Control system security
Control system security, or automation and control system (ACS) cybersecurity, is the prevention of (intentional or unintentional) interference with the proper operation of industrial automation and control systems. These control systems manage essential services including electricity, petroleum production, water, transportation, manufacturing, and communications. They rely on computers, networks, operating systems, applications, and programmable controllers, each of which could contain security vulnerabilities. The 2010 discovery of the Stuxnet worm demonstrated the vulnerability of these systems to cyber incidents.[1] The United States and other governments have passed cyber-security regulations requiring enhanced protection for control systems operating critical infrastructure.
Control system security is known by several other names such as SCADA security, PCN security, Industrial network security, Industrial control system (ICS) Cybersecurity, Operational Technology (OT) Security, Industrial automation and control systems and Control System Cyber Security.
Risks
Insecurity of, or vulnerabilities inherent in, automation and control systems (ACS) can lead to severe consequences in categories such as safety, loss of life, personal injury, environmental impact, lost production, equipment damage, information theft, and company image.
Guidance to assess, evaluate and mitigate these potential risks is provided through the application of many governmental, regulatory and industry documents and global standards, addressed below.
Vulnerability of automation and control systems
Automation and Control Systems (ACS) have become far more vulnerable to security incidents due to the following trends that have occurred over the last 10 to 15 years.
- Heavy use of Commercial Off-the-Shelf Technology (COTS) and protocols. Integration of technology such as MS Windows, SQL, and Ethernet means that process control systems are now vulnerable to the same malware (viruses, worms and trojans) that affects common IT systems
- Enterprise integration (using plant, corporate and even public networks) means that legacy process control systems are now being subjected to stresses that they were not designed for
- Demand for Remote Access - 24x7 access for engineering, operations or technical support means more insecure or rogue connections to control systems
- Security Through Obscurity - Using non-standard, private or proprietary protocols or standards is detrimental to system security
The cyber threats and attack strategies on automation systems are changing rapidly. Regulation of industrial control systems for security is rare and is a slow-moving process. The United States, for example, only does so for the nuclear power and the chemical industries.[2]
Government efforts
The U.S. Government Computer Emergency Readiness Team (US-CERT) originally instituted a control systems security program (CSSP), now the National Cybersecurity and Communications Integration Center (NCCIC) Industrial Control Systems, which has made available a large set of free National Institute of Standards and Technology (NIST) standards documents regarding control system security.[3] The U.S. Government Joint Capability Technology Demonstration (JCTD) known as MOSAICS (More Situational Awareness for Industrial Control Systems) is the initial demonstration of cybersecurity defensive capability for critical infrastructure control systems.[4] MOSAICS addresses the Department of Defense (DOD) operational need for cyber defense capabilities to defend critical infrastructure control systems from cyber attack, such as power, water and wastewater, and safety controls, that affect the physical environment.[5] The MOSAICS JCTD prototype will be shared with commercial industry through Industry Days for further research and development, an approach intended to lead to innovative, game-changing capabilities for cybersecurity for critical infrastructure control systems.[6]
Automation and Control System Cybersecurity Standards
The international standard for cybersecurity of automation and control systems is ISA/IEC 62443. In addition, multiple national organizations such as NIST and NERC in the USA have released guidelines and requirements for cybersecurity in control systems.
ISA/IEC 62443
The ISA/IEC 62443 cybersecurity standards define processes, techniques and requirements for Automation and Control Systems (ACS). Responsibility for these standards lies with a collaboration between the ISA99 committee of the International Society for Automation (ISA) and IEC Technical Committee 65 Working Group 10.
The ISA99 committee operates as an ANSI-accredited standards development organization (SDO) in the US. In the IEC standards creation process, all national committees agree upon a common standard.
The ISA/IEC 62443 standards and technical reports are organized into four general categories called General, Policies and Procedures, System and Component.
- The first category includes foundational information such as concepts, models and terminology.
- The second category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
- The third category includes work products that describe system design guidance and requirements for the secure integration of control systems. Core in this is the zone and conduit design model.
- The fourth category includes work products that describe the specific product development and technical requirements of control system products.
NERC
The most widely recognized and latest NERC security standard is NERC 1300, which is a modification/update of NERC 1200. The latest version of NERC 1300 is called CIP-002-3 through CIP-009-3, with CIP referring to Critical Infrastructure Protection. These standards are used to secure bulk electric systems although NERC has created standards within other areas. The bulk electric system standards also provide network security administration while still supporting best-practice industry processes.
NIST
The NIST Cybersecurity Framework (NIST CSF) provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes. It is intended to help private sector organizations that provide critical infrastructure with guidance on how to protect it.[7]
NIST Special Publication 800-82 Rev. 2 "Guide to Industrial Control System (ICS) Security" describes how to secure multiple types of Industrial Control Systems against cyber attacks while considering the performance, reliability, and safety requirements specific to ICS.[8]
Control system security certifications
Certifications for control system security have been established by several global Certification Bodies. Most of the schemes are based on the IEC 62443 and describe test methods, surveillance audit policy, public documentation policies, and other specific aspects of their program.
External links
- IEC 62443
- US NIST webpage
- US NERC Critical Infrastructure Protection (CIP) Standards Archived 2011-01-01 at the Wayback Machine
- UK NPSA Tools, Catalogues and Standards
References
- [1] Byres, Eric; Cusimano, John (February 2012). "The 7 Steps to ICS Security". Tofino Security and exida Consulting LLC. Archived from the original on January 23, 2013. Retrieved March 3, 2011.
- [2] Gross, Michael Joseph (2011-04-01). "A Declaration of Cyber-War". Vanity Fair. Condé Nast. Archived from the original on 2014-07-13. Retrieved 2017-11-29.
- [3] "Standards and References - NCCIC / ICS-CERT". ics-cert.us-cert.gov/. Archived from the original on 2010-10-26. Retrieved 2010-10-27.
- [4] "More Situational Awareness For Industrial Control Systems (MOSAICS) Joint Capability Technology Demonstration (JCTD): A Concept Development for the Defense of Mission Critical Infrastructure – HDIAC". Retrieved 2021-07-31.
- [5] "More Situational Awareness for Industrial Control Systems (MOSAICS): Engineering and Development of a Critical Infrastructure Cyber Defense Capability for Highly Context-Sensitive Dynamic Classes: Part 1 – Engineering – HDIAC". Retrieved 2021-07-31.
- [6] "More Situational Awareness for Industrial Control Systems (MOSAICS): Engineering and Development of a Critical Infrastructure Cyber Defense Capability for Highly Context-Sensitive Dynamic Classes: Part 2 – Development – HDIAC". Retrieved 2021-07-31.
- [7] "NIST Cybersecurity Framework". Retrieved 2016-08-02.
- [8] Stouffer, Keith; Lightman, Suzanne; Pillitteri, Victoria; Abrams, Marshall; Hahn, Adam (2015-06-03). "Guide to Industrial Control Systems (ICS) Security". CSRC | NIST. doi:10.6028/NIST.SP.800-82r2. Retrieved 2020-12-29.