In the decade before Stuxnet attacked process control systems in Iran, there were just five known supervisory control and data acquisition (SCADA) vulnerabilities for all control systems in the world, according to the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). In 2011, the year after Stuxnet, that vulnerability count jumped to more than 215. Last year, it reached 248 (Figure 1).
"Thanks to Stuxnet, the bar has been lowered on what the bad guys know and what they do. SCADA and process control was really off the hacker radar before, but now everybody has heard of it," cautions Eric Byres, CTO and VP engineering of Tofino Security, Lantzville, B.C.
And the bad guys come in many different guises. The Shamoon attack, for example, is thought to have been designed by a group of students. "It was a very amateurish code, but it successfully wiped out 30,000 hard drives at Saudi Aramco," he notes (Figure 2).
At the other end of the scale is state-sponsored information gathering, for example by Nitro malware. This attacked 25 manufacturers of chemicals and advanced materials for the purpose of industrial espionage.
"Stuxnet has thrown the hidden underside of process control systems into the open. While companies such as Windows, Linux and Apple have constantly got more sophisticated with their security over the years, this simply isn't the case for process controls. Overall, we have increased the capability and interest of attackers and not done enough for the control systems," adds Byres.
He believes that the chemical industry has three main cyber-security struggles to overcome.
First is the big difference between the information technology (IT) and the process control worldviews. For example, IT might say "software will be replaced next year when the next upgrade comes — any security problems will be sorted then." However, process controls have a 20–30 year life span. Hundreds of billions of dollars' worth of process controllers are sitting out there, most of which weren't designed with security in mind and are very problematic in terms of patching.
A case in point, says Byres, is a plant in Texas that put good Cisco firewalls — the same as used by Tofino — in its distributed control system/programmable logic controller (DCS/PLC) network. The supplier assumed the firewalls would be used in an IT environment and left them with their default settings during installation. Default IT settings assume that incoming traffic is untrusted and, so, should be blocked. "Unfortunately in this case, incoming traffic from the DCS to the PLCs was critical. The firewalls blocked the incoming traffic from the DCS and tripped the plant. The plant went down for three hours." So while the firewall in itself was fine, the worldview was wrong: an unexamined assumption such as "incoming traffic is untrusted" can have devastating consequences on the plant floor.
The second challenge relates to differing priorities. For IT, confidentiality is king. In chemical plant operations, safety and reliability are key. IT will shut a system down if it thinks the system has been hacked. In chemicals, the last thing you want to do is shut down the process. Here, Byres cites the example of a client that converts natural gas to fuel oil in a converter. "If for any reason the process stops, the paraffin in the process solidifies. Then you have a serious problem. So you have to approach security issues differently in an industrial process versus an IT process."
Many major chemical companies — for example, Dow Chemical — are very good at having IT and operations staff work together to make joint decisions, he adds. However, it can be a different story with medium-size companies: "Here it's like the IT and process control departments are not aware of each other's existence. And the need for cyber security has made it all worse."
The third issue is avoiding panic. The scale of the problem is causing some people to look like deer caught in a car's headlights. Byres knows of smaller chemical companies that have scrapped all plans for cyber security because they have been told it is a $1-million project. "I think companies have to realize that they don't need to eat the elephant in the first bite. Just get started."