Control system security
Encyclopedia
Control system security is the prevention of intentional or unintentional interference with the proper operation of industrial automation
and control systems
. These control systems manage essential services including electricity, petroleum production, water, transportation, manufacturing, and communications. They rely on computers, networks, operating systems, applications, and programmable controllers
, each of which could contain security vulnerabilities
. The 2010 discovery of the Stuxnet worm
demonstrated the vulnerability of these systems to cyber incidents. The United States and other governments have passed cyber-security regulation
s requiring enhanced protection for control systems operating critical infrastructure.
Control system security is known by several other names such as SCADA
security, PCN security, industrial network security, and control system cyber security.
Regulation of control system security is rare. The United States, for example, only does so for the nuclear power and the chemical industries
.
More information about the activities and plans of the ISA99 committee is available on the committee Wiki site (http://isa99.isa.org/ISA99%20Wiki/Home.aspx)
has heightened concerns about the vulnerability of these systems.
Automation
Automation is the use of control systems and information technologies to reduce the need for human work in the production of goods and services. In the scope of industrialization, automation is a step beyond mechanization...
and control systems
Industrial Control Systems
Industrial control system is a general term that encompasses several types of control systems used in industrial production, including supervisory control and data acquisition systems, distributed control systems , and other smaller control system configurations such as skid-mounted programmable...
. These control systems manage essential services including electricity, petroleum production, water, transportation, manufacturing, and communications. They rely on computers, networks, operating systems, applications, and programmable controllers
Programmable logic controller
A programmable logic controller or programmable controller is a digital computer used for automation of electromechanical processes, such as control of machinery on factory assembly lines, amusement rides, or light fixtures. PLCs are used in many industries and machines...
, each of which could contain security vulnerabilities
Vulnerability (computing)
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...
. The 2010 discovery of the Stuxnet worm
Stuxnet
Stuxnet is a computer worm discovered in June 2010. It initially spreads via Microsoft Windows, and targets Siemens industrial software and equipment...
demonstrated the vulnerability of these systems to cyber incidents. The United States and other governments have passed cyber-security regulation
Cyber-security regulation
In the United States government, cyber-security regulation comprises directives from the Executive Branch and legislation from Congress that safeguards information technology and computer systems. The purpose of cyber-security regulation is to force companies and organizations to protect their...
s requiring enhanced protection for control systems operating critical infrastructure.
Control system security is known by several other names such as SCADA
SCADA
SCADA generally refers to industrial control systems : computer systems that monitor and control industrial, infrastructure, or facility-based processes, as described below:...
security, PCN security, industrial network security, and control system cyber security.
Risks
Insecurity of industrial automation and control systems can lead the following risks:- Safety
- Environmental impact
- Lost production
- Equipment damage
- Information theft
- Company image
Vulnerability of control systems
Industrial automation and control systems have become far more vulnerable to security incidents due to the following trends that have occurred over the last 10 to 15 years.- Heavy use of Commercial Off-the Shelf Technology (COTS) and protocols. Integration of technology such as MS Windows, SQL, and Ethernet means that process control systems are now vulnerable to the same viruses, worms and trojans that affect IT systems Increased Connectivity
- Enterprise integration (using plant, corporate and even public networks) means that process control systems (legacy) are now being subjected to stresses they were not designed for
- Demand for Remote Access - 24/7 access for engineering, operations or technical support means more insecure or rogue connections to control system
- Public Information - Manuals on how to use control system are publicly available to would be attackers as well as to legitimate users
Regulation of control system security is rare. The United States, for example, only does so for the nuclear power and the chemical industries
Chemical industry
The chemical industry comprises the companies that produce industrial chemicals. Central to the modern world economy, it converts raw materials into more than 70,000 different products.-Products:...
.
Government efforts
The U.S. Government Computer Emergency Readiness team (US-CERT) has instituted a Control Systems Security Program (CSSP) which has made available a large set of free National Institute of Standards and Technology (NIST) standards documents regarding control system security.ISA99
ISA99 is the Industrial Automation and Control System Security Committee of the International Society for Automation (ISA). The committee is developing a multi-part series of standards and technical reports on the subject, several of which have been publicly released. Work products from the ISA99 committee are also submitted to IEC as standards and specifications in the IEC 63443 series.- ISA-99.01.01 (formerly referred to as "Part 1") (ANSI/ISA 99.00.01) is approved and published.
- ISA-TR99.01.02 is a master glossary of terms used by the committee. This document is still a working draft but the content is available on the committee Wiki site (http://isa99.isa.org/ISA99%20Wiki/Master%20Glossary.aspx)
- ISA-99.01.03 identifies a set of compliance metrics for IACS security. This document is currently under development.
- ISA-99.02.01 (formerly referred to as "Part 2") (ANSI/ISA 99.02.01-2009) addresses how to establish an IACS security program. This standard is approved and published. It has also been approved and published by the IEC as IEC 62443-2-1
- ISA-99.02.02 addresses how to operate an IACS security program. This standard is currently under development.
- ISA-TR99.02.03 is a technical report on the subject of patch management. This report is currently under development.
- ISA-TR99.03.01 (http://www.isa.org/Template.cfm?Section=Standards&template=/Ecommerce/ProductDisplay.cfm&ProductID=9665)is a technical report on the subject of suitable technologies for IACS security. This report is approved and published.
- ISA-99.03.02 addresses how to define security assurance levels using the zones and conduits concept. This standard is currently under development.
- ISA-99.03.03 defines detailed technical requirements for IACS security. This standard is currently under development.
- ISA-99.03.04 addresses the requirements for the development of secure IACS products and solutions. This standard is currently under development.
- Standards in the ISA-99.04.xx series address detailed technical requirements at the component level. These standards are currently under development.
More information about the activities and plans of the ISA99 committee is available on the committee Wiki site (http://isa99.isa.org/ISA99%20Wiki/Home.aspx)
American Petroleum Institute
API 1164 Pipeline SCADA SecurityNorth American Electric Reliability Committee (NERC)
NERC Critical Infrastructure Protection (CIP) StandardsAmerican Chemistry Council
ChemITC Guidance DocumentsInsightful Articles
Industrial Netorking SecurityISA Security Compliance Institute
Related to the work of ISA 99 is the work of the ISA Security Compliance Institute. The ISA Security Compliance Institute (ISCI) has developed compliance test specifications for ISA99 and other control system security standards. They have also created an ANSI accredited certification program called ISASecure for the certification of industrial automation devices such as programmable logic controllers (PLC), distributed control systems (DCS) and safety instrumented systems (SIS). These types of devices provided automated control of industrial processes such as those found in the oil & gas, chemical, electric utility, manufacturing, food & beverage and water/wastewater processing industries. There is growing concern from both governments as well as private industry regarding the risk that these systems could be intentionally compromised by "evildoers" such as hackers, disgruntled employees, organized criminals, terrorist organizations or even state-sponsored groups. The recent news about the industrial control system malware known as StuxnetStuxnet
Stuxnet is a computer worm discovered in June 2010. It initially spreads via Microsoft Windows, and targets Siemens industrial software and equipment...
has heightened concerns about the vulnerability of these systems.