ICS Engineering Inc.
Electrical Consulting | Communications | Automation

Are Industrial Control Networks Secure?

In 2010, the clandestine world of cyber-attacks took aim at control systems. Siemens PLCs operating Iran's nuclear enrichment facility were attacked by sophisticated, state-sponsored malware whose main aim was industrial espionage & sabotage. It was an abrupt awakening that viruses could now illicitly access the previously isolated world of industrial control systems, PLCs and SCADA networks.

Industrial control networks

So, the simple answer to the question, "Are industrial control systems secure?" is no. Insecure control systems and unqualified industrial IT networks put companies at financial risk.

Even worse, since PLC programming and DCS controllers are used in water treatment plants, oil & gas pipelines & power distribution, vulnerabilities in these control networks can put societies and public safety at risk.

In the past, SCADA & PLC systems were segregated from the corporate network and only trained operators and engineers had access. Security protocols weren't in-depth since the only way to break into the system was to be physically at the operating console.

Today, the control network is connected to the corporate network to allow business management software to access historical databases, to forecast maintenance trends and to monitor performance.

The once segregated control network is now an extension of the corporate network and critical control data shares bandwidth with enterprise data.

Even with updated virus scanners & network firewalls, electronic attacks are now sophisticated enough to go undetected until havoc has been unleashed.

Securing the Industrial Control System

Security for SCADA & control systems is challenging for different reasons:

  • Everyone's Pointing Fingers - Who is the rightful guardian of the critical control network - the IT department, the operations department, the engineering group? While corporate IT departments secure common computer platforms, control systems run on RSLogix & others, which means that ordinary IT security solutions will not be sufficient.
  • Now that SCADA & PLCs are connected using standard protocols like TCP/IP, if hardware & firmware are not updated frequently, these subsystems may be exposed to attack. Using open-source protocols means more vulnerabilities.
  • Network Traffic - As more devices are connected to the control network, it's getting harder to monitor network performance. All personnel should be trained as network monitors and asked to report suspicious traffic patterns.
  • Attack from Within - Even though it's important to guard against an external attack, it's almost impossible to protect against internal sabotage from disgruntled employees. To slow the process:
    • Restrict access with passwords.
    • Have different clearance levels and grant permission only to those whose backgrounds have been reviewed.
    • Record past activity and regularly review user operation.
    • Explain & enforce an ethics & disciplinary policy.

As the American National Standards Institute stated, "...the single biggest threat to cyber security is misunderstanding." As control systems engineers, our jobs, our companies and our society are relying on us to be knowledgeable and effective at industrial control system security.
