Control system security

Last updated December 28, 2024

Control system security, or automation and control system (ACS) cybersecurity, is the prevention of (intentional or unintentional) interference with the proper operation of industrial automation and control systems. These control systems manage essential services including electricity, petroleum production, water, transportation, manufacturing, and communications. They rely on computers, networks, operating systems, applications, and programmable controllers, each of which could contain security vulnerabilities. The 2010 discovery of the Stuxnet worm demonstrated the vulnerability of these systems to cyber incidents.^[1] The United States and other governments have passed cyber-security regulations requiring enhanced protection for control systems operating critical infrastructure.

Risks

Insecurity of, or vulnerabilities inherent in automation and control systems (ACS) can lead to severe consequences in categories such as safety, loss of life, personal injury, environmental impact, lost production, equipment damage, information theft, and company image.

Guidance to assess, evaluate and mitigate these potential risks is provided through the application of many Governmental, regulatory, industry documents and Global Standards, addressed below.

Vulnerability of automation and control systems

Automation and Control Systems (ACS) have become far more vulnerable to security incidents due to the following trends.

Increasing use of Commercial Off-the Shelf Technology (COTS) and protocols. Integration of technology such as MS Windows, SQL, and Ethernet means that these systems may now have the same or similar vulnerabilities as common IT systems.
Enterprise integration (using plant, corporate and even public networks) means that these (legacy) systems may now be subjected to stresses that they were not designed for.
Demand for Remote Access - 24x7 access for engineering, operations or technical support increases the attack surface, possibly leading to more insecure or rogue connections.
Increased awareness and understanding of industrial systems - As more and more people become aware of these systems, the strategy of Security Through Obscurity is no longer viable.
Although the cyber threats and attack strategies on automation systems are changing rapidly, regulation of industrial control systems for security is rare and is a slow-moving process. The United States, for example, only does so for the nuclear power and the chemical industries.^[2]

Government efforts

The U.S. Government Computer Emergency Readiness Team (US-CERT) originally instituted a control systems security program (CSSP) now the National Cybersecurity and Communications Integration Center (NCCIC) Industrial Control Systems, which has made available a large set of free National Institute of Standards and Technology (NIST) standards documents regarding control system security.^[3] The U.S. Government Joint Capability Technology Demonstration (JCTD) known as MOSIACS (More Situational Awareness for Industrial Control Systems) is the initial demonstration of cybersecurity defensive capability for critical infrastructure control systems.^[4] MOSAICS addresses the Department of Defense (DOD) operational need for cyber defense capabilities to defend critical infrastructure control systems from cyber attack, such as power, water and wastewater, and safety controls, affect the physical environment.^[5] The MOSAICS JCTD prototype will be shared with commercial industry through Industry Days for further research and development, an approach intended to lead to an innovative, game-changing capabilities for cybersecurity for critical infrastructure control systems.^[6]

Automation and Control System Cybersecurity Standards

The international standard for cybersecurity of automation and control systems is the IEC 62443. In addition, multiple national organizations such as the NIST and NERC in the USA released guidelines and requirements for cybersecurity in control systems.

IEC 62443

The IEC 62443 cybersecurity standards define processes, techniques and requirements for Automation and Control Systems (IACS). The IEC 62443 standards and technical reports are organized into four general categories called General, Policies and Procedures, System,Component, Profiles and Evaluation.

The first category includes foundational information such as concepts, models and terminology.
The second category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
The third category includes work products that describe system design guidance and requirements for the secure integration of control systems. Core in this is the zone and conduit design model.
The fourth category includes work products that describe the specific product development and technical requirements of control system products.
The fifth category provides profiles for industry-specific cybersecurity requirements according to IEC 62443-1-5.
The sixth category defines assessment methodologies that ensure that assessment results are consistent and reproducible.

NERC

The most widely recognized and latest NERC security standard is NERC 1300, which is a modification/update of NERC 1200. The latest version of NERC 1300 is called CIP-002-3 through CIP-009-3, with CIP referring to Critical Infrastructure Protection. These standards are used to secure bulk electric systems although NERC has created standards within other areas. The bulk electric system standards also provide network security administration while still supporting best-practice industry processes.

NIST

Although it is not a standard, the NIST Cybersecurity Framework (NIST CSF) provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes. It is intended to help private sector organizations that provide critical infrastructure with guidance on how to protect it.^[7]

NIST Special Publication 800-82 Rev. 2 "Guide to Industrial Control System (ICS) Security" describes how to secure multiple types of Industrial Control Systems against cyber attacks while considering the performance, reliability, and safety requirements specific to ICS.^[8]

Control system security certifications

Certifications for control system security have been established by several global Certification Bodies. Most of the schemes are based on the IEC 62443 and describe test methods, surveillance audit policy, public documentation policies, and other specific aspects of their program.

External links

Related Research Articles

The SANS Institute is a private U.S. for-profit company founded in 1989 that specializes in information security, cybersecurity training, and selling certificates. Topics available for training include cyber and network defenses, penetration testing, incident response, digital forensics, and auditing. The information security courses are developed through a consensus process involving administrators, security managers, and information security professionals. The courses cover security fundamentals and technical aspects of information security. The institute has been recognized for its training programs and certification programs. Per 2021, SANS is the world’s largest cybersecurity research and training organization. SANS is an acronym for SysAdmin, Audit, Network, and Security.

The United States Computer Emergency Readiness Team (US-CERT) was a team under the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security.

The National Cyber Security Division (NCSD) is a division of the Office of Cyber Security & Communications, within the United States Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. Formed from the Critical Infrastructure Assurance Office, the National Infrastructure Protection Center, the Federal Computer Incident Response Center, and the National Communications System, NCSD opened on June 6, 2003.

Information security standards are techniques generally outlined in published materials that attempt to protect a user's or organization's cyber environment. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

In the U.S., critical infrastructure protection (CIP) is a concept that relates to the preparedness and response to serious incidents that involve the critical infrastructure of a region or the nation. The American Presidential directive PDD-63 of May 1998 set up a national program of "Critical Infrastructure Protection". In 2014 the NIST Cybersecurity Framework was published after further presidential directives.

An information assurance vulnerability alert (IAVA) is an announcement of a computer application software or operating system vulnerability notification in the form of alerts, bulletins, and technical advisories identified by US-CERT, https://www.us-cert.gov/ US-CERT is managed by National Cybersecurity and Communications Integration Center (NCCIC), which is part of Cybersecurity and Infrastructure Security Agency (CISA), within the U.S. Department of Homeland Security (DHS). CISA, which includes the National Cybersecurity and Communications Integration Center (NCCIC) realigned its organizational structure in 2017, integrating like functions previously performed independently by the U.S. Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). These selected vulnerabilities are the mandated baseline, or minimum configuration of all hosts residing on the GIG. US-CERT analyzes each vulnerability and determines if it is necessary or beneficial to the Department of Defense to release it as an IAVA. Implementation of IAVA policy will help ensure that DoD Components take appropriate mitigating actions against vulnerabilities to avoid serious compromises to DoD computer system assets that would potentially degrade mission performance.

An industrial control system (ICS) is an electronic control system and associated instrumentation used for industrial process control. Control systems can range in size from a few modular panel-mounted controllers to large interconnected and interactive distributed control systems (DCSs) with many thousands of field connections. Control systems receive data from remote sensors measuring process variables (PVs), compare the collected data with desired setpoints (SPs), and derive command functions that are used to control a process through the final control elements (FCEs), such as control valves.

Security controls or security measures are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information.

Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.

File integrity monitoring (FIM) is an internal control or process that performs the act of validating the integrity of operating system and application software files using a verification method between the current file state and a known, good baseline. This comparison method often involves calculating a known cryptographic checksum of the file's original baseline and comparing with the calculated checksum of the current state of the file. Other file attributes can also be used to monitor integrity.

IEC 62443 is a series of standards that address security for operational technology in automation and control systems. The series is divided into different sections and describes both technical and process-related aspects of automation and control systems security.

The National Cybersecurity Center of Excellence (NCCoE) is a US government organization that builds and publicly shares solutions to cybersecurity problems faced by U.S. businesses. The center, located in Rockville, Maryland, was established in 2012 through a partnership with the National Institute of Standards and Technology (NIST), the state of Maryland, and Montgomery County. The center is partnered with nearly 20 market-leading IT companies, which contribute hardware, software and expertise.

SCADA Strangelove is an independent group of information security researchers founded in 2012, focused on security assessment of industrial control systems (ICS) and SCADA.

The Cyber Resilience Review (CRR) is an assessment method developed by the United States Department of Homeland Security (DHS). It is a voluntary examination of operational resilience and cyber security practices offered at no cost by DHS to the operators of critical infrastructure and state, local, tribal, and territorial governments. The CRR has a service-oriented approach, meaning that one of the foundational principles of the CRR is that an organization deploys its assets to support specific operational missions. The CRR is offered in a facilitated workshop format and as a self-assessment package. The workshop version of the CRR is led by a DHS facilitator at a critical infrastructure facility. The workshop typically takes 6–8 hours to complete and draws on a cross section of personnel from the critical infrastructure organization. All information collected in a facilitated CRR is protected from disclosure by the Protected Critical Infrastructure Information Act of 2002. This information cannot be disclosed through a Freedom of Information Act request, used in civil litigation, or be used for regulatory purposes. The CRR Self-Assessment Package allows an organization to conduct an assessment without the need for direct DHS assistance. It is available for download from the DHS Critical Infrastructure Cyber Community Voluntary Program website. The package includes an automated data answer capture and report generation tool, a facilitation guide, comprehensive explanation of each question, and a crosswalk of CRR practices to the criteria of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The questions asked in the CRR and the resulting report are the same in both versions of the assessment. DHS partnered with the CERT Division of the Software Engineering Institute at Carnegie Mellon University to design and deploy the CRR. The goals and practices found in the assessment are derived from the CERT Resilience Management Model (CERT-RMM) Version 1.0. The CRR was introduced in 2009 and received a significant revision in 2014.

Operational technology (OT) is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events. The term has become established to demonstrate the technological and functional differences between traditional information technology (IT) systems and industrial control systems environment, the so-called "IT in the non-carpeted areas".

The External Dependencies Management Assessment is a voluntary, in-person, facilitated assessment created by the United States Department of Homeland Security. The EDM Assessment is intended for the owners and operators of critical infrastructure organizations in the United States. It measures and reports on the ability of the subject organization to manage external dependencies as they relate to the supply and operation of information and communications technology (ICT). This area of risk management is also sometimes called Third Party Risk Management or Supply Chain Risk Management.

The NIST Cybersecurity Framework (CSF) is a set of voluntary guidelines designed to help organizations assess and improve their ability to prevent, detect, and respond to cybersecurity risks. Developed by the U.S. National Institute of Standards and Technology (NIST), the framework was initially published in 2014 for critical infrastructure sectors but has since been widely adopted across various industries, including government and private enterprises globally. The framework integrates existing standards, guidelines, and best practices to provide a structured approach to cybersecurity risk management.

A cyber PHA or cyber HAZOP is a safety-oriented methodology to conduct a cybersecurity risk assessment for an industrial control system (ICS) or safety instrumented system (SIS). It is a systematic, consequence-driven approach that is based upon industry standards such as ISA 62443-3-2, ISA TR84.00.09, ISO/IEC 27005:2018, ISO 31000:2009 and NIST Special Publication (SP) 800-39.

The National Cybersecurity and Communications Integration Center (NCCIC) is part of the Cybersecurity Division of the Cybersecurity and Infrastructure Security Agency, an agency of the U.S. Department of Homeland Security. It acts to coordinate various aspects of the U.S. federal government's cybersecurity and cyberattack mitigation efforts through cooperation with civilian agencies, infrastructure operators, state and local governments, and international partners.

Havex malware, also known as Backdoor.Oldrea, is a Remote Access Trojan (RAT) employed by the Russian attributed APT group "Energetic Bear" or "Dragonfly". Havex was discovered in 2013 and is one of five known ICS tailored malware developed in the past decade. These malwares include Stuxnet, BlackEnergy, Industroyer/CRASHOVERRIDE, and TRITON/TRISIS. Energetic Bear began utilizing Havex in a widespread espionage campaign targeting energy, aviation, pharmaceutical, defense, and petrochemical sectors. The campaign targeted victims primarily in the United States and Europe.

References

↑ Byres, Eric; Cusimano, John (February 2012). "The 7 Steps to ICS Security". Tofino Security and exida Consulting LLC. Archived from the original on January 23, 2013. Retrieved March 3, 2011.
↑ Gross, Michael Joseph (2011-04-01). "A Declaration of Cyber-War". Vanity Fair. Condé Nast. Archived from the original on 2014-07-13. Retrieved 2017-11-29.
↑ "Standards and References - NCCIC / ICS-CERT". ics-cert.us-cert.gov/. Archived from the original on 2010-10-26. Retrieved 2010-10-27.
↑ "More Situational Awareness For Industrial Control Systems (MOSAICS) Joint Capability Technology Demonstration (JCTD): A Concept Development for the Defense of Mission Critical Infrastructure – HDIAC" . Retrieved 2021-07-31.
↑ "More Situational Awareness for Industrial Control Systems (MOSAICS): Engineering and Development of a Critical Infrastructure Cyber Defense Capability for Highly Context-Sensitive Dynamic Classes: Part 1 – Engineering – HDIAC" . Retrieved 2021-07-31.
↑ "More Situational Awareness for Industrial Control Systems (MOSAICS): Engineering and Development of a Critical Infrastructure Cyber Defense Capability for Highly Context-Sensitive Dynamic Classes: Part 2 – Development – HDIAC" . Retrieved 2021-07-31.
↑ "NIST Cybersecurity Framework" . Retrieved 2016-08-02.
↑ Stouffer, Keith; Lightman, Suzanne; Pillitteri, Victoria; Abrams, Marshall; Hahn, Adam (2015-06-03). "Guide to Industrial Control Systems (ICS) Security". CSRC | NIST. doi:10.6028/NIST.SP.800-82r2 . Retrieved 2020-12-29.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[tofinoexida201202-1] Byres, Eric; Cusimano, John (February 2012). "The 7 Steps to ICS Security". Tofino Security and exida Consulting LLC. Archived from the original on January 23, 2013. Retrieved March 3, 2011.

[gross201104-2] Gross, Michael Joseph (2011-04-01). "A Declaration of Cyber-War". Vanity Fair. Condé Nast. Archived from the original on 2014-07-13. Retrieved 2017-11-29.

[3] "Standards and References - NCCIC / ICS-CERT". ics-cert.us-cert.gov/. Archived from the original on 2010-10-26. Retrieved 2010-10-27.

[4] "More Situational Awareness For Industrial Control Systems (MOSAICS) Joint Capability Technology Demonstration (JCTD): A Concept Development for the Defense of Mission Critical Infrastructure – HDIAC" . Retrieved 2021-07-31.

[5] "More Situational Awareness for Industrial Control Systems (MOSAICS): Engineering and Development of a Critical Infrastructure Cyber Defense Capability for Highly Context-Sensitive Dynamic Classes: Part 1 – Engineering – HDIAC" . Retrieved 2021-07-31.

[6] "More Situational Awareness for Industrial Control Systems (MOSAICS): Engineering and Development of a Critical Infrastructure Cyber Defense Capability for Highly Context-Sensitive Dynamic Classes: Part 2 – Development – HDIAC" . Retrieved 2021-07-31.

[7] "NIST Cybersecurity Framework" . Retrieved 2016-08-02.

[8] Stouffer, Keith; Lightman, Suzanne; Pillitteri, Victoria; Abrams, Marshall; Hahn, Adam (2015-06-03). "Guide to Industrial Control Systems (ICS) Security". CSRC | NIST. doi:10.6028/NIST.SP.800-82r2 . Retrieved 2020-12-29.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]