Wurldtech - Security Technologies

Industry Resources
Patch and antivirus management

Hardening the control components that run common operating systems is a commonly suggested way to improve system security. Yet with 78% of the incidents reported in the last four years being malware-related, the deployment of A/V software and patch management in control systems obviously needs improvement.

The difficulty with both antivirus deployment and patch management in SCADA is that one cannot blindly deploy new A/V signatures or patches into the industrial control environment without risking disruption of operations. In fact, there have been at least two cases recorded in ISID where inappropriate deployment of A/V patches on the control system has caused loss of production.

This does not mean that the deployment of antivirus software or patches in control systems should be given up as impossible. A number of companies have demonstrated that careful A/V and patching policy and practice can be used to balance system reliability with the need for system security. For example, several major petroleum and chemical companies have publicly described how they successfully used antivirus technology and patch management on their control systems [10]. The Edison Electric Institute (EEI) has detailed recommendations on a tiered approach to patch management for control systems [11]. Finally, most of the major control equipment vendors now offer guidance on both patch management and A/V deployment for their control products. Thus there is little reason for SCADA system owners/operators not to have good patch and A/V programs in place today.

In many cases, the most critical devices in a control system are based on operating systems and architectures that do not allow the addition of security features such as A/V software or permit regular patching. Furthermore, the majority of control devices in use today offer no authentication, integrity, or confidentiality mechanisms, and can be completely controlled by any individual pinging the device. Thus the most critical devices on the plant floor are also the most vulnerable.

A rapidly evolving security solution is the use of low-cost security appliances deployed directly in front of each control device (or group of devices) that needs protection. These appliances provide protection directly at the critical edge device, similar to the way personal firewalls, antivirus software, or intrusion detection systems provide local protection for desktop computers and servers. The result is a true ‘defence in depth’ strategy: even if a hacker or virus manages to get through the main corporate firewall, they will still be faced with an army of SCADA-focused security devices that must be breached before any damage can be done. Typically, each of these remote security appliances is configured, monitored, and managed from a central management system. Because each appliance focuses on protecting a small number of critical devices rather than a whole network, it can be tuned to meet the security needs of the specific device it is protecting.
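The following model of the architecture just described is an added illustration, not code from the original article or from Wurldtech: a central manager pushes a per-device allow-list to each edge appliance, every appliance denies anything not on its list, and denials are reported back for central monitoring. Device names, host addresses, the read-only Modbus rule and the sample traffic are all constructed for the example.

```python
"""Model of per-device SCADA security appliances managed from a central console.

Added illustration, not the article's or Wurldtech's code. Each protected control
device gets its own allow-list policy; the appliance denies by default and
records blocked traffic for the central manager. All names and traffic below
are constructed sample data.
"""
from dataclasses import dataclass, field

# Modbus/TCP function codes that only read data (1-4); writes are 5, 6, 15, 16.
MODBUS_READ_FUNCTIONS = {1, 2, 3, 4}


@dataclass(frozen=True)
class Rule:
    """One allow-list entry: who may talk to the protected device, and how."""
    src: str                 # permitted source host
    proto: str               # 'tcp' or 'udp'
    port: int                # destination port on the protected device
    read_only: bool = False  # for Modbus: permit only read function codes


@dataclass
class Appliance:
    """Security appliance sitting directly in front of one control device."""
    device: str
    rules: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def allows(self, src, proto, port, function=None):
        for r in self.rules:
            if (r.src, r.proto, r.port) != (src, proto, port):
                continue
            if r.read_only and function is not None and function not in MODBUS_READ_FUNCTIONS:
                continue  # right host and port, but a write attempted under a read-only rule
            return True
        return False  # default deny: nothing on the allow-list matched

    def inspect(self, event):
        """Evaluate one traffic event and record the verdict for the central console."""
        src, proto, port, function = event
        verdict = "allow" if self.allows(src, proto, port, function) else "deny"
        self.log.append((verdict, self.device, src, proto, port, function))
        return verdict


class CentralManager:
    """Configures, monitors and manages every edge appliance from one place."""

    def __init__(self):
        self.appliances = {}

    def deploy(self, device, rules):
        # Policy is tuned per device: each appliance only knows its own device's needs.
        self.appliances[device] = Appliance(device, list(rules))

    def denied_events(self):
        return [e for a in self.appliances.values() for e in a.log if e[0] == "deny"]


def run_demo():
    """Deploy two appliances and run constructed traffic through them."""
    mgr = CentralManager()
    # Constructed policy: PLC-1 may be polled (read only) by the HMI over Modbus/TCP.
    mgr.deploy("PLC-1", [Rule("10.0.1.10", "tcp", 502, read_only=True)])
    # Constructed policy: RTU-7 accepts DNP3 from the SCADA master only.
    mgr.deploy("RTU-7", [Rule("10.0.1.20", "tcp", 20000)])

    # Constructed traffic: (source, proto, port, Modbus function code or None)
    traffic = {
        "PLC-1": [("10.0.1.10", "tcp", 502, 3),      # HMI reads holding registers: allowed
                  ("10.0.1.10", "tcp", 502, 16),     # HMI tries to write registers: blocked
                  ("10.0.5.99", "tcp", 502, 3),      # unknown host polls the PLC: blocked
                  ("10.0.5.99", "tcp", 80, None)],   # unknown host reaches for the PLC's web port: blocked
        "RTU-7": [("10.0.1.20", "tcp", 20000, None),  # SCADA master: allowed
                  ("10.0.1.10", "tcp", 20000, None)], # HMI is not on RTU-7's list: blocked
    }
    verdicts = {dev: [mgr.appliances[dev].inspect(e) for e in events]
                for dev, events in traffic.items()}
    return verdicts, mgr.denied_events()


if __name__ == "__main__":
    verdicts, denied = run_demo()
    print(verdicts)
    for d in denied:
        print("DENY", d)
```

The point of the model is the placement and the default: because the policy sits at the device, a host that has already passed the corporate firewall still cannot reach the PLC unless the PLC's own appliance lists it, and even a trusted HMI is held to the narrowest operation the device needs.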

Quantifying the Cyber-Threat

The Cyber-Threat Impact Index (CTII) attempts to quantify the total impact of an incident by categorising it into one of three impact classes: low, moderate, and high. Instead of depending wholly on the direct financial impact, it also considers factors such as loss of employee time, loss of hardware, environmental consequences, and health and safety issues. Impact is then more accurately defined as the total transaction cost (or consequence) experienced by the organisation. The table summarises the results of this categorisation, and we can see that the majority of attacks can be classified as serious or moderate as defined by the CTII. The frequency of moderately severe incidents has increased steadily over the last few years. Given this, a future incident has about a 67% chance of being moderate or serious, based on CTII categories averaged from 2001 to 2004.

Abridged from the white paper Security Incidents and Trends in the SCADA and Process Industries: A Statistical Review of the Industrial Security Incident Database, www.symantec.com

References
1. We Have Your Water Supply, and Printers, Brumcon report, The Register, Oct 20, 2003, www.toorcon.org, www.blackhat.com
2. Surge in Criminal-Driven Cyber Attacks Anticipated in 2006, IBM Global Business Security Index Report, Dec 2005
3. Katherine Campbell, Lawrence A. Gordon, Martin P. Loeb and Lei Zhou; The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market, Journal of Computer Security, Vol. 11, No. 3, 2003, pp. 431-448
4. Tony Stephanou; Assessing and Exploiting the Internal Security of an Organization, The SANS Institute, Mar 13, 2001
5. Nash, Emma; Hackers Bigger Threat than Rogue Staff, VNU Publications, May 15, 2003, www.vnunet.com
6. Bob Mick; Manufacturing Security Status & Strategies, ARC Advisory Group, Oct 2005
7. ISA-TR99.00.01-2004, Security Technologies for Manufacturing and Control Systems, Instrumentation, Systems and Automation Society (ISA), 2004
8. Effective Practices for Meeting NERC Critical Infrastructure Protection Requirements in the Electric Power Industry, Symantec Corporation, 2006, www.symantec.com, www.nerc.com
9. Eric Byres, John Karsch, and Joel Carter; NISCC Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks, National Infrastructure Security Coordination Centre (NISCC), Jul 8, 2004
10. Eric Cosman; Patch Management at Dow Chemical, ARC Tenth Annual Forum on Manufacturing, ARC Research, Feb 20-24, 2006
11. Patch Management Strategies for the Electric Sector, white paper, Edison Electric Institute, IT Security Working Group, March 2004

Eric Byres is CEO, Byres Security Inc.
David Leversage lectures at the British Columbia Institute of Technology
Nate Kube is CTO, Wurldtech Security Technologies
