Operators of America's vital power, water and manufacturing facilities use industrial control systems (ICS) to manage them. But the security of these systems, increasingly linked with Microsoft Windows and the Internet, is now under intense scrutiny because of growing awareness that they could be attacked and cause massive disruptions.
Industrial facility operators are making efforts to follow security procedures, such as using vulnerability-assessment scanning tools to check for needed patches in Windows. But ICS environments present special problems, say managers who spoke on the topic at a conference organized by the Department of Homeland Security.
"A lot of my ICS systems are running on Windows Server 2003," said Tracy Waller, a manager in the process and controls engineering division at Savannah River Site, the sprawling Department of Energy facility in Aiken, S.C., where nuclear-weapons-related tasks, such as processing tritium and managing waste, are done. Supervisory control and data acquisition (SCADA) systems "don't play well with Microsoft patches," he noted. The problem is that it's not always clear that ICS will work properly after Microsoft patches are applied. Sometimes vendors want customers to buy new ICS gear to keep up with Windows releases.
Waller said it's not possible to scan the actual working ICS production network because doing so would likely bring it down, so an exact duplicate of the ICS network is maintained separately and scanned regularly as a surrogate to check for and patch Windows-related holes. Waller said he uses tools such as Hercules, Nessus and Shavlik (now owned by VMware) to monitor the ICS-based networks. Because ICS operates around the clock for industrial purposes, machine operators never log out. "Passwords are shared," he said, noting that five shifts would use the same password, and that who is at the controls is tracked through a written log check-in. "The password is changed once a year."
While ICS and SCADA once seemed safely tucked away in the depths of engineering, they are now subject to security demands from the IT and security departments, and the two groups don't always get along. Eric Cosman, engineering consultant at Dow Chemical, said cooperation there is fostered by inviting the IT division into the plants to promote constructive discussion and choices. But at the same time, he said he hoped IT security professionals would abandon the role of "high priest." Infighting between IT and the process engineers makes everyone look like "the kids who can't get things done," he warned.
These days, energy and manufacturing facilities are being openly warned by DHS and ICS-CERT, the DHS investigative arm, that they are being targeted by attackers who often try to infiltrate business networks, frequently through spear-phishing attacks against employees, in order to also gain information about ICS operations. The idea is that this information could be used by a nation-state or criminal organization to disable America's critical infrastructure. The advent of the Stuxnet malware, which struck an Iranian nuclear facility in 2010 and affected Siemens control equipment used there, has also upped the ante, since Stuxnet is thought to have been a malware-based attack from Iran's enemies — either Israel, the U.S. or both.
The idea of cyberwar is starting to transform the once closed world of ICS vendors and users, forcing them to more vigorously debate the status of security on ICS networks. Based on much debate heard at this conference, there's tension between ICS vendors and users over security. Vendors say they want to improve their products, but when they do, they aren't even sure their customers know and make use of the security they provide.
In addition, a recent vulnerability-disclosure effort by researchers, called Project Basecamp, publicly highlighted vulnerabilities in commercial ICS equipment, though most were said to be known vulnerabilities. There's debate about whether Project Basecamp made things better by putting pressure on vendors to fix their products, or encouraged attackers because some vulnerability information ended up in the Metasploit open-source assessment tool.
"There will always be vulnerabilities in industrial control systems," said Brad Hegrat, business manager for the automation portfolio at Rockwell Automation, during a panel discussion that tackled a barrage of audience questions from users, analysts and other vendors. "There are many features in our products today that users choose not to leverage." He said Project Basecamp didn't change anything at all and simply heightened risk, particularly associated with Microsoft and Adobe, through public disclosure.
Some vendors say customers don't do enough lobbying.
"Customers are going to have to start demanding security," said Markus Braendle, head of cybersecurity for ABB Group. He noted customers too often let equipment such as programmable logic controllers operate almost untouched for over a decade. He said ABB Group is now out trying to raise awareness with customers about cybersecurity.
"Cyberwar was not a term we used when most of the field devices were deployed," noted Rob McComber, security program manager at Telvent, now part of Schneider.