November 14, 2011
Automation.com, November 2011
By Eric Byres, Byres Security Inc.
On one hand, industry is becoming increasingly concerned about just how vulnerable control systems have become to outside attacks. At the same time, new tools and applications that improve efficiency, but increase that exposure, are appearing daily. So must we sacrifice these gains in efficiency if we want to be secure?
By Eric Byres, CTO and VP of Engineering at Byres Security, Inc. (www.tofinosecurity.com)
A few weeks ago, Automation.com ran two side-by-side articles in its Programmable Automation Controllers (PAC) Update eNewsletter:
- Really, Really, Really Cyber Secure, ControlGlobal, August 2011, by Walt Boyes: “It is now clear that machine-level, embedded controllers, such as PLCs, PACs and DCS controllers are vulnerable from both inside and outside the plant.”
- Automation & Control Getting iPhone App Enabled, Design News, July 2011, by Alexander Wolfe: “Programmable logic controllers are beginning to connect beyond the confines of the factory floor, via iPhone Apps that display status data or even control PLCs directly via over-the-air commands.”
The contrast between these two articles beautifully captures an issue the automation industry must resolve in the next few years. On one hand, industry is becoming increasingly concerned about just how vulnerable control systems have become to outside attacks. At the same time, new tools and applications that improve efficiency, but increase that exposure, are appearing daily.
So must we sacrifice these gains in efficiency that modern technologies offer if we want our utilities and factories to be secure?
Security versus Efficiency – A Battle that was Lost Long Ago
For many security commentators, the answer is:
“Yes – industry should give up its dependency on modern, highly interconnected communications networks and completely isolate the plant floor. Forget the reduced downtime that remote maintenance offers or the efficiency that demand-driven, just-in-time manufacturing allows. We should wall off our critical factories and utilities from the outside world and make them bastions of security in a sea of insecurity.”
In a previous column, “SCADA Security’s Air Gap Fairy Tale,” I outlined why the idea of walling off a control system just isn’t feasible today. Modern industry and the technologies it depends on need a steady diet of electronic information from the outside world to operate. Cut off one source of data into the plant floor and another (potentially riskier) “sneaker-net” just replaces it.
Now industry and government can try to battle this trend by banning technologies and mandating complex and onerous procedures. We see this sort of strategy every time we try to board a plane and wait in long lines to take our shoes off and get our hair shampoo confiscated. Frankly, I don’t think it is effective or efficient security for air travel. It is even worse for companies that ultimately need to be profitable if they are going to stay in business.
Simply put, expecting companies (and the people running them) to pick security over efficiency is not a realistic strategy because it goes against human nature. People are terrible at making good judgements about risk. We badly underestimate the risks of very infrequent, but serious events. We lean toward decisions that are beneficial or efficient in the short term, as long as the consequences are sufficiently long term. We underestimate the risks for things we can control (like driving a car), but overestimate the risks for things we can’t control (like being in a plane crash).
This is not just a fact for security related decisions. We are bad at any risk-related decision – health, personal safety, financial planning and so on. Consider the poor smoker – neither gruesome images of cancer victims nor graphic warning labels prevent them from opening those packs and enjoying their next smoke. Only when a health crisis is upon us, do most of us modify our behaviours.
For ICS and SCADA security the story is the same. It is also just as true for the CEO in the boardroom as it is for the janitor on the plant floor. In the battle between making a task easier and making a task more secure, security is going to lose. So rather than fighting efficiency, the security industry needs to start to help companies be more efficient and secure at the same time.
Taking a Page from Safety
Now interestingly, in the safety arena many things have improved over the past few decades. Smoking rates are falling (at least in the developed world), workers in factories are more safety-aware, and driving deaths are declining.
Progress comes from a combination of three solutions:
- Sustained educational programs.
- Enforced management of behaviours.
- Simplified risk reduction technologies.
Consider driving deaths due to car accidents. The combination of massive educational programs on the risks of driving without a seatbelt, laws requiring the wearing of seatbelts, and the introduction of improved safety technology (such as antilock brakes and air bags) in automobiles have all helped to drive these deaths downward. All three have been critical legs of the solution. All have been expensive and slow to see significant results. But they do get results.
ICS and SCADA security needs to take a page from the lesson book of safety, especially industrial process safety. Significant progress has been made in this area over the past two decades:
- Years of regularly repeated safety education programs have made safety top of mind for anyone entering an industrial site.
- Well-designed standards like IEC-61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems) and IEC-61511 (Functional safety - Safety instrumented systems for the process industry sector) have led to well-designed safety strategies.
- Significant improvement in the technologies and ease of use for safety instrumented systems (SIS) has made deploying a safe process an economically viable reality.
All three have been critical to achieving safer plants and factories.
Forget the Battle, We Need to Win the War
We are not going to be successful at making our factories and infrastructure more secure unless we embrace education, standards and technology as the three legs of the solution. Furthermore, each leg needs to be well-designed and implemented. Education that is sporadic, poor regulations that reward compliance rather than results, or technology that is complex and cumbersome will doom the quest for better security.
Now many pages have been written on the impact of poor regulations, and I have discussed the problems caused by sporadic security training in my blog, so in this column I want to focus on technology. Here the battle between security and efficiency has to end. These two characteristics need to become one, that is, the cyber security solution itself must help the plant become more efficient. The technology should allow both the business and its engineers to achieve their goals.
Take industrial wireless as an example. Companies can ban wireless outright, but a better solution is to use its adoption as a way to drive better plant floor security. Boeing, the aircraft manufacturer, makes extensive use of wireless technologies in its 777 and 787 manufacturing operations. At the same time, it is using the migration to wireless as the impetus to manage and encrypt all in-plant manufacturing communications whether wired or wireless. As a result, the flawed “crunchy on the outside, chewy on the inside” mentality is disappearing and a truly robust plant floor is emerging.
A personal favourite of mine is the opportunity for reliability that firewall technologies can offer. Rather than just seeing traffic filtering as a way of keeping the bad guys out of the plant, an alternative strategy is to use the technology to manage all control network traffic. Too many companies simply have no idea what is even travelling over their control networks, good or bad. Issues such as Ethernet broadcast storms have been the cause of many production outages, such as the Browns Ferry Nuclear shutdown in 2006. If firewall technology can be used by industry to regulate all traffic on the control network, the plant floor is not only more secure, but also safer and more reliable.
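The two ideas in this paragraph, an allow-list that regulates every conversation on the control network and visibility that catches reliability problems like a broadcast storm, can be shown in a small script. The following is an added illustration, not code from the original column or from Byres Security; the IP addresses, MAC addresses, protocol ports, the 100-frames-per-second storm threshold and the sample traffic are all constructed for the example.

```python
"""Allow-list policy plus broadcast-storm detection over constructed
control-network frames. Added example; all addresses are hypothetical."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    ts: float                 # capture time in seconds
    src_mac: str
    dst_mac: str
    proto: str                # "tcp", "udp" or "arp"
    src_ip: Optional[str]     # None for frames without an IP header (ARP)
    dst_ip: Optional[str]
    dport: Optional[int]


# Permitted conversations on the control network (hypothetical roles and addresses).
ALLOWED_FLOWS = {
    ("10.0.1.10", "10.0.1.20", "tcp", 502),    # HMI -> PLC-1, Modbus/TCP
    ("10.0.1.10", "10.0.1.21", "tcp", 502),    # HMI -> PLC-2, Modbus/TCP
    ("10.0.1.30", "10.0.1.20", "tcp", 44818),  # engineering station -> PLC-1, EtherNet/IP
}
BROADCAST_STORM_THRESHOLD = 100  # broadcast frames within one second (assumed value)


def classify_frame(frame):
    """Return ("allow" | "deny", reason) under the allow-list policy."""
    if frame.proto == "arp":
        # Address resolution has to pass for any IP conversation to work.
        return ("allow", "arp")
    key = (frame.src_ip, frame.dst_ip, frame.proto, frame.dport)
    if key in ALLOWED_FLOWS:
        return ("allow", "listed flow")
    return ("deny", "flow not in allow-list")


def detect_broadcast_storms(frames, threshold=BROADCAST_STORM_THRESHOLD):
    """Count broadcast frames per one-second window; return windows at or over threshold."""
    per_window = Counter()
    for f in frames:
        if f.dst_mac == BROADCAST_MAC:
            per_window[int(f.ts)] += 1
    return sorted(w for w, n in per_window.items() if n >= threshold)


def audit(frames):
    """Summarise what is actually on the wire: verdict counts, top denied flows, storm windows."""
    verdicts = Counter()
    denied_flows = Counter()
    for f in frames:
        verdict, _ = classify_frame(f)
        verdicts[verdict] += 1
        if verdict == "deny":
            denied_flows[(f.src_ip, f.dst_ip, f.proto, f.dport)] += 1
    return {
        "allowed": verdicts["allow"],
        "denied": verdicts["deny"],
        "denied_flows": denied_flows.most_common(5),
        "storm_windows": detect_broadcast_storms(frames),
    }


def sample_frames():
    """Constructed traffic: normal polling, one stray office flow, one ARP broadcast burst."""
    frames = []
    # HMI polls PLC-1 once a second for ten seconds.
    for s in range(10):
        frames.append(Frame(s + 0.1, "00:11:22:33:44:10", "00:11:22:33:44:20",
                            "tcp", "10.0.1.10", "10.0.1.20", 502))
    # An office PC tries SMB to PLC-1; this conversation is not in the allow-list.
    frames.append(Frame(3.5, "00:11:22:33:44:99", "00:11:22:33:44:20",
                        "tcp", "10.0.1.99", "10.0.1.20", 445))
    # A looped switch port replays ARP requests: 300 broadcasts inside second 7.
    for i in range(300):
        frames.append(Frame(7 + i / 300.0, "00:11:22:33:44:55", BROADCAST_MAC,
                            "arp", None, None, None))
    return frames


if __name__ == "__main__":
    for key, value in audit(sample_frames()).items():
        print(f"{key}: {value}")
```

The point of the `audit` report is the visibility the paragraph asks for: the same pass that enforces the allow-list also records which unexpected flows are knocking on the door and in which seconds the broadcast rate crossed the threshold, so a firewall deployed for security doubles as a monitor for the reliability failures that cause outages.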
Robust yet simple and easy to implement cyber security technology, sustained education and well thought out standards are all required to end the battle between security and efficiency – and truly protect our plants and critical infrastructure.
References and Further Reading:
Information about Human Judgement Regarding Risk
- Why the Human Brain Is a Poor Judge of Risk, Wired News, March 22, 2007, Bruce Schneier
- Cognitive biases potentially affecting judgment of global risks, Singularity Institute, August 2006, Eliezer Yudkowsky
Information about Safety
- IEC-61511 (Functional safety - Safety instrumented systems for the process industry sector)
- IEC-61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems)
- exida - Control System Security blogs