How to Stay in Control of Control Systems

December 1, 2014

Traditional network security risk management techniques are often inadequate to meet the specialized needs of enterprises' control systems. The good news is that a host of free resources exists to cover this important field of security, risk management, compliance and operational continuity.

The umbrella term “control systems” includes a wide range of programmable devices. In short, these systems collect and process data for the purpose of controlling physical equipment. Control systems are essential to the proper functioning of most of our critical infrastructure and as well manufacturing and food processing facilities. The most common control systems are referred to as Supervisory Control and Data Acquisition systems (SCADA), Distributed Control Systems (DCS), Programmable Logic Controllers (PLC), Remote Telemetry/Terminal Units (RTUs), Smart Meters and intelligent field instruments.

Is Control System Security a Unique Challenge?Yes. Generally speaking, control systems are designed for accuracy, extreme environmental conditions, and real-time response in ways that are often incompatible with the latest cybersecurity technologies, inconsistent with consumer grade hardware and software, and in conflict with common network protocols. As a result of these performance factors and limitations, engineers traditionally have been responsible for the design, operation and maintenance of control systems, rather than IT managers. Yet, despite their uniqueness, control systems are increasingly reliant upon common network protocols, and connectivity often exists between control systems and enterprise networks, to include the Internet.

What’s at Risk? If you were to ask people to describe cybersecurity worst-case scenarios, the discussion invariably would turn to control systems. In this context, people aren’t worried about consumer privacy or the theft of intellectual property. Instead, the focus is on the integrity of physical operations, on our ability to defend our critical infrastructure from being hijacked or destroyed from afar, and on our confidence that monitoring equipment put in place to alert us to problems is accurate.

Consider as a possible harbinger of things to come the rolling blackouts in 2003 that left 55 million people without power. The extent of the failure resulted from a software glitch that, unknown to systems operators, left the control room without any audio or visual alarms for over an hour. The operators thought everything was okay because the computers told them everything was okay. In another example, as a proof of concept Idaho National Laboratory physically destroyed a hulking 2.25MW diesel generator by way of a cyber attack, causing the machine to shake violently, erupt with smoke, and shoot out shrapnel as far as 80 feet away.

What Resources are Available (for Free)?The Department of Homeland Security operates the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) as the national focal point for control systems security. A quick visit to
ics-cert.us-cert.gov will provide you with a wealth of reference materials, ranging from tactical alerts and advisories to the broadly applicable NIST Guide to Industrial Control Systems Security. Also available from ICS-CERT are Web-based training modules and in-person courses and workshops.

The single most impressive resource, the Cybersecurity Self Evaluation Tool (CSET), is available for download. In addition to its sizable resource library, CSET prepares tailored analysis and assessment reports by walking companies through an extensive series of questions that incorporates the general control systems standards, sector specific standards (including electric, nuclear and pipeline), and/or IT specific standards that the user selects.

Control systems owners, operators and vendors also should consider joining ICS-CERT’s Joint Working Group, a government/industry information sharing and collaboration initiative dedicated to the design, development and deployment of more secure industrial control systems. Finally, should you find yourself responding to a control systems cyber attack, ICS-CERT actually provides free onsite incident response, as well as offsite malware analysis, and assistance with risk mitigation strategies.

In short, if you’re responsible for control systems security, you’re not alone and, with the help of ICS-CERT and its partners, you’re not on your own.

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.