How to Stay in Control of Control Systems

December 1, 2014

Traditional network security risk management techniques are often inadequate to meet the specialized needs of enterprises' control systems. The good news is that a host of free resources exists to cover this important field of security, risk management, compliance and operational continuity.

The umbrella term “control systems” includes a wide range of programmable devices. In short, these systems collect and process data for the purpose of controlling physical equipment. Control systems are essential to the proper functioning of most of our critical infrastructure and as well manufacturing and food processing facilities. The most common control systems are referred to as Supervisory Control and Data Acquisition systems (SCADA), Distributed Control Systems (DCS), Programmable Logic Controllers (PLC), Remote Telemetry/Terminal Units (RTUs), Smart Meters and intelligent field instruments.

Is Control System Security a Unique Challenge?Yes. Generally speaking, control systems are designed for accuracy, extreme environmental conditions, and real-time response in ways that are often incompatible with the latest cybersecurity technologies, inconsistent with consumer grade hardware and software, and in conflict with common network protocols. As a result of these performance factors and limitations, engineers traditionally have been responsible for the design, operation and maintenance of control systems, rather than IT managers. Yet, despite their uniqueness, control systems are increasingly reliant upon common network protocols, and connectivity often exists between control systems and enterprise networks, to include the Internet.

What’s at Risk? If you were to ask people to describe cybersecurity worst-case scenarios, the discussion invariably would turn to control systems. In this context, people aren’t worried about consumer privacy or the theft of intellectual property. Instead, the focus is on the integrity of physical operations, on our ability to defend our critical infrastructure from being hijacked or destroyed from afar, and on our confidence that monitoring equipment put in place to alert us to problems is accurate.

Consider as a possible harbinger of things to come the rolling blackouts in 2003 that left 55 million people without power. The extent of the failure resulted from a software glitch that, unknown to systems operators, left the control room without any audio or visual alarms for over an hour. The operators thought everything was okay because the computers told them everything was okay. In another example, as a proof of concept Idaho National Laboratory physically destroyed a hulking 2.25MW diesel generator by way of a cyber attack, causing the machine to shake violently, erupt with smoke, and shoot out shrapnel as far as 80 feet away.

What Resources are Available (for Free)?The Department of Homeland Security operates the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) as the national focal point for control systems security. A quick visit to
ics-cert.us-cert.gov will provide you with a wealth of reference materials, ranging from tactical alerts and advisories to the broadly applicable NIST Guide to Industrial Control Systems Security. Also available from ICS-CERT are Web-based training modules and in-person courses and workshops.

The single most impressive resource, the Cybersecurity Self Evaluation Tool (CSET), is available for download. In addition to its sizable resource library, CSET prepares tailored analysis and assessment reports by walking companies through an extensive series of questions that incorporates the general control systems standards, sector specific standards (including electric, nuclear and pipeline), and/or IT specific standards that the user selects.

Control systems owners, operators and vendors also should consider joining ICS-CERT’s Joint Working Group, a government/industry information sharing and collaboration initiative dedicated to the design, development and deployment of more secure industrial control systems. Finally, should you find yourself responding to a control systems cyber attack, ICS-CERT actually provides free onsite incident response, as well as offsite malware analysis, and assistance with risk mitigation strategies.

In short, if you’re responsible for control systems security, you’re not alone and, with the help of ICS-CERT and its partners, you’re not on your own.

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 October

This month in Security magazine, we explore how Corning's global security group ensured business continuity and employee safety during the global COVID-19 pandemic. Also, we highlight the global security team at Uber and their recent security programs and initiatives. Industry experts discuss travel safety programs, career hackers, working for terrible bosses, group attribution error and more.

View More Create Account

How to Stay in Control of Control Systems

Recent Articles by Steven Chabinsky

Who's Responsible for Cloud Security?

Clear, Purge & Destroy: When Data Must be Eliminated, Part 2

Clear, Purge & Destroy: When Data Must be Eliminated

Bug Bounty Programs: An Emerging Best Practice

Managing Supply Chain Risk

Security Magazine

2020 October

How to Stay in Control of Control Systems

Recent Articles by Steven Chabinsky

Related Articles

Related Events

Report Abusive Comment