in the research for this publication.) Alternatively, IT outages affect productivity and customer satisfaction. The notion that only ICS outages must be planned well in advance and changes thoroughly tested is false. Generally speaking, people have grown to accept lower IT system up time, also known as availability, likely in part because instabilities in non-*nix environments have led most to freely adopt the three-step troubleshooting technique: Refresh, reboot, reload.

• Change management—It is ironic that NIST’s comparison of the two systems17 made no mention of thoroughly testing changes prior to deployment on an IT system. Outages to Facebook,18 Bing,19 eBay20 and Google21 reinforce the need for change management.

• Communication—Although protocols do vary, they are simply a means for devices to communicate. One way of thinking about this is to compare protocols to spoken languages. For example, Ethernet is like English: Regardless where one is in the world, many can speak it. On the other hand, ICS protocols are proprietary and thus foreign to those outside of the industry.

16 Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, USA, 2011, table 3.1
17 Ibid.
18 Kincaid, Jason; “Facebook Gives A Post-Mortem On Worse Downtime In Four Years,” Techcrunch, 23 September 2010, www.techcrunch.com/2010/09/23/facebook-downtime/
19 Albenesius, Chloe; “Configuration Change Takes Down Microsoft’s Bing on Friday,” PCMag.com, 7 December 2009, www.appscout.pcmag.com/security-spyware/271010-configuration-change-takes-down-microsoft-s-bing-on-friday
20 Balza, Melissa; “eBay blames outage on server maintenance,” Prestige Essence, 4 September 2014, www.wslifestyle.com/site/news/ebay-blames-outage-on-server-maintenance/
21 O’Reilly, Lara; “Google suffered a rare but major outage on Thursday,” Yahoo! Finance, 12 March 2015, www.finance.yahoo.com/news/google-appears-down-now-090900626.html;_ylt=A0LEV7kcPwJVIh0AVCQnnIlQ


When asked how long it takes to be proficient with SCADA protocols, most ICS practitioners will respond, “Years.” Yet many who are new to IT can become Network+ or Cisco Certified Networking Associate (CCNA)-certified in a month. As ICS and IT systems continue to converge, one of three things is likely to occur: (1) More Ethernet will be introduced to ICS networks, (2) the industry will embrace and teach this art to larger audiences or (3) a new protocol that achieves what current proprietary protocols do, yet can communicate with Ethernet, will be developed.

• Physical security—Banks do not leave vaults open. Why? Because they are entrusted with safeguarding their customers’ money. The same should hold true for IT and ICS systems. Cybersecurity is the protection of digital assets, including hardware and software media.22 The best security for any computer component is to leave it in the box, not connected to a network. IT systems safeguard intellectual property and a great deal of personally identifiable information (PII), whereas ICS monitor and control some of the world’s most lucrative manufacturing processes and production plants. Unlike many IT environments, ICS are typically monitored every hour of every day of the year. Access to key architecture must be adequately protected, not only from outsiders, but also from insiders. Good policies, robust technical controls, deeper background checks for privileged users and audits are all necessary components for safeguarding both IT and ICS.

Threat Environment

Cybersecurity professionals across the globe have a daunting role in that they are constantly playing defense. Challenges are abundant regardless of industry sector. Unlike traditional IT defense, ICS defense requires its security practitioners to face the overwhelming task of defending a critical infrastructure that is full of antiquated technology. According to the SCADA Asia Summit, these systems are typically 10 to 15 years behind the “security curve” of IT used in homes and offices around the world.23

Threat agents and attack vectors do not differ between ICS and IT systems. ENISA and the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) have identified and characterized threat agents, as illustrated in figures 7 and 8.

22 ISACA, Cybersecurity Fundamentals Study Guide, USA, 2015
23 Pain, Richard; “The 5 Most Critical SCADA Security Failures,” 7th Annual SCADA Asia Summit, 27-30 January 2015, www.scadasummit.com/redForms.aspx?eventid=1000535&id=389080&FormID=%2011&frmType=1&m=34731&FrmBypass=False&mLoc=F&SponsorOpt=False&utm_campaign=ISG_SIA&utm_medium=ISG_SIA&utm_source=ISG_SIA&utm_content=ISG_SIA&utm_term=ISG_SIA&MAC=ISG_SIA


FIGURE 7 Cybersecurity Threat Agents

Source: ENISA, “ENISA Threat Landscape 2014, Overview of current and emerging cyber-threats,” 2014, www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape/enisa-threat-landscape-2014

FIGURE 8 Incident Threat Actors

Source: Timpany, Bob; “ISC-CERT Update,” Industrial Control Systems Cyber Emergency Response Team (ISC-CERT), February 2015


An actor’s motivations ultimately influence the designation of target. Up until now, ICS attacks have typically been attributed to nation-states. It is important to note that convergence of ICS with corporate IT systems has significantly increased exposure. These interconnections—known and unknown—reveal that ICS are no longer susceptible only to direct attacks, but also are at tremendous risk for collateral effects due to the tremendous opportunities that IT systems afford. However, long before ICS were connected to corporate networks they were still at risk. In 1982, a Trojan was inserted into a SCADA system responsible for the Siberian Pipeline, resulting in its explosion. Two years later, a hacker gained unauthorized root level access to the Salt River Project via a modem, resulting in significant information disclosure. In 1992, a malicious insider sabotaged the Chevron Emergency Alert System, which was not noticed until an emergency occurred, jeopardizing the lives of thousands of people.24

For decades, many believed the air gap to be a viable security measure. Air gap traditionally refers to physically isolating sensitive/secure systems from nonsecure ones, but for this discussion it will be used to mean isolating the control networks from the business network and, more specifically, the Internet. Vendor documentation is a great source of highlighting air gaps. According to Tofino Security, the use of air gaps was attractive for two reasons: Digital information cannot cross a physical gap and bad things never get into control systems.25 Multiple events have proven this to be untrue:

1. Many air-gapped systems are actually connected directly to the Internet. Project SHINE was a 22-month study to see whether researchers could locate any Internet-connected critical control systems. The results were astonishing. Sampling 2.2 million devices, researchers identified 586,997 industrial systems, 13,475 HVAC and BAS, and 204,416 serial-to-Ethernet devices from a staggering 182 manufacturers.26

2. Many air-gapped systems rely on the use of USB thumb drives. Stuxnet and the data exfiltration of US Department of Defense systems are powerful reminders of the damage these devices can do.

3. Even if removable devices are not infected, people can extract and disseminate information that was never intended to be shared. WikiLeaks27 and Snowden28 are modern-day examples. Additionally, telecommunications signals are susceptible to eavesdropping.

4. There are proof-of-concept attacks that demonstrate successful acoustical infections.29 Van Eck phreaking is one form of this; it relies on specialized equipment to monitor electromagnetic emanations.30

24 Miller, Bill; Dale C. Rowe; “A Survey of SCADA and Critical Infrastructure Incidents,” RIIT ‘12, Proceedings of the First Annual Conference on Research in Information Technology, Association for Computing Machinery, 2012, http://dl.acm.org/citation.cfm?id=2380805
25 Byres, Eric; “Unicorns and Air Gaps—Do They Really Exist? Living with Reality in Critical Control Systems,” Automation World, 6 June 2013, www.automationworld.com/security/unicorns-air-gaps-do-they-really-exist
26 Rashid, Fahmida Y.; “Project SHINE Reveals Magnitude of Internet-connected Critical Control Systems,” SecurityWeek, 6 October 2014, www.securityweek.com/project-shine-reveals-magnitude-internet-connected-critical-control-systems
27 Khan, MD. Obaiduzzaman; “US Military Bans Removable Media Again,” The Tech Journal, 13 December 2010, http://thetechjournal.com/tech-news/us-military-bans-removable-media-again.xhtml
28 Schwartz, Matthew J.; “Thumb Drive Security: Snowden 1, NSA 0,” InformationWeek Network Computing, 14 June 2013, www.networkcomputing.com/storage/thumb-drive-security-snowden-1-nsa-0/d/d-id/1110380?
29 TechTarget; “acoustical infection,” http://whatis.techtarget.com/definition/acoustical-infection
30 Rouse, Margaret; “van Eck phreaking,” TechTarget Search Security, http://searchsecurity.techtarget.com/definition/van-Eck-phreaking

© 2015 ISACA. All Rights Reserved. 14 Industrial Control Systems: A Primer for the Rest of Us

Another threat vector lies in the supply chain. Within the IT industry it is common practice to ship devices with default usernames and passwords. Equipment manufacturers also have a long history of installing backdoors for ease of remote troubleshooting. Unlike most ICS, IT devices normally allow these passwords to be changed by the user. Within ICS, user accounts (if they even exist) and backdoors are hard-coded, which prevents local hardening.31 Sophos predicts the gap between ICS and IT security will continue to broaden and that far more serious flaws will be exposed.32 Figure 9 dissects, by vendor, the 398 ICS-CERT security issues, vulnerabilities and exploits reported in the early months of 2015.

FIGURE 9 ICS CERT Advisories Through 12 March 2015

Source: Adapted from Timpany, Bob; “ICS-CERT Update,” Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), February 2015

Additional information can be gleaned from the Open Source Vulnerability Database (OSVDB, www.osvdb.org). Figure 10, adapted from the SCADAhacker.com site and built on OSVDB vulnerability trend statistics, is representative of the type of data OSVDB tracks.

31 Zetter, Kim; “Equipment Maker Caught Installing Backdoor Account in Control System Code,” Wired, 25 April 2012, www.wired.com/2012/04/ruggedcom-backdoor/ and Goodin, Dan; “Intruders hack industrial heating system using backdoor posted online,” Ars Technica, 13 December 2012, http://arstechnica.com/security/2012/12/intruders-hack-industrial-control-system-using-backdoor-exploit/
32 Sophos; “Our top 10 predictions for security threats in 2015 and beyond,” 12 November 2014, http://blogs.sophos.com/2014/12/11/our-top-10-predictions-for-security-threats-in-2015-and-beyond/


FIGURE 10 Vulnerability Trends Through 14 March 2015

Sources: Open Source Vulnerability Database, www.osvdb.org. SCADAhacker.com, “Vulnerability Trend Data,” 14 March 2015, https://scadahacker.com/resources.html#sansics

Security simply cannot be bolted on with any expectation of success. Early attempts by vendors to produce ICS security products and appliances were rightfully met with resistance because the offerings highlighted a profound lack of understanding of the unique operating environment they were built to secure.

Cyberattacks against ICS are growing in sophistication. As if this were not enough, a security researcher discovered banking Trojans being packaged as legitimate ICS patches.33 In these instances, ICS are not believed to be targeted for system interruption, but rather as a way to steal financial information.

Mitigation

Vendors persistently release patches but, as in IT, patches take time to develop and make available. A sampling of the vendors listed in figure 9 revealed surprisingly high patch availability: greater than 90 percent, on average. (In this context, patch also includes hot fixes, maintenance releases, firmware updates and software upgrades.) In some instances, vendors include mitigation language encouraging administrators to limit exposure and verify firewall rules. When this language is not provided, ICS-CERT typically publishes similar guidance.
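The banking Trojans packaged as ICS patches described above succeed only if an administrator installs whatever file arrives under the patch's name. The following Python script, added here as an illustration and not code from this paper or from any vendor, checks downloaded patch files against a vendor-published SHA-256 manifest before anything is staged for installation. The manifest format (one "<sha256>  <filename>" line per file), the file names and the file contents are constructed for the example.

```python
"""Verify downloaded ICS patches against a vendor-published SHA-256 manifest.

Added example; the manifest format, file names and contents are constructed.
Only files whose digest matches the manifest are candidates for installation.
"""
import hashlib
import hmac
from typing import Dict, List

HEX_DIGITS = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> str:
    """Vendor side: one '<sha256>  <filename>' line per released file."""
    lines = [f"{sha256_hex(data)}  {name}" for name, data in sorted(files.items())]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse the manifest strictly. A malformed or duplicated line is an error,
    not something to skip: a mangled manifest is itself a warning sign."""
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<sha256>  <filename>'")
        digest, name = parts[0].lower(), parts[1].strip()
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"manifest line {lineno}: {parts[0]!r} is not a SHA-256 hex digest")
        if name in expected:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name!r}")
        expected[name] = digest
    return expected


def verify_patches(manifest_text: str, downloaded: Dict[str, bytes]) -> Dict[str, str]:
    """Site side: compare what was downloaded with what the vendor published.

    Verdicts: 'ok' (digest matches), 'mismatch' (same name, different content,
    e.g. a trojanized replacement), 'missing' (listed but not downloaded) and
    'unlisted' (downloaded but absent from the manifest, e.g. a bundled extra)."""
    expected = parse_manifest(manifest_text)
    verdicts: Dict[str, str] = {}
    for name, digest in expected.items():
        if name not in downloaded:
            verdicts[name] = "missing"
        elif hmac.compare_digest(sha256_hex(downloaded[name]), digest):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "mismatch"
    for name in downloaded:
        if name not in expected:
            verdicts[name] = "unlisted"
    return verdicts


def installable(verdicts: Dict[str, str]) -> List[str]:
    """Names cleared for the test environment; everything else stays quarantined."""
    return sorted(name for name, verdict in verdicts.items() if verdict == "ok")


if __name__ == "__main__":
    # Constructed stand-ins for a vendor release and for what actually arrived.
    released = {
        "plc_firmware_v2.3.1.bin": b"\x7fELF constructed firmware image",
        "hmi_hotfix_2015_03.exe": b"MZ constructed hotfix",
    }
    manifest = build_manifest(released)  # fetched from the vendor's own site, not the download mirror
    arrived = dict(released)
    arrived["hmi_hotfix_2015_03.exe"] = b"MZ constructed hotfix with an added banking trojan"
    arrived["update_helper.exe"] = b"MZ constructed file nobody asked for"
    verdicts = verify_patches(manifest, arrived)
    for name in sorted(verdicts):
        print(f"{verdicts[name]:<9} {name}")
    print("install:", installable(verdicts))
```

The manifest has to come from a channel independent of the patch download (the vendor's own TLS site, or a signed manifest); an attacker who can swap the patch on a mirror can swap an accompanying hash file just as easily. A matching digest also says nothing about whether the patch is safe for the plant, which is what the risk assessment and testing the paper calls for address.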

33 Higgins, Kelly Jackson; “Banking Trojans Disguised as ICS/SCADA Software Infecting Plants,” InformationWeek Dark Reading, 8 January 2015, www.darkreading.com/attacks-breaches/banking-trojans-disguised-as-ics-scada-software-infecting-plants/d/d-id/1318542?_mc=RSS_DR_EDT


Unfortunately, just because a patch is available does not mean it can or will be implemented. Comprehensive risk assessments are necessary to determine whether any particular patch is a necessary control and, if so, testing must be conducted to ensure it performs as expected and does not adversely affect other components or systems. Then again, if operations can never be interrupted, the patch would likely not even be entertained. In these situations, defense in depth is not only good practice, but is paramount.

ICS implementations vary, so it goes without saying that defense-in-depth architecture strategies will differ. Defense in depth can be implemented using concentric rings, overlapping redundancy, compartmentalization or any combination thereof.34 Architecture specificity is beyond the scope of this document.

Risk management and governance are paramount, regardless of whether one is charged with defending critical infrastructure, manufacturing plants, building automation or the corporate network. Rarely will any two networks require identical cybersecurity strategies. Business objectives differ, as do risk assessments, which in turn influence risk appetite. ICS is no exception.

There are tremendous advantages to creating and sustaining cross-functional teams. Both ICS and IT cybersecurity professionals bring valuable and unique perspectives to the table. IT risk and governance are not new concepts and should serve the ICS community well, especially in converged enterprises. ICS professionals are operationally minded individuals, similar to the military, who understand the criticality of repeatable processes, preplanned responses and profound familiarity with the network they are charged with maintaining. Many IT departments could learn a great deal from the ICS camp about the importance of accurate inventories and network data flow.

Summary

Few can dispute that attempting to secure technology or devices about which one has no technical understanding is intimidating. Some might argue it is reckless. Regardless of prevailing opinion, that scenario is playing out in many organizations when cross-discipline teams are not leveraged for development and execution of enterprise cybersecurity strategies.

Earl Perkins, Gartner consultant, noted this disconnect in a 2014 report: “As vulnerabilities in SCADA and industrial control system protocols become exposed, exploited and become incidents, and because of their experience in vulnerability management, CISOs will become responsible for Operational Technology (OT) patch and change management — and will become ultimately responsible for gaps in operational control systems that were never specifically designed with security in mind.”35

Research has revealed that a great deal of work has been accomplished to date by individuals who selflessly contribute to creating standards, offer training and education, hold conferences and help create relevant certifications. Many belong to professional associations such as the International Society of Automation (ISA), which reports on its web site a membership in excess of 30,000. Organizations such as ISA (and ISACA) rely heavily on member contributions to support industry professionals with training and education, conferences and certifications. ISA’s recent notable achievements in this area include the work of ISA99, “Industrial Automation and Control Systems Security,” which has become the global industrial cybersecurity standard published by the International Electrotechnical Commission as the IEC 62443 series, as well as the ISA99/IEC 62443 Cybersecurity Fundamentals Specialist Certificate, designed specifically for industrial control systems security professionals.
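The air gap defined earlier, the advisory guidance to limit exposure and verify firewall rules, and the point just made about accurate inventories and network data flow all reduce to one question: does the traffic actually observed match the segmentation the organization believes it has? The Python script below, an added example and not code from this paper, answers that question over a set of flow records. The network ranges, asset inventory and flow records are constructed for the example; 203.0.113.7 is a documentation address standing in for an Internet host, and the port-to-protocol mapping uses the IANA-registered ports for Modbus/TCP, Siemens S7 (ISO-TSAP), DNP3 and EtherNet/IP.

```python
"""Audit flow records against a control-network segmentation policy.

Added example with constructed networks, inventory and flows. Three checks:
  air_gap_breach        a control-network host reached a non-RFC 1918 address
  ics_from_outside      an ICS protocol port on a control host was reached from
                        outside the control network (should be blocked, or pass
                        through a DMZ jump host that is itself in the inventory)
  unknown_control_host  a control-network address that is not in the inventory
"""
import csv
import io
import ipaddress
from typing import Dict, List

# Constructed policy data standing in for a real site's records.
CONTROL_NETS = [ipaddress.ip_network("10.10.0.0/16")]
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ICS_PORTS: Dict[int, str] = {502: "Modbus/TCP", 102: "S7/ISO-TSAP", 20000: "DNP3", 44818: "EtherNet/IP"}
INVENTORY: Dict[str, str] = {"10.10.1.10": "PLC-01", "10.10.1.11": "PLC-02", "10.10.2.5": "HMI-01"}

# Constructed flow records, as exported from a firewall log or NetFlow collector.
SAMPLE_FLOWS = """\
src,dst,dport,proto
10.10.2.5,10.10.1.10,502,tcp
10.10.2.5,10.10.1.11,502,tcp
10.20.3.44,10.10.1.10,502,tcp
10.10.1.11,203.0.113.7,443,tcp
10.10.9.200,10.10.1.10,102,tcp
10.20.3.44,10.20.5.1,445,tcp
"""


def in_nets(addr, nets) -> bool:
    return any(addr in net for net in nets)


def audit_flows(flow_csv: str, control_nets=CONTROL_NETS,
                inventory: Dict[str, str] = INVENTORY) -> List[dict]:
    findings: List[dict] = []

    def report(kind: str, row: dict, note: str) -> None:
        findings.append({"kind": kind, "src": row["src"], "dst": row["dst"],
                         "dport": int(row["dport"]), "note": note})

    for row in csv.DictReader(io.StringIO(flow_csv)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        dport = int(row["dport"])
        src_ctl, dst_ctl = in_nets(src, control_nets), in_nets(dst, control_nets)

        # 1. The "air gap": no control host should talk to anything outside RFC 1918 space.
        if src_ctl and not in_nets(dst, RFC1918_NETS):
            report("air_gap_breach", row, f"control host {src} reached non-RFC 1918 address {dst}:{dport}")

        # 2. Segmentation: ICS protocols must not be reachable from outside the control network.
        if dst_ctl and not src_ctl and dport in ICS_PORTS:
            report("ics_from_outside", row, f"{ICS_PORTS[dport]} on {dst} reached from {src}, outside the control network")

        # 3. Inventory: every control-network address seen on the wire must be a known asset.
        for addr in (src, dst):
            if in_nets(addr, control_nets) and str(addr) not in inventory:
                report("unknown_control_host", row, f"{addr} is in the control network but not in the asset inventory")
    return findings


if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(f"{finding['kind']:<21} {finding['note']}")
```

Run over a day of flow exports, the first pass usually produces inventory findings rather than attack findings, which is exactly the inventory point made above. Address-based checks see only what the collector sees: a serial link, a dual-homed engineering laptop or a cellular modem bypasses them, and the RFC 1918 test accepts any internal address, so distinguishing the business network from an approved DMZ is the natural next refinement.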

34 Op cit, ISACA
35 Perkins, Earl; “How to Organize IT/IOT Security for Success,” Gartner, 29 January 2014, www.bayshorenetworks.com/2014/07/bayshore-networks-announces-four-new-scada-firewalls/

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: [email protected]
Web site: www.isaca.org

Provide feedback: www.isaca.org/industrial-control-systems
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.

Disclaimer

ISACA has designed and created Industrial Control Systems: A Primer for the Rest of Us (the “Work”) primarily as an educational resource for security professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, security professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

ACKNOWLEDGMENTS

Expert Reviewers
Chase Cunningham, PhD, CTRC, USN (retired), USA
Monica Jain, CGEIT, USA
Sidney Sakota, USA
Cheryl Santor, CISA, CISM, CGEIT, CISSP, USA
Stephanie Schaeffer, CISSP, CEH, GCIH, USA

Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, Capital One, UK
Charlie Blanchard, CISA, CISM, CRISC, CIPP/US, CIPP/E, CISSP, FBCS, ACA, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Derek Grocke, HAMBS, Australia
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, CISA, CISM, ISO 27001 LA, CISSP, DHL Global Forwarding & Freight, Germany

Cybersecurity Task Force
Eddie Schwartz, CISA, CISM, CISSP, MCSE, PMP, USA, Chairman
Manuel Aceves, CISA, CISM, CGEIT, CRISC, CISSP, FCITSM, Cerberian Consulting, SA de CV, Mexico
Sanjay Bahl, CISM, CIPP, India
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, Capital One, UK
Brent Conran, CISA, CISM, CISSP, Intel, USA
Samuel Linares, CISA, CISM, CGEIT, CRISC, CISSP, GICSP, Industrial Cybersecurity Center (CCI), Spain
Marc Sachs, Verizon, USA

ISACA Board of Directors
Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, Vital Interacts, Australia, Vice President
Robert A. Clyde, CISM, Clyde Consulting LLC, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, SABIC, Saudi Arabia, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director
