Securing Industrial Control Systems

Transcription

1 L OCKHEED MARTIN Whitepaper Securing Industrial Control Systems The Basics Abstract Critical infrastructure industries such as electrical power, oil and gas, chemical, and transportation face a daunting and challenging environment. There are real threats to cybersecurity by external threat actors as well as both unintentional and malicious security breaches caused by insiders. Management must act to protect mission-critical assets, customers and employees. However, management is torn under pressure to improve financial performance. This is driving companies to improve efficiencies through tighter integration of security and operations, both within the facility and supply chain partners, thus ending the days of isolated control networks. Companies can protect their control system and infrastructure assets while increasing operational effectiveness. Since isolation seems to be impossible in today s world, how do companies protect their control systems and critical assets while improving efficiencies? 1 id.lockheedmartin.com 2014 Lockheed Martin Industrial Defender, Inc.

2 Introduction Critical infrastructure industries such as electrical power, oil & gas, chemical, and transportation face a daunting and challenging environment. On the one hand, there are real threats to cybersecurity by external threat actors, as well as both unintentional and malicious security breaches caused by insiders. Management must act to protect mission-critical assets, customers and employees, but pressure to improve financial performance is driving companies to improve efficiencies through tighter integration of security and operations, both within the facility and supply chain partners. How do companies deal with these two seemingly conflicting needs? Is it possible to go back to the past when industrial control systems (ICS) were isolated, making them immune to cyber attacks? In May 2011, Sean McGurk, then National Cybersecurity and Communications Integration Center Director at the Department of Homeland Security, testified that during vulnerability assessments for critical infrastructure owners and operators, the agency has always discovered connections between the enterprise network and the operations network: In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks. In some extreme ases, we have identified up to 250 connections between the actual producing network and the enterprise network. 1 Since isolation seems to be impossible in today s world, how do companies protect their control systems and critical assets while improving efficiencies? The first step is to understand a facility s vulnerabilities. For example, a major industrial company learned there were over 500 entry points to the corporate LAN and two thirds of their process control networks were thereby connected to the outside world. As sobering as this is, cyber intruders may not be the greatest threat. Malicious insiders armed with specialized knowledge and privileged access is capable of doing great harm. Faced with both external and internal threats, what steps are necessary to protect critical industrial control systems and still allow them to serve real-time information to knowledge workers, and not be a burden on either the systems or the operators? The risks of making the wrong decision are high. Consider the ramifications of two trains heading toward each other on the same track due to software hacked by a disgruntled employee; the cost of a chemical plant spilling hazardous material because a worm disables part of a control system; the result of a widespread power outage due to a coordinated cyberattack on multiple power plants. 1 Testimony before the House of Representatives Oversight Committee Subcommittee on National Security, Homeland Defense, and Foreign Operations, May 25, 2011, 2 id.lockheedmartin.com 2014 Lockheed Martin Industrial Defender, Inc.

3 Protect Industrial Networks Industrial control systems utilize the same computers and communication technologies as the corporate network but also have unique equipment and operating constraints. It will take the compilation of control system expertise and cybersecurity knowledge to properly secure these systems. While many think IT should be responsible for cybersecurity needs and consult with colleagues accountable for the control systems to find vendors that understand both domains, a 2011 survey showed there was no one group that was specifically responsible for cybersecurity in control systems.. Lockheed Martin recommends the following best practices for cybersecurity within critical infrastructure companies: Maintain a database of all your assets that includes their configurations, software inventories, and patches to quickly identify vulnerabilities when they become known Monitor all events occurring within your control system, all the way down to the control system devices including HMIs, PLCs, RTUs, and IEDs. Choose a single industry or sector specific framework to build your security program around, including 2 : NIST Cybersecurity Framework: for all Critical Infrastructure sectors International Society of Automation ISA99: for all Control Systems NERC CIP: for North American Electric Utilities American Petroleum Institute 1164: For Oil & Gas sector Backup system configurations to ensure safe, timely recovery from a successful cyberattack Leverage technologies that have been certified and validated by your control system vendors Based on these practices, senior IT and management executives should consider the following blueprint when providing optimal security solutions: 1. Strengthen the defenses of existing systems by conducting a vulnerability assessment and adding intrusion detection and real-time security event monitoring software built for ICS environments 2. Implement zones and network segmentation to isolate the control network while supporting secure transfer of realtime information to corporate users and systems. To be effective, network architectures must be highly resistant to internal and external threats. 3. Deploy critical systems like SCADA or DCS on operating systems that are specifically designed to provide a high degree of protection and integrity. Steps one and two can be applied to existing industrial networks to bolster their defenses, while the third step is most appropriate for new systems or a major upgrade. To avoid introducing new vulnerabilities, all three approaches should be based on a platform that is, itself, extremely secure. To achieve such a high level of security, it s necessary to look at the capabilities of the computer operating system, and when using commercial-off-the-shelf software be sure to always follow the vendors system hardening guidelines. 2 Examples are provided for reference and do not represent an exhaustive list 3 id.lockheedmartin.com 2014 Lockheed Martin Industrial Defender, Inc.

4 Real-time Security Management The process and utilities industries routinely use real-time computer systems to monitor the health and safety of their operations. But the health and security of these computer networks remains invisible. What if we could watch for or monitor security incidents in the same way a SCADA system monitors flow rates and alerts an operator to a dangerous condition? Security management systems (see Figure 1.) are available for this purpose. They consist of a perimeter protection that is installed on existing computers, and automated data collection that fits within the low-bandwidth requirements of control systems. The protection appliance is a Unified Threat Management (UTM) device that provides firewall and other security capabilities such as antivirus filtering and intrusion prevention. 4 id.lockheedmartin.com 2014 Lockheed Martin Industrial Defender, Inc.

5 Automated data collection should report on asset health, changes in security log files and control application status. This information is sent to an appliance where it is stored in a real-time database. From there, alarm limits can be set, alerts generated, incident reports created and trends displayed. The security console also runs network intrusion detection software and has the ability to monitor network equipment like switches, routers and firewalls via the Simple Network Management Protocol (SNMP). An old truism states that a person can t control what isn t measured, and this applies to security as well. Security event management systems give organizations a better view of vulnerabilities by aggregating information generated by firewalls, intrusion detection systems, switches and other network devices. In the industrial environment, information from industrial assets and application programs needs to be added, ensuring the availability and performance of critical systems. Without monitoring events, companies are flying blind and have no idea what their vulnerabilities are or even if they are under attack until it s too late. In particular, control systems can benefit from this approach because some IT practices such as password lockout, frequent patch updates and periodic virus scanning don t translate well into the plant environment, since they compromise the safety and integrity of the operation. Installing event monitoring software at key facilities provides many benefits including: 1. A central view of industrial control systems, their applications and computers providing an overview of the current security status. 2. Perimeter protection of mission critical control systems. 3. Key information including software inventory, patch version, and operating system to reduce or mitigate future security risks. 4. Satisfying emerging government, insurance and industry requirements concerning cybersecurity. Conclusion Heightened cybersecurity concerns are causing companies, particularly those that operate critical infrastructure and process manufacturing facilities, to re-examine their networks from a cybersecurity perspective. For over a decade, companies have implemented Lockheed Martin s Industrial Defender Solutions in mission-critical applications keeping power plants running and transportation companies moving at peak efficiency, as well as ensuring that water, gas and electricity are delivered to our homes reliably. Now, with the introduction of the Industrial Defender ASM, Lockheed Martin is the first company to address control system security concerns while improving operational effectiveness and providing a significant return on investment. 5 Industrial Defender Solutions 16 Chestnut Street, Suite 300 Foxborough, MA, USA, Phone: info@industrialdefender.com id.lockheedmartin.com 2014 Lockheed Martin Industrial Defender, Inc.