Control system security

Control system security is the prevention of intentional or unintentional interference with the proper operation of industrial automation and control systems. These control systems manage essential services including electricity, petroleum production, water, transportation, manufacturing, and communications. They rely on computers, networks, operating systems, applications, and programmable controllers, each of which could contain security vulnerabilities. The 2010 discovery of the Stuxnet worm demonstrated the vulnerability of these systems to cyber incidents. The United States and other governments have passed cyber-security regulations requiring enhanced protection for control systems operating critical infrastructure.

Control system security is known by several other names such as SCADA security, PCN security, industrial network security, and control system cyber security.

Risks

Insecurity of industrial automation and control systems can lead to the following risks:

  • Safety
  • Environmental impact
  • Lost production
  • Equipment damage
  • Information theft
  • Company image

Vulnerability of control systems

Industrial automation and control systems have become far more vulnerable to security incidents due to the following trends that have occurred over the last 10 to 15 years.

  • Heavy use of Commercial Off-the-Shelf (COTS) technology and protocols - Integration of technology such as MS Windows, SQL, and Ethernet means that process control systems are now vulnerable to the same viruses, worms and trojans that affect IT systems
  • Increased Connectivity - Enterprise integration (using plant, corporate and even public networks) means that legacy process control systems are now being subjected to stresses they were not designed for
  • Demand for Remote Access - 24/7 access for engineering, operations or technical support means more insecure or rogue connections to the control system
  • Public Information - Manuals on how to use control systems are publicly available to would-be attackers as well as to legitimate users

Regulation of control system security is rare. The United States, for example, only does so for the nuclear power and the chemical industries.[1]

Government efforts

The U.S. Government Computer Emergency Readiness team (US-CERT) has instituted a Control Systems Security Program (CSSP) which has made available a large set of free National Institute of Standards and Technology (NIST) standards documents regarding control system security.

Control system security standards

ISA99

ISA99 is the Industrial Automation and Control System Security Committee of the International Society for Automation (ISA). The committee is developing a multi-part series of standards and technical reports on the subject, several of which have been publicly released. Work products from the ISA99 committee are also submitted to IEC as standards and specifications in the IEC 62443 series.

  • ISA-99.01.01 (formerly referred to as "Part 1") (ANSI/ISA 99.00.01) is approved and published.
  • ISA-TR99.01.02 is a master glossary of terms used by the committee. This document is still a working draft but the content is available on the committee Wiki site (http://isa99.isa.org/ISA99%20Wiki/Master%20Glossary.aspx)
  • ISA-99.01.03 identifies a set of compliance metrics for IACS security. This document is currently under development.
  • ISA-99.02.01 (formerly referred to as "Part 2") (ANSI/ISA 99.02.01-2009) addresses how to establish an IACS security program. This standard is approved and published. It has also been approved and published by the IEC as IEC 62443-2-1
  • ISA-99.02.02 addresses how to operate an IACS security program. This standard is currently under development.
  • ISA-TR99.02.03 is a technical report on the subject of patch management. This report is currently under development.
  • ISA-TR99.03.01 is a technical report on the subject of suitable technologies for IACS security. This report is approved and published.
  • ISA-99.03.02 addresses how to define security assurance levels using the zones and conduits concept. This standard is currently under development.
  • ISA-99.03.03 defines detailed technical requirements for IACS security. This standard is currently under development.
  • ISA-99.03.04 addresses the requirements for the development of secure IACS products and solutions. This standard is currently under development.
  • Standards in the ISA-99.04.xx series address detailed technical requirements at the component level. These standards are currently under development.

More information about the activities and plans of the ISA99 committee is available on the committee Wiki site.

American Petroleum Institute

API 1164 Pipeline SCADA Security

North American Electric Reliability Committee (NERC)

NERC Critical Infrastructure Protection (CIP) Standards

Guidance documents

American Chemistry Council

ChemITC Guidance Documents

Insightful Articles

Industrial Networking Security

Control system security certification

ISA Security Compliance Institute

Related to the work of ISA 99 is the work of the ISA Security Compliance Institute. The ISA Security Compliance Institute (ISCI) has developed compliance test specifications for ISA99 and other control system security standards. It has also created an ANSI-accredited certification program called ISASecure for the certification of industrial automation devices such as programmable logic controllers (PLC), distributed control systems (DCS) and safety instrumented systems (SIS). These types of devices provide automated control of industrial processes such as those found in the oil & gas, chemical, electric utility, manufacturing, food & beverage and water/wastewater processing industries. There is growing concern from both governments and private industry regarding the risk that these systems could be intentionally compromised by "evildoers" such as hackers, disgruntled employees, organized criminals, terrorist organizations or even state-sponsored groups. The recent news about the industrial control system malware known as Stuxnet has heightened concerns about the vulnerability of these systems.

References

  1. ^ Gross, Michael Joseph (2011-04). "A Declaration of Cyber-War". Vanity Fair. Condé Nast. http://www.vanityfair.com/culture/features/2011/04/stuxnet-201104. Retrieved March 03, 2011. 


Wikimedia Foundation. 2010.
