Brian M. Ahern, Verano Inc.
Power producers and utilities today face an unprecedented quantity of constraints upon their business operations. They have long worked under the familiar, unrelenting demands of continuous production and distribution borne by all operators of critical industrial infrastructure. In recent years, deregulation and “best practices” have pressured them to infuse openness into facility control systems to allow sharing of operating information throughout the enterprise. Since 9/11, new geopolitical realities have brought an intense pressure to secure their operations as never before. How can they cope with these three imperatives while satisfying shareholders, regulators and customers?
The answer lies in understanding the true nature of the cyber terrorist threat, recognizing the gap most companies currently have in their defenses, and understanding how “best practices” for defeating control system cyber terrorism have fundamentally changed.
A new vulnerability to the intruder beneath
In recent years, most companies that operate critical industrial infrastructure have invested heavily in protecting their high-level corporate information systems from cyber terrorism, and for good reason. Significantly, a corresponding investment in securing plant- and facility-level control systems has largely not materialized.
Industrial monitoring and control systems are directly connected to station equipment. A cyber terrorist attacking the control system layer can cause complete service interruptions, loss of generating capacity, environmental damage and unsafe working conditions.
Control system layer computers and other control devices (e.g. intelligent electronic devices, programmable logic controllers, and remote terminal units) increasingly utilize Ethernet ports, web servers, wireless networks, and other remote access techniques to enable timely information sharing and troubleshooting. The associated supervisory control systems (SCADA), energy management system and distributed control system software typically also lack adequate cyber security upgrades. This combination of evolving control layer technology and lagging security investment makes the control system layer especially vulnerable to attack by cyber terrorists.
The cyber terrorist’s weapons of choice bear a strong resemblance to those commonly used to infiltrate higher-level information systems: Trojan horses, viruses, worms, denial-of-service programs, password/ID theft tools, etc. However, there is a dramatic difference between the security tools that will work effectively at the enterprise level and those required at the control system level. Password lockout, frequent patch updates and periodic virus scanning, for example, all have a problematic application history at the control system level.
Control level computers must operate with extremely high availability and fail-safe performance. Losing information to a cyber terrorist at the enterprise level might ruin an accountant’s day and force backup retrieval; losing control of plant equipment to a cyber terrorist might result in a human and economic catastrophe.
It is also critically important to understand that external threats are not the only part of the problem; they are actually the smaller part of the problem. Nearly 70 percent of documented cyber terrorist incidents come from within the enterprise, often perpetrated by disgruntled employees, suppliers or contract/consulting staff. Many corporate firewalls are not designed to stop internal threats. For the control system layer, designing a cyber terrorist defense that is entirely outward-focused is a prescription for failure.
Bridging the cyber security gap
Federal and state government agencies are actively promulgating standards for cyber security within critical industrial infrastructure based on five key functions:
- Monitor: An initial, comprehensive vulnerability assessment followed by continuous, automated monitoring.
- Detect: Recognition of unusual operational patterns indicating possible attack.
- Notify: Real-time notification and alert of appropriate personnel.
- Protect: Effective neutralization and quarantine of cyber attackers.
- Recover: Safe, timely operational recovery from successful cyber attacks.
A comprehensive, initial security assessment of the control system layer is the foundation of a successful cyber terrorism defense. It should produce an accurate characterization of the nature and magnitude of cyber security risks inherent within a particular system, and corresponding corrective actions.
An accurate assessment will enable the design and implementation of a security system to effectively perform the five key functions listed above. Such a system will give management a continuous view of its operations and an effective, real-time defense 24x7x365.
In conclusion, effectively securing critical infrastructure operations from cyber terrorism requires that management observe four important principles:
- Understand that the control system layer is a vulnerable point of attack with potentially serious consequences.
- Recognize that security tools designed for higher, corporate-level information security do not adequately address control layer security threats.
- Plan to build a defense that will handle attacks from outside and from within the enterprise.
- Apply “best practices” in creating a control level security system that will perform these five key functions: monitor, detect, notify, protect and recover.
Today’s economic, regulatory and geopolitical realities require critical infrastructure personnel to adequately secure operations while effectively sharing information within an enterprise and preserving continuous operations. The technology exists to achieve this goal. Applying this technology, while observing the principles outlined above, is our best defense against cyber terrorism.
Ahern is president and CEO of Verano.
Verano Inc. is a provider of cyber-security management and control solutions for mission-critical industrial operations. More information on Verano can be found at www.verano.com.