In the decade before Stuxnet attacked process control systems in Iran, there were just five known supervisory control and data acquisition (SCADA) vulnerabilities for all control systems in the world, according to the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). In 2011, the year after Stuxnet, that vulnerability count jumped to more than 215. Last year, it reached 248 (Figure 1).
"Thanks to Stuxnet, the bar has been lowered on what the bad guys know and what they do. SCADA and process control was really off the hacker radar before, but now everybody has heard of it," cautions Eric Byres, CTO and VP engineering of Tofino Security, Lantzville, B.C.
And the bad guys come in many different guises. The Shamoon attack, for example, is thought to have been designed by a group of students. "It was a very amateurish code, but it successfully wiped out 30,000 hard drives at Saudi Aramco," he notes (Figure 2).
At the other end of the scale is state-sponsored information gathering, for example by Nitro malware. This attacked 25 manufacturers of chemicals and advanced materials for the purpose of industrial espionage.
"Stuxnet has thrown the hidden underside of process control systems into the open. While companies such as Windows, Linux and Apple have constantly got more sophisticated with their security over the years, this simply isn't the case for process controls. Overall, we have increased the capability and interest of attackers and not done enough for the control systems," adds Byres.
He believes that the chemical industry has three main cyber-security struggles to overcome.
First is the big difference between the information technology (IT) and the process control worldviews. For example, IT might say "software will be replaced next year when the next upgrade comes — any security problems will be sorted then." However, process controls have a 20–30 year life span. Hundreds of billions of dollars' worth of process controllers are sitting out there, most of which weren't designed with security in mind and are very problematic in terms of patching.
A case in point, says Byres, is a plant in Texas that put good Cisco firewalls — the same as used by Tofino — in its distributed control system/programmable logic controller (DCS/PLC) network. The supplier assumed the firewalls would be used in an IT environment and left them with their default settings during installation. Default IT settings assume that incoming traffic is untrusted and, so, should be blocked. "Unfortunately in this case, incoming traffic from the DCS to the PLCs was critical. The firewalls blocked the incoming traffic from the DCS and tripped the plant. The plant went down for three hours." So while the firewall in itself was fine, the worldview was wrong: an unexamined assumption such as "incoming traffic is untrusted" can have devastating consequences on the plant floor.
The second challenge relates to differing priorities. For IT, confidentiality is king. In chemical plant operations, safety and reliability are key. IT will shut a system down if it thinks the system has been hacked. In chemicals, the last thing you want to do is shut down the process. Here, Byres cites the example of a client that converts natural gas to fuel oil in a converter. "If for any reason the process stops, the paraffin in the process solidifies. Then you have a serious problem. So you have to approach security issues differently in an industrial process versus an IT process."
Many major chemical companies — for example, Dow Chemical — are very good at having IT and operations staff work together to make joint decisions, he adds. However, it can be a different story with medium-size companies: "Here it's like the IT and process control departments are not aware of each other's existence. And the need for cyber security has made it all worse."
The third issue is avoiding panic. The scale of the problem is causing some people to look like deer caught in a car's headlights. Byres knows of smaller chemical companies that have scrapped all plans for cyber security because they have been told it is a $1-million project. "I think companies have to realize that they don't need to eat the elephant in the first bite. Just get started."
A STARTING POINT
Aggressors usually will strive to do the most harm possible — and, for the chemical industry, that means attacking safety and reliability. There are a number of ways to rise to this challenge, according to Byres.
For example, Tofino has worked on a project that involved turbines built by Caterpillar for use by the oil and gas industry in remote locations. The solution chosen here was read-only firewalls. The process can be analyzed remotely but not altered. "You have to be onsite to make such changes. I think that's a reasonable approach; I think there is good justification for separating remote monitoring from remote programming."
Another option is to use a rendezvous site to which both the local user and remote control engineer connect. The link ends when the action in question is complete.
For those many chemical plants that shut down only rarely, Tofino — working alongside Honeywell, Invensys and Schneider — has developed drop-in firewalls. Now one of the company's biggest businesses, these firewalls typically are used in front of safety systems and clusters of controllers.
Then there's the question of patching versus compensating controls. Often older control equipment can't be patched because the vendor has discontinued it and has stopped offering patches.
Time also is a factor. Every change made to base PLC or DCS code has to go through a detailed validation process before patches can be released. Byres notes that one PLC vendor took four months to issue a patch after vulnerabilities in its products were published on the Internet. In contrast, it only took Tofino ten days to build and validate the necessary compensating controls for these vulnerabilities. This is because the compensating control rules are independent of the PLC software and, so, are a lot easier to create and test. "For firewalls, the same validation process is there, but there is less to test — basically: 'Do the rules block the bad messages and allow the good messages?' That is a lot simpler and quicker," he says.
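The three situations Byres describes above (the IT default-deny firewall that tripped the Texas plant, the read-only firewalls in front of the Caterpillar turbines, and compensating-control rules that "block the bad messages and allow the good messages") can be made concrete with a small protocol-aware filter. The code below is an added example written for this article; it is not Tofino's product and not any rule set Byres described. Modbus/TCP is assumed as the DCS-to-PLC protocol because it is common on such links, the subnets, hosts and frames are constructed for illustration, and the diagnostics function code (0x08) stands in for "a function the process never uses" as a hypothetical compensating-control target, not as a known flaw in any product.

```python
"""Toy Modbus/TCP-aware packet filter (added example, not Tofino's product).

Two rule sets model the situations in the article:
  * IT_DEFAULT_RULES: an empty list, i.e. the stock "deny all inbound" posture
    that blocked DCS-to-PLC traffic in the Texas plant.
  * PLANT_RULES: the DCS subnet may read and write the PLCs, a remote
    monitoring subnet may only read, and one function code the process never
    uses is blocked as a compensating control (hypothetical choice).
All addresses, hosts and frames are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

MODBUS_PORT = 502
# Modbus public function codes: reads vs. writes.
READ_FUNCS = frozenset({0x01, 0x02, 0x03, 0x04})
WRITE_FUNCS = frozenset({0x05, 0x06, 0x0F, 0x10})
DIAGNOSTICS = 0x08  # hypothetical target for a compensating-control rule


@dataclass(frozen=True)
class Frame:
    """Who sent the segment, to whom, on which port, and its payload."""
    src: str
    dst: str
    dport: int
    payload: bytes


def modbus_frame(function_code: int, data: bytes, unit: int = 1, tid: int = 1) -> bytes:
    """Build a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    pdu = bytes([function_code]) + data
    # The MBAP length field counts the unit identifier plus the PDU.
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def modbus_function_code(payload: bytes) -> Optional[int]:
    """Parse the MBAP header; return the function code, or None if malformed."""
    if len(payload) < 8:
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length < 2 or length != len(payload) - 6:
        return None
    return payload[7]


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    funcs: Optional[frozenset]  # None: match regardless of payload (IT-style "any")
    action: str                 # "allow" or "deny"
    note: str


def evaluate(rules, frame: Frame):
    """First-match evaluation with an implicit final deny, as a perimeter firewall does."""
    fc = modbus_function_code(frame.payload) if frame.dport == MODBUS_PORT else None
    for rule in rules:
        if ip_address(frame.src) not in ip_network(rule.src_net):
            continue
        if ip_address(frame.dst) not in ip_network(rule.dst_net):
            continue
        # Function-code rules never match non-Modbus or malformed payloads.
        if rule.funcs is not None and fc not in rule.funcs:
            continue
        return rule.action, rule.note
    return "deny", "implicit default deny"


DCS_NET, PLC_NET, REMOTE_NET = "10.1.0.0/24", "10.2.0.0/24", "203.0.113.0/24"

IT_DEFAULT_RULES = []  # nothing explicitly allowed inbound: the Texas plant's posture

PLANT_RULES = [
    Rule(DCS_NET, PLC_NET, frozenset({DIAGNOSTICS}), "deny",
         "compensating control: diagnostics is never used by this process"),
    Rule(DCS_NET, PLC_NET, READ_FUNCS | WRITE_FUNCS, "allow",
         "DCS controllers read and write PLC registers"),
    Rule(REMOTE_NET, PLC_NET, READ_FUNCS, "allow",
         "remote monitoring may read; programming requires being on site"),
]

# Constructed sample traffic, all destined for one PLC.
SAMPLE_FRAMES = {
    "dcs_read": Frame("10.1.0.10", "10.2.0.5", 502, modbus_frame(0x03, b"\x00\x00\x00\x0a")),
    "dcs_write": Frame("10.1.0.10", "10.2.0.5", 502, modbus_frame(0x06, b"\x00\x01\x01\xf4")),
    "dcs_diag": Frame("10.1.0.10", "10.2.0.5", 502, modbus_frame(DIAGNOSTICS, b"\x00\x00\x12\x34")),
    "remote_read": Frame("203.0.113.7", "10.2.0.5", 502, modbus_frame(0x04, b"\x00\x00\x00\x02")),
    "remote_write": Frame("203.0.113.7", "10.2.0.5", 502, modbus_frame(0x10, b"\x00\x00\x00\x01\x02\x00\x00")),
    "dcs_malformed": Frame("10.1.0.10", "10.2.0.5", 502, b"\x00\x01\x00\x00\x00\x99\x01\x03"),
    "dcs_ssh": Frame("10.1.0.10", "10.2.0.5", 22, b"SSH-2.0-client\r\n"),
}


def decisions(rules) -> dict:
    """Evaluate every sample frame under one rule set; returns name -> action."""
    return {name: evaluate(rules, frame)[0] for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for label, rules in (("IT default (deny all inbound)", IT_DEFAULT_RULES), ("plant rules", PLANT_RULES)):
        print(f"--- {label}")
        for name, frame in SAMPLE_FRAMES.items():
            action, note = evaluate(rules, frame)
            print(f"{name:14s} {action:5s} {note}")
```

Under the empty IT rule set every DCS frame, reads included, is dropped, which is the outage Byres describes. Under the plant rules the remote subnet can poll but not program, and the compensating-control rule is a single deny line that can be written and validated without touching the PLC firmware, which is why such rules ship far faster than a vendor patch.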
SECURING THE CYBER PERIMETER
Two main factors account for the success of unauthorized, unqualified people in accessing safety-critical networks within chemical companies, says Andrew Ginter, VP industrial security for Waterfall Security Solutions, Calgary, AB.
First, is the tendency for large chemical companies to centralize engineering functions. "So remote access is used to handle engineering issues and Waterfall is particularly concerned that it is being targeted by hackers. Centralized support might be great for saving money, but it's very bad for security," he notes.
Second, is the perennial problem of the difference between how IT and control systems are managed. "There has always been a significant difference, but people are only now just beginning to realize quite how big this really is."
As an example, Ginter contrasts how standard IT network management works versus how the safety instrumented systems (SISs) for a chemical plant are implemented.
While both have some elements of engineering change control in them, standard IT management has a greater focus on ongoing aggressive change for anti-virus signature and patch/security management. IT networks face constant and pervasive threats — every web page and email could be an attack — and threats continually evolve. To an extent, staying ahead of the bad guys requires ongoing change. In contrast, he notes: "The SISs are the devices and controllers whose sole purpose in life is to watch for unsafe conditions and trigger safety shutdowns when those conditions are observed — and their management is inevitably extremely cautious."
In terms of how chemical companies are approaching cyber security, the focus is very much on DCSs and the technologies and processes unique to control systems. Ginter highlights three main ones:
1. Device firewalls. These control which equipment can send commands to devices and, sometimes, what commands can be sent. Thus, compromised hosts can't sabotage device operations simply by sending commands — more sophisticated attacks are needed.
2. Application control (also known as whitelisting). Rules describe the software that is recognized and authorized to run, and forbid anything unrecognized from running. This effectively blocks conventional malware and even most zero-day attacks (i.e., ones exploiting a vulnerability the defenders were not previously aware of). The rules may contain file names, file sizes, modification dates and cryptographic checksums. However, as software changes the rules must be updated too, a task that modern application control products manage with dedicated tooling. "Maintaining this list of approved software is in a sense an expected and welcome part of the process of reviewing and approving changes in a tightly change controlled environment," says Ginter.
Some vendors now are installing whitelisting systems. For example McAfee has partnered with Siemens Industry Automation Division, Hannover, Germany, to develop its Application Control solution against disruptive software, advanced persistent threats and zero-day malware attacks. Honeywell also promotes whitelisting as one of a number of valuable cyber-security techniques (see: "Better Protect Your Control System," www.ChemicalProcessing.com/articles/2012/better-protect-your-control-system/).
3. Unidirectional security gateways. Waterfall developed its hardware-enforced unidirectional security gateways in Israel in 2004. They now are widely used by process companies in that country. Currently the company's biggest installed base in North America is in power generation, with the chemicals and refining sectors growing quickly in importance.
While traditional firewalls essentially are software, a unidirectional gateway is hardware. In Waterfall's case, it's made up of two boxes, with a laser in the first and a receiver in the second, linked by a short fiber-optic cable. A standard fiber-optic transceiver contains both a laser and a photocell, so a computer using it can both send and receive information. Waterfall's transceivers have only one or the other. As a result, the transmit gateway can only send information and the receive gateway can only receive it. There is no laser in the receive gateway to send malware, a remote-control attack, or anything at all back over the fiber to the transmit gateway.
While such a solution initially appears to rule out any kind of remote support, actually a number of options exist, with the choice depending upon the needs and sophistication of the user, notes Ginter.
Within the hierarchy of plant control, two kinds of network interfaces are proving equally popular locations for unidirectional security gateways. One is the interface between SIS and DCS networks. "This interface is ideal because, as a rule, you want to monitor the safety systems to determine if they are operating correctly, but you do not want to change them much at all. You do not routinely send commands to safety systems — this is where engineering change control kicks in big-time. Ideally, safety systems do their thing continuously and without depending on any other system or commands for correct operation. You want to protect the safety systems absolutely from tampering from outside networks, but you still want to see that they are working correctly," he explains.
The second is the more traditional interface between plant/operations and corporate networks.
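Item 2 above lists the attributes an application-control rule may carry (name, size, modification date, cryptographic checksum) and notes that the approved list is maintained through change control. The example below, added here and not the McAfee, Siemens or Honeywell product the article mentions, shows why only the checksum can be trusted at decision time and how an approved patch enters the list. It goes slightly beyond the text by demonstrating the change-control step explicitly. The file names, contents and directory layout are constructed for illustration; `hmi_runtime.exe`, `opc_server.exe` and `update_helper.exe` are invented names, not real products.

```python
"""Toy application-control (whitelisting) check (added example, not a vendor product).

Approved software is recorded by name, size and SHA-256, but only the hash is
trusted when a program is about to run: an attacker who replaces a binary can
preserve its name, size and modification date, not its checksum. A patched
binary runs only after change control records its new hash.
All files and contents below are constructed for illustration.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    name: str
    size: int
    sha256: str


def fingerprint(path: str) -> Entry:
    """Hash the file in chunks so large executables need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return Entry(os.path.basename(path), os.path.getsize(path), h.hexdigest())


def build_manifest(paths) -> dict:
    """Approved list keyed by content hash, not by name: names are attacker-controlled."""
    return {e.sha256: e for e in map(fingerprint, paths)}


def authorize(path: str, manifest: dict):
    """Decide whether `path` may execute. Returns (allowed, reason)."""
    actual = fingerprint(path)
    entry = manifest.get(actual.sha256)
    if entry is not None:
        return True, f"{actual.name}: approved (sha256 {entry.sha256[:12]}...)"
    if any(e.name == actual.name for e in manifest.values()):
        # Name (and here size) match an approved entry but the content does not.
        return False, f"{actual.name}: hash differs from approved entry; blocked as modified"
    return False, f"{actual.name}: unknown program; blocked"


def approve_change(manifest: dict, path: str) -> Entry:
    """Change-control step: a vendor patch is admitted by recording its new hash."""
    entry = fingerprint(path)
    manifest[entry.sha256] = entry
    return entry


def run_demo() -> dict:
    """Exercise the check on constructed files; returns scenario -> (allowed, reason)."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        approved_dir = os.path.join(root, "approved")
        dropped_dir = os.path.join(root, "dropped")
        os.mkdir(approved_dir)
        os.mkdir(dropped_dir)
        hmi = os.path.join(approved_dir, "hmi_runtime.exe")
        opc = os.path.join(approved_dir, "opc_server.exe")
        genuine = b"MZ genuine HMI runtime v1.0 (constructed sample)"
        with open(hmi, "wb") as f:
            f.write(genuine)
        with open(opc, "wb") as f:
            f.write(b"MZ OPC server v2.3 (constructed sample)")
        manifest = build_manifest([hmi, opc])
        results["genuine"] = authorize(hmi, manifest)

        # Attacker drops a replacement with the same name and the same size.
        tampered = os.path.join(dropped_dir, "hmi_runtime.exe")
        trojan = b"MZ trojan  HMI runtime v1.0 (constructed sample)"
        assert len(trojan) == len(genuine)  # size is preserved on purpose
        with open(tampered, "wb") as f:
            f.write(trojan)
        results["tampered_same_name_size"] = authorize(tampered, manifest)

        # Conventional malware: a new executable nobody approved.
        dropper = os.path.join(dropped_dir, "update_helper.exe")
        with open(dropper, "wb") as f:
            f.write(b"MZ dropper (constructed sample)")
        results["unknown"] = authorize(dropper, manifest)

        # Vendor patch: blocked until change control approves it, allowed afterwards.
        patched = os.path.join(root, "hmi_runtime.exe")
        with open(patched, "wb") as f:
            f.write(b"MZ genuine HMI runtime v1.1 (constructed sample)")
        results["patch_before_approval"] = authorize(patched, manifest)
        approve_change(manifest, patched)
        results["patch_after_approval"] = authorize(patched, manifest)
    return results


if __name__ == "__main__":
    for scenario, (allowed, reason) in run_demo().items():
        print(f"{scenario:24s} {'ALLOW' if allowed else 'BLOCK'} {reason}")
```

Keying the manifest on the hash rather than the file name is the design point: the tampered binary passes every metadata check an attacker can forge and is still refused, while the legitimate patch is refused until someone records it, which is exactly the review-and-approve workflow Ginter describes.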
Ginter believes the jury is still out on whether the future of control system cyber security lies in routinely applying "host hardening" techniques to DCS systems (host firewalls, anti-virus, security updates, per-user passwords and encryption of device communications), or in accepting a network of soft targets, such as control systems, protected by strong physical security and network perimeter mechanisms. Applying "constant aggressive change" techniques to systems directly or indirectly involved in the safe operation of chemical plants can pose serious risks, he notes.
"Whatever the answer, chemical control systems protections must always lag IT protections to some extent and, so, the cyber perimeter protections will always be disproportionately important in protecting the soft center of control systems," Ginter concludes.
Seán Ottewell is Chemical Processing's Editor at Large. You can e-mail him at firstname.lastname@example.org.