Article about securing critical control systems by David Geer

Page 1

Computer

Published by the IEEE Computer Society

T E C H N O L O G Y N E W S

or about 50 years, sophisti-

cated industrial control sys-

tems have kept major infra-

structure, manufacturing,

and utilities operations in

check. These systems gauge and

adjust factors such as temperature,

electrical current, pressure, and flow

rate to keep dams, factories, nuclear

power plants, and other similar facil-

ities functioning properly and safely.

Control systems are growing in

popularity. For example, as Figure 1

shows, global revenue from sales of

the systems will grow from $10.3

billion in 2000 to $12.4 billion this

year to $13.9 billion in 2009, pre-

dicted Datamonitor, a market re-

search firm.

“Control systems are being

adopted at an increasing rate around

the globe. Every country has infra-

structures and industry that need

these devices,” noted Michael J.

Skroch, manager of the Information

Operations Red Teaming and Assess-

ments Department at the US’s Sandia

National Laboratories.

Securing control systems has be-

come a much more serious issue

since the advent of the Internet and

the rise in terrorist threats. Today,

many government and private oper-

ations have connected their controls

to the Internet through unhardened

operating systems.

Internet connectivity can make

control operations more convenient,

but it also can leave the systems vul-

nerable to the same hackers, mal-

ware, and attacks that threaten

other online activities. Several at-

tacks on Internet-based control sys-

tems have already occurred.

The issue is so serious that the US

House of Representatives Commit-

tee on Homeland Security recently

heard testimony from experts in the

fields of security and control systems

in an effort to identify vulnerabili-

ties and determine whether federal

and private organizations are ad-

dressing them adequately.

Fred Cohen, a research professor

at the University of New Haven, said

a principal problem is that exposing

critical control systems to the Inter-

net and its dangers is simply a bad

idea. He said those responsible lack

control-system expertise and “are

anxious to make a change just for the

sake of making a change or because

of some perceived cost reduction.”

Larry Todd, director of security,

safety, and law enforcement for the

US Bureau of Reclamation, agreed

in his testimony before the congres-

sional hearing. “We have main-

tained a policy of not connecting our

[control] systems to our administra-

tive networks,” he said, “and we ad-

here to that policy in all but the most

unusual of situations.”

Nevertheless, organizations are

continuing to connect their control

systems to insecure networks such as

the Internet. Therefore, government

and private groups throughout the

world are trying to determine how to

make such connections more secure.

VULNERABLE

CONTROL SYSTEMS

During the past 40 years, organi-

zations have upgraded most manu-

ally operated, stand-alone control

systems to computer-run systems,

with many connecting them to the

Internet since the early 1990s.

The newer control systems are ba-

sically computers with sensors, actu-

ators, and software, noted Sandia’s

Skroch.

“These systems have taken the

place of control rooms with people

watching lots of dials, turning

valves, and sliding actuator switches

to keep things within a normal range

or deal with exceptional conditions.

When those can be replaced with

simple, computer-controlled actua-

tors, it reduces the manpower and

costs and very often allows for faster

responses,” said Purdue University

professor Eugene Spafford.

There are two major types of com-

puter-run control systems: Super-

visory control and data acquisition

(SCADA) systems are generally used

with utility and other infrastructure

operations, while process-control

systems (PCSs) are typically used in

production facilities.

SCADA sensors gather data in real

time from remote locations and feed

it to a computer running special soft-

ware. The computer processes the

data in a timely manner, records and

logs all events, and sounds an alarm

when conditions become hazardous.

Security of

Critical Control

Systems Sparks

Concern

David Geer

Page 2

January 2006

10,000

11,000

12,000

13,000

14,000

Revenue (millions of US dollars)

2000 2001 2002 2003 2004 2005 2006 2007 2008 2009

Source: Datamonitor

Figure 1. Datamonitor, a market research firm, predicts revenue from the sales of the

increasingly popular control systems will grow between 3.5 and 4 percent per year

through 2009.

doesn’t provide adequate protection.

In addition, he said, SCADA and

PCS systems are often assembled

The technology is used in power

plants; oil and gas refineries; and

telecommunications, transportation,

water, and waste-control facilities.

According to Cohen, PCSs typi-

cally use sensors to track specific fac-

tors such as temperatures and the

volumes and levels of liquids and

gases in a system. The systems then

analyze those values against a model

of proper behavior and issue signals

to actuators that induce the desired

physical changes, he explained.

PCSs can handle more complex en-

vironmental measurements than

SCADA systems, process more com-

plicated calculations, and make deci-

sions and issue commands to control

more types of devices, said Skroch.

Because of their connections to the

Internet and other networks, newer

control systems have become as vul-

nerable as other connected systems,

as Figure 2 shows.

According to Skroch, most dedi-

cated SCADA and PCS applications

have not included built-in security

features and at most have used only

passwords or physical keys to pre-

vent unauthorized access, which

Internet and extranets

Firewalls

Web

server

Enterprise

process server

Control

application

servers

Wireless

links

Process control network

Modem

Operator

consoles

Unattended

PC in a lab

Distributed

control system

Internet worm

attacks

Web servers

Attacker taps

into wireless

communications

Attacker connects

via poorly

protected modem

Maintenance staff

inserts virus via

infected floppy

or CD

Attacker gains

access to

unprotected PC

• Accidental act by user

or administrator

• Attacker breaks in

through RAS or

third-party link

Source: Invensys

Router

Plant

Internal network

External access

Remote access server (RAS)

Dial-up connection

Figure 2. Industrial control systems connected to the Internet or private networks, like those used in factories and nuclear power

plants, face a number of threats that could cause serious safety problems. This has prompted concern about the systems’ security.

Page 3

Computer

“But the worm entered the plant net-

work via a contractor’s infected

computer connected by telephone

directly to the plant’s network,

thereby bypassing the firewall.” As

with every other successful Slammer

worm attack, he noted, the victim-

ized system had unpatched holes.

An attacker using a computer and

radio transmitter remotely hacked

an Australian sewage treatment

plant’s SCADA system in March

2000, altered data, and changed

valve settings, causing sewage to

back up into the city of Maroochy

Shire, Queensland.

In the early 1990s, a hacker broke

into several US government systems,

including a Department of the

Interior network in Portland,

Oregon, and eventually gained root

access over the computers that con-

trolled every dam in Northern

California. However, the attacker

caused no damage.

In 2003, two hackers, in an al-

leged extortion plot, gained access

to control technology for the US’s

Amundsen-Scott South Pole Station,

which ran life-support technology

for 50 scientists there.

Noted the SANS Institute’s Paller,

“We will never know about most of

the break-ins because the victims

will not tell the public.”

PROTECTING

CONTROL SYSTEMS

Older control systems were not

connected to the Internet. Their chief

vulnerability was telephonic access

designed to let third-party vendors

work with the software as needed.

Attackers had to be familiar with

older systems to exploit access they

gained, said Sam Varnado, director

of Sandia’s Information Operations

Center. Simply breaking in wasn’t

enough.

from numerous vendors’ devices,

components, and communications

services. However, the companies re-

sponsible for integrating these ele-

ments often don’t design system

security holistically.

Moreover, explained Alan Paller,

director of research at the SANS

Institute, a computer- and communi-

cations-security training and infor-

mation organization, “The people

who adopted these systems aren’t se-

curity experts, so they didn’t know

they needed to harden them.”

PAST ATTACKS

Viruses and worms often attack

control systems via vulnerabilities in

host operating systems. The mal-

ware may either write data to the

hard disc that makes the drive crash,

or it may make multiple server re-

quests, tying up the control system’s

server in a denial-of-service attack.

In DoS attacks, hackers send large

amounts of useless data to a system,

keeping it so busy it cannot handle

normal functions.

Hackers not knowledgeable about

control systems could use such tech-

niques to mount the same types of at-

tacks they would launch against any

computer, noted Skroch.

However, he said, experienced at-

tackers could launch better targeted,

well-timed assaults that cause more

significant problems.

The January 2003 Slammer worm

struck the computerized safety mon-

itoring system at the Davis-Besse nu-

clear power plant in the US, which

was shut down for repairs at the time,

noted Donald Purdy, acting director

of the US Department of Homeland

Security’s National Cyber Security

Division.

The worm’s scanning activities

caused congestion that slowed down

the plant’s network, eventually

crashing the safety-parameter dis-

play system, which monitors the

most important safety indicators.

“The managers had considered

the plant secure because the outside

network connection was protected

by a firewall,” Purdy explained.

This is not the case with Internet-

based systems.

“Now,” Varnado noted, “you have

people who can hurt you who are not

control-system engineers. All it re-

quires is that you know how to hack

computers.” Once a hacker gains ac-

cess, the simple application of generic

computer attacks can cause prob-

lems, he explained.

The best first steps for securing

control systems are becoming more

aware of both their vulnerabilities

and the potential solutions, as well

as implementing stronger safety

policies and procedures, said Ernest

A. Rakaczky, director of control sys-

tem security for Invensys Process

Systems, a vendor of products and

services for the automation of in-

dustrial-plant operations.

The Department of Homeland

Security’s Purdy said federal officials

“are trying to make it easier to un-

derstand the business case for tak-

ing steps to help create a security

framework against which they can

do a risk assessment of their sys-

tems.”

According to Paller, control-sys-

tem users should apply the same

measures they use with other sys-

tems to block unauthorized access.

These include techniques like au-

thentication, implemented via mea-

sures such as usernames, passwords,

and personal identification numbers;

and identification, implemented via

approaches such as digital tokens.

And, said Sandia’s Skroch, organi-

zations can harden operating systems

by removing services or features not

necessary for control-system opera-

tion, properly implementing security

settings, and immediately down-

loading available patches.

Paller noted that many users

haven’t hardened their OSs, even

though the US National Security

Agency and Defense Information

Systems Agency, the nonprofit Center

for Internet Security, and other orga-

nizations have published guidelines

for doing so.

Users can also implement firewalls

and intrusion-prevention systems,

T E C H N O L O G Y N E W S

Security is becoming an

increasingly important

issue for control systems.

Page 4

which can block or even short-cir-

cuit attacks.

In addition, organizations can en-

crypt communications between con-

trol systems and the outside world.

These communications, which can

include transmissions of authentica-

tion codes, could help a hacker fig-

ure out how to break into a system.

In some cases, users can exploit

their purchasing power, as the US

Air Force did when it bought hun-

dreds of thousands of Microsoft

Windows systems on the condition

that the company harden them first.

CHALLENGES TO PROTECTING

CONTROL SYSTEMS

“I’m worried about our use of

commercial off-the-shelf products in

secure systems,” said Sandia’s

Varnado. “Some of the software

programs on computers today have

20 million lines of code. We can’t

even get in there to see what the bits

and bytes are doing. We’re trying to

build trusted systems out of un-

trusted components.”

According to Purdue’s Spafford,

users are likely to resist taking mea-

sures that would require expensive

retrofitting of existing systems.

Added Sandia’s Skroch, “Control

systems have not been secured be-

cause the benefit of doing so has not

been demonstrated sufficiently to the

industries that develop or purchase

them. Fortunately, this situation

seems to be changing. We can only

hope improved security comes in

time.”

Many experts are pushing estab-

lished approaches to securing control

systems, such as the US Depart-

ment of Energy’s “21 Steps to

Improve Cyber Security of SCADA

Networks” (www.ea.doe.gov/pdfs/

21stepsbooklet.pdf) and the US

National Institute of Standards and

Technology’s “Security Configura-

html).

That way, Varnado explained,

users would know how the ap-

proaches work and how they should

be configured. However, he noted,

hackers would also know these

things and could use them to try to

exploit vulnerabilities.

In addition, Paller said, hardening

OSs could close network access to

systems that some control applica-

tions require to function properly.

Improperly implemented security

could also fail by making control

systems difficult to use. For exam-

ple, Skroch explained, “If designers

of security make it hard for autho-

rized employees to perform their

jobs, the security will likely be cir-

cumvented by the ultimate insider:

the employee.”

ontrol systems could face dan-

gerous new threats in the fu-

ture. For example, Paller said,

terrorists, extortionists, or other ma-

licious hackers could install Trojans

on computers inside utilities and re-

ceive information that could help

them threaten control systems.

Criminals could also aggregate these

Trojans, as they do for distributed

DoS attacks or spyware installation,

and sell them to people who want to

disrupt operations, he added.

With such threats in the offing,

said Invensys’ Rakaczky, “the big

success will be for [users] to just

adopt something.” Many users have

no security but spend time worrying

about what ideal approach they

could adopt when there are effective

interim steps they could take now,

he explained.

In general, concluded Purdue’s

Spafford, “Control system security

is going to be increasingly important

because we are deploying more com-

plex systems over greater distances.”

David Geer is a freelance technology

journalist based in Ashtabula, Ohio. Con-

tact him at david@geercom.com.

Editor: Lee Garber, Computer,

l.garber@computer.org

Here

now

from

the IEEE

Computer

Society

IEEE

ReadyNotes

Looking for accessible tutorials

on software development,

project management, and

emerging technologies? Then

have a look at ReadyNotes,

another new product from the

IEEE Computer Society.

These guidebooks serve

as quick-start references

for busy computing

professionals. Available as

immediately downloadable

PDFs (with a credit card

purchase), ReadyNotes

are here now at

http://computer.org/readynotes.