Executive Summary

Control Systems (CS) have come a long way over the past 25 years. In the electrical age that we are living in, these devices (some as big as a bread box, others as small as a credit card) have flourished in all aspects of industry from plant floor machine controls to semi-sophisticated data acquisition systems, from motor starters to “Smart” MCCs. They are appearing in instrumentation and sensing and, with the advent of Industry 4.0 (Internet of Things in North America) demanding increased interconnectivity of devices, they will appear in even more conspicuous applications such as Air and Water Filtration, Purification and Decontamination systems, for example, which are subject to national, regional, municipal or industry-specific regulations.

Why it matters

Cyber Security at the CS level (Level 1 per ISA-95) has been relatively tame thus far; the Stuxnet malware attack being probably the most widely remembered. The proprietary and closed nature of legacy Operating Systems explain the minimal presence of this issue. Newer controls, however, are based on more open, less controlled platforms, such as Linux. The increased sophistication of cyber attacks is bound to increase the risk of threats as they move from Advanced Persistent Treats (APT) to memory-resident and fileless malware. As a matter of fact, vulnerabilities of the most well-known CS vendors are now being published in an attempt to address this increasing risk to critical infrastructure. According to Kapersky Security Researchers, cross-site scripting (XSS), buffer overflows and compromising of credentials will account for 20% of attacks on ICS over the coming years.

Where to Start

Mitigating these risks starts with a Cyber Security Plan. The Plan establishes a means to achieve a high assurance that Electronic and Programmable Electronic systems and communication networks associated with the following functions are adequately protected against cyber attacks:

Safety-related and important-to safety functions;
Security functions; and
Support systems and equipment which if compromised, would adversely impact safety, security, or emergency preparedness functions.

Some Recommended Best Practices:

Develop a thorough Cyber Security Plan. Many organizations will find it efficient to have an independent automation consultant to do it for them.
Questioning your vendors. Many vendors have been slow to mitigate risks within their platforms. If you see weaknesses, identify them and ask your vendors about implementing effective solutions. Become informed about their existing documented vulnerabilities and recommended mitigating actions.
Planning to migrate to newer technology and budget it as a necessary cost of business if your CS network relies on older Microsoft or proprietary operating systems. While many CS are designed with a systems life ranging from 15 to 20 years, older systems may be able to accommodate the rapidly changing cyber environment we face today.
Hire a reputable firm to review software update deliverables prior to installation in the production network. Your preferred controls integrator or consultant is the best place to start. Consider having static memory analysis performed to detect Rootkits. Assume this gap will be breached and plan your response accordingly.

Thanks,

Peter Darveau