infrastructure DEFENSE security services

Industrial Control Systems are Not Exempt from Attacks

In July 2010, the first computer worm known to target control systems was discovered. Referred to as Stuxnet, this worm has proven to be one of the most advanced of its kind, exploiting previously undocumented weaknesses in the Windows operating system and possessing the ability to exploit a particular control system platform. It took nearly five months from the time Stuxnet was discovered until Microsoft had issued patches closing the four zero-days that Stuxnet exploited.

In March 2011, a combination of events occurred, including the public disclosure of more than 36 vulnerabilities covering six different SCADA systems, released complete with "proof-of-concept" code for exploiting these vulnerabilities on the target systems (see additional information on this site). At the same time, the Russian security firm Gleg released its Agora SCADA+ exploit pack add-on for the Immunity Canvas framework, which provided, for a fee, exploit modules for a wide range of products, including some additional "zero-day" vulnerabilities that had not been addressed by the system vendors.

Control System Security is not the same as IT Security

A common trap that many users of industrial control systems fall into when seeking advice on the best approach to securing a control system is that they turn to professionals who primarily work in the information technology (IT) domain. As any control system engineer knows, these two worlds are drastically different. The obvious difference is the classic shift in priorities from C-I-A (confidentiality, integrity, availability) to A-I-C. Other differences have to do with the "sensitivity" of the communications stacks and protocols that interconnect all of the individual pieces of these very large, complex, heterogeneous solutions.

What usually happens is that security assessments and audits tend to focus on the low-hanging fruit and miss some of the more subtle, yet equally vulnerable, targets within the overall system architecture. SCADAhacker understands this, and believes that any service dealing with control system security, from awareness to standards development to assessments and audits, must address all aspects of the automation solution. This is important because each component introduces unique vulnerabilities that must be identified, reviewed, and assessed.

ICS Vulnerabilities

One simple analogy is that in the safety world, safety functions and integrity ratings are developed for the entire "loop", which covers everything from initial measurement to final actuation. The same approach needs to be applied to determining and measuring "security assurance". With a staff of professionals possessing decades of control system experience, gained on some of the largest control system integration projects globally, I-Def is ready to work together to better secure the systems controlling our infrastructure.

Cyber Security Services from an ICS Point of View

As a wake-up call to the automation and control systems business, I-Def has responded with a comprehensive set of security services for industrial clients. This service portfolio begins by offering clients a simple security audit. This audit is intended to be passive in nature and does not actually exploit any system equipment. Instead, it focuses on reviewing the client's current policies relating to cyber security, assessing compliance with these policies, and performing simple audits of critical system components against a "high-risk" checklist. This results in a gap analysis and report which highlights potential security vulnerabilities and recommendations for correcting these weaknesses. For clients requiring additional services designed to assess their current security posture, we can then connect test servers to the control system infrastructure and provide system vulnerability assessments. These assessments expose additional vulnerabilities within the various components of the control system that a simple audit is unable to reveal, and provide documentation relating to the overall security posture of the system. This test can also be tailored to assess compliance with existing security policies.

The figure below graphically shows the various security services and how they compare on a value (e.g. cost) basis versus the amount of time involved in the activity.

Security Services

The most advanced service offering available to industrial clients involves performing an actual system penetration test, where the consultant attempts to exploit non-critical system components, such as external firewalls, secondary workstations, and backup or non-critical servers, to gain access to and control over the control system. These tests provide the greatest amount of information relating to the actual risk a particular system faces from a cyber security attack. What is important to understand is that most attacks originate from "inside" an organization. This is an often overlooked aspect of the potential threats, and is one of the reasons the Stuxnet worm represents such a significant threat to control systems. Stuxnet was initially introduced via a common USB flash memory stick, and was able to propagate within the control system network and communicate with external servers that could then issue actual commands to various controllers connected to the system.

Security Testing for Control Systems

I-Def, working closely with trusted partners experienced in ICS cyber security, is actively working with clients to explain the necessity of performing rigorous security tests during the standard factory and site acceptance test phases of most control system projects. This is the last opportunity most clients have to thoroughly test the security posture of the system before it is commissioned and placed in service. Once a system is operational, rigorous testing is often considered too risky. SCADAhacker also encourages clients to consider adding advanced system security testing during planned outages and maintenance turnarounds, when the control systems can be examined while not actually controlling an active process.

The picture below illustrates some of the common components within an integrated control system. These components are typically supplied by a wide range of vendors and then integrated. Many of the "primary" components, such as system servers, HMIs, and controllers, may have sufficient security designed into them. However, the problem often arises when secondary components that do not follow the same cyber security philosophy (either because they come from different vendors or because of vendor development activities) are placed in the architecture. These components then become the logical entry point from which to launch a potential attack.

ICS Attack Vectors

It is important to conduct security testing on "as-built" or "as-shipped" integrated control systems, because only when the system has been completely integrated is it possible to assess the entire system and identify latent vulnerabilities in secondary components that could lead to a complete compromise of the automation system.