If you have paid much attention at all to Control Systems news in the past year, you undoubtedly have heard of the Stuxnet worm. For those of you not in the know, the worm was found to have infected many industrial systems that ran Siemens PCS7. After analysis of the software and its payload, it was discovered that the worm was a targeted attack against a system exhibiting certain characteristics. When it found these markers, the worm would inject itself into the Siemens PLC running the process and surreptitiously change VFD settings on certain drives.
It was speculated, then later confirmed, that the target of the attack was the Natanz nuclear facility in Iran, specifically destroying centrifuges used to enrich uranium. The attack appeared successful in that hundreds of centrifuges were damaged at the site, causing replacements to be needed, and stalling, for a while, enrichment programs.
Should we fear an attack like this? Not really. This was a highly sophisticated attack, which probably had some sort of government backing and resources that are out of reach to the large majority of hackers. If a group is dedicated and has sufficient funding and time, they will be able to break through your security. Our job is to make that threshold so high that it is unreasonable for them to do so.
The only sure-fire way of locking down your system is to completely disconnect it from the outside and disallow physical access to the controllers/servers. This, of course, is impossible to do as more and more systems are being tied together using SCADA software so that real-time monitoring can be used on the enterprise level. Listed below are some simple strategies that are effective, and when used together, forms stronger security by creating a “defense in depth” strategy. This is not an exhaustive list, but it will get you started heading in the right direction:
Segregate your networks
You should never have your control and business networks on the same network. The security implications are obvious in that one malicious email attachment could bring down both networks, but there are also performance gains that can be achieved by separating the two.
A DMZ (demilitarized zone) is a section of a network which can be accessed by both your control network and your business network. It provides an intermediate layer of security in that the business network can only access certain servers that reside in the DMZ, such as a data historian, and the control network can push data into this DMZ, but the control and business networks never speak directly.
Anti-virus (AV) integration into control system networks can be a tricky thing. For anti-virus products to be effective, they need regular updates to stay on top of new attacks. In a locked-down or validated system, patching is almost non-existent and anti-virus products would not get the updates they need. Another problem with AV solutions is that vendors require certain files and folders to be excluded from scans in order for the products to play nicely together. This can cause a system to lose responsiveness and AV effectiveness can be lost.
One way to utilize anti-virus products is to have it sitting on a gateway server, so that any files transferring in and out of the system must pass through and be scanned before being allowed into the main servers. This server could also vet any USB drives or CDs that would be used on the other servers.
Deny Access by Default
Configuring firewalls between networks is something that many companies fail to do adequately. Many configurations are rushed, leaving them incomplete with gaping security holes. It’s akin to barricading your front door while leaving your window wide open. The best policy is to deny all traffic by default, and only allow connections on an exception basis, a concept called ‘whitelisting’. This may be time consuming, as you need to figure out exactly what traffic or programs are necessary to allow through the firewall, but it provides much better security overall.
Restrict Physical Access
You’d be surprised how many installations have very good IT infrastructure security, but allow anyone to be able to walk up to a cabinet in the field and hook up their laptop directly to the PLC or network switch. Simple solutions, such as locking control panels, and allowing only certain pre-screened engineering laptops on the control network can increase security and stop the proliferation of harmful worms and viruses.
Disable USB/CD Autoplay
The original vector for Stuxnet was through infected USB drives that integrators took with them around the world and plugged into control systems. It is good practice to disable Autoplay in Windows, so these infections are not spread through merely inserting a USB device.
To disable Autoplay on Windows XP:
- Bring up the Run prompt using Win+R
- Type gpedit.msc and press Ok.
- Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > System
- Under the settings in the right-hand window pane, double-clickTurn off Autoplay
- Select the Enabled radio button and select All Drives from the drop-down menu to disable Autoplay on all drives.
- Press OK.
I believe lasting legacy of Stuxnet will not be that of a new era of attacks on control systems, but an era of focusing more on the security of these systems. For too long has the industry relied on security through obscurity; it’s time to be more proactive in our security practices.
Below are some links for further reading about industrial control system security:
- www.tofinosecurity.com – ICS security devices and information
- http://www.digitalbond.com/ – Lots of good ICS information
- http://www.us-cert.gov/control_systems/ics-cert/ – US Government’s Industrial Control Systems Cyber Response Team
[Original post by: Kevin Rawls]