According to RISI, the industry had one-quarter of the number of incidents reported by other verticals such as water and petroleum, but had six times more than the mining sector. Of those that occurred, 50% resulted in minimal damage (small dollar amount) but one-third were much more significant - think north of six figures.[1]
The vast majority of all incidents were unintentional, almost always malware or virus infections. However, close to half of all intentional incidents were perpetrated by company insiders. So, almost 10% of reported incidents were both intentional and executed by insiders.
Figure 1 - Industrial IT challenges faced by most process control organizations today
Major company assessment results
These reports are interesting as a look back. But what if we look forward? What do we find at a mill that has not yet had an incident? If you're wondering what an assessment of a mill might reveal, consider this recent assessment of a major mill:
- 37 assets were tested. (An ‘asset' is a computer. A server, workstation, file server, domain controller or other such ‘cyber' asset.)
- A quick review of the collected data from the site revealed at least four major vulnerabilities in any given category - applications, services, etc. And, this result was almost immediately after the site had performed a round of antivirus installs and system updates to correct for a Conficker infection.
- The site was missing, on average, 19% of all high/critical/service pack updates.
- By reasonable extrapolation, we estimate there were between 175 and 233 vulnerabilities per asset at this site, and that between 26% and 48% of those would rank as high severity issues. The specific findings, including the exact per-asset counts and the individual vulnerabilities, are withheld to keep the client anonymous.
It is important to reiterate that this site was in the process of cleaning up a Conficker outbreak. Prior to its discovery, site administration had no comprehensive antivirus solution in place, nor did they regularly update workstations. Indeed, it is our experience that in much of the industry, cyber assets are installed and then left in situ thereafter, barely (if ever) receiving any sort of patching or software updates.
At another site belonging to this company, the Windows Update Agent was not installed on the vast majority of assets, which means that it is highly likely their assets were essentially unpatched since the date of their installation.
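The two findings above (assets missing high/critical updates, and assets with no Windows Update Agent at all) are exactly what an "assess" phase has to establish before anything can be prioritized. The script below is an added example, not the article's or the assessor's own tooling: it inventories the patch state of a list of Windows assets and ranks them for remediation. It assumes Windows PowerShell 5.1 on an administrative workstation with WMI/DCOM access and local admin rights on the targets; the hostnames are constructed placeholders. KB958644 is the MS08-067 fix that Conficker exploits, which is why it is the default "required" update; any other KBs in that list are a site decision.

```powershell
# Added example, not from the original article: a patch-state inventory for the
# "assess" phase. Assumes Windows PowerShell 5.1 on an admin workstation with
# WMI/DCOM access to the listed hosts. Hostnames are constructed placeholders.
param(
    [string[]]$ComputerName = @('MILL-HMI-01', 'MILL-HIST-01', 'MILL-DC-01'),
    [int]$StaleDays = 90,
    # Updates the site considers mandatory. KB958644 is the MS08-067 fix that
    # Conficker exploits; extend the list with the site's own baseline.
    [string[]]$RequiredKB = @('KB958644')
)

$now = Get-Date

function Get-PatchState {
    param([string]$Computer)

    try {
        $os    = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $Computer -ErrorAction Stop
        $fixes = @(Get-HotFix -ComputerName $Computer -ErrorAction Stop)
    } catch {
        return [pscustomobject]@{
            Computer = $Computer; Status = 'Unreachable'; Rank = 0
            OSInstalled = $null; LastHotfix = $null; DaysSince = $null
            MissingKB = ''; Note = $_.Exception.Message
        }
    }

    # Get-Service -ComputerName exists in Windows PowerShell 5.1 (not PowerShell 7).
    # A missing wuauserv service means the host has no Windows Update Agent.
    $wua = Get-Service -Name wuauserv -ComputerName $Computer -ErrorAction SilentlyContinue

    # Win32_QuickFixEngineering sometimes reports no InstalledOn; skip those rows when dating.
    $last = $fixes | Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending | Select-Object -First 1
    $days = if ($last) { ($now - $last.InstalledOn).Days } else { $null }

    # Required KBs that are not present in the host's hotfix list.
    $missing = @($RequiredKB | Where-Object { $_ -notin $fixes.HotFixID })

    # Rank: lower number = worse finding, so the report sorts into a remediation order.
    if (-not $wua) {
        $status = 'NoWindowsUpdateAgent'; $rank = 1
    } elseif ($missing.Count -gt 0) {
        $status = 'MissingRequiredKB'; $rank = 2
    } elseif (-not $last -or $last.InstalledOn -le $os.InstallDate.AddDays(7)) {
        # Newest hotfix dated within a week of the OS install: the image's own
        # updates only, so the host is effectively unpatched since installation.
        $status = 'UnpatchedSinceInstall'; $rank = 3
    } elseif ($days -gt $StaleDays) {
        $status = 'Stale'; $rank = 4
    } else {
        $status = 'OK'; $rank = 5
    }

    [pscustomobject]@{
        Computer = $Computer; Status = $status; Rank = $rank
        OSInstalled = $os.InstallDate
        LastHotfix = if ($last) { $last.InstalledOn } else { $null }
        DaysSince = $days; MissingKB = ($missing -join ','); Note = ''
    }
}

$report = foreach ($c in $ComputerName) { Get-PatchState -Computer $c }

# Worst findings first; within a rank, the longest-unpatched host first.
$report | Sort-Object Rank, @{ Expression = 'DaysSince'; Descending = $true } |
    Format-Table Computer, Status, OSInstalled, LastHotfix, DaysSince, MissingKB, Note -AutoSize
```

Run it as `.\Get-PatchState.ps1 -ComputerName (Get-Content hosts.txt)` from a workstation that can reach the control network. Two caveats matter on a mill floor: `Get-HotFix` only reports what Win32_QuickFixEngineering records, so a host that shows "OK" here still needs a proper vulnerability scan before it is signed off; and even read-only WMI queries against production HMIs and historians should be scheduled and agreed with operations rather than run ad hoc.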
What do these observations tell us? It is reasonable to conclude that many mills have not developed a security program for their production-related assets that supports their business strategy. A cyber security program combines policies and procedures coupled with technical countermeasures and an ongoing program to monitor, maintain and adapt as necessary. Simply stated, cyber security is a risk management issue, and the proper way to address it is with a risk management program.
Ongoing advances in hardware and software are opening up more ways to use automation technology to advantage. Meeting today's exacting automation challenges means knowing what is possible. Change can be good, and our ability to evolve with it and to extract the most value from it is the measure of our creativity and dedication, and of whether we apply a logical approach to this evolution.
We must be aware of the challenges that are contributing to risk. Over time, the impact of these challenges has increased. Risk has increased due to:
Increased accessibility requirements and tighter linkage between business and process information: To achieve a sustainable competitive advantage, manufacturing and process businesses must be able to adapt quickly to change. Reduced time to decision and action is critical for improving quality and productivity, which makes the timely collection, manipulation and distribution of reliable information a significant issue. In today's business environment, electronic data need to be presented as information to operations, engineering and management in the context most meaningful to them. Historical, process and business data are collected from disparate sources and stored securely. The business requirement is to transform that data into meaningful information, presented in a manner that is easy to understand and that supports every level of the organization in improving efficiency and profitability. As a result, most organizations face requirements to increase accessibility to the system. While this tighter linkage between business and process information is necessary, it opens the door to intrusions, whether unintentional or targeted.
Complex array of tools, standards and best practices: With the proliferation of open systems, the complexity of plant networks and the need to support legacy systems, more tools are available to address requirements and exposures, with the attendant standards and best practices that follow. Understanding which tools best fit an environment can be a rigorous task.
Targeted malicious cyber security threats: With the increasing demand for accessibility and sharing of information, the number of targeted malicious cyber security threats is increasing as well. Being the subject of the next big story in the press is not advantageous. When P. T. Barnum said, "I don't care what you say about me, just spell my name right," perhaps he would have rephrased had he known about cyber security threats, the Internet and widespread access to technology.
Increase in industry and government regulations or standards: Depending on the industry, there are directives to adopt standards and, in some situations, to put installations in place that adhere to regulatory guidelines. There is attendant uncertainty about how to interpret and apply regulatory and best-practice controls.
Increased emphasis on uptime, availability and reliability: With all of these challenges comes the demand for increased uptime, availability and reliability. Many organizations find themselves without the people needed to manage a security program that meets the high standards industrial information technology requires. The lack of IT know-how in the plant is problematic, and the plant places a priority on availability over confidentiality.
The question, then, is: How do we respond to this increased risk level?
Control systems are an integral part of the industrial infrastructure today - not just in North America, but around the world. We have come to understand that control systems share some information technology (IT) similarities with corporate business systems; however, control systems are technically, administratively, and functionally more complex and unique than business IT systems.
Cyber security vulnerabilities affect the safe, functional performance of both control systems and business IT systems. Mainstream IT is quite knowledgeable and experienced in the threats and in managing the security environment, perhaps years ahead of the current status of control systems, and control networks have significant room for improvement. We have the opportunity to learn from the experience of business IT and shorten the time it takes control systems to acquire the same level of security awareness.
One of the main reasons for this difference in cyber security maturity is the difference in focus between business IT and control systems. Control systems have focused on equipment efficiency and reliability, while cyber security was left to the business IT organizations. However, this situation is changing. And, we see that the convergence of IT and control systems requires expertise from both business IT and industrial control systems.
We call this convergence industrial IT.
A logical, organized approach to the industrial IT lifecycle is necessary to ensure the appropriate steps are taken at the appropriate time - and that the process is repeatable. The industrial IT lifecycle is an ongoing cycle, and requires continuous attention. The approach consists of four phases: assess, remediate, manage, and assure.
A quick view of each phase and its primary function can be viewed as:
- Assess: the site's assets are assessed against industry standards, regulatory requirements and best practices.
- Remediate: the issues identified in the assess phase are addressed with a custom-designed industrial IT program.
- Manage: the site's industrial IT investment, including network security, is managed with support and training.
- Assure: methods are applied to assure the customer that its industrial IT solutions are functioning as designed.
Figure 2 - Industrial IT lifecycle phases
Where do you start?
At the beginning of this article, we discussed a major mill and the security exposure at that site. Those findings were the result of an assessment. The "assess" phase is very important in the industrial IT lifecycle. During this phase, the site's current state, with its shortcomings and vulnerabilities, is compared with the desired state. Of the four phases, this one is perhaps the most enlightening. Assessments usually result in actionable recommendations that lead to better management and therefore greater security and reliability of the system. The recommendations should be prioritized so that the identified vulnerabilities can be addressed in a logical order. In addition, budgetary guidelines help to size and scope the effort required in the next step, the "remediate" phase.
Assessment types are varied, depending upon the immediate and long-term needs of the installation. For some installations, regulatory assessments are at the forefront. If there are immediate concerns regarding network vulnerabilities, the network assessment would be the ideal starting point.
Recognizing the need to address cyber security issues is the first step. Securing your critical infrastructure is an evolving process. As we often say: "Security is a journey, not a destination!"
[1] Testimony of Joseph M. Weiss, control systems cyber security expert, before the Committee on Commerce, Science, and Transportation, U.S. Senate, March 19, 2009.