By Peter Cleaveland
Technical Editor, PD&D
March 5, 2007
September 11, 2001 brought the vulnerability of the United States into
sharp focus, yet it was not the first terrorist attack on our shores.
The World Trade Center itself had been bombed in 1993, and home-grown
terrorists had blown up the Murrah Federal Building in 1995. Then in
June of 2004, the CBS News program 60 Minutes showed reporters walking
unchallenged into facilities storing chlorine, anhydrous ammonia and
boron trifluoride. The public began to realize that the casualty count
from an attack on one of these could dwarf those of both Oklahoma City
Cyber attacks have also proliferated, many of them against SCADA
(supervisory control and data acquisition) systems. In 2004 US-CERT, the
United States Computer Emergency Readiness Team, stopped reporting
statistics for attacks on SCADA systems, saying increased use of
automated attack tools had made any such counts meaningless. Attacks
from 1988 to 2003 totaled 319,992, with 137,529 counted in 2003 alone.
Where Are We Now?
It is difficult to obtain an accurate count of attacks on industrial
facilities. Incidents are reported in the press from time to time, and
there are databases listing attacks, but, says Marilyn Guhr, senior
marketing manager in Honeywell's Lifecycle Services group, "We think that
only about ten percent or so of the incidents, maybe less than that,
ever get reported."
While the threat is real, U.S. companies have made substantial progress
in bolstering their defenses. For example all member companies of the
American Chemistry Council (ACC) are required, as a condition of
membership, to comply with the ACC's Responsible Care Security Code of
Management Practices, which begins with a thorough vulnerability
The program, says Ted Cromwell, ACC's senior director of security and
operations, was developed with the aid of Sandia Labs and the Center for
Chemical Process Safety, and was put together through
nationally-accredited programs. But there is a limit to what ACC can do.
While its members have 85 percent of the nation's chemical production
capacity, says Cromwell, there are another 15,000 to 20,000 sites
outside ACC's purview that fall under the Department of Homeland
Security's classification as chemical facilities. These could range from
a local paint store to a warehouse full of solvents or pesticides.
The first step to security is to find out where you are: get an
assessment done. Some control system vendors provide services that can
be tailored to the individual plant. According to Henry Malo,
SureService business development manager, Emerson Process Control,
"Calling a third-party organization such as us, that is familiar with the
DCS, can quickly bring clarity as to where there are potential issues
and where there are best practices." The service, he continues, can
"document that and facilitate the company understanding their baseline of
where they are, and the things they can do to mitigate risk."
The 60 Minutes report showed how easy it would be to walk through an
unlocked gate or drive a truck through a fence to cause a large-scale
chemical release, but the defenses against that vary. In Texas, says
ACC's Cromwell, it may be half a mile from the gate to the actual process
equipment, while in a crowded state like New Jersey there may be process
equipment just 15 feet from the perimeter fence. In a lowland area with
drainage ditches, it might be possible to configure those drainage
ditches to block a bomb-laden truck, while in New Jersey, a mechanical
arrangement or concrete barrier might be needed.
Attacks don't have to come from the outside. Just because someone wears a
hard hat and shoes and goes in the contractors' entrance doesn't mean he
belongs there. Employee screening, badges, and employees trained to step
up and question people who don't seem to be in the right place can go a
Idaho National Laboratories likens cyber security to an arms race. Over
time the attackers change, their techniques and motivations change and
their knowledge and understanding changes. On the defender (your) side,
new vulnerabilities are constantly discovered and the technologies of
the defended systems, and the system knowledge, must change as well.
Figure 1 is a graphic representation of the range of threats and of
The most obvious way to prevent an attack on a control system would seem
to be to have no connection between the plant control network and the
outside world. An air gap between the two leaves no path for intrusion.
But a connection is usually necessary, either for remote monitoring,
notifying plant personnel of upsets, or connecting to a remote
maintenance or database service. If such a connection isn't provided
intentionally it may appear by itself, as plant personnel install local
modems or wireless links without the knowledge of the people in charge
of plant security.
There are tools available to detect so-called rogue wireless LAN users,
and they should be used on a regular basis. Any connection between the
corporate network and the control network must be designed with care. At
a minimum, there should be a firewall between the two, although a
poorly-designed system may give the illusion of safety without providing
Firewalls take a number of forms, both software-based and
hardware-based. Software firewalls are available from firms like
Symantec, and there is a firewall built into Windows XP. Hardware
firewalls may be stand-alone units or be included in routers.
As pointed out in the Emerson Process Control white paper "Best
Practices for DeltaV Cyber-Security", "The firewall should be set up to
allow only specific users to access the system and to block access
through any ports not specifically needed to support the [control
system] connections to the outside LAN. Specifically, port 80 for the
Internet and all/any ports that would allow e-mail access must be closed."
Firewalls come in several flavors, according to NIST Special Publication
800-82, Guide to Supervisory Control and Data Acquisition and Industrial
Control Systems Security.
Packet filtering, the simplest, checks basic information in each packet
against a set of rules. The application-proxy gateway examines packets at
the application layer and filters traffic according to
application-specific rules, such as permitting only specified applications.
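A packet filter of the kind NIST describes, configured to the DeltaV white paper's rule (only specific hosts reach the control system, port 80 and the e-mail ports closed, everything else denied), as an added Python example that is not from the article or from any vendor. The address plan, the application port 5450 and the list of ports treated as e-mail are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source network, CIDR
    dst: str              # destination network, CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

def decide(p: Packet, rules) -> str:
    """Stateless packet filter: first matching rule wins; no match means deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Constructed address plan (assumption): corporate LAN 10.1.0.0/16, control
# network 192.168.50.0/24, DCS server 192.168.50.10, and a single authorised
# engineering workstation 10.1.7.25 standing in for the "specific users".
ANY, DCS, ENG_WS = "0.0.0.0/0", "192.168.50.10/32", "10.1.7.25/32"
# Ports the white paper says must be closed: 80 plus anything giving e-mail
# access. Which ports count as e-mail is my assumption (SMTP, POP3, IMAP,
# submission, IMAPS, POP3S).
CLOSED_PORTS = (80, 25, 110, 143, 587, 993, 995)
# Assumed application port the workstation needs on the DCS server.
DCS_APP_PORT = 5450

RULES = (
    [Rule("deny", ANY, ANY, "any", port) for port in CLOSED_PORTS]
    + [Rule("allow", ENG_WS, DCS, "tcp", DCS_APP_PORT)]
)  # nothing else is listed, so every other packet falls through to deny
```

Because the allow rule names one host, one protocol and one port, a second workstation, a UDP probe, or a web or mail connection from the authorised host are all dropped.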
Additional security can be gained by establishing a so-called
Demilitarized Zone (DMZ), a separate network segment that connects
directly to the firewall. The DMZ can contain things like the data
historian, the wireless access point, or remote and third-party access
systems. One way to do this is to run all connections through a
Many security breaches are caused by sheer carelessness. One of the
biggest issues, says Bob Huba, senior product manager, DeltaV at Emerson
Process Control, is "keeping users from bringing in portable media like
floppy disks and memory sticks to download MP3s so they can listen to
them, or download a game so they can play, and in the meantime infect
Some facilities allow employees to connect laptops to the corporate LAN,
but when disconnected and used elsewhere, such a laptop can become
infected with malware, which is then introduced when the user
re-connects to the LAN.
One might think that the security measures used by the company's IT
department would be sufficient, but a control network and a corporate
network are used differently, have different priorities, and are
maintained differently, which means that normal IT security measures may
not be applicable to the control network, and may actually degrade or
disable it. The IT department's priorities, says Huba, are
"confidentiality, availability and integrity in that order. In our world,
it's the opposite. Availability is most important, integrity is
important, and confidentiality tends not to be a big issue."
Selling It To Management
Some corporate types resist spending anything that doesn't have an ROI
attached. "If I'm a control systems manager, trying to put forward a
project that will increase the security of my control systems," says
Marty Edwards, industry liaison lead for control system security
program, Idaho National Labs, "how do I put that into a business case or
an ROI type of conversation that I can have with my upper management so
I can secure budgetary funding?"
The answer, suggests Ric Kucharyson, senior marketing manager for
Honeywell Process Solutions' Migrations and Expansion Solutions group, is
to ask yourself one simple, yet important question: "What if this
particular asset got hit at some level of criticality, and what would it
cost if that damage did occur?"
Perhaps the first place to look for assistance is the vendor of your
plants control system. Many control system vendors, including Invensys
Process Systems, Emerson Process Control and Honeywell Process Solutions,
provide security services, beginning with vulnerability assessments and
extending to match whatever type of program the plant may need.
Acknowledgements: Ted Cromwell, senior director of security and
operations, American Chemistry Council; Bob Huba, senior product
manager, DeltaV, and Henry Malo, SureService business development
manager, both at Emerson Process Control; Ric Kucharyson, senior
marketing manager for Honeywell Process Solutions' Migrations and
Expansion Solutions Group; Marilyn Guhr, senior marketing manager in
Honeywell's Lifecycle Services Group; Marty Edwards, industry liaison
lead for control system security program at Idaho National Labs; and
Ernie Rakaczky, program manager for cyber security and Doug Clifton,
senior solutions architect, both of Invensys Process Systems.
Copyright 2007 Advantage Business Media. All rights reserved.