By: Karl Braun
Are you investing in automated control of your industrial systems? Have you installed sensors, monitors, and control systems to increase quality, gain control of inventory, and improve the efficiency of your supply chain?
That’s good – it’s how smart businesses are differentiating themselves from the competition, and decreasing overhead. But it also brings new risks.
Advantages of Industrial Automation
Many companies are now implementing SCADA (Supervisory Control and Data Acquisition) systems in their factory environments. These systems use simple controllers, sensors, and other monitoring devices connected with an Ethernet interface to networks and computer systems, which collect this data for reporting. There are many reasons to use SCADA, which can provide a competitive edge:
• Better / more refined control over factory environments,
– Especially important in biomedical, agriculture, food, and beverage processing environments;
• Better / more refined control over equipment operations – better alignment to actual production needs;
• In-line automated testing and reporting on quality;
• Real-time reporting on inventory and consumption;
• Better insight into real-time status of fulfillment.
Risks
As with so many things these days, at first glance it seems that all you have to do is add a computer, and the advantage is yours. Also as with most cases, there’s more to it than that.
Frequently, industrial automation systems are implemented by facilities and industrial operations staff. Such personnel may have knowledge in electrical and cabling systems, and in the equipment being controlled and monitored, but it is likely they are not experienced with network standards and security.
We’ve seen systems where consumer-grade switches and routers are used along with un-firewalled internet connections. Cabling systems are strung ad hoc, without any protection from a harsh industrial environment filled with fast-moving forklifts, caustic chemicals, and heavy equipment putting out large amounts of electromagnetic radiation.
In addition, little thought may be given to maintenance and support. Updates and patches may not be applied, since industrial automation systems are frequently on separate networks or otherwise not on the corporate domain. System warranties may expire, making support and replacement costly with long periods of downtime.
Companies may also take immediate advantage of the reduced need for personnel afforded them by automation, and are not prepared with a backup plan when the inevitable outage occurs.
Of all of these issues, we consider security to be the most critical threat. This has become particularly problematic in the last two years. Prior to that, the biggest cyber security threat was due to common computer viruses, but since systems in SCADA networks are not usually under the control of a common operating system, or don’t have common applications on them like email or word processing, the potential damage was somewhat contained.
That changed in Summer 2010, when the Stuxnet virus was discovered in Iran. Even as its discovery was being published, samples of its code were being found “in the wild” on the Internet. What is particularly threatening about the Stuxnet malware is that it is specifically targeted at SCADA systems, and it is specifically designed to cause physical damage to the machinery being monitored and controlled. It is also very stealthy by design, and managed to remain in the wild undetected for at least a year.
The computer security industry has been talking about this threat, and the vulnerability of control systems in general, for some time, and lately there has been a lot of talk about terrorist threats against the nation’s utility infrastructure. Now we see concrete evidence of how this vulnerability might be exploited.
In November of 2011, reports surfaced of a water district in the United States possibly being the victim of a cyber-attack. The DHS and FBI have found that there were no signs of cyber intrusion in this case, and downplayed the risk of utility exposure to terrorist attacks. In response, a hacker posted screen caps of an HMI interface for a water utility system in South Houston, Texas. The screen caps were made after hacking a 3-character password on an apparently otherwise unprotected system connected to the Internet. The “gray hat” hacker (“gray” because he hacked illegally, but did so only to bring notice to the security issue and did no harm) used a commonly available scanner to find the exposed SCADA system.
Whether or not there is a large utility exposure to this type of threat is still open to debate. But the threat to industry is real, and any company investing in Industrial Control Systems (ICS) should take steps to secure these systems accordingly.
Here’s a brief overview of some concerns in ICS, SCADA and other factory automation systems:
Security
Unsecured internet connections. Internet connections without a tightly-configured firewall are not good practice under any circumstances. Such systems can be easily compromised, as noted above, with commonly available script-kits. Firewalls should be installed and only specific, necessary traffic should be allowed.
Vendor Control. Vendors should have limited access to the systems they operate or maintain, and should have no access to other systems on the plant. This limits inadvertent interference with other systems as well as any nefarious activity.
Limited Remote Access. Control how employees, contractors, and vendors access these systems from off site:
• Limit access to the SCADA network to specific users under some sort of administrative control (like Active Directory accounts with specific group policies).
• Restrict resources that can be brought into the SCADA environment through remote connections. For instance, if users are coming in through a Citrix environment, do not let local drives be shared into the session, since you will have little or no control over what kind of virus protection policies those remote systems will have in place.
Limited Physical Access. Access to the SCADA network should be controlled. Worms and viruses can be introduced into the environment through vendors’ laptops, USB drives, etc. SCADA systems are particularly vulnerable to this kind of attack, because the controllers and consoles in these environments typically do not have anti-virus and firewall protection due to the limited capabilities of these systems.
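One way to check a perimeter rule set against the firewall and vendor-control points above is a small audit script. This is an added example, not part of the original article; the address ranges, rule names, and rule format are constructed for illustration.

```python
import ipaddress as ip

# Constructed addressing plan (assumptions, not from the article).
SCADA_NET = ip.ip_network("10.20.0.0/24")
CORP_NET = ip.ip_network("10.0.0.0/8")
# Each vendor's source range mapped to the only systems it maintains.
VENDOR_SCOPE = {ip.ip_network("203.0.113.0/28"): ip.ip_network("10.20.0.16/30")}

# Constructed rule set: (name, source, destination, port, action).
RULES = [
    ("hmi-web-open", "0.0.0.0/0", "10.20.0.5/32", 80, "allow"),
    ("vendor-a-maint", "203.0.113.0/28", "10.20.0.0/24", "any", "allow"),
    ("historian-pull", "10.10.5.20/32", "10.20.0.40/32", 1433, "allow"),
    ("vendor-a-plc", "203.0.113.0/28", "10.20.0.16/30", 443, "allow"),
]

def audit(rules):
    """Return (rule name, finding) pairs for rules that break the policies above."""
    findings = []
    for name, src, dst, port, action in rules:
        src, dst = ip.ip_network(src), ip.ip_network(dst)
        if action != "allow" or not dst.overlaps(SCADA_NET):
            continue
        vendor_scope = next((scope for net, scope in VENDOR_SCOPE.items()
                             if src.subnet_of(net)), None)
        if vendor_scope is not None:
            # Vendor control: destination must stay inside that vendor's systems.
            if not dst.subnet_of(vendor_scope):
                findings.append((name, "vendor reaches systems it does not maintain"))
        elif not src.subnet_of(CORP_NET):
            # Neither a known vendor nor internal: SCADA is exposed to the internet.
            findings.append((name, "internet source allowed into SCADA network"))
        if port == "any":
            findings.append((name, "not limited to specific, necessary traffic"))
    # The last rule must be a catch-all deny so unlisted traffic is dropped.
    last = rules[-1] if rules else None
    if not last or last[1:] != ("0.0.0.0/0", "0.0.0.0/0", "any", "deny"):
        findings.append(("<end of rule set>", "no default-deny rule"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
```
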
Operations
Lack of consistent standards. Because SCADA and Industrial Control Systems are often implemented by factory staff, and because these people have full-time responsibilities in plant operations, they most likely will not have the background and resources to develop and implement a set of standards for implementing secure and stable IT environments. This can result in a patchwork implementation that may be difficult to expand or maintain. Involve IT staff, or personnel whose responsibility it is to work with IT staff, on designing, implementing, and maintaining a sound network that will adequately meet the needs of the operations staff, vendors, and corporate security.
Maintenance plan. Some mechanism needs to be in place to keep key hardware under warranty and software patched against new threats. Plans need to be made to review and update systems as hardware and software reach end-of-life support.
Over-dependence on automation. It is not unusual for management to be impatient for the financial returns on investment in automation; it is very tempting to immediately reduce staff once automation is in place. Traditional IT implementations usually take Disaster Recovery (DR) scenarios into account and have detailed plans on how to operate in case of systems failure. However, this usually involves exempt employees taking on additional duties during a crisis. In a factory environment, where the majority of workers are hourly employees and possibly union members, it will not be easy or even lawful to draft employees into performing extra duties in the case of a systems failure. How the plant will operate in the event of the inevitable failure must be considered, documented, and occasionally practiced.
Solutions
There is a range of actions you can take to minimize these problems. Which are right for you depends on the size and strategic importance of your control systems. In any case, you will want to develop or hire expertise to implement and maintain these systems. The following list offers a number of practical steps you can take:
• Stay abreast of change. Develop or leverage Subject Matter Experts (SMEs) to integrate
o IT standards
o Factory production processes
o Business processes.
• Develop relationships between key stakeholders in factory operations, facility management, and IT, and build a cross-functional team to
o Develop standards for rapid implementation
o Review specific vendor implementations
o Monitor system growth and issues.
o Implement maintenance plans.
• Work with vendors, but insist on adherence to policy. You are protecting your systems and have every right to maintain control over who does what in your environment. Get their requirements early in the project planning phase, specifically for
o Physical access requirements
o Remote access requirements
  – Will they need to upload firmware/software to their systems?
  – Will they frequently need access to the systems for reporting and maintenance?
• When changes are required to meet new needs, make sure they are reviewed and still adhere to corporate business needs.
Yes, there will be some costs associated with ensuring better security and reliability, but these automated systems are being implemented because of their strategic importance and/or their ability to reduce operational costs. As we all know, the costs of not being prepared can be far greater.
About ZAG Technical Services, Inc.
ZAG Technical Services, Inc. (ZAG) is an award-winning IT consulting firm specializing in network infrastructure, security, disaster recovery, virtualization, cloud computing services, and remote access. As a Microsoft Gold Certified Partner, ZAG provides Enterprise class business solutions that help companies reduce IT costs, increase productivity and ensure security. Located in San Jose and Salinas, California, ZAG serves businesses throughout Northern California.
For more information about ZAG, please visit the company website at http://www.zagtech.com
ZAG can also be reached at +1.408.383.2000, +1.831.422.3100 or via email at info@zagtech.com.

