IT Security for Industrial Control Systems
Abstract
The National Institute of Standards and Technology (NIST) is working to improve the information technology (IT) security of networked digital control systems used in industrial applications. This effort is being carried out through the Process Control Security Requirements Forum (PCSRF), an industry group organized under the National Information Assurance Partnership (NIAP). The PCSRF is working with security professionals to assess vulnerabilities and establish appropriate strategies for developing policies that reduce IT security risk within the U.S. process control industry. The outcome of this work will be the development and dissemination of best practices and, ultimately, security specifications based on the Common Criteria (ISO/IEC 15408) that will be used in the procurement, development, and retrofit of industrial control systems. In support of this work, this paper addresses the computer control systems used within the process control industries, their similarities, and their network architectures. A generic set of network architectures for industrial process control systems is presented. The vulnerabilities associated with these systems and the IT threats to which they are exposed are also presented, along with a discussion of the Common Criteria and its intended use in this effort. The current status and future efforts of the PCSRF are also discussed.

Introduction

The Intelligent Systems Division of the NIST Manufacturing Engineering Laboratory is working with the NIST Information Technology Laboratory and the NIST Electrical and Electronics Engineering Laboratory to improve the IT security of networked digital control systems used in industrial applications. This effort is being carried out through the Process Control Security Requirements Forum (PCSRF), an industry group organized under the National Information Assurance Partnership (NIAP).
NIAP is a joint effort between NIST and the National Security Agency (NSA). As part of the Critical Infrastructure Protection Program, NIST and NSA are working to provide technical support and guidance to industry to improve the Nation's security posture. The outcome of this work will be the development and dissemination of best practices and, ultimately, security specifications that will be used in the procurement, development, and retrofit of industrial control systems. The PCSRF is a working group comprising representative organizations from the various sectors that make up the U.S. process control industry and the vendors that design, produce, and/or integrate components and systems for that industry. The PCSRF is working with security professionals to assess vulnerabilities and establish appropriate strategies for developing the policies and countermeasures that the U.S. process control industry would employ, through a combination of IT and non-IT mechanisms, to reduce residual risk to an acceptable level. The Common Criteria for Information Technology Security Evaluation, also known as ISO/IEC 15408, is being used to document the results of this effort in the form of Common Criteria Protection Profile security specifications. The primary focus of the group is to improve the IT security of the computer control systems used in process industries, including electric utilities, petroleum (oil and gas), water, waste, chemicals, pharmaceuticals, pulp and paper, and metals and mining, with an emphasis on industries considered part of the Nation's Critical Infrastructure. This paper discusses the computer control systems used within the process control industries, their similarities, and their network architectures. A generic set of network architectures for industrial process control systems is presented.
The IT threats to which these systems are exposed are also presented, along with a discussion of the Common Criteria and its intended use in this effort. The current status and future efforts of the PCSRF are also discussed.

Process Control Computer Systems

Real-time computer control systems used in process control applications have many characteristics that differ from those of traditional information processing systems used in business applications. Foremost among these is design for efficiency and time-critical response. Security is generally not a strong design driver and therefore tends to be bypassed in favor of performance. Computing resources (including CPU time and memory) available to perform security functions tend to be very limited. Furthermore, the goals of safety and security sometimes conflict in the design and operation of control systems.

Note: Commercial equipment and materials are identified in this paper in order to adequately specify certain systems. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the materials or equipment identified are necessarily the best available for the purpose.

Digital industrial control systems can be either process-based or discrete-based. Process-based controls [1] are used to control a continuous process, such as fuel or steam flow in a power plant or petroleum in a refinery. Discrete-based controls (otherwise known as batch controls) control discrete parts manufacturing or "batches" of material in a chemical plant. Both utilize the same types of control systems, sensors, and networks. While the efforts of the PCSRF are currently geared toward continuous processing systems, the results will likely be applicable to discrete-based systems as well. The key control components of an industrial control system, including the control loop, the human machine interface (HMI), and remote diagnostics and maintenance utilities, are shown in Figure 1.
A control loop consists of sensors for measurement, control hardware, process actuators, and the communication of measured variables. Measured variables are transmitted to the controller from the process sensors. The controller interprets the signals and generates corresponding control signals, which it transmits to the process actuators. The resulting process changes produce new sensor signals identifying the state of the process, which are again transmitted to the controller. The human machine interface allows a control engineer or operator to configure set points, control algorithms, and parameters in the controller. The HMI also displays process status information, including alarms and other means of notifying the operator of malfunctions. Diagnostic and maintenance tools, often made available via modem and Internet-enabled interfaces, allow control engineers, operators, and vendors to monitor and change controller, actuator, and sensor properties from remote locations. A typical industrial system contains a proliferation of control loops, HMIs, and remote diagnostics and maintenance tools built on an array of network protocols. Supervisory-level loops and lower-level loops operate continuously over the duration of a process, at cycle times ranging from minutes down to milliseconds.

Figure 1. Key Control Components

In a large enterprise there may be several geographically distributed industrial plants. Enterprise business operations can access plant information over the Internet or, in some cases, over a wide area network (WAN). The local area network (LAN) of a processing plant services all of the operations within the plant, while the actual control system of the plant sits on a somewhat isolated peer-to-peer network. The systems at these levels can be categorized into two types of supervisory control schemes: Distributed Control Systems (DCS) and Supervisory Control and Data Acquisition (SCADA) systems.
DCS are used to control large, complex processes such as power plants, refineries, and chemical plants, typically at a single site. SCADA systems are used to control more dispersed assets, where centralized data acquisition is as important as control. Distribution operations, including water systems, gas pipelines, and electrical lines, use SCADA. PCSRF members have constructed diagrams of typical DCS- and SCADA-based control system network architectures derived from industrial plant visits, review of technical documents, and workshop-based discussions. Generic industrial control system network architectures are shown for DCS- and SCADA-based control schemes in Figures 2 and 3, respectively. A glossary of terms describing the components found in the diagrams can be found in the Appendix of this document. A comparison of these diagrams shows that, at the higher level of the plant network architecture, plant operations are similar whether the plant contains a DCS or a SCADA system. At this level everything resides on a local area network. Components include general-purpose workstations, printers, the plant database, application servers, and domain controllers. Communication outside the plant is typically established via a firewall to the Internet or a wide area network (WAN). Modems are also available, usually to allow remote access for employees working from home or on the road. The DCS and local SCADA components of a plant system typically reside on a peer-to-peer network. A DCS consists of a supervisory layer of control and one to several distributed controllers contained within the same processing plant. The supervisory controller runs on the control server and communicates with its subordinates via the peer-to-peer network. The supervisor sends set points to, and requests data from, the distributed controllers. The distributed controllers drive their process actuators based on requests from the supervisor and feedback from the process sensors.
These controllers typically use a local field bus to communicate with actuators and sensors, eliminating the need for point-to-point wiring between the controller and each device. Several types of controllers are used at the distributed control points of a DCS, including machine controllers, programmable logic controllers, process controllers, and single-loop controllers, depending on the application. Many of the distributed controllers on a DCS can be accessed directly via a modem, allowing remote diagnostics and servicing by vendors as well as plant engineers. A SCADA system typically consists of a Central Monitoring System (CMS), contained within the plant, and one or more Remote Stations. The CMS houses the Control Server and the communications routers on a peer-to-peer network. The CMS collects and logs information gathered by the remote stations and generates the necessary actions for events detected. A remote station consists of either a Remote Terminal Unit (RTU) or a Programmable Logic Controller (PLC), which controls actuators and monitors sensors. Remote stations typically have the added capability of being interfaced by field operators via hand-held devices to perform diagnostic and repair operations. The communications network is the medium for transporting information between the remote stations and the CMS. This is done over telephone lines, cable, or radio frequency. If the remote site is too isolated to be reached by a direct radio signal, a radio repeater is used to link the site.

Process Control Industry Overview

The computer control systems used in process industries, including electric utilities, oil and gas, water, waste, chemicals, pharmaceuticals, pulp and paper, and metals and mining, can be divided according to their use of either DCS or SCADA technology; which is used depends on the geographic distribution of the operation.
Network architectures that encompass processing operations, in which raw materials are transformed into a usable product in a continuous fashion, follow the DCS scenario. On the other hand, network architectures that encompass distribution operations for the usable products, typically over large distances, follow the SCADA scenario. The electrical power infrastructure is made up of power generation facilities as well as the transmission and distribution grids that create and supply electricity to end users. Power generation facilities that use fossil-fuel and hydroelectric turbine/generator systems to produce electricity use DCS. The electric power grid is a highly interconnected and dynamic system consisting of thousands of public and private utilities and rural cooperatives. A SCADA system manages electricity distribution by collecting data from, and issuing commands to, geographically remote field control stations from a centralized location. The oil and gas sector handles natural gas, crude oil, refined petroleum, and petroleum-derived fuels. The oil and gas infrastructure includes production holding facilities, refining and processing facilities, and distribution mechanisms (including pipelines, ships, trucks, and rail systems) for these substances. Refining and processing facilities make use of DCS, while holding facilities and distribution systems utilize SCADA technology. The water supply infrastructure encompasses water sources, holding facilities, filtration, cleaning and treatment systems, and distribution systems. As with electricity and oil and gas, the processing operations use DCS technology while the distribution operations use SCADA technology. A wastewater treatment infrastructure is very similar to that of a water supply infrastructure. The chemical, pharmaceutical, pulp and paper, and metals and mining industries primarily fit into the category of processing facilities and use DCS technology.
Process Control System Vulnerabilities and IT Threats

IT security [2][3] has not historically been a significant issue within the process controls community. Systems were designed to meet performance, reliability, safety, and flexibility requirements, and were typically physically isolated and based on proprietary hardware and communications. The introduction of Internet-based information technology within the process controls industry has increased the vulnerability of the industry's computer systems. Centralized operation and remote maintenance of industry systems conducted freely over public telecommunication networks open the door for hostile organizations to tamper with this critical infrastructure. DCS and SCADA systems that operate on commercial off-the-shelf hardware and software, combined with connections to external networks, make intrusion into, and possibly devastation of, company production and distribution systems far simpler. Threats to these infrastructures could come from numerous sources: hostile governments, terrorist groups, disgruntled employees, malicious intruders, system complexity, accidents, and natural disasters. A generalized list of IT threats, extracted from the Common Criteria Toolbox [4], can be found in Appendix II. There are several risks associated with IT threats to industrial control systems. The most consequential risks, those associated with the health and safety of human lives, belong primarily to the industries identified as part of the critical infrastructure. Cyber attacks on energy production and distribution systems (electric, oil, and gas), on water treatment and distribution systems, and on chemical plants containing potentially hazardous substances could endanger public health and safety and cause serious damage to the environment.
Attacks on any of the process control industries discussed could also have serious financial consequences, including loss of production, generation, or distribution of a product, compromise of proprietary information, and the creation of liability issues. The introduction of Internet-based IT and enterprise integration strategies, coupled with a lack of IT security knowledge, has left process control systems vulnerable to cyber-based attacks [4-6]. Control networks have been merged with corporate networks to allow engineers to monitor and control systems from points on the corporate network. IT mechanisms are also in place to give corporate decision makers instant access to critical data. Network architecture modifications, often implemented without a full understanding of the corresponding security risks, can lead to control networks that are only as secure as the corporate network. Vulnerabilities depend on the existing network architecture, the IT policies, and the risks associated with a particular industrial process control system. One initial focus of the PCSRF is to identify and document these vulnerabilities across the industries represented by the PCSRF. These vulnerabilities will be used in the development of best practices and security specifications. Vulnerabilities are often introduced into process control systems through a lack of policy. Corporate IT policy can reduce vulnerabilities by mandating practices such as password usage and maintenance, or requirements for connecting modems to the process control system. Vulnerabilities can also exist because of poorly configured IT security equipment. Other vulnerabilities stem from the public availability of information on widely used open communication protocols, on techniques for interconnecting DCS and SCADA systems, and on widely used, commercially available, Internet-connectable toolkits for implementing DCS and SCADA.
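The control loop described earlier (sensors feeding a controller that drives actuators, with a set point written from the HMI or supervisory layer) and the remote-tampering exposure discussed in this section can be made concrete with a small simulation. The following Python model is an added example written for this page; it is not code from the paper or from any PCSRF deliverable. The tank process, the proportional controller, the principal names and the authorization check on set-point writes are all constructed assumptions chosen to illustrate the point, not a description of any real controller.

```python
"""Constructed model of a single process control loop with a writable set point.

Added example for this page (not from the original paper). The process,
controller, principal names and authorization scheme are all assumptions.
"""

from dataclasses import dataclass


@dataclass
class TankProcess:
    """Constructed integrating process: the controller's output is a net
    inflow that moves the measured tank level each control cycle."""
    level: float = 0.0   # measured variable reported by the level sensor
    gain: float = 0.1    # actuator effect on the level per control cycle

    def step(self, control_signal: float) -> float:
        """One control cycle: actuate, then return the new sensor reading."""
        self.level += self.gain * control_signal
        return self.level


@dataclass
class LoopController:
    """Proportional controller whose set point is writable from the
    supervisory layer (HMI, control server, or remote maintenance tool)."""
    set_point: float
    kp: float = 0.5
    # Constructed list of principals allowed to write set points.
    authorized_writers: frozenset = frozenset({"hmi-operator", "control-server"})

    def compute(self, measurement: float) -> float:
        """Control signal from the error between set point and measurement."""
        return self.kp * (self.set_point - measurement)

    def write_set_point(self, principal: str, value: float, enforce_auth: bool) -> bool:
        """Accept or reject a set-point write. enforce_auth=False models a
        controller that accepts any write arriving on its maintenance port,
        the situation the paper describes for modem-accessible controllers."""
        if enforce_auth and principal not in self.authorized_writers:
            return False
        self.set_point = value
        return True


def run_loop(process: TankProcess, controller: LoopController, cycles: int) -> float:
    """Run the closed loop (sensor -> controller -> actuator) for a number of
    cycles and return the final measured level."""
    measurement = process.level
    for _ in range(cycles):
        measurement = process.step(controller.compute(measurement))
    return measurement


def scenario(enforce_auth: bool) -> dict:
    """Settle the loop at its set point, apply a legitimate operator write,
    then an unauthorized remote write, and report the resulting levels."""
    process = TankProcess()
    controller = LoopController(set_point=5.0)
    settled = run_loop(process, controller, 200)

    controller.write_set_point("hmi-operator", 6.0, enforce_auth)
    after_operator = run_loop(process, controller, 200)

    # Constructed principal standing in for an unauthenticated dial-in session.
    intruder_accepted = controller.write_set_point("remote-dialin", 9.0, enforce_auth)
    final = run_loop(process, controller, 200)

    return {
        "settled": settled,
        "after_operator": after_operator,
        "intruder_write_accepted": intruder_accepted,
        "final": final,
    }


if __name__ == "__main__":
    for enforce in (False, True):
        print(f"enforce_auth={enforce}: {scenario(enforce)}")
```

With `enforce_auth=False` the loop behaves exactly as designed, yet any principal that can reach the controller moves the process to whatever value it writes; with the check on, the operator's change is honored and the unauthorized write is refused while the loop keeps regulating at the legitimate set point. The check itself costs little, but in a real controller even this small amount of logic competes with the cycle-time and memory constraints the paper identifies as the reason security tends to be bypassed.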
Common Criteria Based Approach

The Common Criteria (CC), ISO/IEC 15408 [7], is a meta-standard of criteria and constructs used to develop security specifications in support of the evaluation of products and systems. A specification defines and characterizes the security problem, including assumptions about the operational environment, the threats that must be countered, and the policies that must be enforced. It also characterizes the intended approach to eliminating, minimizing, or monitoring the defined threats and enforcing the stated policy. The specification defines functional requirements, which state what the system is to do, and assurance requirements, which state what is done to verify that the system does exactly what it is supposed to. These CC requirements, selected from a catalog of criteria, are independent of technology and implementation. The finished specification is a formal CC Protection Profile (PP) for a product or system. A PP serves as an acquisition/procurement vehicle to specify the security requirements of a component or system design, or to gauge the security features of available components or systems. A PP can also be used to verify product compliance, both at the component evaluation level and at the system certification level. Initial PCSRF specifications are being documented using a variation of the CC Protection Profile methodology. Rather than working directly within the context of the CC's language and constructs, this effort will focus on developing and documenting requirements in the language of the process control industry's operating domains. This intermediate specification will in turn be translated into one or more CC-compliant protection profiles. This approach allows safety-critical and performance information to be included alongside the security aspects of the specification, topics that are not covered by the CC.
During initial information-gathering exercises, the PCSRF plans to identify vulnerabilities across the participating industries. Industry-specific working groups will define the vulnerabilities specific to their process control systems based on a minimal set of system functions and capabilities defined by the PCSRF. The results of the individual vulnerability assessments will be analyzed and consolidated by the PCSRF into comprehensive statements of vulnerabilities to be used in the development of the protection profile(s).
Publication date: 2002