To start with, even PC security is pretty bad. Most programmers don’t seem to know the basic concepts for securely handling passwords (as the recent Sony data breach shows us). At least there are some standards, like the Payment Card Industry Data Security Standard.
Unfortunately, if PC security is a leaky bucket, then automation system security is about as watertight as a pasta strainer. Here are some pretty standard problems you’re likely to find if you audit any small to medium sized manufacturer (and most likely any municipal facility, like, perhaps, a water treatment plant):
- Windows PCs without up-to-date virus protection
- USB and CD-ROM (removable media) ports enabled
- Windows PCs not set to auto-update
- Remote access services like RDP or Webex always running
- Automation PCs connected to the office network
- Unsecured wireless access points attached to the network
- Networking equipment like firewalls with the default password still set
- PLCs on the office network, or even accessible from the outside!
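A quick local spot check for four of the PC-side items in that list, as an added example that is not part of the original post: a PowerShell function, assumed to run in an elevated session on the automation PC, that reads the documented Windows policy and service locations and reports which findings apply. The registry paths, the `Get-MpComputerStatus` cmdlet (Defender only) and the 7-day signature threshold are assumptions; third-party AV needs its own check.

```powershell
# Added example (not from the original post): local spot check for four checklist findings.
# Assumptions: elevated PowerShell on the automation PC; registry paths are the documented
# Windows policy/service locations; Get-MpComputerStatus exists only where Defender is present.
function Test-AutomationPcBaseline {
    $findings = @()

    # Finding: PC not set to auto-update. NoAutoUpdate=1 under the WU policy key disables it.
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    if ($au -and $au.NoAutoUpdate -eq 1) { $findings += 'Automatic updates disabled by policy' }

    # Finding: removable media enabled. USBSTOR Start=4 means the USB storage driver is disabled.
    $usb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -ErrorAction SilentlyContinue
    if ($usb -and $usb.Start -ne 4) { $findings += 'USB mass storage driver enabled' }

    # Finding: remote access always running. fDenyTSConnections=0 allows RDP; check the service too.
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    if ($ts -and $ts.fDenyTSConnections -eq 0 -and $svc -and $svc.Status -eq 'Running') {
        $findings += 'Remote Desktop enabled and service running'
    }

    # Finding: virus protection not up to date (Defender only; the 7-day threshold is an assumption).
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp  = Get-MpComputerStatus
        $age = (Get-Date) - $mp.AntivirusSignatureLastUpdated
        if (-not $mp.AntivirusEnabled) { $findings += 'Defender antivirus disabled' }
        elseif ($age.TotalDays -gt 7) { $findings += "AV signatures $([int]$age.TotalDays) days old" }
    } else {
        $findings += 'No Defender status available; verify third-party AV manually'
    }

    return $findings
}

$result = Test-AutomationPcBaseline
if ($result.Count -eq 0) { 'No checklist findings on this PC' } else { $result }
```

The network-side items (office network connectivity, rogue access points, firewall default passwords, exposed PLCs) cannot be judged from the PC itself and need a network audit.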
All of these security issues have one thing in common: they’re done for convenience. It’s the same reason people don’t check the air in their tires or “forget” to change their engine oil. People are just really bad at doing things that are in their long term best interest.
Unfortunately, this is becoming an issue of national security. Some have said there’s a “cyber-cold-war” brewing. After the news about Stuxnet, it’s pretty clear the war has turned “hot”.
I’m usually not a fan of regulations and over-reaching standards, but the fact is the Japanese didn’t build earthquake resistant buildings by individual choice. They did it because the building code required it. Likewise, I’ve seen a lot of resistance to the OSHA Machine Guarding standards because it imposes a lot of extra work on Control System Designers, and the companies buying automation, but I’m certain that we’re better off now that the standards are being implemented.
It’s time for an automation network security standard. Thankfully there’s one under development. ISA99 is the Industrial Automation and Control System Security Committee of ISA. A couple of sections of the new standard have already been published, but it’s not done yet. Also, you have to pay ISA a ransom fee to read it. I don’t think that’s the best way to get a standard out there and get people using it. I also think it’s moving very slowly. We all need to start improving security immediately, not after the committee gets around to meeting a few dozen more times.
I wonder if you could piece together a creative-commons licensed standard based on the general security knowledge already available on the internet…
A site you should probably check out is http://www.digitalbond.com/. I found this guy about a year ago and while a number of the issues he discusses seem to focus more on public utilities (i.e. power grid, water, etc.) the general thoughts and activities are fairly applicable to many of us. Turns out there is a lot more going on out there around security than I ever realized.
Also check out the Bandolier product. It appears to be a tool that helps you identify the vulnerabilities and general level of compliance in your ICS.
Thanks Andy. Now I have a new blog to read. 🙂
I agree with your list save for one item:
“Windows PCs not set to auto-update”
Constant change is the bane of an industrial automation system. Patches should be collected for a period of time, applied to a test system, tested, and then applied to the production system in a way that provides the ability to reverse the patch should a problem show up. That requires some careful patch management, and “just set it to auto update” isn’t very careful. I agree that auto-update is better than no-update, but a degree of rigor is an even better plan.
@Sam – I agree, if you have proper managed updates with a testing environment that’s much better than auto-update, but there are a lot of places that never do updates and have the PCs remotely accessible. That’s a recipe for disaster.