Andrew Ginter says that most critical infrastructure control systems were not designed with security in mind, and history has proven that these systems are vulnerable to attack and to performance failures.

An increasing focus for companies managing critical infrastructures is the security of process control systems. At the same time, enterprises increasingly rely on access to real-time data in order to drive faster time-to-revenue through the use of business intelligence systems. Access to real-time data requires connectivity into the heart of critical infrastructure process control and SCADA networks, including those in the electric power, oil and gas, transportation, water and chemical sectors. 

Most critical infrastructure control systems were not designed with security in mind, and history has proven that these systems are vulnerable to attack and to performance failures. Truth be told, many plant networks were designed to be “air gapped” – they were never designed for connectivity to business networks, or for remote access from other networks. However, it turns out that simply applying proven enterprise security policies to control systems is not the answer. 

So how should security executives secure their critical revenue-generating assets, where a security breach has not only significant economic and social impact, but potentially physical, life-threatening impact as well? Moreover, what do enterprise security professionals need to know about this environment to work with the operations staff to properly secure it and defend against these threats?

Connecting These Two Networks Introduces Real Risk on Both Sides

Enterprise security personnel looking at a control system connected to the enterprise network may see a vulnerable source and reservoir of malware-infected systems. Many control system hosts are running older, unpatched operating systems. The most elementary security technologies, like host anti-virus scanning and host firewalls, are not in widespread use, nor are elementary security processes like host hardening and the use of strong passwords.

In contrast, operations personnel looking at the enterprise network connected to the control network see a source of attacks that is not under their control. Operations computers and networks tend to be under tight physical security and tight change management controls.

In the end, both perspectives are aspects of the greater truth and both perspectives must be taken into account when securing control system assets.

A Different Line of Defense is Required

Corporate standards selected for enterprise networks do not meet the needs of control networks. Security teams can have a tendency to look at a control system as just another computer, but treating the two types of systems as equivalents can lead to unexpected and perhaps even catastrophic results. The truth of the matter is that the unique characteristics of operations networks and systems mean that many conventional enterprise security solutions not only don’t work on control networks, they may impair the operation of the system or stop it from operating completely.
Case in point: Governance/Risk/Compliance-inspired regulations focus first on confidentiality, then integrity and availability. Operations-inspired standards focus on safety first, which means availability and integrity are critical. The biggest difference is that control systems are often directly connected to pipelines, electrical grids, water supplies and chemical plants. Undoubtedly, a security breach here can have severe consequences including loss of revenue, environmental damage, power outages and even loss of life. As a result, the imperative for security is seen as an aspect of the imperative for safety.

Clearly, security solutions that protect critical infrastructures need to be designed and optimized for control networks. Some of these unique requirements include:

• Recognition of the importance of perimeter protection and internal monitoring for safety critical systems that cannot tolerate after-market changes that focus on intrusion prevention;
• Recognition of unique network protocols so as not to cause unnecessary alerting;
• Configuration of control system intrusion sensors to detect the known, good traffic and alarm on anything else;
• Careful design in adding host intrusion detection sensors so that they consume minimal CPU and network bandwidth to avoid disrupting time-critical operations; and,
• Support for access control for remote devices such as PLCs, RTUs and distributed controllers.
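The second and third requirements above (protocol awareness and "detect the known, good traffic and alarm on anything else") can be illustrated with a small allowlist monitor for Modbus/TCP, the most common control protocol. This is an added example, not code from the article or any product it describes; the addresses, the allowlist and the sample frames are constructed, and the detector only reports, it never blocks or modifies traffic.

```python
import struct

# Constructed allowlist (hypothetical addresses): which master may send which Modbus function codes to which PLC.
ALLOWED = {
    ("10.0.1.10", "10.0.2.5"): {3, 4},      # HMI: read-only (Read Holding/Input Registers)
    ("10.0.1.11", "10.0.2.5"): {3, 6, 16},  # engineering station: may also write registers
}
MODBUS_PROTOCOL_ID = 0  # the MBAP protocol identifier is always 0 for Modbus

def parse_mbap(payload):
    """Return (protocol_id, unit_id, function_code) from a Modbus/TCP frame, or None if malformed."""
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if length != len(payload) - 6:  # MBAP length counts unit id + PDU bytes
        return None
    return pid, unit, payload[7]

def inspect(flows):
    """Allowlist check: known-good (src, dst, function) passes silently; everything else raises an alert."""
    alerts = []
    for src, dst, port, payload in flows:
        if port != 502:
            alerts.append((src, dst, f"unexpected tcp/{port} traffic into control segment"))
            continue
        parsed = parse_mbap(payload)
        if parsed is None:
            alerts.append((src, dst, "malformed Modbus/TCP frame"))
            continue
        pid, _unit, fc = parsed
        if pid != MODBUS_PROTOCOL_ID:
            alerts.append((src, dst, f"non-Modbus protocol id {pid} on tcp/502"))
        elif (src, dst) not in ALLOWED:
            alerts.append((src, dst, "unknown master talking to PLC"))
        elif fc not in ALLOWED[(src, dst)]:
            alerts.append((src, dst, f"function code {fc} not permitted for this master"))
    return alerts

def frame(fc, data, unit=1, tid=1):
    """Build a Modbus/TCP request frame (constructed test input, not captured traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit) + pdu

SAMPLE = [  # constructed sample traffic into the control segment
    ("10.0.1.10", "10.0.2.5", 502, frame(3, b"\x00\x00\x00\x0a")),   # HMI read: silent
    ("10.0.1.10", "10.0.2.5", 502, frame(6, b"\x00\x01\x00\xff")),   # HMI write: alert
    ("10.0.1.11", "10.0.2.5", 502, frame(16, b"\x00\x00\x00\x01\x02\x00\x01")),  # engineering write: silent
    ("10.0.3.7", "10.0.2.5", 502, frame(3, b"\x00\x00\x00\x01")),    # unknown host: alert
    ("10.0.1.10", "10.0.2.5", 445, b"\x00" * 4),                     # SMB into control net: alert
]
```

Running `inspect(SAMPLE)` returns three alerts (the HMI write, the unknown host and the SMB flow) and stays silent on the two expected exchanges; because the monitor only parses and compares, it adds no load to the PLCs or the engineering hosts it watches.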

Conclusion and Recommendations

As organizations increasingly merge their security systems to support business requirements, the responsibility for securing all of these important assets from cyber attack can converge as well. Companies can benefit from having an enterprise view across all security systems, but the products in the control world need to be optimized for the unique needs of this environment.