TECHNOLOGY CONNECTED

Security for Networked Devices

Utilize Open Standards to Protect Control System Networks

As enterprise and control networks continue the trend toward tighter integration, cyber security on both sides must improve. TNC, from the Trusted Computing Group, offers an innovative solution.

SCOTT HOWARD, BYRES SECURITY AND LISA LORENZIN, JUNIPER NETWORKS FOR THE TRUSTED COMPUTING GROUP


It all started out innocently enough. The IT manager for a major food manufacturer hired a consultant to scan the company’s PCs, find out which ones were out of date, and then apply the necessary patches – pretty standard stuff. So it was a big surprise when he received a call from a control systems engineer in the production department asking about unusual network activity coming from the enterprise network. They discovered that the consultant had accidentally scanned a range of IP addresses that were assigned to programmable logic controllers (PLCs) on the plant floor. The scanning caused every single PLC to crash, bringing the plant to a complete standstill and leading to the loss of over $1 million of work in process.

This was a rather expensive outage for the company in question; fortunately, cookie dough doesn’t explode when it hits the plant floor. However, managers at other types of plants such as chemical, oil and gas, or nuclear facilities have to consider the potential safety issues that can be caused by cyber security incidents in their Supervisory Control and Data Acquisition (SCADA) and control infrastructure, in addition to the potential financial impact.

An industrial control system, at its simplest, is a digital process controlling a real-world event. This could be a robotic arm on a manufacturing floor, a cooling pump in a nuclear reactor, or a valve in an oil pipeline. Most control system networks were designed as isolated, self-contained end-to-end networks. However, more and more organizations are interconnecting control system networks with corporate enterprise networks to maximize accessibility and reduce cost.

Multiple business drivers compel this increase in interconnectivity. Geographically dispersed systems are expensive; an oil company managing refineries all over the world wants to reduce costs by consolidation. Improved responsiveness leads to cost savings; electric Independent System Operators (ISOs) need real-time generation output for managing shortages and selling excess. Business must be agile; just-in-time manufacturing enables quick response to volatile supply and demand. Maintenance costs can be minimized by enabling remote debugging and repair; integrating SCADA and IP networks eliminates the expense of additional cabling in an industrial environment, which can cost up to $3000 per foot.

Even efforts to protect the networks can lead to unintended consequences. Regulations such as the Critical Infrastructure Protection (CIP) standards from the North American Electric Reliability Corporation (NERC) drive integration, as electric ISOs seek access to production data in real time to demonstrate compliance. Ironically, the pursuit of security itself can lead to exposure! Protective measures such as centralizing access control to minimize tampering, or extending closed-circuit TV monitoring or VoIP to remote stations, require increased accessibility.

Challenges of Interconnectivity

Clearly, interconnectivity is the wave of the future – but many control system components were conceived in the past. Control devices, and the PCs that manage them, are very vulnerable – not only to malicious attacks using malformed network data, but also in many cases to even high levels of well-formed network traffic. PLCs and remote terminal units (RTUs) are typically optimized for high-performance real-time I/O, not for robust network interfaces. In addition, control networks run continuously for weeks or months at a time, and many systems cannot be shut down even for a few minutes without significant financial or safety impact. As a result, the PCs in these networks are often not up to date with security patches or anti-virus definitions.

Secondly, control networks are usually poorly segmented, with little or no separation between different subsystems or even different physical locations. If a problem occurs in one area of the network, it will spread rapidly to other unrelated systems elsewhere in the network. Poor segmentation also makes it very difficult to locate the origin of a problem and resolve it at the source. In the early days, control networks started as very simple ‘islands’ of automation, but they have steadily grown in size and complexity over time.

The third common issue is the existence of multiple points of entry into these networks. Many control network managers will swear up and down that their control systems are not connected to the enterprise network or the internet, but authorized penetration testing often shows otherwise. In addition, there are often other transient paths of entry that don’t even show up on a network diagram: VPN connections, laptops or even USB memory sticks traveling in and out of the plant can easily carry viruses right into the heart of the plant network.
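The scoping mistake in the opening incident, combined with the point above that PLCs can fail under ordinary network traffic, calls for a check before any enterprise-side scan runs. The following Python is an added example, not part of the original article; the address plan and the function names `carve_out` and `approve_scan` are hypothetical. It removes control-network ranges from a scan request and refuses by default when the request touches them.

```python
import ipaddress

# Constructed sample address plan (hypothetical, not from the article).
CONTROL_RANGES = ["10.20.0.0/22", "10.20.8.0/24"]    # PLC / RTU subnets
REQUESTED_SCAN = ["10.20.0.0/16", "192.168.5.0/24"]  # patch-audit request


def carve_out(targets, protected):
    """Remove every protected range from the targets.

    Returns (safe, blocked): the networks that remain scannable and the
    protected portions that were cut out of the request.
    """
    pending = [ipaddress.ip_network(t) for t in targets]
    blocked = []
    for prot in map(ipaddress.ip_network, protected):
        remaining = []
        for net in pending:
            if not net.overlaps(prot):
                remaining.append(net)
            elif net.subnet_of(prot):
                blocked.append(net)      # target lies wholly inside a control range
            else:
                blocked.append(prot)     # control range sits inside the target
                remaining.extend(net.address_exclude(prot))
        pending = remaining
    return list(ipaddress.collapse_addresses(pending)), blocked


def approve_scan(targets, protected, carve_approved=False):
    """Fail closed: refuse any request that touches a control range unless
    the carve-out has been explicitly approved by the control-system owner."""
    safe, blocked = carve_out(targets, protected)
    if blocked and not carve_approved:
        raise PermissionError(
            "scan request overlaps control ranges: "
            + ", ".join(str(b) for b in blocked))
    return safe


if __name__ == "__main__":
    try:
        approve_scan(REQUESTED_SCAN, CONTROL_RANGES)
    except PermissionError as err:
        print("refused:", err)
    for net in approve_scan(REQUESTED_SCAN, CONTROL_RANGES, carve_approved=True):
        print("scan", net)
```

The protected list is only as good as the asset inventory behind it, so it should be maintained by the control-system owners rather than derived from the enterprise network diagram.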

Discuss

  • Mattes
  • March 01, 2010
  • 9:50pm

Excellent article. It really seems like the IF-MAP SCADA components can be part of a comprehensive security solution. I'd like to try this out.
