ICEweb has nearly 100 Control, Instrumentation, Fire & Gas, Safety Instrumented Systems core pages and a total of more than 300 pages - It Really is Cool Engineering - By Engineers for Engineers it must be just about the World's first choice for Technical Information.

Whilst every effort is made to ensure technical accuracy of the information supplied on iceweb.com.au, Keyfleet Pty Ltd and its employees accept no liability for any loss or damage caused by error or omission from the data supplied. Users should make and rely on their own independent inquiries. By accessing the site users accept this condition. Should you note any error/omission or an article offends please do not ignore it, contact the webmaster and we will review, rectify and remove as necessary.

Get seen by the people who use your products!
THIS SPACE
can be yours

Control System Security

Digital Control Systems and their associated industrial networks/protocols are extending the depth to which bi-directional communications extend throughout an enterprise. In many cases, the underlying technology for the business network and the process control network are the same. Consequently, many of the risks that are found in today's corporate or business environments can now impact the reliable operation of the process control system. This page and the links highlight some of the vulnerabilities, their sources and remedies that the modern integrated control system needs to address.

The Following Technical Articles and White Papers are from Torfino Security

Insider Threat to Utilities – More Focus Needed on Critical Components - Recently the Unites States’ Department of Homeland Security (DHS) released a report on “Insider Threat to Utilities” that has been getting a lot of attention in the mainstream media. While released “For Official Use Only (FOUO)”, the report has been posted on the Internet and portions of it have received considerable media coverage. Unfortunately media coverage so far tends to focus on the dramatic, such as the potential threat of Al-Qaeda attacks on the ten year anniversary of 9/11, and don’t actually help utility owner operators secure their systems. In this article Eric Byres share his thoughts on how critical infrastructure operators need to extend the report’s recommendations to include additional protective measures.
New SCADA Security Reality: Assume a Security Breach - This article highlights that sometimes the "fortress" mentality on security does not work. Antivirus Protection for PLCs – Not Enough on its Own - If any security expert claims systems can be secured by just using antivirus products on the Windows computers in a control system, they are crazy, irresponsible or both. Antivirus (AV) technology helps protect the plant floor, but it is not enough on its own. For the most part, AV software only works if you have a signature, which is great for dealing with well known common malware like Conficker. Unfortunately, there is no signature for a worm using a zero-day vulnerability. Stuxnet proved that – it was in the wild for a year before there were any signatures available. Antivirus software did not spot the worm for that year.
SCADA Cyber Security Problems – Just How Common are the Programming Errors? - This interesting article by Rob Hulsebos has been posted on the Practical SCADA Security blog - Find out how and why common programming errors still exist in today’s SCADA systems.
SCADA Security and the Broken Business Model for Software Testing - David Alexander - Recently Rob Hulsebos wrote an article for this blog where he raised the perennial problem of programming errors contributing to security vulnerability. I have a newsflash for you - this isn’t new. It may be a new concept to some in the world of Industrial Control Systems, but it’s been a problem for software engineers since about 5 seconds after the first ever program successfully compiled.
12.12 The iPhone is Coming to the Plant Floor – Can we Secure it? - Eric Byres - This is an issue that industry needs to come to terms with quickly if we are ever going make our plant floors secure. What is your company doing about mobile devices on the plant floor? Does it have a strategy?
Address SCADA Security Vulnerabilities NOW, Not Later - Eric Byres - Who is responsible for fixing the thousands (some say 100,000) of vulnerabilities that exist in PLCs, DCS, RTUs and other automation devices that are in use in facilities around the world?
11.12 SCADA Security Basics: Integrity Trumps Availability - Eric Byres - There is more to consider when it comes to industrial security priorities.
11.12 SCADA Security Basics: Why Industrial Networks are Different than IT Networks - Heather MacKenzie - This blog looks at SCADA security from another angle, which is “Why is securing Industrial Networks different than securing IT Networks?” It covers three ways to address these differences.
11.12 Shamoon Malware and SCADA Security – What are the Impacts? - Heather MacKenzie - The most destructive post-Stuxnet discovery of advanced threats is a malicious malware known as Shamoon. Like Stuxnet, Duqu and Flame, it targeted energy companies in the Middle East, this time Saudi Aramco, Qatar’s RasGas and likely other oil and gas concerns in the region. It is a new species however, because it did not disrupt an industrial process as Stuxnet did, nor did it stealthily steal business information as Flame and Duqu did. Instead it removed and overwrote the information on the hard drives of 30,000 to 55,000 (yes those numbers are correct!) workstations of Saudi Aramco (and who knows how many more at other firms). Nothing this damaging has been seen in a while. As a Kaspersky Lab expert commented “Nowadays, destructive malware is rare; the main focus of cybercriminals is financial profit. Cases like the one here do not appear very often.”What does Shamoon mean for SCADA and ICS Security? This is an interesting article into what is in effect cyber terrorism.
The Cost of Cyberattacks - Greg Hale - Can You Afford NOT to Deploy Best Practices? There is a spectrum of awareness and capability regarding cyber security in industry, with the oil and gas sector being at the forefront of implementing best practices and many other sectors still unconvinced that it merits expenditure and resource allocation. According to Greg companies that implement cyber security best practices are 2.5 times less likely to experience a major cyberattack and 3.5 times less likely to experience unplanned downtime than companies that don’t. Cyber incidents cost organizations:
- $558,000 in revenue losses
- $480,831 in brand damage
- $366,301 in compliance fines
- 174,309 in lost productivity
It all adds up to costing U. S. industry $6 million a day or $20 billion a year.
Presentation: "Unicorns and Air Gaps - Do They Really Exist?" - Eric Byres' presentation explains:
- The current status of air gaps and industrial control systems
- The challenge of air gaps and today’s infrastructure systems
- Why real world security measures are needed
- How an oil and gas refinery deals with multiple pathways
- The importance of last-line-of-defense critical systems
This presentation will increase your knowledge of air gaps as a security measure and provide you with practical advice on real-world security for control systems. You will need to register to download.
SCADA Security: A Call-out to Control Engineers about Air Gaps- Recently Eric Byres discussed how security experts and ICS / SCADA vendors are giving up on the dream of the air gap as a viable security solution for the modern control system. Unfortunately, it is still all too easy to believe your control system is isolated. Recently he had a very enlightening conversation with a control engineer who thought his system was air gapped.
SCADA Security: New Vulnerability Disclosure Framework a Step Forward - In a move that may be helpful for critical infrastructure asset owners, on July 23 2012 the Industrial Control Systems Joint Working Group (ICSJWG) published a new document for disclosing Industrial Control System (ICS) vulnerabilities titled Common Industrial Control System Vulnerability Framework . It provides building blocks for a new vulnerability disclosure process that will benefit both vendors and asset owners.
SCADA Security Basics: SCADA vs. ICS Terminology - “What’s the difference between a SCADA system and an ICS system, and if there is no difference, then why do we have two different names?” - This is a good question, because unless you have worked in the industrial automation field for a few decades, the terminology can seem very confusing. Not only do we have SCADA versus ICS, we also have terms like Process Control, Discrete Control, Industrial Automation, Manufacturing Automation Systems, Distributed Control Systems, Energy Management Systems and so on.
SCADA Security Basics: Why are PLCs so Insecure? - An interesting discussion on this point which provides much "food for thought".
32 Minutes to Understanding SCADA Security - Engineers as well as IT staff in the process control and SCADA industries have varying levels of knowledge about industrial cyber security. We come across this regularly when talking to people at industry events or speaking with customers or partners. To help you, no matter where you are in the learning curve, we have recently released a five-part video series. This article summarizes the videos and provides you with direct access to them.
ICS Security and VLANs – Boogeyman or Helper? - Virtual Local Area Networks (VLANs) should not be counted on as a security feature of modern managed Ethernet switch networks. This is now common knowledge, both in IT departments and also in the Industrial Control Community. Indeed in Eric Byres’ article "Why VLAN Security isn't SCADA Security at all" he points out that switches with VLANS are not firewalls. But are VLANs the boogeyman of industrial control system security...or are they underestimated helpers? This article examines that question in detail.
Why SCADA Firewalls Need to be Stateful - Joel Langill of SCADAhacker.com and Eric Byres are leading experts in the field of SCADA security. Their article will help you learn about stateful firewall inspection. It explains (a) What "state" is in regard to data communication (b) How Stateless and Stateful firewalls work (c) How a PLC can be attacked using the HTTP protocol (d) The relevance of Stateful Firewalls in today's ICS and (e) this article will increase your knowledge of Stateful Inspection and will provide useful guidance and examples for mitigation planning.
Using ANSI / ISA-99 Standards to Improve Control System Security - Eric Byres is recognized as one of the world's leading experts in the field of SCADA security. He has also been acclaimed by the group behind the standards, ISA, with the honor of ISA Fellow. Eric's White Paper will help you understand (a) why the "push for productivity" has degraded control network security (b) the ANSI/ISA-99 Zone and Conduit Model (c) how to implement zones and conduits for your control network and (d) how a major oil refinery implemented network segmentation using ANSI/ISA-99 zones and conduits Start using the Zone and Conduit Model to protect your plant against process disruption, safety incidents and business losses from modern cyber security threats.
SCADA Security: Justifying the Investment - Frank Williams - In the blog article Industrial Data Compromise – The New Business Risk it was recommended that End Users and Control Engineers need to redouble their efforts in relation to securing their process. However, finding the best way to justify the costs of implementing and maintaining a more secure process environment is new territory even for the most seasoned control system engineer. This article suggests a way to determine the right amount of investment in ICS and SCADA security measures.
Uninterruptible Power Supplies and Cybersecurity - Hackers can Remotely Power Down Critical Automation - Michael A Stout - The recent number of cyber-attacks and their level of sophistication have demonstrated the inadequate network security measures employed by many large corporations, government, and military agencies. Time is on the hackers’ side. They only have to find one unsecure computer or device on a segment of a corporate or governmental network, and they can use any number of methods to eventually gain access to critical data. Should they not be able to find an unsecured computer, they simply have to send a cleaver e-mail containing a one-off designer backdoor virus that will evade many corporate level antivirus software and firewalls—and again they are in - from ISA and InTech.
Cyber Security Nightmare in the Netherlands - Rob Hulsebos - The first two weeks of February have been exciting times in the Netherlands, with many cyber security incidents making headlines in the news. One of the most worrisome involved keeping my country, a country that is below sea level, dry. This task is delegated to industrial systems - and one would expect the safety of millions of people properly managed and kept up to the highest standards. But is it? - From Tofino Security.
7 Steps to ICS and SCADA Security - This paper provides a process for operators to go through so that they can improve their cyber security practices and protect their facilities from modern cyber security threats - From Tofino Security.
Securing Your OPC Classic Control System - Thomas Burke and Eric J. Byres - OPC Classic is a software interface technology used to facilitate the transfer of data between different industrial control systems. It is widely used to interconnect Human Machine Interface (HMI) workstations, data historians and other hosts on the control network with enterprise databases, Enterprise Resource Planning (ERP) systems and other business-oriented software. Unfortunately, securely deploying OPC Classic has proven to be a challenge. This white paper describes two independent techniques for ensuring strong security in systems using OPC Classic technology. This first creates zone-based defenses using OPC-aware firewalls. The second takes advantages of improvement in the Windows operating system to managing OPC accounts and permissions. Both security techniques are available and proven for use in today’s control systems.

Stuxnet and Other Threats

Siemens PLC Security Vulnerabilities – It Just Gets Worse - A new article by Eric Byres has been posted on the Practical SCADA Security blog.
6.12 Securing SCADA systems from APTs like Flame and Stuxnet – Part 1 - Eric Byres - Recently a very complex worm called Flame has been discovered attacking companies in the Middle East, and it is an excellent example of what security experts call an Advanced Persistent Threat (APT). Figuring out how to defend against APTs is a major focus in the IT security world.
6.12 Securing SCADA systems from APTs like Flame and Stuxnet – Part 2 - Professor Paul Dorey recently presented a paper about the seven important lessons the IT world has learned in managing Advanced Persistent Threats (APTs). This article discusses lessons #2, #3 and #4, and how to apply these lessons to ICS and SCADA security.
Air Gaps won’t Stop Stuxnet’s Children - Eric Byres - As someone working in the field of industrial cyber security I never thought I would see the day when a cyber attack would be the topic of a prime time television show. Recently the U.S. program “60 Minutes” aired a segment called “Stuxnet: Computer worm opens new era of warfare,” If you have not seen it, I recommend viewing it. It does a good job of explaining a complex malware and it is interesting to learn about it from the people who were directly involved in deciphering and tracking it. Post-Stuxnet, well-designed ICS worms such as Night Dragon, Duqu and Nitro have been revealed. Each of them has focused on stealing intellectual property such as oil field bids, SCADA operations data, design documents and other information that could cause business harm. This focus on industrial data compromise is new, and signals a new era of industrial malware.

Process Control Security Applications

Offshore Oil and Gas Platform: Cyber Security Implementation - An oil and gas production company operates a fixed natural gas and oil gathering and processing platform located in deep water on the US continental shelf. The platform serves multiple natural gas and oil wells connected by pipes running along the seabed back to the platform. The facility was designed to handle a high volume, thus there is a strong emphasis on reliability. Any downtime, whether caused by accidental or malicious forces, would interrupt oil and gas production and be very costly. The production company presented Cimation, a Tofino Certified System Integrator, with the challenge of maximizing the reliability and uptime of the platform.
Cyber Security And The Pipeline Control System - Eric J. Byres - Sound strategy, regardless of whether it is for military, physical or cyber security, relies on the concept of “defense in depth.” Effective security is created by layering multiple security solutions so that if one is bypassed another will provide the defense. This means not overrelying on any single technology such as a firewall. Firewalls aren’t bad technology. In fact, they are a fantastic tool in the security toolbox. But, industry has misused them by believing they will solve all security - from Tofino Security.

5.13 Industrial Cyber Security Videos

The following videos are from Tofino Security, it is recommended that they are viewed in the following sequence;
(1) What is Cyber Security? - Our modern lifestyle relies on critical infrastructure and industrial plants that use complex networks of computers, PLC controllers, remote terminal units and other specialized equipment. However as these industrial networks have become more complex and interconnected, Cyber Security becomes more and more important to ensure their continued safe and reliable operation. This video examines the current state of cyber security in SCADA and industrial control networks, talks about how we got to this point, and lays the foundation for discussing how to improve the security of these systems.
(2) We're Secure - We Have A Firewall! - Many companies already use firewalls to isolate the plant and enterprise networks. What's so bad about this approach? Aren't these networks already protected? In this video, we'll explore the types of cyber security issues we often see in plant networks and learn how these issues can impact plant operations in spite of these firewalls.
(3) Security Strategies that Work on the Plant Floor - The previous video in this series showed that a firewall on the plant network could not protect us against many cyber security threats. But if that doesn't work, then what ARE we supposed to do to protect our plant? IT engineers have been dealing with cyber security issues for years. This video examines the security strategies that they have found to work, and see how we can implement them on the plant floor.
(4) Why Is Cyber Security still a Problem in SCADA and Control Networks? - IT engineers have been dealing successfully with cyber security issues for years, and there are many security products in daily use in enterprise networks. Why is cyber security such a challenge on control networks? Why can't the same tools and techniques be used to secure these systems? The answers to these questions lie in understanding the unique requirements of control and SCADA networks, and applying cyber security strategies in ways that are appropriate to these applications.
(5) How does Tofino Protect my Plant? - Previous videos in this series have discussed how Defense in Depth can be an effective strategy to secure control networks. So how exactly does Tofino implement Defense in Depth? And what makes it the best solution? This video takes a deeper dive into the components of the Tofino Industrial Security Solution, and examines how they work together to implement cyber security on the plant floor.

Control System Security

Stuxnet and Other Threats

Process Control Security Applications

5.13 Industrial Cyber Security Videos

Other Process Control Security Links

Useful Process Control System Security Organisation Links